If you've added Privacy or Processing Integrity criteria to your Drata Starter audit, here's how to understand the evidence needed for your controls.
By this stage of our Drata Playbook, you should have connected your systems, generated and uploaded your policies, worked through most of your Security controls, and if you're doing a Type 2 audit, uploaded the few population items. Now it's time to move on to the Privacy or Processing Integrity section of the audit checklist!
The audit items for these criteria are described in the tables below, including their ID reference in Drata's Controls menu. The requirement column explains the expected audit evidence. We know this can look different for every organisation. The idea here is to provide the evidence that demonstrates how you do it.
These items require manually adding evidence into Drata, using either of the two actions below. As long as the evidence is linked to the control ID, either action is acceptable.
1. Evidence Library: In Drata's Evidence Library menu, click "Add Evidence", fill in the required details and link it to the relevant control ID(s) in Drata.
2. Map external evidence: When you click into each control, you can add files or URLs with the relevant documentation.
Processing Integrity
Title | Ref | Requirement | Examples |
Data flow documentation | DCF-21/ DCF-22 | Evidence of documented information sources or data flows to clearly establish and communicate the use of data in relation to the system(s) and service(s). | Data flow diagrams, system architecture, network diagram, process flowcharts, operating procedures |
Systematic data validation checks | DCF-110/ DCF-111 | Evidence of system configured data validation checks applied to input data for syntax, value tolerances or mandatory fields | Screenshots of configurations, documentation of system designed validation checks |
Information processing objectives | DCF-32 | Evidence of documented information processing objectives | Internal page (intranet), information security policy (if included) |
Risk assessment of processing objectives | DCF-16 | The latest completed risk assessment covering processing objectives | Risk register, meeting minutes, risk report |
Processing integrity policies and procedures | DCF-32 | Defined policies or procedures that set out the responsibilities and requirements to ensure data inputs, processing and outputs are complete, accurate and timely to meet the objectives | System and Information Integrity Policy, procedure document, Information security policy (if included) |
Register of critical data variables | DCF-102 | Register, inventory or mapping of the critical data variables necessary to support the system processing objectives | System data variable spreadsheet |
Data register classifications and details | | | |
Management review of the data register | | Evidence of review of the data register | Meeting minutes, memo, edit history |
Review of system outputs | DCF-155 | Evidence of system output test required as a part of change management process or other evidence of system outputs being reviewed for completeness/accuracy | Test cases, procedure document |
Data processing error communications | DCF-82 | Evidence of data processing errors logged (we'll select a sample for evidence of communications to users of the system) | Ticketing system report, log, screenshots |
Logging of data processing errors | | Evidence of communications to users of the system for data processing errors (we'll select a sample from the log you provide above) | Notification email, website notice, other communications |
User documentation of information processing | DCF-66 | User documentation communicating processing objectives, product/service specifications, descriptions of data processed, troubleshooting guidance, and/or data validation responsibilities | Standard terms of service (website), service agreement, contract, user guide |
System boundaries for data protection | DCF-21 | Evidence to demonstrate data is maintained within the system boundaries by design | Architectural diagram, system diagram, data handling policies |
Job schedule failures | DCF-80 | Evidence of automated alerts being used for job schedule monitoring | Configuration screenshot, example automated email/message notification |
Resolution of job schedule failures | | Evidence of job schedule failures logged (we'll select a sample for evidence of resolution) | System log |
Job schedule change approvals | DCF-6 | Evidence of job schedule changes (we'll select a sample for evidence of the change management process) | Logs |
Failed backup alerts | DCF-99, DCF-98 | Evidence of automated alerts being used for backup monitoring | Configuration screenshot, example automated email/message notification |
Privacy
* Applicable to Data Processors only
Title | Ref | Requirement | Examples |
Privacy policy purpose and use | DCF-65, DCF-115 | Documented privacy policy and supporting procedures (if applicable) | Privacy policy or other policies or documentation |
Communication of the privacy policy | DCF-112, DCF-114 | Evidence of how the privacy policy is communicated to data subjects | Screenshots, emails, links or other evidence |
Communication of changes to the privacy policy | DCF-112, DCF-113, DCF-114 | Evidence of the latest communication for changes to the privacy policy | Screenshots, emails, links or other evidence |
Basis of processing personal data | DCF-117, DCF-121 | Documentation of the basis of processing personal data (e.g. consent by data subjects, contract performance requirements, processing required to comply with legal obligation, etc.) | Privacy policy or other policies or documentation |
Privacy policy third-party processors | DCF-115 | Disclosure on the use of third parties or sub-processors of the personal data | Privacy policy or other policies or documentation |
