YOUR OWN DATA ARCHITECTURE
First-Party Data & Measurement Architecture
sGTM, Conversion API, BigQuery/Snowflake data lake, Consent Mode v2 + TCF 2.2, identity resolution and reverse ETL — the data infrastructure of brands that win in the post-third-party-cookie world, built with first-principles engineering discipline.
This isn't the era when the pixel died; it's the era when data ownership became mandatory — infrastructure is an engineering discipline, not plug-and-play SaaS.
With Consent Mode v2, iOS 17 ATT, Chrome cookie changes and TCF 2.2, the signal reaching ad platforms has eroded by 40-60% on average. Most brands responded by stitching together parallel data lakes across multiple SaaS tools — each with its own ID, its own consent interpretation, its own event schema. Roibase's first-party data operation removes this fragmentation through six principles; every principle is an engineering standard, not a SaaS product.
Roibase perspective
METHODOLOGY
AUDIT to DESIGN to DEPLOY to VALIDATE to GOVERN to HANDOFF — engineering discipline
Data architecture is not a tag management project; it's a long-lived platform. A six-stage process makes every decision written, testable, and transferable.
01
01
AUDIT
Audit of current client-side GTM, GA4, pixels, CMP, consent implementation, data flow and cost visibility; signal loss, consent violations and data duplication are quantified.
02
02
DESIGN
Event taxonomy, identity strategy, consent policy, warehouse architecture and data contracts are designed; stakeholder approval (legal, IT, marketing, data) is secured.
03
03
DEPLOY
sGTM container, CAPI endpoints, Consent Mode v2 configuration, warehouse streaming and dbt models go live; blue/green deployment reduces risk.
04
04
VALIDATE
Shadow mode + dual tracking run old and new architecture in parallel; no cutover until event parity reaches 99%+; QA checklist covers 120+ items.
05
05
GOVERN
Schema registry, PII tagging, retention, RBAC, audit log and compliance reports go live; a data governance council convenes on a monthly cadence.
06
06
HANDOFF
Three weeks of hands-on training for your team + runbook + 6 months of async support; critical alert rotation and SLA contract handed over in writing.
— COMPARISON
In-house vs SaaS-dependent agency vs Roibase data engineering
The concrete difference three approaches make on data ownership, consent compliance, engineering depth and total cost.
| Dimension | In-house minimal | SaaS-dependent agency | Roibase engineering |
|---|---|---|---|
| Data ownership | Fragmented (every tool its own DB) | With the SaaS vendor | In your own warehouse |
| sGTM + CAPI | Partial (client-only) | None or vendor-managed | On your own infrastructure, full ownership |
| Consent Mode v2 + TCF 2.2 | Basic integration | Pre-set CMP, no customization | Written policy + legal review + tests |
| Identity resolution | None or email-only | Vendor black-box | Deterministic + probabilistic, open model |
| PII governance + audit log | Ad-hoc | Contractual, not operational | Runbook + monthly compliance report |
| Data contracts + schema registry | None | Bound to SaaS schema | Versioned, testable, owned |
| Reverse ETL + activation | Manual CSV | SaaS-locked | Warehouse-native, free choice |
| Total annual cost | 50-120k€ (fragmented SaaS) | 120-250k€ (agency + licenses) | 80-180k€ (setup + warehouse) |
PROOF
Outcomes, measured
+45%
Signal recovery
Recovering unattributed conversions after iOS 14+/ATT through sGTM + CAPI.
94%
Consent compliance rate
Acceptable consent state distribution after TCF 2.2 + Consent Mode v2.
12
Tool consolidation
Typical number of separate data/analytics SaaS tools consolidated per customer.
€0
Monthly data license cost
In your own warehouse — only query + storage cost; no SaaS per-seat fee.
8
Weeks to deploy
Typical mid-market timeline from audit to live shadow mode.
99.8%
Event delivery rate
Average event delivery success after sGTM + CAPI dual-path.
WHAT WE DO
Engagement scope
Every offering is an outcome-based work package. Roibase blends strategy and execution inside a single team — no hand-offs.
01 / 10
Server-side GTM (sGTM)
Your own sGTM container on Google Cloud Run / AWS Fargate: data ownership is yours, no vendor lock-in, client load drops; PII redaction happens on the server.
02 / 10
Consent Mode v2 + TCF 2.2
IAB TCF 2.2 compliant CMP integration, dynamic propagation of ad_user_data + ad_personalization signals based on consent state; KVKK/GDPR 'legal basis' separation backed by written policy.
03 / 10
Conversion API (CAPI)
Server-side conversion events for Meta, Google, TikTok, Pinterest; hashed PII + event deduplication; 30-50% signal recovery and iOS 14+/ATT compliance.
04 / 10
BigQuery / Snowflake data lake
Raw event streaming + dbt models + semantic layer + Looker Studio/Metabase/Looker visualization; partition + clustering + cost optimization included.
05 / 10
Identity resolution
Deterministic (login, email hash) + probabilistic (device fingerprint, household) identity graph; a single user identity for cross-device journeys and cross-channel attribution.
06 / 10
CDP readiness
Segment / RudderStack / mParticle integration, or warehouse-native CDP (Census, Hightouch) reverse ETL pipelines; CDP selection made through independent evaluation.
07 / 10
Reverse ETL & activation
Automated push of computed segments (churn risk, LTV tier, product affinity) to Meta Custom Audience, Google Customer Match, Klaviyo, HubSpot, Braze.
