Subject downloads themselves. No human in the loop.

The DSAR ten-stage lifecycle

From public submission to regulatory evidence package, every DSAR moves through the same ten stages. Each stage logged. Each transition signed. The full timeline reproducible on demand.

1. Intake — subject submits via the public privacy center. Tracking number generated; auto-acknowledgement sent.
2. Verification — identity verification through tenant-configurable workflow.
3. Assignment — request routed to DPO or designated handler; SLA clock starts.
4. Datastore discovery — automated search across catalogued datastores using encrypted identity keys.
5. Vendor sub-requests — for vendors holding subject data, downstream sub-requests dispatched via the vendor portal.
6. Compilation — results assembled into a structured response package.
7. Review — multi-reviewer decision tracked separately; tie-breakers preserved.
8. Delivery — secure delivery via the privacy center; subject downloads their own data.
9. Appeal — formal channel for denied requests with documented rationale.
10. Regulatory evidence package — the full timeline, every action, every reviewer signature, bundled for the regulator.

Six request types. One workflow.

Access (GDPR Art. 15, CCPA), Erasure (Right to be Forgotten, GDPR Art. 17), Portability (GDPR Art. 20), Rectification (GDPR Art. 16), Restriction (GDPR Art. 18), and Objection (GDPR Art. 21) all run through the same engine. Do-Not-Sell and CCPA opt-out variations handled through the export adapter rather than separate workflows.

SLA management with jurisdictional awareness

30 days for GDPR Article 15 / 17 / 20 / 16 / 18 / 21. 15 business days for CCPA Do-Not-Sell. Shorter SLAs supported for jurisdictions with stricter timelines.

The status board surfaces SLA risk in real time:

• 🟢 Green — more than 14 days remaining. Assignee notified.
• 🟡 Amber — 7 to 14 days remaining. Manager escalation.
• 🔴 Red — 3 to 7 days remaining. DPO escalation.
• ⛔ Breached — at or past deadline. All-hands flag, regulator-facing audit entry.

No barriers to submission

Requiring account creation to submit a DSAR is an unlawful barrier in most jurisdictions and an actively enforced one in others. Verisq's privacy center requires only an email address. Identity verification happens after submission, not as a gate to it.

"Download my data" without an engineer

The most common DSAR — Article 15 access — fulfils automatically for catalogued datastores. Discovery executes against the inventory. Compilation produces a structured response package. Subject downloads via the privacy center. No engineer ticket. No production query. No compliance-vs-engineering negotiation.

Erasure and rectification require operator confirmation through the deletion runbook — retention policy and legal-hold constraints honoured before any change executes. Sensitive-category deletions surface for explicit operator approval; marketing-class data eligible for streamlined auto-deletion.