Frequently Asked Questions

Have questions? We’re here to help.

Adopting these tools early keeps you ahead of new regulations. You’ll avoid scrambling to meet new requirements and reduce the risk of fines. It also shows customers and partners that you take privacy and responsible AI seriously. Early adoption improves internal processes and can be a competitive advantage.

Automation replaces manual tasks like request intake, identity checks, data searches, and response letters. This frees up staff time, reduces errors, and makes it easier to handle large volumes of requests. With a tool like Truyo, you lower labor costs, improve accuracy, and speed up response times.

New laws can require extra steps, new workflows, or updated timelines. For example, the EU AI Act adds AI risk assessments and new transparency rules. Privacy law updates might give people new rights or shorten deadlines. Review and update your workflows, policies, and tools to meet these changes. Platforms like Truyo can be updated to reflect new requirements without overhauling your entire system.

Track request volume by type, average response times, and the percentage completed within the legal deadline. Monitor trends over time, spikes in requests, and workload by channel. Track resolution status, such as fulfilled or denied. Privacy tools like Truyo provide dashboards for these metrics.

Yes. Starting in one department or business unit lets you test the process, gather feedback, and measure results before a company-wide rollout. This approach minimizes disruption and builds support. Tools like Truyo make it easy to expand the workflow once it’s refined.

Set up a clear workflow that defines each team’s role. For example, privacy reviews the request, legal approves disclosures, and IT handles data deletion. Use a collaborative platform like Truyo to route tasks to the right people and track status in real time. This keeps the process efficient and transparent.

Use a centralized privacy request management system. This collects all requests—whether from web, email, chat, or phone—into one dashboard. Your team can then track, assign, and fulfill them without losing any. This creates an audit trail and ensures consistent handling. Platforms like Truyo make multi-channel request management simple.

Use only the personal data needed for the AI’s purpose. Apply anonymization or pseudonymization to remove personal identifiers. Use aggregated or synthetic data when possible. Limit the data fields to only those relevant to the model’s goals. This reduces risk and supports privacy by design while allowing the AI to learn effectively.

Run privacy impact assessments for AI projects to understand how personal data is used. Apply privacy by design, using only the data needed and anonymizing it when possible. Build in ways to honor user rights, such as deleting or correcting data on request. Be transparent about AI data use and get consent when required. Use an AI governance framework or tool like Truyo to track compliance, monitor for bias, and document all steps.

When using AI that processes customer data, follow privacy regulations like GDPR and CCPA. Only use data for purposes the customer agreed to. Apply data minimization so only the needed personal data is used. Use techniques like anonymization or pseudonymization, secure the data, and be transparent about how it is used. Regularly assess AI systems for risks like bias or misuse, and have policies in place to address them.

Under CCPA/CPRA, businesses generally have 45 days to respond to a verified deletion or access request, with one possible 45-day extension. Under GDPR, the standard is one month, with up to two extra months for complex cases. Many companies aim to respond faster. Tools like Truyo speed up this process by handling verification, data searches, and response steps.

Under California’s CCPA/CPRA, you can request that a business delete your personal data. Submit your request through the business’s designated channels, such as an online privacy form, a self-service portal, or a toll-free number listed in their privacy policy. Businesses must offer at least two methods. Look for a “Privacy Center” or “Do Not Sell/Share” page on their site. If they use a DSAR portal like Truyo’s, you can submit your deletion request there for easier tracking and processing.

We have a team of data scientists who will work with your AI governance team to understand your data pipeline and test pre- and post-training results of your AI models for evidence of bias and discrimination.

Traditional data generation uses random lists, but Truyo de-identification goes into your system and grabs information using data you store. Your sample set will match your production systems rather than consisting of randomized data. We de-identify your real consumer data, from names to emails, in a usable format. We mix phone number digits, scramble everything left and right of the ‘@’ separately for emails, and rearrange SSNs by section to defy SSN rules. Truyo can de-identify, replace, hash, and 2-way encrypt so you can decrypt data with the key.

Truyo will scan your content, such as documents in SharePoint, to find indicators of generative AI usage through API connectors to isolate instances of AI use cases for governance review. We will also scan your website and source code for mention of AI tools and fingerprints that point to an AI tool being used to generate code. Scans can be set to run on a recurring basis and no data is saved after the scan.

Bitbucket, GitHub, Azure Repos, and more coming soon.

Truyo provides a holistic platform that encompasses all components of AI governance from AI inventory to risk management. Truyo reduces the manual workload of producing an AI inventory, provides a full suite of assessments, helps you identify bias and discrimination in your AI models, and more. Combined with our comprehensive and automated data privacy platform, you have one solution to manage compliance and governance that will scale with your business.

An AI scorecard provides you with a documented representation of your AI governance efforts to show your consumers and business partners, both internal and external, that you are using AI responsibly and monitoring risks.

Great news! You won’t need to circumvent your current ticketing system. Truyo can integrate to dispatch tickets and listen for the results in a fully automated fashion without interrupting your current organizational workflows.

We can create customized solutions using RESTful APIs, file exchange, direct-to-database connectors, or, most commonly, a remote software agent to connect to internally developed systems. Truyo has the capability to connect to virtually every type of data system.