08 / 10
Customer Match rebuild
Lookalike + retargeting rebuilt with hashed PII + CAPI; infrastructure that preserves ad platform performance in a pixel-less world.
09 / 10
Schema registry + PII governance
Event schema is versioned and testable; PII fields are tagged, retention + masking policy enforced; schema drift alerts for data quality monitoring.
10 / 10
Audit log + access monitoring
Every data access is logged — who, when, why; role-based access control (RBAC), data contracts, and automated monthly compliance reports.
— BENEFIT
The tangible, measurable return on data ownership
First-party data architecture isn't just compliance; it's direct leverage on ad performance, customer understanding and team velocity.
+45% signal
Ad signal recovery
30-50% signal recovery with Meta/Google/TikTok CAPI; ad platforms learn faster and optimize better.
-52% SaaS spend
Tool costs drop
Fragmented SaaS stack is consolidated into a single warehouse + dbt layer; annual license spend falls 40-60%.
+38% decision speed
Your team moves faster
A self-serve semantic layer lets business units answer their own questions; the data team shifts from bottleneck to enabler.
100% audit-ready
Consent compliance, written
TCF 2.2 + Consent Mode v2 + KVKK policy is audited and testable; the evidence file is ready for regulators.
+28% attribution accuracy
Cross-channel journey visible
Identity resolution reveals user journeys across devices and channels; attribution models and cohort analysis run on unified data.
Runbook + RACI
Data governance is sustainable
Schema registry, PII tagging, retention, RBAC, audit log — handed over to your team with a runbook and monthly compliance report.
DELIVERABLES
Concrete, written deliverables for every first-party project
Architecture, code, configuration, documentation and training — every artifact is versioned and handed over to your team.
Signal audit report
Quantitative assessment of existing signal loss, consent violations and tool duplication, 40-60 pages.
Event taxonomy & data contracts
Every event's name, properties, owner, schema version and backward compatibility rules.
sGTM container setup
Live sGTM on Google Cloud Run / AWS Fargate, blue/green deployment + CI/CD pipeline + rollback plan.
CAPI integrations
Server-side conversion events for Meta, Google, TikTok, Pinterest; event deduplication + hashed PII + error handling.
Consent Mode v2 + CMP policy
IAB TCF 2.2 compliant CMP configuration, dynamic ad_user_data/ad_personalization signals, written consent policy + legal review.
BigQuery/Snowflake warehouse
Raw event streaming pipeline, partition + clustering, cost optimization, monitoring + alerting.
dbt models + semantic layer
Staging to intermediate to marts layers, dbt tests, exposures, lineage graph + documentation site.
Identity resolution pipeline
Deterministic + probabilistic matching rules, household detection, cross-device journey table.
Reverse ETL pipelines
Segment syncs to Meta CA, Google CM, Klaviyo, HubSpot, Braze via Census/Hightouch; schedule + monitoring.
Schema registry & PII governance
Versioned schema records, PII tagging, retention + masking policy, schema drift alerts.
Audit log + compliance report
RBAC configuration, data access log, automated monthly compliance report (KVKK/GDPR + ad platform policy).
Runbook + 3-week training
Operational runbook, on-call rotation, SLA contract + 3 weeks of hands-on training for your team.
— SCOPE
What we do, what we don't — clear boundaries
First-party architecture is an engineering discipline; defining scope precisely prevents surprises and downstream billing.
We do
- Signal audit + consent health assessment
- Event taxonomy + data contracts design
- sGTM container setup + CI/CD + monitoring
- Meta/Google/TikTok/Pinterest CAPI integrations
- Consent Mode v2 + TCF 2.2 + CMP configuration
- BigQuery/Snowflake warehouse + streaming pipeline
- dbt models + semantic layer + tests
- Identity resolution (deterministic + probabilistic)
- Reverse ETL pipelines (Census/Hightouch)
- Schema registry + PII governance + audit log
- Legal/compliance review coordination
- Runbook + 3-week hands-on training
We don't
- Legal counsel (coordinated via partner lawyer + policy review)
- CDP license resale (we give vendor-agnostic recommendations, no commission)
- Maintaining fragmented SaaS stacks (consolidation is recommended)
- Raw analytics agency retainers (engineering sprints, not packages)
- Guaranteed 'pre-pixel' signal recovery (we give a realistic range)
- Warehouse licenses / cloud invoices (stay on the customer's account)
- Ad account management (separate scope with PPC/Growth teams)
- Plug-and-play SaaS deployment (every customer gets a custom architecture)
HOW WE WORK
First 8-week rollout to 6-month operation — who does what and when, in writing
01
Weeks 1-2: audit + discovery
Current GTM/GA4/CMP/pixel audit, consent health check, stakeholder interviews, architecture requirements document.
02
Weeks 3-4: design + data contracts
Event taxonomy, identity strategy, warehouse schema, consent policy, data contracts — approved by legal + IT + marketing.
03
Weeks 5-6: sGTM + CAPI deploy
Cloud Run/Fargate container goes live; Meta/Google/TikTok CAPI integration; shadow mode starts.
04
Weeks 7-8: warehouse + dbt
BigQuery/Snowflake streaming pipeline, dbt staging + intermediate + marts, first version of semantic layer.
05
Weeks 9-10: validate + cutover
Event parity testing, QA checklist, blue/green cutover; decommission plan for the old architecture.
