CIPT Exam Prep
CIPT Exam Glossary - 38 Terms
Search the terminology pack for Certified Information Privacy Technologist. Use these definitions with the study guide and practice questions.
A
- Access control
- Mechanisms that restrict who can view or use data and systems based on authorization rules.
- Analytics SDK
- A software development kit embedded in applications to collect usage, event, or telemetry data for analytics purposes.
- API
- Application Programming Interface; a set of rules and endpoints enabling software systems to exchange data and functions.
- API gateway
- An intermediary service that manages, routes, authenticates, and monitors API traffic between clients and backend services.
- Automated regression testing
- Repeated automated testing used to detect unintended changes or reintroduced defects after updates or patches.
C
- Context of collection
- The circumstances and expectations surrounding how data was originally obtained and intended to be used.
D
- Data inventory
- A structured record of data assets, including what data exists, where it resides, and how it is used.
- Data lineage
- Documentation of data origins, transformations, movement, and destinations across systems.
- Data minimization
- A principle requiring collection and use of only the data necessary for a defined purpose.
- Data-flow map
- A diagram or record showing how data moves between systems, services, actors, and regions.
- Deletion request
- A request from an individual or authority to remove personal data from systems and repositories.
- Development life cycle
- The structured sequence of phases through which software is planned, designed, built, tested, deployed, and maintained.
- Documented instructions
- Formal, recorded directions from a controller or customer specifying how a processor may handle personal data.
- Downstream use
- Subsequent use, sharing, resale, or aggregation of data beyond the original collector or initial context of collection.
E
- Enterprise data lake
- A centralized repository used to store and analyze large volumes of structured and unstructured data from many sources.
- Ephemeral identifiers
- Short-lived identifiers designed to reduce persistent tracking of individuals or devices over time.
F
- Facial recognition
- A biometric technology that identifies or verifies individuals using facial features extracted from images or video.
- Field-level authorization
- Access control that determines whether a user or client may view or modify specific data fields within a record.
I
- Insecure direct object reference (IDOR)
- A security flaw where a user can access another object or record by manipulating an identifier without proper authorization checks.
K
- Keystroke capture
- The recording of characters typed by a user, including text that may not ultimately be submitted.
L
- Lead-scoring model
- An analytics or machine learning model used to rank potential customers based on predicted sales value or likelihood to convert.
- Least privilege
- A security and privacy principle giving users only the minimum access necessary to perform their tasks.
M
- Mobile client
- A mobile application or device that consumes data or services from a backend system or API.
N
- Necessity and proportionality
- A privacy assessment standard asking whether a data practice is needed for the goal and appropriately limited in intrusiveness.
- Need-to-know
- An access principle limiting data access to individuals who require it to perform their duties.
P
- Privacy acceptance criteria
- Defined privacy requirements that must be satisfied before a feature, system, or API is considered ready.
- Privacy by design
- An engineering approach that embeds privacy requirements into systems and processes from the earliest stages of development.
- Processor
- An entity that processes personal data on behalf of another organization, typically under contractual instructions.
- Profiling
- Automated processing of personal data to evaluate, analyze, or predict aspects of an individual’s behavior or status.
- Proxy variables
- Data attributes that indirectly stand in for sensitive or protected characteristics and may create fairness or privacy risks.
- Purpose limitation
- A privacy principle requiring personal data to be used only for specific, explicit, and legitimate purposes.
R
- Role-based access control (RBAC)
- An authorization model that grants permissions based on a user’s organizational role.
S
- Sensitive personal data
- Personal data that presents elevated privacy risk if disclosed or misused, such as disability-accommodation records or precise location data.
- Session replay
- A monitoring technique that records user interactions within a web or mobile session for analysis or debugging.
- Subprocessor
- A third party engaged by a vendor or processor to assist in processing personal data.
T
- Transformed identifiers
- Identifiers that have been modified, masked, tokenized, or otherwise altered to reduce direct identifiability.
V
- Voice samples
- Audio-derived biometric or personal data collected from an individual’s speech.
W
- Wi-Fi analytics
- The use of Wi-Fi signal observations to measure presence, movement, or traffic patterns of devices in a physical space.
About These Definitions
These definitions are loaded from the shared release pack. Use them with the study guide and practice questions to connect vocabulary to exam scenarios.