Compliance Officer Onboarding Guide

Welcome to Trua Cloud! This guide will help you get started as a Compliance Officer, responsible for data retention policy enforcement, audit log management, and data subject request handling.

Your Role

As a Compliance Officer (ACT-09), you are responsible for:

  • Data Retention: Monitoring the retention dashboard, granting exceptions, ensuring timely termination
  • Audit Logs: Reviewing compliance actions, investigating anomalies, generating reports
  • Data Subject Requests: Processing access, deletion, and correction requests from individuals
  • Policy Compliance: Ensuring the platform operates within regulatory requirements

Getting Started

Step 1: Account Setup

Your admin will create your account with the compliance role. Once you receive your credentials:

  1. Log in at https://cloud.trua.com/login
  2. Complete MFA setup (required for compliance role)
  3. Verify you see "Compliance" in your role badge

Step 2: Explore the Admin Dashboard

Navigate to the admin area and familiarize yourself with key sections:

Menu Item       URL                    Purpose
Data Retention  /admin/data_retention  Your primary dashboard
Audit Logs      /admin/audit_logs      Compliance action history
Invitations     /admin/invitations     View candidate submissions
Customers       /admin/customers       View relying party configurations

Step 3: Understand the Retention Dashboard

The Data Retention Dashboard (/admin/data_retention) is your primary workspace.

Dashboard Tabs

Tab                  What It Shows
Expiring Soon        Records that have received the T+60 warning and are approaching termination
Due for Termination  Records past T+90 that should be terminated
Exceptions           Active retention exceptions you or others have granted
History              Already terminated records (for audit reference)

Key Metrics

  • Expiring Soon Count: Records 60-90 days old needing attention
  • Due for Termination: Records overdue (usually 0 if job runs correctly)
  • Active Exceptions: Current extensions you've granted
  • Terminated This Month: Throughput metric

Step 4: Review Key Documentation

Read these documents to understand policies and procedures:

  1. Data Retention Policy
  2. Data Subject Request Procedures
  3. ACTORS.md - Your role definition (ACT-09)

Daily Tasks

Morning Routine

  1. Check Retention Dashboard

    • Navigate to /admin/data_retention
    • Review "Due for Termination" tab (should be empty if job ran)
    • Review "Expiring Soon" tab for awareness
  2. Check Audit Logs

    • Navigate to /admin/audit_logs
    • Filter by yesterday's date
    • Verify that the retention_warning_sent and data_terminated counts match what you expect for that day
  3. Check Email

    • Review any DSR requests received
    • Check for escalations from support team

As Needed

  • Process data subject requests (see below)
  • Grant retention exceptions when justified
  • Generate reports for leadership

Granting Retention Exceptions

When a customer or legal requirement necessitates extended retention, follow the guidance below.

When to Grant

  • Legal hold (litigation, investigation)
  • Customer contractual requirement
  • Pending data subject request
  • Regulatory inquiry

How to Grant

  1. Navigate to /admin/data_retention
  2. Find the record (search by Candidate ID or External ID)
  3. Click "View" to open details
  4. In the "Grant Exception" panel:
    • Enter a clear, specific reason
    • Set the exception end date (max 180 days from submission)
  5. Click "Grant Exception"

What Happens

  • An audit log entry is created (exception_granted)
  • The record is excluded from automatic termination
  • The exception appears in the "Exceptions" tab
  • When the exception end date is reached, the exception is revoked automatically

Handling Data Subject Requests

Receiving a DSR

When you receive an access, deletion, or correction request:

  1. Log it immediately (see DSR procedures document)
  2. Acknowledge receipt within 24 hours
  3. Verify the requester's identity

Identity Verification

Before processing any DSR:

  • Email Match: Does the request come from the same email address used for the submission?
  • Access Code: Can they provide their 4-digit code?
  • Challenge Questions: Date of submission, employer name?

Processing Requests

Access Request

  1. Locate the invitation record
  2. Export data (personal info, submission, status)
  3. Send via secure link
  4. Log completion

Deletion Request

  1. Verify identity (enhanced)
  2. Check for legal holds or exceptions
  3. Execute deletion (terminates record early)
  4. Confirm to requester
  5. Log completion

Correction Request

  1. Verify the correction is factual
  2. Make the edit via admin interface
  3. Confirm to requester
  4. Log completion

Using the Audit Log

The Audit Log (/admin/audit_logs) shows all compliance actions.

Filtering

  • Action Type: Filter by specific actions (e.g., exception_granted)
  • Date Range: Find actions in a time period
  • User: See actions by specific user or system-initiated

Exporting

Click "Export CSV" to download audit data for reporting or external analysis.

Key Actions to Monitor

Action                  What to Look For
retention_warning_sent  Should occur daily for 60-day-old records
data_terminated         Should occur daily for 90-day-old records
exception_granted       Review reasons for appropriateness
exception_revoked       Verify revocations are documented
data_subject_request_*  Track DSR volume and outcomes
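As an added example (not part of this guide or the platform's own code), the following Ruby script applies the checks in the table above to an audit-log CSV export: days on which neither job action was logged, exception grants with a missing reason or an end date past the 180-day maximum, and warned records past T+90 that were neither terminated nor covered by an active exception. The sample export is constructed, and its column layout and the submitted_at/ends_at/reason fields in the details column are assumptions rather than the platform's documented export format.

```ruby
require "csv"
require "date"
# Constructed sample in the shape of an "Export CSV" download. Column names and the
# submitted_at/ends_at/reason fields in `details` are assumptions, not the platform's schema.
SAMPLE_CSV = <<~CSV
  timestamp,action,candidate_id,user,details
  2024-05-01T02:00:00Z,retention_warning_sent,C-101,system,submitted_at=2024-03-02
  2024-05-01T02:00:00Z,retention_warning_sent,C-102,system,submitted_at=2024-03-02
  2024-05-01T02:00:05Z,data_terminated,C-050,system,submitted_at=2024-01-31
  2024-05-02T02:00:00Z,retention_warning_sent,C-103,system,submitted_at=2024-03-03
  2024-05-02T02:00:00Z,retention_warning_sent,C-104,system,submitted_at=2024-03-03
  2024-05-03T09:15:00Z,exception_granted,C-101,alice,submitted_at=2024-03-02;ends_at=2024-09-30;reason=legal hold
  2024-05-03T09:20:00Z,exception_granted,C-102,alice,submitted_at=2024-03-02;ends_at=2024-07-01;reason=
  2024-05-04T10:00:00Z,exception_granted,C-104,bob,submitted_at=2024-03-03;ends_at=2024-06-30;reason=pending DSR
  2024-05-20T10:00:00Z,exception_revoked,C-104,bob,reason=DSR closed
CSV
JOB_ACTIONS = %w[retention_warning_sent data_terminated].freeze

# Each row becomes a hash; the `details` column is split into key=value pairs.
def parse_audit_csv(text)
  CSV.parse(text, headers: true).map do |row|
    details = row["details"].to_s.split(";").to_h { |kv| k, v = kv.split("=", 2); [k, v.to_s] }
    { time: DateTime.iso8601(row["timestamp"]), action: row["action"], candidate: row["candidate_id"], details: details }
  end
end

# Days in the range with neither job action logged: DataRetentionJob may not have run.
def days_without_job_activity(rows, from, to)
  active = rows.select { |r| JOB_ACTIONS.include?(r[:action]) }.map { |r| r[:time].to_date }
  (from..to).reject { |d| active.include?(d) }.map(&:iso8601)
end

# exception_granted entries with an empty reason or an end date past 180 days from submission.
def exception_issues(rows)
  rows.select { |r| r[:action] == "exception_granted" }.filter_map do |r|
    limit = Date.iso8601(r[:details]["submitted_at"]) + 180
    next "#{r[:candidate]}: missing reason" if r[:details]["reason"].to_s.strip.empty?
    "#{r[:candidate]}: ends_at exceeds 180-day maximum (#{limit})" if Date.iso8601(r[:details]["ends_at"]) > limit
  end
end

# Warned records past T+90 with no data_terminated and no active (unrevoked, unexpired) exception.
def overdue_terminations(rows, today)
  rows.group_by { |r| r[:candidate] }.filter_map do |cid, ev|
    warned = ev.find { |e| e[:action] == "retention_warning_sent" }
    next unless warned && Date.iso8601(warned[:details]["submitted_at"]) + 90 < today
    next if ev.any? { |e| e[:action] == "data_terminated" }
    grant = ev.select { |e| e[:action] == "exception_granted" }.max_by { |e| e[:time] }
    revoked = grant && ev.any? { |e| e[:action] == "exception_revoked" && e[:time] > grant[:time] }
    cid unless grant && !revoked && Date.iso8601(grant[:details]["ends_at"]) >= today
  end
end
```

A day with no job activity is only a prompt to confirm with IT that the job ran, since a day with no 60- or 90-day-old records legitimately logs nothing.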

Permissions

As a Compliance Officer, you can:

Action                       Allowed
View retention dashboard     Yes
Grant retention exceptions   Yes
Revoke retention exceptions  Yes
View audit logs              Yes
Export audit logs            Yes
Edit invitation data         No (Admin only)
Manage users                 No (Admin only)
Configure customers          No (CRM/Admin only)

Escalation Path

When you encounter issues:

  1. Technical Issues: Contact IT support
  2. Complex DSRs: Escalate to Legal Counsel
  3. Policy Questions: Review documentation or contact Admin
  4. Regulatory Inquiries: Immediately escalate to Executive Leadership

Key Contacts

Common Questions

Q: The "Due for Termination" tab has records. What should I do?

This usually means the DataRetentionJob failed or is delayed. Contact IT to verify job status. Records should not accumulate here.

Q: A customer wants to keep data longer than 180 days.

The platform enforces a 180-day maximum. For longer retention, the customer must export and store data in their own systems before the deadline.

Q: Someone claims to be a data subject but I can't verify them.

After 3 failed verification attempts, deny the request with an explanation. Document the attempts in the ticket.

Q: How do I run the retention job manually?

You cannot run jobs directly. Contact an Admin to trigger DataRetentionJob.perform_now in the Rails console if needed.

Next Steps

  1. Complete your first dashboard review today
  2. Read the full Data Retention Policy
  3. Familiarize yourself with audit log filtering
  4. Bookmark key URLs in your browser

Welcome aboard! Your role is essential to keeping Trua Cloud compliant and trustworthy.