06
Weeks 11-12: govern + handoff
Schema registry, PII tagging, audit log, RBAC; hands-on training begins, runbook delivered.
07
Months 4-5: activation + optimization
Reverse ETL pipelines, first segment activations, MMM/attribution data preparation, cost optimization.
08
Month 6+: steady state + audit
Monthly compliance report, quarterly data governance council, schema drift monitoring, SLA + on-call rotation.
— TOOLKIT
The tools we use — vendor-agnostic but decisive choices
We pick what fits each customer; we protect independence by taking no commissions.
SERVER-SIDE TRACKING
Google Tag Manager ServerStape.ioGoogle Cloud RunAWS FargateMeta Conversion APIGoogle Ads Enhanced ConversionsTikTok Events APIPinterest CAPI
CMP & CONSENT
OneTrustCookiebotDidomiUsercentricsGoogle Consent Mode v2IAB TCF 2.2
WAREHOUSE & CDP
BigQuerySnowflakeRedshiftdbt Core/CloudSegmentRudderStackmParticleAmplitude
REVERSE ETL & ACTIVATION
CensusHightouchPolytomicFivetranAirbyteStitchMeta Custom Audience APIGoogle Customer Match API
QUESTIONS
Frequently asked
Three concrete benefits: (1) 30-50% signal recovery by bypassing ad-blockers + ITP, (2) Data ownership — PII redaction happens on the server, (3) Faster page loads — client-side script load drops. On top of that, vendor lock-in breaks; all tag logic lives in your cloud.
— GLOSSARY
First-party data engineering terminology
Twelve critical terms that give your team and stakeholders a shared language.
- sGTM
- Server-side Google Tag Manager — a proxy that takes the browser GTM payload, sanitises and enriches it, then fans out to multiple destinations (GA4, Meta CAPI, TikTok, etc.). Extends cookie lifetime, resists ad-blockers and is the backbone of server-side conversion APIs.
- CAPI
- Meta's server-to-server event API running in parallel to the Pixel. Recovers the 20-40% of conversion signal lost in the browser due to ITP and ad-blockers; deduplication requires every event to carry an event_id and matching timestamp. A foundation of any modern paid-social stack.
- Consent Mode v2
- Google's TCF 2.2 compliant consent signal mechanism; ad_user_data + ad_personalization states.
- TCF 2.2
- The IAB Europe Transparency & Consent Framework version mandatory since 2024. Standardises the consent signal between publisher, vendor and user; CMPs (OneTrust, Cookiebot, Didomi) deliver mandatory compliance together with Google Consent Mode v2.
- Identity resolution
- Linking user activity across devices and channels to a single identity; deterministic + probabilistic.
- CDP
- Customer Data Platform; the system that unifies user profiles and exposes them to activation channels (Segment, mParticle, warehouse-native).
- Reverse ETL
- Pushing data from the warehouse to operational tools (Meta, Google, Klaviyo); Census, Hightouch are typical vendors.
- Customer Match
- Using a hashed first-party list (email, phone, mailing address) as a targeting/exclusion audience across Google Search, YouTube and Display. The base for lookalike seeds and win-back; the minimum match rate to be useful is typically 30%+.
- Data warehouse
- The cloud data store where raw and modelled event data live (BigQuery, Snowflake, Redshift, Databricks).
- Event schema
- Written, versioned definition of event names, properties, data types and owners; stored in the schema registry.
- PII
- Personally Identifiable Information; data that identifies a person (email, phone, IP, device ID). Managed under tagging + retention.
- Data governance
- The combined disciplines of data quality, access, stewardship and compliance; RBAC + audit log + data contracts are standard.
- GA4 Measurement Protocol
- A server-to-server protocol that sends events directly to GA4 over HTTP. Generates conversion signal from environments without a web pixel (CRM, IoT, app server); authenticates with api_secret + measurement_id and is wired to respect Consent Mode.
- Enhanced Conversions
- A measurement layer in Google Ads that ties a conversion to a user via hashed first-party data (email, phone). Recovers 3-15% of attribution lost to ITP and cookie decay; ships in web and lead-form variants.
- Offline Conversions
- The process of feeding back conversions that happen in CRM (lead-to-sale, call closure, store visit) to the ad platform via the click ID (gclid/wbraid/fbclid). The most reliable way to feed tROAS with real revenue.
- First-party Data
- Data the brand collects directly from its own properties (web, app, CRM, call centre, email, membership) under user consent. The most defensible fuel for performance marketing post-third-party-cookie; hashed and activated into ad platforms.
- Data Clean Room
- A secure compute environment where two parties (e.g. brand + media platform) can match and aggregate without exposing each other's raw PII. Google Ads Data Hub, Amazon AMC, Snowflake/Databricks clean rooms — used for overlap analysis, attribution and audience building.
- Identity Graph
- A relational graph that links one person across their devices, email, phone, payment identifier and hashed IDs. Foundation for cross-device attribution, retention modelling and LAL seed quality — the heart of any CDP.
- First-party Cookies
- Cookies set by the site's own domain and only sent on its own page requests. After third-party cookies were blocked, ITP further capped this category — server-side cookie setting + 1y+ rotation policy is now essential.
- Server-side Events
- Conversion events sent to the ad platform via API from your own server (sGTM, own backend) rather than from the browser. Immune to ad-blocker and browser caps; works with specs like CAPI (Meta), GA4 MP, TikTok Events API.