Yes, with the new generation of agents our tool will comply with all jurisdictions to provide compliant DSAR fulfillment.

Truyo’s Framework Assessment Module includes privacy impact assessments, vendor assessments, CMMC, NIST, and ISO.

Truyo currently supports regulations for the following states: California, Colorado, Connecticut, Nevada, Utah, and Virginia. Internationally, Truyo supports regulations for Australia, GDPR, MENA, PIPEDA, and Quebec. We are always adding new regulations as they arise and at no additional charge to our customers.

Within one month we have saved:

  • A large retail chain $2.7m in operating costs with CCPA automation
  • A mid-size restaurant chain $350k in operating costs with CCPA automation
  • A national home goods chain $1.1m in operating costs with CCPA automation
  • A national health and wellness chain $2.6m in staffing costs with CCPA automation
  • A salon chain $180k in operating costs with CCPA automation

Oftentimes, legacy applications or printed materials have no possibility of an API connection. In these cases, automation may not be possible. But Truyo can automatically create a manual Task for your team members when it is necessary to interact with these sources.

Truyo can integrate with any system capable of supporting an API. Truyo uses over 100 pre-built Connectors to all of the most popular CRMs, ERPs, marketing tools, HR tools, etc. For systems where Truyo does not have a pre-built Connector, we use a flexible API builder that includes standard components like error checking, caching, retries, etc.

Through your secure, branded Data Subject Portal, Data Subjects are guided through options to help them formulate exactly what they are trying to Request. Your users do not need to be knowledgeable about the regulations, but their Requests are properly structured so you can act on them easily and quickly without having to interact with the Data Subject.

Truyo leverages a secure, immutable ledger to log and timestamp all system interactions and changes associated with your SAR operation, including requests, task assignments and task fulfillment. We then provide simple graphical reports as well as flexible filters so you can see and create the reports you need very quickly, whether for internal purposes, or for external purposes like an audit or legal defense.

Truyo will create common reports such as those for CCPA & CPRA compliance – average time to complete requests, number of requests, etc. We also have complete reporting for any transactional element in the platform such as when a request is accepted or completed. We have system reporting for connections that are managing processes and how long it takes. All reporting can easily be exported to spreadsheets or reporting tools at no additional cost for our customers.

Yes, we can deploy on a company’s own cloud instance. Truyo is built on Kubernetes and can manage and maintain remote installations while keeping your data secure on your infrastructure. Truyo can also be deployed on-premise or in a hosted multi-tenant environment.

Yes, many companies do not require automation because they get very few, if any, Requests from Data Subjects, or they have very few back-end systems which hold data. These companies use the Truyo secure portal, task management system, logging and reporting engine without any connected data sources, while supporting manual responses to SARs. This is a cost-effective and more compliant alternative to receiving SARs to an email alias or a simple web form. But if you do start getting a lot of SARs, it is an easy upgrade to start adding automation to the system.

Yes, the entire product is built for variable enterprise requirements and stringent security standards and is driven by a set of flexible APIs so it can be largely tailored to your specifications. Customizations are performed and billed as a Professional Service.

By default, Truyo sends verification links to any emails or SMS endpoints given by the Data Subject before a Request becomes “verified” and actionable. But Truyo can incorporate many additional verification methods, including integration with 3rd party verification tools and even integration to your own authentication systems for customers and employees. Truyo also offers you the option of requiring the Data Subject to upload a photo ID.

If you have over 10 back-end systems that contain privacy data, AND you get or plan to get at least one SAR per week, then you should consider at least some level of automation. Back-end systems include CRMs, ERPs, billing systems, help desk and ticketing systems, marketing systems, analytics, e-commerce, applicant tracking systems and payroll systems, just for example. The first level of automation — validating identities, validating requests, generating tasks, logging and reporting — will cut out 20 to 30% of your operational overhead without any systems integration required. The next level of automation, information gathering and compiling, will cut out another 30 to 40% of your overhead, and will require simple data ingestion integration to your systems. The last level of integration, fully automating changes to back-end systems, requires more integration effort, but will help you achieve a fully-automated, self-service experience for your customers and employees.

Personal data is any information that can be used to directly or indirectly identify a person. This information ranges from social media activity, credit card information, and medical information to a computer’s IP address. Public, private and work data are all covered under the regulation.

Also called a SAR or DSAR, a Data Subject Access Request refers to the new requirements under privacy regulations that allow a person, the Data Subject, to request to see the data that a given company is tracking on them. This includes a very broad set of data tied to that person’s identity in your systems, like website visits, shopping history, demographic information, etc. For most companies, this data resides in multiple back-end systems. Companies have 30 days under the GDPR or 45 days under CCPA to compile this information and deliver it to the requestor in a format that is understandable. Further, a Data Subject can also ask for that data to be deleted from all systems, for it to be modified, or for it to be provided in an exportable format, depending on the regulation.

Modern privacy regulations are very broad, and cover many areas like breach notification, security practices and privacy by design. Truyo helps automate and streamline the area of Individual Rights. That is, the rights of a person to request to see the data a company is tracking on them, and to exercise control over that data. This is one of the main areas of exposure to a company, and serves as the primary entry point for complaints and fines if not done properly, so it is important to execute Individual Rights properly, and to the degree a company receives many Requests, to do so at scale.