Implicit and explicit consent | DCF-115 | Evidence of determining when explicit versus implicit consent is required for data collection and processing | Privacy policy or other policies or documentation |
Consent from data subjects | DCF-112, DCF-116 | Evidence of consent from data subjects prior to data collection or processing | Contract, terms and conditions or other documentation |
Opportunity to withdraw consent | DCF-112, DCF-114 | Evidence of documented rights for data subjects to withdraw consent | Privacy policy or other policies or documentation |
Data controller permission for new sub-processors | DCF-115 | Evidence of Data Controller permission for new sub-processors (we'll select a sample from the vendors list) | Contract, consent document, addendum or other documentation |
Consent for sharing data with sub-processors | DCF-115, DCF-116 | Evidence of consent from data subjects prior to sharing their personal data with third parties | Contract, terms and conditions or other documentation |
Contract terms with sub-processors | DCF-132, DCF-133 | Evidence of privacy requirements agreed with sub-processors (we'll select a sample from the vendors list) | Formal contracts with privacy requirements |
Established responsibilities for privacy | DCF-115 | Documentation and communication of the defined privacy responsibilities | Privacy policy or other policies or documentation |
Employee security | DCF-37, DCF-119 | Documented policy with requirements for employee security practices | Acceptable use policy, privacy policy or other policies |
Employee privacy training | DCF-36 | Evidence of privacy training for employees (we'll select a sample from the employee list) | Training records, certificates or other evidence of completed privacy training |
Disposal of personal data | DCF-122, DCF-123 | Documented data disposal procedures for secure disposal/erasure of personal data | Data handling policy, privacy policy or other documentation |
Defined procedures for handling requests from the Data Controller | DCF-16 | Documented privacy request processes and procedures for handling requests from the Data Controller | Privacy policy or other policies or documentation |
Defined procedures for handling privacy requests | DCF-122, DCF-125, DCF-126 | Documented privacy request processes and procedures for handling requests from data subjects | Privacy policy or other policies or documentation |
Denied privacy requests handling | DCF-141 | Evidence of denied privacy requests with evidence of notification to data subjects | List or log of denied privacy requests, notification of request result |
Data subject access to modify data | DCF-125, DCF-126 | Evidence of data subjects' access to review, correct, amend or append their own personal data | Screenshots, system documentation or other evidence |
Personal data request authentication | DCF-124 | Evidence of data subject requests/disclosures and defined authentication practices to verify the identity and appropriateness of requests from data subjects (we'll select a sample of the requests) | Identity and security checks performed for samples |
Defined procedures for privacy requests | DCF-125 | Evidence of communication of personal data to data subjects (we'll select a sample of data disclosures from the log in DCF-141) | Email communication, automated messages, confirmation of letters sent or other evidence |
Tracking of privacy requests and disclosures | DCF-141 | Evidence of formally tracking privacy events such as data subject information requests, personal data disposals, authorized disclosures, disclosures to third parties, etc. | Log, register or other tracking of privacy events |
Data breach notifications to the Data Controller* | DCF-131, DCF-135, DCF-134 | Evidence of a defined process for identification, assessment and reporting data breaches to Data Controllers | Documented data breach handling policies and procedures |
Data breach notification procedures | DCF-131, DCF-135, DCF-134 | Evidence of a defined process for identification, assessment and reporting data breaches to impacted data subjects and authorities | Documented data breach handling policies and procedures |
Data breach response plans | DCF-131, DCF-135 | Evidence of predefined plans with responsibilities, contacts and key steps for handling breaches | Data breach response plans |
Personal data processing scope | DCF-113, DCF-120, DCF-142 | Evidence that the personal data processing scope has been assessed and tracked | Log, listing or register of personal data processing activities or defined and documented scope |
Privacy impact assessment | DCF-16 | The most recent privacy impact assessment | Meeting minutes, documented assessment, outputs, outcomes or other evidence |
Personal data risk assessment | DCF-16 | Evidence of personal data risk assessment performed | Completed risk assessment including evidence of considering privacy related requirements and risks |
Annual review of privacy policy, notices and activities | DCF-113, DCF-120, DCF-142 | Evidence of annual review of privacy policy, notices and activities | Meeting minutes, documentation with evidence of updates, documented review or other evidence |
Privacy policy contact methods | DCF-139 | Evidence of contact methods and contact details for customers to raise privacy requests or ask for more information | Privacy policy or other policies or documentation |
Annual vendor risk assessment | DCF-56, DCF-57, DCF-16 | Evidence of periodic vendor risk assessment | The completed vendor risk assessment for current vendors |
Vendor register | DCF-56 | Evidence of identifying sub-processors | Vendor registers |
Risk assessment of new vendors | DCF-56 | Evidence of risk assessment for new vendors (we'll select a sample of new vendors) | The completed risk assessments for the new vendors sampled |