- Hashed PII
- A personally identifiable value (email, phone, name) frozen via a one-way cryptographic function (usually SHA-256). Mandatory for matching, custom-audience upload and Enhanced Conversions on ad platforms — a privacy and compliance requirement.
- Privacy Sandbox
- Google's suite of Chrome APIs designed to enable ad measurement, retargeting and fraud detection without third-party cookies: Topics, Protected Audience (FLEDGE), Attribution Reporting. The Google side of the cookieless future.
- CORS (Cross-Origin Resource Sharing)
- A browser security mechanism that requires the server to explicitly approve fetch/XHR requests crossing origins. Controlled via Access-Control-Allow-* headers; misconfiguration is the most common integration bug for SaaS APIs.
- CSP (Content Security Policy)
- An HTTP header that declares which sources a page may load scripts, styles, images and iframes from. The strongest browser-side defence against XSS; nonce + strict-dynamic is modern best practice, paired with report-uri/report-to for monitoring.
- TLS / SSL
- The protocol that encrypts all traffic between client and server and authenticates the server via certificate. The layer underneath HTTPS; TLS 1.3 is the modern standard, Let's Encrypt provides free certificates, HSTS header is mandatory.
- Zero-Trust
- A security model that trusts no network location and re-authenticates + re-authorises every request based on user + device + context. The modern alternative to VPN; built on platforms like BeyondCorp, Cloudflare Access and Tailscale.
- AWS IAM (Identity and Access Management)
- The auth layer in AWS that answers "who can do what to which service". User/Group/Role/Policy hierarchy; least-privilege principle; SCP (Service Control Policy) for organisation-wide guardrails; the security foundation of every AWS workload.
- OWASP Top 10
- OWASP's yearly-updated list of the ten most critical web-application security risks. The 2021 edition is led by Broken Access Control, Cryptographic Failures, Injection and Insecure Design. The industry standard for security self-assessment.
- SQL Injection
- A classic web vulnerability where an attacker injects SQL fragments into input fields to manipulate database queries. Leads to login bypass, full DB dumps and DROP TABLE-style attacks. The fix is parameterised queries / prepared statements (or an ORM).
- XSS (Cross-Site Scripting)
- An attacker injects malicious JavaScript into a web page so it runs in the victim's browser. Three flavours: Reflected, Stored, DOM-based — leading to cookie theft and session hijacking. Mitigations: output escaping, CSP headers, HttpOnly + SameSite cookies.
- CSRF (Cross-Site Request Forgery)
- An attack that abuses the victim's authenticated session to perform unwanted actions. The attacker tricks the victim's browser via another site into auto-submitting a form to the victim's bank. Mitigations: anti-CSRF tokens, SameSite=Lax/Strict cookies, double-submit-cookie pattern.
- Clickjacking
- An attacker overlays the target site as a transparent iframe on their own page and tricks the user into clicking invisible buttons — likes, transfers, permission grants happen without consent. Mitigations: X-Frame-Options: DENY or a CSP frame-ancestors header.
- MITM (Man-in-the-Middle)
- An attack that intercepts or modifies the communication between two parties. Typical vectors: open Wi-Fi, rogue certificates, ARP spoofing. Mitigated by HTTPS, HSTS preload, certificate pinning and DNS over HTTPS (DoH).
- Certificate Pinning
- A mobile/desktop app accepts only a specific server-certificate (or CA) public key. Even if an attacker installs a rogue CA on the victim's device, the app refuses to trust it. One of the strongest defences against MITM, but key rotation gets harder.
- MFA / 2FA (Multi-Factor Authentication)
- An auth method that requires a second proof factor on top of a password. Factors: something you know (password), have (phone, hardware key) and are (biometrics). SMS is weak; TOTP (Authenticator apps), push notifications and FIDO2/WebAuthn are the modern picks.
- SSO (Single Sign-On)
- A single login that grants access to multiple connected apps. SAML 2.0 (enterprise) and OIDC (modern web/mobile) are the main protocols; Okta, Azure AD and Google Workspace are typical IdPs. Improves UX and gives IT centralised user-lifecycle management.
- SAML 2.0
- The XML-based legacy standard for enterprise SSO (2005). Carries authentication assertions from an IdP (Okta, ADFS) to a Service Provider via browser-POST or redirect binding. Still standard in modern SaaS, but new projects increasingly prefer OIDC.
- OIDC (OpenID Connect)
- An identity layer built on top of OAuth 2.0. Adds an ID token (a JWT) on top of the access token; the technology behind "Sign in with Google/Apple/Microsoft" flows. JSON-based, mobile/SPA-friendly and more modern than SAML.
- JWT (JSON Web Token)
- A portable signed identity/authorisation token in Header.Payload.Signature form. Powers stateless sessions, identity passing between microservices and the OIDC ID-token format. Best practice: short-lived access + long-lived refresh; prefer RS256/ES256 over HS256.
- Security Headers
- HTTP response headers that push security rules to the browser: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Proper configuration drastically reduces XSS, MITM and sniffing risk.
- WAF (Web Application Firewall)
- A security layer that inspects OSI Layer-7 traffic and blocks SQL injection, XSS, RCE and bot attacks. Cloudflare WAF, AWS WAF, Imperva and F5 are the main products; combine managed rule sets with custom rules and rate limiting.
- Penetration Testing (Pentest)
- A controlled security audit that tests a system's defences with a real attacker mindset. Black-box, gray-box and white-box approaches; web-app, mobile, network and social-engineering scopes. Output: a prioritised findings list plus a retest of fixes.
