Security Stack Logo
Ethyca Fides logo

Privacy & Data Governance

Ethyca Fides

Privacy engineering platform automating DSARs with open-source core and enterprise features.

Consent and Preference Management (CPM)Privacy ManagementData Subject Request Automation

Ethyca Fides Overview

What it does

Ethyca Fides is a privacy engineering platform using an open-core model that embeds privacy compliance directly into technical infrastructure through Privacy-as-Code. Founded in 2018 by Cillian Kieran and Miguel Burger-Calderon, Ethyca takes an engineering-first approach that integrates with CI/CD pipelines, enabling developers to programmatically manage Data Subject Access Requests (DSAR), consent, and data mapping. The open-source core (Apache 2.0 license) provides self-hosted deployment, while Fides Enterprise offers cloud-hosted deployment with enhanced features, forward-deployed engineering teams, and enterprise support for organizations like New York Times, Mozilla, and Ramp.

How it works

The platform uses a machine-readable privacy taxonomy (the Fides language) to unify legal and engineering teams around shared definitions for consent, purpose, and lawful basis. Fides automates end-to-end DSAR fulfillment across hybrid cloud and on-premises environments, provides continuous data discovery and classification with ML-powered detection, orchestrates consent management, and enforces privacy policies in real-time across APIs and AI pipelines. The enterprise tier includes advanced SaaS connector integrations (700+ apps), cloud hosting, dedicated support, and deployment services.

Credentials and traction

Ethyca is used by enterprises including The New York Times, Condé Nast, Ramp, WeTransfer, SurveyMonkey, and Axios. In 2024, Ethyca donated its Fideslang taxonomy to the IAB Tech Lab, where it became the foundation of the IAB Tech Lab Privacy Taxonomy released for public comment that September.

Key Capabilities

mapped to solution categories
Consent and Preference Management (CPM)

Exposes consent management through REST APIs, enabling custom front-end consent experiences without being constrained to the vendor's UI components.

Crawls the site to discover all cookies and tracking technologies in use, categorizes them by purpose (strictly necessary, analytics, marketing), and maintains the cookie declaration.

Stores an immutable record of consent transactions (what consent was given, when, to which version of the privacy notice, from which IP and session), as required for GDPR accountability.

Implements IAB Europe TCF v2.2, encoding user consent through the TC String and Global Vendor List for CMP certification in EU programmatic advertising.

Handles GDPR opt-in, CCPA/CPRA opt-out, LGPD, and other jurisdiction-specific consent regimes from a single implementation, applying the correct consent model based on visitor geolocation.

Hosts a self-service center where individuals manage granular communication and data-use preferences over time (channels, topics, and purposes), with those choices enforced across connected systems.

Privacy Management

Discovers personal data processing activities and their associated data flows, systems, and third-party transfers: the foundation for GDPR Article 30 Records of Processing Activities.

Provides structured DPIA workflows with pre-built templates for common processing activities, routing for DPO review, and documentation of risk mitigations.

Assesses third-party processors and sub-processors against GDPR data processing agreement requirements and privacy control standards before data sharing.

Monitors updates to privacy laws and regulatory guidance across jurisdictions and maps changes to affected data processing activities and controls in the program.

Serves compliant cookie consent banners, stores granular consent by category, and integrates with analytics and ad tech platforms to enforce user consent preferences.

Captures, stores, and versions consent records with purpose, legal basis, and timestamp, providing auditable proof of consent for data processing activities.

Automates intake, identity verification, routing to data owners, and fulfillment of GDPR, CCPA, and LGPD data subject requests, access, deletion, portability, and correction.

Data Subject Request Automation

Handles data subject requests under GDPR, CCPA/CPRA, LGPD, and other privacy laws from a single intake workflow, applying jurisdiction-specific handling rules and response timeframes.

Verifies data subject identity using configurable verification methods (email OTP, ID document check, account authentication), before disclosing or deleting personal data.

Queries connected data sources (CRM, email, databases, SaaS apps) to locate personal data for a given subject, automating the data retrieval step of access and deletion requests.

Tracks regulatory response deadlines (GDPR 30-day, CCPA 45-day) per request, escalates overdue items to named owners, and generates compliance reporting.

Integrations

compatible tools
Auth0AWSAzureBigQueryDockerGCPGitHub ActionsHubSpotKubernetesMongoDBMySQLOktaPostgreSQLRedshiftSalesforceSnowflakeStripe

Implementation & support

Deployment model
CloudHybridOn-PremisesSaaS
Pricing structure
Community EditionSubscription
Support channels
Community ForumDocumentationTraining / Academy

Info last updated on May 28, 2026

Vendors

Is this your product?

Claim your profile to connect with the teams looking for your solutions.

Security Stack Logo

The curated research platform for enterprise cybersecurity solutions.

All product and company names, logos, and brands are property of their respective owners and are used on this website for identification purposes only. Security Stack does not endorse any vendor, product, or service listed, and makes no warranties, express or implied, as to the accuracy or completeness of this content, including any warranties of merchantability or fitness for a particular purpose.

© 2026 Security Stack. All rights reserved.