CIPT Exam Prep

CIPT Exam Glossary - 38 Terms

Terminology pack for the Certified Information Privacy Technologist (CIPT) exam. Use these definitions with the study guide and practice questions.

A

Access control
Mechanisms that restrict who can view or use data and systems based on authorization rules.
Analytics SDK
A software development kit embedded in applications to collect usage, event, or telemetry data for analytics purposes.
API
Application Programming Interface; a set of rules and endpoints enabling software systems to exchange data and functions.
API gateway
An intermediary service that manages, routes, authenticates, and monitors API traffic between clients and backend services.
Automated regression testing
Repeated automated testing used to detect unintended changes or reintroduced defects after updates or patches.

C

Context of collection
The circumstances and expectations surrounding how data was originally obtained and intended to be used.

D

Data inventory
A structured record of data assets, including what data exists, where it resides, and how it is used.
Data lineage
Documentation of data origins, transformations, movement, and destinations across systems.
Data minimization
A principle requiring collection and use of only the data necessary for a defined purpose.
Data-flow map
A diagram or record showing how data moves between systems, services, actors, and regions.
Deletion request
A request from an individual or authority to remove personal data from systems and repositories.
Development life cycle
The structured sequence of phases through which software is planned, designed, built, tested, deployed, and maintained.
Documented instructions
Formal, recorded directions from a controller or customer specifying how a processor may handle personal data.
Downstream use
Subsequent use, sharing, resale, or aggregation of data beyond the original collector or initial context of collection.

E

Enterprise data lake
A centralized repository used to store and analyze large volumes of structured and unstructured data from many sources.
Ephemeral identifiers
Short-lived identifiers designed to reduce persistent tracking of individuals or devices over time.

F

Facial recognition
A biometric technology that identifies or verifies individuals using facial features extracted from images or video.
Field-level authorization
Access control that determines whether a user or client may view or modify specific data fields within a record.

I

Insecure direct object reference (IDOR)
A security flaw where a user can access another object or record by manipulating an identifier without proper authorization checks.

K

Keystroke capture
The recording of characters typed by a user, including text that may not ultimately be submitted.

L

Lead-scoring model
An analytics or machine learning model used to rank potential customers based on predicted sales value or likelihood to convert.
Least privilege
A security and privacy principle giving users only the minimum access necessary to perform their tasks.

M

Mobile client
A mobile application or device that consumes data or services from a backend system or API.

N

Necessity and proportionality
A privacy assessment standard asking whether a data practice is needed for the goal and appropriately limited in intrusiveness.
Need-to-know
An access principle limiting data access to individuals who require it to perform their duties.

P

Privacy acceptance criteria
Defined privacy requirements that must be satisfied before a feature, system, or API is considered ready.
Privacy by design
An engineering approach that embeds privacy requirements into systems and processes from the earliest stages of development.
Processor
An entity that processes personal data on behalf of another organization, typically under contractual instructions.
Profiling
Automated processing of personal data to evaluate, analyze, or predict aspects of an individual’s behavior or status.
Proxy variables
Data attributes that indirectly stand in for sensitive or protected characteristics and may create fairness or privacy risks.
Purpose limitation
A privacy principle requiring personal data to be used only for specific, explicit, and legitimate purposes.

R

Role-based access control (RBAC)
An authorization model that grants permissions based on a user’s organizational role.

S

Sensitive personal data
Personal data that presents elevated privacy risk if disclosed or misused, such as disability-accommodation records or precise location data.
Session replay
A monitoring technique that records user interactions within a web or mobile session for analysis or debugging.
Subprocessor
A third party engaged by a vendor or processor to assist in processing personal data.

T

Transformed identifiers
Identifiers that have been modified, masked, tokenized, or otherwise altered to reduce direct identifiability.

V

Voice samples
Audio-derived biometric or personal data collected from an individual’s speech.

W

Wi-Fi analytics
The use of Wi-Fi signal observations to measure presence, movement, or traffic patterns of devices in a physical space.