- Bug Bounty
- A programme where a company pays external researchers cash for finding security vulnerabilities. Run via HackerOne or Bugcrowd, or self-hosted; scope, rules and reward tiers are published openly. Effectively delivers continuous pentest pressure.
- Zero Trust
- A "never trust anyone or any network by default — verify every request" approach. Replaces the traditional castle-and-moat model with access based on identity, device posture and context. BeyondCorp, Cloudflare Access and Zscaler are key examples.
- DDoS (Distributed Denial of Service)
- An attack that floods a target service from thousands of compromised devices simultaneously to take it down. Volumetric (bandwidth saturation), protocol (SYN flood) and application-layer (HTTP flood) variants exist. Anycast networks like Cloudflare, AWS Shield and Akamai are the main defence.
- Secrets Management
- Storing sensitive values — API keys, DB passwords, certificates, OAuth client secrets — centrally, auditably and with rotation. HashiCorp Vault, AWS Secrets Manager, Doppler and 1Password Secrets are standard tools; ends the bad habit of committing .env files to Git.
- Prompt Injection
- An attack where an attacker plants hidden instructions in user or tool input to coerce the LLM into ignoring its system prompt — e.g. "Forget all previous instructions and…". The XSS of LLM applications; defence requires layered input sanitisation, output filtering and sandboxing.
- LLM Jailbreak
- An attempt to bypass a model's built-in safety rules (refusing harmful content, not leaking the system prompt, etc.). Common techniques: DAN, the "grandma exploit", roleplay framings, encoding tricks and multi-turn manipulation. The surface red teams stress-test continuously.
- GDPR (General Data Protection Regulation)
- The European Union data-protection regulation, in force since 2018. Explicit consent, data minimisation, the rights to access and erasure, 72-hour breach notification and fines up to 4% of global revenue or €20 M. Binds anyone doing business with the EU.
- CCPA / CPRA
- California Consumer Privacy Act (2020) and its enhancement, the CPRA (2023). Grants California residents the right to know, the right to delete and a "Do Not Sell or Share" opt-out. With no federal counterpart, this is the de-facto US privacy standard; other state laws (Virginia VCDPA, Colorado CPA) reference it.
- LGPD (Lei Geral de Proteção de Dados)
- Brazil's GDPR-like data-protection law, in force since 2020. Enforced by the ANPD (Autoridade Nacional de Proteção de Dados); 9 data-subject rights, explicit consent and a mandatory DPO. Fines: up to 2% of revenue per violation, capped at 50 M BRL.
- KVKK (Turkey)
- Turkey's Personal Data Protection Law, no. 6698, enacted in 2016. Enforced by the KVKK Board; the VERBİS register, explicit consent, 11 data-subject rights and an adequacy requirement for cross-border transfers. Aligned with GDPR but stricter on some points.
- DSA (Digital Services Act)
- The EU's large-platform regulation, in full force from 2024. For VLOPs (Very Large Online Platforms, 45 M+ EU users — Meta, Google, TikTok, etc.) it imposes annual risk assessments, illegal-content tracking, algorithmic transparency and a ban on dark patterns. Fines up to 6% of global revenue.
- DMA (Digital Markets Act)
- The EU's competition rule targeting "gatekeeper" platforms (Apple, Google, Meta, Microsoft, Amazon, ByteDance, Booking) since 2024. Mandates third-party app stores, browser-engine choice, messaging interoperability and bans self-preferencing. The reason iOS opened side-loading in the EU.
- ePrivacy Directive ("Cookie Law")
- The 2002 EU directive (updated in 2009) — the original requirement for explicit consent before using cookies and trackers. Still in force as a complement to GDPR; the legal source of the cookie banners we see on EU sites. A successor ePrivacy Regulation is still being negotiated.
- FLEDGE / Protected Audience API
- A Google Privacy Sandbox API designed to keep remarketing alive after third-party cookies disappear. Interest groups are stored in the browser, the ad auction runs in the browser too, and IPs/IDs never leak out. Default in Chrome 109+ with IAB testing ongoing.
- Topics API
- The successor to FLoC in Google's Privacy Sandbox (2023). The browser derives 5 "topics" per week from the user's browsing history (e.g. /Sports/Soccer); advertisers see a random subset. The goal: interest matching without cross-site tracking.
- CHIPS (Cookies Having Independent Partitioned State)
- Chrome technology that splits third-party cookies into per-site partitions. An embedded widget's cookie is now isolated per top-site, breaking cross-site tracking while preserving in-site state. Implemented by adding the Partitioned attribute on Set-Cookie.
- SKAdNetwork (Apple)
- Apple's iOS framework for ad attribution without IDFA. Provides a deterministic match between the ad-serving network and the install-triggering ad; supports a 0-63 conversion value and 24-hour aggregated postbacks. The post-ATT standard of the mobile ad ecosystem.
- ATT (App Tracking Transparency)
- An Apple feature shipped in iOS 14.5 (2021) that blocks apps from accessing the IDFA without showing the system "Allow / Ask Not to Track" dialog. About 75% of users opted out, fundamentally changing the mobile attribution industry and pushing it toward SKAdNetwork.
- IDFA / GAID
- IDFA (Identifier for Advertisers, iOS) and GAID (Google Advertising ID, Android) — device-bound, user-resettable advertising IDs. Pre-ATT they were the backbone of mobile attribution; today GAID is still active on Android while IDFA has moved to an opt-in model.
