DSAR software · Buyer guide

Choose the workflow that survives a real request.

DSAR software should do more than open a ticket. It should show what was requested, where the data was found, what remains uncertain, who approved the response and what evidence was retained.

A practical definition

DSAR software is case infrastructure.

It connects a legal request to the operational evidence and decisions needed for a response. The best buying test is not the number of rights or connectors on a feature grid. It is whether one real request can move from intake to approved output without losing context.

DSAR is commonly used for a data subject access request. Some products use it more broadly for data subject rights requests. Trace names the right explicitly in each case so an access request is not confused with erasure, rectification or another right.

The GDPR gives individuals a right of access in Article 15. Article 12 sets general conditions for facilitating rights and responding. A tool may structure that work, but the controller remains accountable for the response and any case-specific decisions.

Eight buying questions

Look past the intake form.

A polished portal is useful only if the underlying case can survive source gaps, reviewer questions and a later audit.

01 / INTAKE

Can it preserve the original request?

Channel, wording, received time, request type and later scope changes should remain visible.

02 / IDENTITY

Can it record proportional verification?

Identity state, rationale and customer action should be explicit—not a generic “verified” switch.

03 / SOURCES

Can it prove coverage?

The case should show which sources were checked, by what identifier and with what limitation.

04 / ACCESS

Can credentials stay narrow?

Ask about read-only methods, time limits, customer-run queries and immediate revocation.

05 / REVIEW

Can people own decisions?

Third-party data, exemptions, retention and final wording need a documented approval boundary.

06 / OUTPUT

Is the response usable?

Exports need context, clear source grouping, a response draft and a secure delivery plan.

07 / HISTORY

Does the timeline reflect reality?

Record events and decisions without implying cryptographic immutability unless it exists.

08 / RETENTION

Can case data be removed?

Retention, deletion, backups and evidence requirements need agreed, controllable rules.

Software, service or consultancy

The operating model matters.

Self-serve platform

A platform may suit a mature privacy-operations team that can configure integrations, write procedures and own every case. Check how much implementation is hidden behind the licence.

Privacy consultancy

A consultancy can provide case-specific judgement and advice. It may not maintain repeatable source retrieval or a product-level audit trail unless that work is explicitly in scope.

Trace’s proposed managed model

Trace combines a configured operational workflow with a concierge first case. It aims to assemble evidence and drafts consistently while preserving an authorised human decision boundary. Reviewer qualifications and availability are not assumed; they must be confirmed for each accepted pilot.

Not yet a software licence: pricing, integrations and the 24-hour pack are hypotheses offered only after scope and delivery readiness are confirmed. Applying does not create a contract and no checkout is active.

Before the shortlist

Straight answers about Trace.

This site distinguishes the intended product from what an early concierge pilot can responsibly deliver now.

What is DSAR software?
DSAR software supports the operational handling of data subject rights requests. Useful systems coordinate intake, deadlines, identity status, source discovery, evidence collection, review, response and records of the work. Software does not transfer the controller’s legal responsibility.
Is Trace self-serve DSAR software?
Not today. Trace is validating a managed, early-access service in which the workflow is configured with the customer and the first accepted request is handled as a concierge pilot. The interfaces shown on this site are prototypes unless labelled otherwise.
Does Trace automate deletion?
No automated-deletion capability is claimed. A deletion request can require retention and legal decisions. Trace may prepare a source-by-source action plan, but any deletion method and approval boundary must be agreed for the pilot.
How should we compare DSAR tools?
Test the real path from one request to approved response. Ask how the tool handles identity uncertainty, source gaps, third-party data, reviewer decisions, access revocation, retention and evidence of what actually happened.

A controlled first request

Test DSAR software with one scoped request—not a feature checklist.

Apply for a concierge pilot. Trace will confirm source access, reviewer capacity, terms and the proposed output before any live data or payment changes hands.