
Privacy & Data Governance
Ethyca Fides
Privacy engineering platform automating DSARs with open-source core and enterprise features.
Ethyca Fides Overview
What it does
Ethyca Fides is a privacy engineering platform using an open-core model that embeds privacy compliance directly into technical infrastructure through Privacy-as-Code. Founded in 2018 by Cillian Kieran and Miguel Burger-Calderon, Ethyca takes an engineering-first approach that integrates with CI/CD pipelines, enabling developers to programmatically manage Data Subject Access Requests (DSAR), consent, and data mapping. The open-source core (Apache 2.0 license) provides self-hosted deployment, while Fides Enterprise offers cloud-hosted deployment with enhanced features, forward-deployed engineering teams, and enterprise support for organizations like New York Times, Mozilla, and Ramp.
How it works
The platform uses a machine-readable privacy taxonomy (the Fides language) to unify legal and engineering teams around shared definitions for consent, purpose, and lawful basis. Fides automates end-to-end DSAR fulfillment across hybrid cloud and on-premises environments, provides continuous data discovery and classification with ML-powered detection, orchestrates consent management, and enforces privacy policies in real-time across APIs and AI pipelines. The enterprise tier includes advanced SaaS connector integrations (700+ apps), cloud hosting, dedicated support, and deployment services.
Credentials and traction
Ethyca is used by enterprises including The New York Times, Condé Nast, Ramp, WeTransfer, SurveyMonkey, and Axios. In 2024, Ethyca donated its Fideslang taxonomy to the IAB Tech Lab, where it became the foundation of the IAB Tech Lab Privacy Taxonomy released for public comment that September.
Key Capabilities
mapped to solution categoriesExposes consent management through REST APIs, enabling custom front-end consent experiences without being constrained to the vendor's UI components.
Crawls the site to discover all cookies and tracking technologies in use, categorizes them by purpose (strictly necessary, analytics, marketing), and maintains the cookie declaration.
Stores an immutable record of consent transactions (what consent was given, when, to which version of the privacy notice, from which IP and session), as required for GDPR accountability.
Implements IAB Europe TCF v2.2, encoding user consent through the TC String and Global Vendor List for CMP certification in EU programmatic advertising.
Handles GDPR opt-in, CCPA/CPRA opt-out, LGPD, and other jurisdiction-specific consent regimes from a single implementation, applying the correct consent model based on visitor geolocation.
Hosts a self-service center where individuals manage granular communication and data-use preferences over time (channels, topics, and purposes), with those choices enforced across connected systems.
Discovers personal data processing activities and their associated data flows, systems, and third-party transfers: the foundation for GDPR Article 30 Records of Processing Activities.
Provides structured DPIA workflows with pre-built templates for common processing activities, routing for DPO review, and documentation of risk mitigations.
Assesses third-party processors and sub-processors against GDPR data processing agreement requirements and privacy control standards before data sharing.
Monitors updates to privacy laws and regulatory guidance across jurisdictions and maps changes to affected data processing activities and controls in the program.
Serves compliant cookie consent banners, stores granular consent by category, and integrates with analytics and ad tech platforms to enforce user consent preferences.
Captures, stores, and versions consent records with purpose, legal basis, and timestamp, providing auditable proof of consent for data processing activities.
Automates intake, identity verification, routing to data owners, and fulfillment of GDPR, CCPA, and LGPD data subject requests, access, deletion, portability, and correction.
Handles data subject requests under GDPR, CCPA/CPRA, LGPD, and other privacy laws from a single intake workflow, applying jurisdiction-specific handling rules and response timeframes.
Verifies data subject identity using configurable verification methods (email OTP, ID document check, account authentication), before disclosing or deleting personal data.
Queries connected data sources (CRM, email, databases, SaaS apps) to locate personal data for a given subject, automating the data retrieval step of access and deletion requests.
Tracks regulatory response deadlines (GDPR 30-day, CCPA 45-day) per request, escalates overdue items to named owners, and generates compliance reporting.
Integrations
compatible toolsImplementation & support
Info last updated on May 28, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.