- OpenRTB
- The IAB open protocol that standardises programmatic display and video ad buying/selling. Defines the JSON shapes of bid requests, bid responses and win notices between SSPs and DSPs; v2.6 (2024) adds audio, CTV and identity-solution support. The technical foundation of header bidding and PMPs.
- Prebid.js
- The most widely used open-source header-bidding library. On the publisher's page it fires parallel bid requests to 10+ SSPs before the ad-server (GAM) call; the highest bid wins. By lifting publisher eCPM 20-50% and bringing transparency to the programmatic ecosystem, it was a revolution.
- Cookie Consent Banner
- The familiar modern-web banner that asks "Do you accept our cookies?" when a site loads. Required by EU ePrivacy + GDPR; "Reject All" must be just as easy, and consent must be granular by category. CookieYes, OneTrust and Cookiebot are the main CMPs.
- CMP (Consent Management Platform)
- A platform that collects, stores and propagates user consent across a site. Integrates with IAB TCF v2.2 and signals third-party vendors via a consent string. OneTrust, TrustArc, CookieYes, Cookiebot and Iubenda are common choices; a mandatory piece of any modern privacy stack.
- IAB TCF v2.2 (Transparency & Consent Framework)
- IAB Europe's standard for sharing consent across adtech vendors in the EU market. A binary consent string encodes which of the 12 purposes and which of 1,000+ vendors the user has approved; it's carried CMP→SSP→DSP. v2.2 (2023) clarified the granularity of "purpose 1: device storage".
- DSAR (Data Subject Access Request)
- Under GDPR Article 15 / KVKK / CCPA, an individual's right to a documented answer within 30 days to "what data do you hold on me and with whom have you shared it?". A DSAR portal, runbook and automated data-pulling pipeline are non-negotiable parts of any modern privacy programme.
- Privacy by Design
- Ann Cavoukian's seven principles (1995, embedded in GDPR Article 25): be proactive, make the default privacy-friendly, design systems privacy-first, end-to-end encryption, full-lifecycle protection, visibility and respect for the user. The ethical foundation of modern security architecture.
- Right to be Forgotten
- GDPR Article 17 — an individual's right to ask for their personal data to be deleted. Without a legal basis to keep it, the company has 30 days to delete — including backups, logs and third-party vendors. Extended to Google search results by the 2014 ECJ Costeja ruling.
- SPF (Sender Policy Framework)
- An anti-spoofing DNS TXT standard that lists the IPs allowed to send mail for a domain. Looks like v=spf1 include:_spf.mailgun.org -all. The receiving MTA matches the sending IP against SPF; failure means spam folder or rejection.
- DKIM (DomainKeys Identified Mail)
- A standard that proves email authenticity via a cryptographic signature from the sending domain. A DKIM-Signature header is added to the message; the receiver validates it against the public key published in DNS. The second leg of modern email auth, alongside SPF.
- DMARC (Domain-based Message Authentication, Reporting & Conformance)
- A standard that combines SPF + DKIM and lets the domain owner say what should happen when authentication fails. Policy values p=none / quarantine / reject; rua=mailto:dmarc@… collects aggregate reports. Mandatory for bulk senders to Gmail/Yahoo from 2024.
- BIMI (Brand Indicators for Message Identification)
- A standard that displays a sender's brand logo next to the "from" line in Gmail / Yahoo inboxes once the domain enforces DMARC. Requires an SVG Tiny logo and a Verified Mark Certificate (VMC); mailbox support has been expanding since 2023. Lifts open rate by 3-15%.
- CAN-SPAM (US email law)
- A 2003 US law that sets mandatory rules for commercial email: no misleading headers/subjects, a clear opt-out link, a physical postal address inside the message and acting on opt-outs within 10 days. Fines up to $51K per violation. Unlike GDPR, it's an opt-out regime — opt-in is not required.
- CBDC (Central Bank Digital Currency)
- A digital token issued by a central bank with the legal-tender status of regular currency. The Bahamas Sand Dollar, Nigeria's eNaira and China's e-CNY are live; Europe's Digital Euro is in pilot. The regulator's answer to stablecoins, central to cross-border payment and cashless-society projects.
- Sign-In with Ethereum (SIWE)
- A standard (EIP-4361) for logging in with an Ethereum-wallet signature instead of email/password. The dApp generates a message, the user signs it with their wallet and the backend verifies the signature to open a session. The OIDC alternative for Web3 auth, increasingly paired with passkeys.
- LLM Red Team
- A human + AI team that tests a model's safety rules and internal boundaries. They try adversarial prompts, jailbreaks, PII leakage and prompt-injection scenarios; the gaps they find feed back into the eval set. OpenAI, Anthropic and Google red teams play a critical pre-launch role.
- Adversarial Prompt
- A purpose-built prompt designed to push the model into wrong, harmful or forbidden outputs. Trick vectors include "detail-only", "creative fiction", "system-message override" and base64 encoding. Defending against them requires instruction tuning, RLHF and Constitutional AI together.
- Jailbreak Eval Suite
- A standardised collection of test attempts to bypass an LLM's safety controls. Open benchmarks like AdvBench, HarmBench and JailbreakBench; classic patterns include "DAN", the "grandma exploit" and roleplay framing. Pass-rate scoring is mandatory before any new LLM launch.
