Describe the extent to which non-digital PI is maintained in connection with the DB/App and how deal with a need to search such records (e.g., discovery requests)

Please describe the protocol and technical solutions utilized to respond to requests, including the process of determining if retention is permitted and how that retention is maintained within only the scope of the permitted purposes

Is PI associated with the DB/App retained / deleted in accordance with a data retention policy?

Describe the data security policies and practices, including assessments and testing, that govern the DB/App

Do you wish to complete additional DDQ for another DB/APP?

Do you have a mechanism in place that offers consumers the ability to change their PI in connection with the DB/App?

Do you have a mechanism in place that offers consumers the ability to copy their PI in connection with the DB/App?

Do you have a mechanism in place that offers consumers the ability to delete their PI in connection with the DB/App?

Are you confident that by January 1, 2020 you will be able to enable consumers to access and copy each and every piece of PI about them associated with the DB/App under your control (including with vendors)?

Do you, or will you, sell (which means to provide for consideration, even non-monetary) or otherwise share PI associated with the DB/App with others for any purpose other in connection with the services relationships described in previous questions?