Compliance Fields

Understand the data classification, SOC 2, DPA, and risk level fields on every tool.

Every tool in ToolTrack AI includes a set of compliance and risk fields that help your organization track vendor security posture and data handling practices. These fields are optional but strongly recommended: a tool with blank compliance fields has an unknown risk, not a low one, so treat empty fields as a gap to close rather than as a pass.

Data Classification

This field describes the sensitivity of the most sensitive data the tool processes, stores, or can access. Classify by the worst case the tool is permitted to see, not by how it is typically used:

  • Public -- Information that can be freely shared outside the organization (e.g., marketing content).
  • Internal -- General business data intended for internal use only (e.g., project plans).
  • Confidential -- Sensitive business data with limited access that is not itself subject to a specific regulatory regime (e.g., financial records, contracts, aggregate customer data).
  • Restricted -- Highly sensitive data subject to strict regulatory or contractual controls (e.g., personal data under GDPR, health records under HIPAA, payment card data under PCI DSS).

Choosing the correct classification helps your team make informed decisions about which tools are appropriate for specific workflows. In particular, a tool rated Restricted should not be used in a workflow unless its SOC 2 and DPA fields support that use.

SOC 2 Status

Indicates whether the tool vendor has completed a SOC 2 audit. SOC 2 is an attestation report issued by an independent auditor against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy); security is the only criterion every report must cover, so check which criteria and which services are actually in scope. A Type II report covers controls operating over a period of time and is the one to ask for; a Type I report only describes controls at a single point in time.

  • Compliant -- The vendor has a current SOC 2 report. Reports cover a fixed audit period, so record the report date and treat a report older than about a year as stale.
  • Non-Compliant -- The vendor does not have a SOC 2 report.
  • In Progress -- The vendor is working toward SOC 2 compliance.
  • Not Applicable -- SOC 2 is not relevant for this tool (e.g., software you run entirely on your own infrastructure, where the vendor never handles your data).

DPA Status

Tracks whether a Data Processing Agreement is in place with the vendor. A DPA is often required by privacy regulations; under GDPR (Article 28), for example, a written contract with defined terms is required whenever a vendor processes personal data on your behalf.

  • Signed -- A DPA has been executed.
  • Not Signed -- No DPA is in place.
  • Not Required -- The tool does not process personal data in a way that requires a DPA.

If the Data Classification field is Restricted because the tool handles personal data, a DPA status of Not Required is almost certainly wrong and should be reviewed.

Risk Level

An overall risk assessment for the tool, taking into account data sensitivity, vendor compliance, and organizational impact. The Risk Level is a judgement, not a calculation, but it should be consistent with the other fields: a tool that handles Restricted data with no SOC 2 report and no DPA should not be rated Low.

  • Low -- Minimal risk; suitable for general use.
  • Medium -- Moderate risk; standard review recommended.
  • High -- Elevated risk; requires additional controls or approval.
  • Critical -- Highest risk; requires executive-level approval and ongoing monitoring.

Keeping Compliance Data Current

Review compliance fields regularly -- especially after vendor contract renewals, changes in how a tool is used, or a vendor security incident. SOC 2 reports and DPAs both go stale: a report covers a fixed audit period, and a DPA may not cover new sub-processors or new data flows. Outdated compliance information can lead to incorrect risk assessments.