- Prompt Leakage
- An attack that tries to surface a model's system prompt — often confidential company business logic. Examples: "print all previous instructions". Hidden RAG context and sensitive business rules can leak. Defences: an instruction wrapper, a repeat-back filter and structured output.
- PII Redaction (LLM)
- A layer that masks personal data in user input — name, phone, email, card number, address — before it reaches the LLM or hits logs. Microsoft Presidio, Google DLP and AWS Comprehend Medical are the typical tools; mandatory for GDPR, KVKK and HIPAA compliance.
- LLM Guardrails
- A control layer that protects model output from unwanted territory — toxic, off-topic, hallucinatory, structured-output-violating. Output filtering, schema validation, classifier-as-judge and tool-call validation; common tools include NeMo Guardrails, Guardrails AI and AWS Bedrock Guardrails.
- Content Moderation API
- A service that classifies text or image input and output across categories — toxicity, NSFW, violence, hate speech, self-harm. OpenAI Moderation, Google's Perspective API, AWS Rekognition and Azure Content Safety. A mandatory pre-filter for any LLM application.
- AI Safety Eval (HHH)
- An alignment evaluation principle measuring the trio "Helpful, Honest, Harmless". Helpful: does it actually help the user; Honest: does it give wrong or covertly motivated answers; Harmless: does it suggest harmful actions. The foundation of Anthropic's safety papers.
- Toxicity Score
- A classifier score from 0 to 1 that measures how toxic, harassing or hateful a piece of text is. Google's Perspective API, OpenAI Moderation, Detoxify and HateBERT are common; thresholds are usually 0.7+. A critical filter for LLM output, comment moderation and brand safety.
- Bias Audit
- A systematic check of whether a model produces unfair output across protected attributes — gender, race, age, religion. Metrics include demographic parity, equal opportunity and counterfactual fairness; common tools are AI Fairness 360 and Fairlearn. Mandatory compliance in regulated industries.
- Anti-Cheat (VAC, EAC, BattlEye)
- A system that blocks cheats, aimbots and wallhacks in multiplayer games. Valve VAC, Easy Anti-Cheat (EAC), BattlEye, Riot Vanguard and FACEIT AC are common; kernel-level access fuels a security/privacy debate. Cheat prevention has no upper limit, but a poor implementation wrecks UX.
- SOC (Security Operations Center)
- A 24/7 team plus infrastructure that monitors and responds to security events. Structured as Tier 1 (alert triage), Tier 2 (deep investigation) and Tier 3 (threat hunter, forensics); the common toolset is SIEM, EDR and SOAR. Modern enterprises run a 100+-person internal SOC or outsource to an MSSP.
- SIEM (Security Information & Event Management)
- A platform that ingests logs and security events centrally and triggers alerts via correlation rules. Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM and Sumo Logic are leaders; it answers "who did what" and "which anomaly" — the heart of any modern SOC.
- EDR (Endpoint Detection & Response)
- A platform that delivers real-time malware, ransomware and lateral-movement detection plus response on employee laptops, servers and mobile endpoints. CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black and Sophos Intercept X lead. The successor to classic antivirus.
- XDR (Extended Detection & Response)
- The successor to EDR that also unifies network, email, cloud and identity signals. Turns siloed alerts beyond the endpoint into a single correlated view; Palo Alto Cortex XDR, Microsoft Defender XDR, Trellix and SentinelOne Singularity lead. Cuts tickets per SOC analyst by 5-10×.
- SOAR (Security Orchestration, Automation & Response)
- An orchestration platform that runs automated playbooks after SIEM alerts — "block this IP", "isolate this endpoint", "reset this user's password" and other 100+-step responses. Splunk SOAR, Palo Alto XSOAR, Tines and Torq lead; cuts Tier 1 SOC load by 60%+.
- Threat Intelligence
- A discipline that feeds knowledge of active threat actors, their tactics and IoCs (indicators of compromise — IPs, hashes, domains). Recorded Future, Mandiant, CrowdStrike Intel, OTX and MISP supply feeds that are injected into SIEMs; answers "does this leak affect us?".
- CVE (Common Vulnerabilities & Exposures)
- A public catalogue of security-vulnerability IDs maintained by MITRE — for example CVE-2024-12345. Each entry links a vendor patch, exploit details and affected versions, and gets a CVSS score. The atomic unit of any vulnerability-management programme.
- CVSS (Common Vulnerability Scoring System)
- A standard system, run by FIRST.org, that scores a security vulnerability's severity from 0.0 to 10.0. Layers include Base Score (exploitability + impact), Temporal and Environmental; 9.0+ is Critical, 7.0-8.9 High and 4.0-6.9 Medium. The basis for patch-priority decisions.
- NIST CSF (Cybersecurity Framework)
- A framework published by NIST in 2014 that organises a cybersecurity programme into five functions: Identify, Protect, Detect, Respond and Recover. Version 2.0 (2024) added a Govern function. The most widely used reference in US-federal and global-enterprise security.
- ISO 27001
- The international standard for an Information Security Management System (ISMS). Risk assessment + 93 controls (Annex A) + a continuous-improvement cycle; an external audit every 3 years and annual surveillance. A B2B-sales must-have for SaaS companies and a way to demonstrate alignment with GDPR and KVKK.
- SOC 2
- An audit report designed by the AICPA for SaaS companies. Built on Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality and Privacy. Type 1 is point-in-time; Type 2 covers 6-12 months of operational evidence. The key to selling enterprise in the US.
