The DROP workflow, operationalized end-to-end.
DROPShield turns the California Delete Act's recurring obligations into a structured, audit-ready operating system for your privacy and compliance team.
1. Import or receive deletion request list
Securely ingest the CPPA DROP list via signed API, SFTP, or scheduled import on every 45-day cycle. Hashed identifiers only — never raw PII in transit.
- Scheduled cycle ingestion
- Signed payload verification
- Identifier-only data model
2. Match identifiers against internal systems
Deterministic and probabilistic matching against your CRM, warehouse, marketing stack, and identity graph. Every match is logged with confidence.
- Hashed email / phone matching
- Deterministic & probabilistic
- Confidence scoring + thresholds
3. Create deletion & suppression tasks
Auto-generate deletion tasks with owners, SLAs, and approval gates. Persistent suppression prevents re-ingestion on future data loads.
- SLA timers per request
- Approval workflows
- Persistent suppression list
4. Route requests to vendors & service providers
Dispatch deletion instructions to downstream processors via API, email, or webhook. Track acknowledgments and escalate stalled vendors.
- Native vendor connectors
- Email-based fallback
- Acknowledgment tracking
5. Export audit-ready evidence
Generate immutable evidence packs with hashes, timestamps, and chain of custody — formatted for CPPA inquiries and internal audit.
- Immutable cryptographic logs
- Per-cycle evidence packs
- PDF + CSV exports
A platform privacy teams can defend in front of the CPPA.
SOC 2 architecture
Designed to SOC 2 Type II controls. Customer-managed encryption available on Enterprise.
US-only data residency
All processing in US regions. No cross-border data movement, ever.
Identifier-only model
We work in hashes. We don't store raw consumer PII — your data stays in your stack.