Q. What authentication/authorization schemes does the solution support to connect
to IaaS clouds?
Customers can connect to their respective IaaS clouds via IAM roles with the required
permissions.
Q. Can you discover assets across multiple regions in cloud accounts?
Securiti can discover and catalog cloud-native and shadow data assets across AWS, Azure,
and GCP. Data assets range from cloud storage buckets, data warehouses, data lakes, and
databases deployed across your cloud environments.
Q. Can you import assets from an external CMDB?
We allow admins to synchronize assets from external CMDBs via our asset connectors. We
provide the ability to perform field mapping and customize the mapping of columns in your
CMDBs across different sections and attributes. One can schedule automated periodic
scans of CMDBs to ensure your data asset catalog is kept up to date.
Q. Do you support on-demand and scheduled discovery of assets?
Admins have the ability to initiate asset discovery scans on-demand or on a periodic basis.
Q. Do you support built-in detectors for personal and sensitive data elements?
Securiti’s Sensitive Data Intelligence comes with hundreds of personal and sensitive data
elements that can be used to discover sensitive data in structured and unstructured data assets.
These include name, phone number, email ID, social security number, credit card number,
and more.
Q. Is sensitive data discovery supported in IaaS, SaaS, and on-premise data stores?
Securiti supports 200+ predefined connectors to a variety of data repositories. Custom
connectors can also be enabled using standards-based webhooks interfaces or using our
workflow module.
Q. Do you allow defining custom data element detections?
Securiti allows the creation of custom data elements. Custom data elements can be created
with granular scopes such as target data source types, jurisdiction, and regulation. We allow
data element definition via regex, dictionaries, keywords, and anchors to optimize for high
detection rates.
Q. Do you support matching on exact data?
Securiti supports exact data matching to fingerprint and match billions of cells of your unique
sensitive data. One can create an Exact Data template and corresponding Exact Data
Profiles which can be applied via Discovery Scans.
Q. Where will you store the exact data fingerprints?
Exact Data fingerprints will be stored in your on-premises or cloud environment to maximize
data protection and help you maintain compliance with industry mandates.
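As an illustration of the exact data matching described above, the following added example (not Securiti's implementation) fingerprints a reference data set with a keyed hash and matches table cells against the digests only. The key, normalization rules, function names and sample rows are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
import unicodedata


def normalize(value: str) -> str:
    """Canonical form so '123-45-6789' and '123 45 6789' fingerprint identically."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return re.sub(r"[\s\-]+", "", folded)


def fingerprint(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): without the key, low-entropy values such as
    SSNs cannot be recovered from the digest by brute force."""
    return hmac.new(key, normalize(value).encode("utf-8"), hashlib.sha256).hexdigest()


def build_profile(known_values, key: bytes) -> frozenset:
    """Fingerprint the reference data once; only digests are kept, never plaintext."""
    return frozenset(fingerprint(v, key) for v in known_values if normalize(v))


def scan_rows(rows, profile: frozenset, key: bytes) -> list:
    """Return (row_index, column) for every cell whose fingerprint is in the profile."""
    hits = []
    for index, row in enumerate(rows):
        for column, cell in row.items():
            if cell and fingerprint(str(cell), key) in profile:
                hits.append((index, column))
    return hits


# Constructed sample data. In practice the key would come from a secret store
# or KMS inside the environment that also holds the fingerprints.
DEMO_KEY = b"constructed-demo-key"
PROFILE = build_profile(["123-45-6789", "Jane.Doe@example.com"], DEMO_KEY)
ROWS = [
    {"id": "1", "note": "123 45 6789"},            # same SSN, different separators
    {"id": "2", "email": "JANE.DOE@EXAMPLE.COM"},  # same email, different case
    {"id": "3", "note": "987-65-4321"},            # not in the reference set
]

if __name__ == "__main__":
    print(scan_rows(ROWS, PROFILE, DEMO_KEY))
```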
Q. Do you allow manual override of the classification of a table column?
The system allows manual override of the classification of a table column and customers can
choose data elements to override the decision.
Q. Is sensitive data discovery supported in the unstructured text (CLOB) of database
tables?
All major databases support character string data types to store unstructured data. SDI can
help discover sensitive data in Character Large Objects (CLOB) of database fields and
provide visibility about what Data Element Types were found in such columns.
Q. Do you allow sampling of files in a data store for scanning?
We have configuration knobs that facilitate data sampling on portions of files in order to
determine the size, scale, location of data clusters and help customers to prioritize key
datastores.
Q. Can you scan big data formats like Avro, Parquet?
Securiti’s SDI solution leverages AI/ML techniques that classify sensitive data in Avro,
Parquet, and other structured files. We leverage proprietary NER and NLP algorithms
specialized for such data that fuse the various signals contained within them to provide
accurate classifications and can even detect challenging types such as multi-part names &
locations.
Q. Do you allow one to view detections from past scan jobs?
Our discovery scan jobs dashboard provides a complete view of past scan jobs that have
completed and they can be correlated with data element detections in the respective
dashboards.
Q. What is the retention period for scan results?
Securiti’s SDI solution’s discovery scan results are retained in our data stores until customers
decide to deactivate and purge the corresponding data store or when customers request
deletion of their tenants.
Q. How do you scale to scan petabyte-scale data volumes?
Securiti’s SDI provides a number of techniques to improve and optimize scan performance.
A few examples include:
First, built-in elasticity allows data scans to be run as containers that spin up new
nodes based on the volume of data and expected time to find sensitive data. An
orchestration engine can manage the number of compute nodes required and wind
down extra nodes when not in use, providing the most optimal speed and cost.
Second, it includes policy-based scanning that lets organizations manage the scope of
their target data based on file formats, file size, data attributes, and other types of
metadata (such as last modified). Narrowing the scope can help yield faster results.
Lastly, certain types of big data such as logs can be very homogenous (repeatable).
Organizations can use sampling techniques to scan a portion of the first few bytes of
a file. Similarly, in the case of structured data stores, they can scan the first few rows of data.
Q. Does your solution offer a SaaS-based and on-premises deployment model?
Securiti’s SDI is available in various deployment options. Organizations with large data
centers or public cloud presence can choose to own and run it in their private clouds. In this
approach, organizations scan data closest to their data sources with better security and at a
lower total cost of ownership (TCO). For example, in an IaaS environment, if the data is
scanned within the same Virtual Private Cloud (VPC), there is no risk of data leakage and no
additional data export costs. For lean organizations with little or no infrastructure, Securiti
SDI is available in the cloud. With a cloud-based deployment, organizations can start
quicker. Organizations receive their expected service level agreement (SLA) with elastic
capacity available out-of-the-box.
Q. Where is your SaaS service hosted?
Securiti is hosted in Amazon Web Services (AWS) and Google Cloud Platform (GCP).
AWS Customer tenants can be hosted in our US or EU cloud infrastructure.
GCP Customer tenants can be hosted in the US only, for now.
Q. How do you tune out false positives in what is detected?
We apply several approaches to filtering out false-positive detections, and they vary for
different types of data. First, we aim to determine data layout. Data can be in a
structured tabular format, a semi-structured format such as JSON, or an unstructured format
such as forms and natural text. These layouts are fundamentally different, and specialized
parsing and algorithmic pipelines are applied to each. These algorithms allow us to better
correlate the detections that are discovered to each other and to anchor terms, providing the
important ability to set meaningful confidence levels to the detections. The final part of our
pipeline, ML-based Contextual Analysis, examines the collection of detections to resolve
ambiguous detections and to filter out likely false positives.
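The regex, validation and anchor-term ideas from the custom data element answer and the false-positive answer above can be sketched as follows. This is an added example, not Securiti's pipeline; the element definitions, confidence values, threshold and sample strings are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_ok(candidate: str) -> bool:
    """Checksum used by payment card numbers; rejects most random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(candidate: str) -> bool:
    """Structural SSN rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    area, group, serial = candidate.split("-")
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


@dataclass(frozen=True)
class DataElement:
    name: str
    pattern: re.Pattern
    anchors: tuple
    validator: Optional[Callable[[str], bool]] = None


# Hypothetical element definitions: regex + anchor keywords + validator.
ELEMENTS = (
    DataElement("credit_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
                ("card", "visa", "payment"), luhn_ok),
    DataElement("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                ("ssn", "social security"), ssn_ok),
)


def detect(text: str, context: str = "", window: int = 40) -> list:
    """Return (element, value, confidence) for each validated match.

    `context` carries layout hints such as a column header or JSON key; for
    free text, anchors are searched in the `window` characters before the match.
    """
    findings = []
    for element in ELEMENTS:
        for match in element.pattern.finditer(text):
            value = match.group()
            if element.validator and not element.validator(value):
                continue  # regex hit that fails validation: drop as false positive
            before = text[max(0, match.start() - window):match.start()]
            nearby = (context + " " + before).lower()
            anchored = any(anchor in nearby for anchor in element.anchors)
            findings.append((element.name, value, 0.9 if anchored else 0.5))
    return findings


def report(findings: list, threshold: float = 0.7) -> list:
    """Keep only detections whose confidence meets the reporting threshold."""
    return [f for f in findings if f[2] >= threshold]


if __name__ == "__main__":
    # Constructed samples: anchored card number, bare order number, table cell.
    print(detect("Customer paid with Visa card 4111 1111 1111 1111 yesterday."))
    print(detect("Order 1234567890123456 shipped."))
    print(detect("123-45-6789", context="ssn"))
```

Anchor matching here is a plain substring test, so a production detector would tokenize the surrounding text first.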
Q. How long will it take me to scan my environment?
Typically customers tend to perform content classification across all the datastores that they
manage. The scan time for each datastore depends on the type of data that it contains
(structured data or unstructured data), the type of detectors that have been configured, and
the amount of data that needs to be scanned.
Q. Will scanning impact my production environment?
Our systems are optimized for scanning hyper-scale production data environments and work
within the rate limits of the respective datastores. For data stores that contain structured
data, we offer linear and random data sampling techniques. For datastores containing
unstructured data, we offer (a) sampling techniques targeting specific portions of files and (b)
incremental scans which only scan the delta of any newly created or modified files and
objects.
Q. Can I schedule scans outside of business hours?
Data discovery jobs can be run manually or on a periodic basis. Admins can specify start
times of these discovery scans on any periodic schedule frequency such as daily, weekly or
monthly, during and outside business hours.
Q. Does the scanning of my file shares reset the “last accessed” date on all of my
files?
Our scan engine does not reset the “Last accessed” date on files since we do not update
any data in the files.
Q. Can I scan encrypted files and databases?
For datastores such as S3, if server-side encryption has been used, we will scan the
encrypted files transparently. If you have used KMS, then we would require permissions to
the KMS in order to scan encrypted files.
Q. Can it read the classification tags that were applied via Titus, Boldon
James, Microsoft, etc.?
Securiti’s SDI solution integrates with Microsoft Information Protection to read and retrieve
labels and apply them to documents based on our Data Element detection and content
classification capabilities. We also provide additional metadata labels that can be applied for
privacy use-cases.
Q. Can your scanning and detection handle multibyte characters in databases?
All major databases support multibyte character string data types to store unstructured data.
It is even possible that such database columns contain a variety of different Data Element
types. We provide the ability to scan unstructured columns in databases for all possible Data
Element types. Once the detections are complete, we provide visibility about the Data
Element types that were found in such columns.
Q. Do you pull the “file owner”, “last modified by” and “file created” by user
information?
We capture user information including “file owner”, “last modified by” and “file
created” along with the file metadata such as file name, size, file extension.
Q. Can I automatically perform data masking to redact the offending data inside of
files or in table columns after sensitive data is detected?
The Securiti SDI tool orchestrates actions such as Dynamic Data Masking for data
warehouses like Snowflake by automatically applying the masking functions supported by
the datastore on sensitive data columns detected by the tool.
Q. Can I use it to scan desktops and laptops?
Securiti’s SDI solution is targeted to provide data scanning solutions for IaaS, SaaS and
on-premise data stores.
Q. What regulations/jurisdictions are supported by the DSR module?
The Securiti DSR module supports global regulatory requirements around handling subject
rights requests including, but not limited to, EU GDPR, LGPD, Thailand’s PDPA, South
Africa’s POPIA, US state (California (CPRA), Maine, Nevada, and Virginia) privacy laws, etc.
Q. Do you send automatic reminders when a DSR is due?
Yes, automatic reminders are sent to task owners when a DSR is due. The system also
auto-extends overdue DSR requests, to the extent allowed by law, and automatically notifies the
data subject of the delay using configurable notification templates.
Q. Where is your SaaS service hosted?
Securiti is hosted in AWS and customer tenants can be hosted in our US or EU cloud
infrastructure.
Q. Can you have different response workflows for each request type?
Securiti DSR workbench automatically adjusts response workflows based on the request
type.
Q. Which data repositories do you support?
Securiti supports 200+ predefined connectors to a variety of data repositories. This includes:
IaaS data systems
SaaS Applications
On-Premise Systems
Multicloud data lakes/ data warehouses
Custom connectors can also be enabled using standards-based webhooks interfaces or
using our workflow module which offers standards-based API interfaces to any compatible
application.
Q. Do you support the scanning of tape backups?
No, Securiti cannot directly scan tape backups. This data has to be restored into a
compatible environment before the data can be scanned to build People Data Graphs to
support DSR fulfillment.
Q. Which languages are supported by the DSR module? Can consumers/data subjects
interact with the system in different languages?
Securiti currently supports 8 languages – English, Portuguese (Brazil), French, Italian,
Spanish, German, Japanese, and Arabic with more on the roadmap. Consumers can choose
to interact with the system using the language of their choice.
Q. Can I embed the DSR form on my website?
Yes, the DSR form can be embedded within your website to follow your brand guidelines
using a special, embeddable form link, available once a form has been published.
Q. How do you perform identity verification?
Email-based identity verification is included by default. External identity service providers
such as [Link] and Accesso Digital can also be enabled to verify user identities using
government identifiers such as driver’s license, CPF, and passport, augmented with
selfie/liveness checks.
Q. How are the reports secured? Where is it stored?
All DSR reports are encrypted at rest using tenant-specific encryption keys within the
Securiti platform. These reports cannot be downloaded from the DSR workbench by tenant
admins. If required, all this information can be stored at rest in customer-controlled cloud
storage (AWS/Azure/GCP). When ready, reports are published to the authorized end-user
through the secure portal in encrypted format using a key accessible only to the end-user.
Q. Can you redact/obfuscate data before handing it back to the data subject?
No, Securiti does not support redaction. This feature is on the near-term roadmap.
Q. How does data deletion work?
For applications that support the deletion of users through APIs, Securiti’s DSR workflow can
automatically delete user data for verified erasure requests. In other cases, custom
workflows can be enabled to handle data deletion. For apps that don’t support standard
deletion workflows, the DSR workbench displays all the data discovered for the user, along
with standard data deletion steps/scripts, so that task owners can intelligently initiate
application-specific data deletion tasks.
Q. Can we hand back only the personal data attributes and not the actual data?
Yes, in most cases, organizations can choose to withhold actual data and only hand over
personal data attributes through process records.
Q. Is the DSR form customizable?
Yes, the DSR form can be customized to add/remove form fields and to add conditional
logic and customization such as:
1. Setting a default country in the country field
2. Showing/hiding a field based on data entered in a form field
3. Showing/hiding fields based on country and state selection
4. Adding hyperlinks and tooltips
5. Advanced HTML element style customization etc.
Q. Do you provide legal research data?
Yes, regulation-specific research data is available within the workbench. Only relevant
research data is shown in context so users don’t have to sift through research data to find
the information they need.
Q. How is the end-user experience?
End users submit a DSR request using a form on your website. Users then get access to a
secure portal where they can message/communicate with your internal privacy team and
receive their final DSR report when it is ready in an encrypted format. This report is only
accessible to the data subject ensuring full confidentiality of the information and preventing
unwanted data sprawls within your environment.
Q. Can I restrict/control the number of DSR requests a consumer can initiate?
Yes, the DSR module allows administrators to enforce restrictions on a per-DSR form basis.
The following restrictions can be enforced:
1. Number of requests allowed in a certain duration
2. Allow/deny parallel requests
3. Allow/deny overlapping requests (of the same type)
4. Enforce minimum duration between requests
FAQ: Securiti Universal Consent
Q. What are the different ways Securiti could capture consent?
Securiti offers a no-code form consent code that automatically captures the consent on a
web form. We also support the Universal Consent API to upload consent. With 200+
connectors, there are many ways to ingest and distribute data.
Q. Does Securiti support granular capture of purposes?
Yes. Securiti allows you to fully configure Processing Purpose, Processing Purpose
description, and Consent Purposes (which are sub-processing purposes).
Q. How can Securiti help me demonstrate compliance?
[Link] automatically stores the UUID, Processing Purpose, Consent Purpose, Consent
Status, Timestamp, and Consent Source, when consent is given. You are able to view the
metrics on the reporting dashboard or export the data for further analysis.
Q. How does Securiti verify identity for the consumer preference center?
Securiti’s preference center by default verifies user identity through email verification.
Q. How do I integrate my organization’s databases with Securiti’s workflow module?
Choose from 200+ pre-integrated connectors in the Workflow module list. If you don’t
see a database or application or have a first-party database you’d like to connect to, please
email support@[Link].
Q. How do I slice and dice consent data by business unit, department, or any other
attribute?
Create a Custom Parameter, and upload the value along with the consent record. Then,
simply leverage the filter in the reporting dashboard or query by the Custom Parameter via
Universal Consent API.
Q. How many UUIDs does Securiti support?
Companies can pass multiple UUIDs into the UUIDs object, when consent is collected, to
help identify the user of a consent record.
Q. Can Securiti connect to a first-party database?
Yes. Securiti can connect to your first-party in-house or third-party database.
Q. How does Securiti work with my Customer Data Platform (CDP)?
Securiti can connect to your Customer Data Platform (CDP) of choice and perform regular
data ingestion or distribution with the database.
Q. What does Securiti’s on-boarding process look like if I have millions of existing
consent records?
You can leverage our Bulk Import API to import existing consent records into the consent
database. We also support connecting to the database(s), where you are currently storing
the existing consent records, directly for data ingestion.
Q. Does Securiti’s system automate asking for re-consent?
Yes. We trigger several events such as 1) when a consent expires, or 2) when a policy tied
to consent has materially changed.
Q. Can Securiti collect consent from mobile applications?
Yes. You can easily integrate a mobile preference center of choice with our Universal REST
APIs 1) to pull the latest consent status of the user to your preference center UI and 2) to set
consent when s/he submits preferences.
Q. Can Securiti store and manage preferences or just consent?
Processing and consent purposes are configurable to store consumer preferences as well,
although we most often see companies integrate our consent database with their Customer
Data Platform (CDP).
Q. What kind of devices does Securiti support?
Securiti supports desktop, mobile iOS, Android, tablets, and more to capture and retrieve
consent.
FAQ: Cookie Consent Management
Q. Is it possible that a new scan on a URL changes the cookies present in the
Essential category?
When you rescan a site, all updated category classifications are placed in a draft
state. The admin has the option to re-verify the classifications and then publish it
when ready. This will not impact what has already been published. The new scan will
also preserve any category customizations you may have done to some cookies in
the past.
It means that if you have moved a cookie from its auto-categorization category to a
new category, that will still be maintained after the rescan (so you don’t have to go
through the process again).
Q. How can Securiti help me demonstrate compliance?
Securiti automatically stores the Subject identifier (UUID), Cookie Category, Consent
Status, Timestamp, and Source URL, when consent is given. Note that
you can insert a UUID of choice to store with the consent record. Securiti also
provides attributes such as geolocation to support your audit trail. You are able to
view the metrics on the reporting dashboard or export the data for further analysis.
Q. Is custom text in the cookie banner translated?
Yes. Custom text entered to configure the cookie consent banner is dynamically
translated.
Q. How many languages does the cookie banner support?
The cookie banner supports over 30 languages. Please refer to our Help Center for more
details. If you would like us to add a language, please contact support@[Link].
Q. How do I honor a web visitor’s consent preferences?
Securiti supports a variety of ways to honor consent.
1. Use our revolutionary auto-blocking script.
2. Integrate with a Tag Manager of choice, such as Google Tag Manager.
3. Integrate the Cookie Consent SDK (JavaScript) with your website.
4. Enable IAB TCF v2.0.
5. Use a combination of the above methods.
Q. How long does it take to deploy Securiti Cookie Consent on my website?
You can deploy a cookie banner in minutes. First, enter the website URL for
scanning. We will then auto-categorize the discovered cookies, so your code is
ready to embed as soon as the scan is complete.
Securiti also has a WordPress plug-in to help you deploy even more seamlessly.
Q. Does Securiti scan more than cookies?
Yes. Securiti scans for more tracking technologies than cookies such as tracking
beacons and pixels.
Q. How configurable is the cookie banner & preference center?
Securiti’s cookie consent is extremely configurable. Choose any predefined color
palette, or create a custom one of your own by dragging and dropping along the hex
color bar. Companies may also customize position, button styles, and text on both
the banner and preference center.
Q. Is Securiti an approved CMP provider of IAB EU?
Yes. We are an approved CMP provider of IAB EU.
Q. How does Securiti categorize cookies?
Securiti uses a very comprehensive methodology, leveraging cookie name/purpose,
to guide mapping towards bigger consent buckets.
First, we have a dedicated data team that looks into the processing purpose of the
actual cookie. Based on the purpose of the actual cookie, we map it into Essential,
Functionality, and Advertising, so you don’t have to maintain the mapping long-term
like other platforms.
Note 1: These consent buckets are configurable.
Note 2: In order to determine the purpose of the actual cookie, the data team uses a
combination of manual research as well as algorithmic help.
It produces a very high percentage of accuracy. For example, if we don’t have a
consent bucketing for a cookie, we look at the consent bucketing for the vendor,
using both manual research and algorithmic help. Our multiple-redundancy,
granular approach ensures that we can automatically bucket as much of
the scan results as accurately as possible for our clients.
Our approach ensures we 1) categorize the cookies discovered in the correct
consent buckets, and 2) disclose as granular a purpose as possible to provide even
better transparency to the consumer.
Q. How deep and wide does Securiti scan?
Securiti scans websites multiple levels deep and thousands of pages wide to
discover cookies, beacons, pixels, and other tracking technologies. This provides
accurate, comprehensive disclosure from the organization which de-risks privacy
violations.
Q. If we do not recognize a cookie or tracker, does Securiti report which page
it was found on?
Yes. Simply export the website scan results. For each cookie or tracker, we will
provide which page it was found on.
Q. Can you deploy multiple banners across multiple sites/domains?
Yes, although if different sites/domains have different tracking vendors, we do
recommend that companies generate and deploy different cookie banners for
accuracy and transparency.
Q. Are vendors in Data Maps the same vendors in Vendor Assessments?
Yes. The two modules utilize the same list of Vendors, so you always have a
synchronized list.
Q. Can I invite Vendors who have public email domains such as Gmail or
Yahoo?
Yes. Securiti platform supports inviting and sending vendor assessments using
public email domains.
Q. Can Vendors see my internal responses, risks, or flags?
No. Vendors, who are non-system users, cannot see internal responses, risks, or
flags by default. If you would like them to collaborate on risks or flags, then assign
the vendors as risk or flag owners.
Q. Can Vendors invite their co-workers to help them with a question?
Yes. If the Vendor has a question assigned to him or her, s/he can reassign that
question to another user who can help answer the question.
Q. Why is the CSV Import of Vendors failing?
The CSV file containing vendor information must be using UTF-8 encoding.
Most spreadsheet tools are configured with a different encoding by default. Before
you export your vendor information as a CSV file, please appropriately change the
encoding to UTF-8.
The following screenshot shows how to select the correct encoding in Microsoft
Excel.
Q. How does the Vendor Assessment section assignment work?
When a vendor is invited to take an assessment, the first collaborator becomes
the default assignee of all sections in the assessment. This is the behavior in both
the single vendor invite flow and the multiple vendor invite flow.
In the multiple vendor invite flow, only one collaborator can be added who becomes
the default assignee for all sections. More collaborators can be added subsequently
using the regular flow and section assignments can be modified. The newly added
collaborators have to be assigned at least one section.
Q. Why are Vendor risks not shown on the Risk Register?
There is a filter at the very bottom of the filter panel that can be toggled on as shown
in the picture below to show risks from vendor assessments on the dashboard. It is
toggled off by default.
Q. When does the vendor manager receive notifications on Vendor
Assessments?
In the vendor assessments, a vendor manager is sent a notification when all the
vendor collaborators submit answers to all their questions and they are ready to be
reviewed by the vendor manager.
The vendor manager himself/herself will publish the assessment when all answers
are reviewed and approved. So, no notification is sent out to the vendor manager on
publishing.
Q. Why is the publish button not enabled for publishing the assessment?
All the mandatory questions in the assessment should be answered and approved
before it is published. Please check if there are any mandatory questions that are
either not answered or answered but not approved.
Q. How is the vendor-level risk score calculated?
Securiti first sums the average assessment-level risk scores across all the
assessments tied to that vendor. Then, Securiti divides that sum by the number of
vendor assessments for that vendor. This vendor-level risk score helps you prioritize
which vendor to focus on first.