- CIS Controls
- A set of the 18 most critical cybersecurity controls published by the Center for Internet Security (formerly the SANS Top 20). Implementation tiers IG1 (small), IG2 (mid) and IG3 (large) cover practical actions like asset inventory, MFA and phishing awareness. The operational map of NIST CSF.
- MITRE ATT&CK Framework
- MITRE's open knowledge base that catalogues real-world attacker TTPs — Tactics, Techniques and Procedures. 14 tactics from Initial Access → Execution → Persistence → … → Impact, with 600+ techniques underneath. The reference for red-team scenarios, detection-rule writing and threat-intel alignment.
- Zero-Day Exploit
- A software vulnerability the vendor isn't yet aware of — 0 days have passed since the patch — and the exploit that abuses it. Worth millions on bug-bounty and dark-web markets; the weapon of choice for APT groups, state actors and Pegasus-style spyware. Defence: defence-in-depth, EDR and virtual patching.
- Supply Chain Attack
- An attack on a target through the software, components or vendors it uses rather than the target itself. Cautionary examples: SolarWinds Orion (2020), Kaseya (2021), MOVEit Transfer (2023) and 3CX (2023). A single vendor compromise can affect 18K+ customers; SBOM, signed artefacts and the SLSA framework are standard defences.
- Ransomware
- Malware that encrypts the victim's files and demands a ransom for the decryption key. Modern "double extortion" both encrypts files and threatens to publish them on the dark web. LockBit, BlackCat (ALPHV), Conti and Ryuk are notorious; in 2024 the average ransom is $2 M and average downtime is 21 days.
- Phishing / Spear Phishing / Whaling
- Attacks that steal credentials or data with a fake email, SMS or page. Phishing is mass and generic; spear phishing targets a specific person or company; whaling targets CEO, CFO and senior execs. AI-generated phishing rose 1500% in 2024; defences: DMARC, an email security gateway and awareness training.
- Credential Stuffing
- An attack that takes username/password pairs leaked elsewhere and tries them automatically on other sites to take over accounts. Bot-driven, millions of requests per second; HaveIBeenPwned tracks 13 B+ leaked records. Defences: rate limiting, CAPTCHA, MFA and unique passwords with a password manager.
- Brute Force Attack
- Systematically trying password combinations. Two flavours: online (against a live login) and offline (against a hash dump). Tooling combines GPUs, dictionaries and rule-based engines (Hashcat, John the Ripper); a top 2024 GPU runs 600 billion hashes/second. Defences: long passphrases plus bcrypt, scrypt or argon2.
- UEBA (User & Entity Behavior Analytics)
- A security-analytics layer that uses ML to learn user and device behaviour patterns and flag anomalies — login time/place anomalies, atypical file access, lateral-movement patterns. Critical for insider-threat and compromised-account detection. Leaders: Splunk UBA, Exabeam, Microsoft Sentinel UEBA.
- CASB (Cloud Access Security Broker)
- A cloud-security layer that monitors and enforces policy on the SaaS apps employees use. Covers shadow-IT discovery, DLP, threat protection and compliance checks. Leaders: Microsoft Defender for Cloud Apps, Netskope, McAfee MVISION and Zscaler CASB. The security DMZ of the SaaS-first era.
- DLP (Data Loss Prevention)
- A system that prevents unauthorised exfiltration of sensitive data — PII, card numbers, trade secrets. Combines deep content inspection with policy enforcement across endpoint, network, email and cloud. Leaders: Symantec DLP, Forcepoint, Microsoft Purview and Netskope. The heart of GDPR, KVKK and HIPAA compliance.
- IAM (Identity & Access Management)
- A platform that answers "who can access which system, with what privileges?". Provides a single source of identity (Okta, Azure AD/Entra, Auth0, Ping Identity), SSO, MFA, joiner-mover-leaver lifecycle automation and RBAC/ABAC. The centre of any modern zero-trust architecture.
- Privileged Access Management (PAM)
- A platform that manages and audits privileged accounts — admin, root, break-glass. Just-in-time access, password vault, session recording and approval workflows. CyberArk, BeyondTrust, Delinea and HashiCorp Boundary lead; the primary control against insider threat and privilege escalation.
- KYC (Know Your Customer)
- A financial-regulation requirement to verify a customer's identity. Steps include documents (ID, passport), liveness check (selfie or video), address (a utility bill) and source of funds. A mandatory step for banks, crypto exchanges and fintechs; non-compliance leads to multi-million-dollar fines and licence revocation.
- AML (Anti-Money Laundering)
- The regulatory and operational controls that prevent money laundering. Includes transaction monitoring, Suspicious Activity Reports (SARs), sanctions screening (OFAC, EU, UN) and PEP (Politically Exposed Person) checks. The compliance function of banks and fintechs; FinCEN and FATF set the global standard.
- PCI DSS Level 1
- The strictest card-security standard, covering companies that process 6 M+ card transactions per year. Includes annual on-site audits by a QSA (Qualified Security Assessor), quarterly vulnerability scans, penetration tests and segmentation reviews. Stripe, Adyen and Shopify Payments are certified at Level 1.
- Embedded Finance
- Embedding financial services — payments, lending, insurance, bank accounts — directly into non-financial products. Examples: Uber's driver accounts, Shopify Capital, Tesla Insurance and Apple Card. Built on Banking-as-a-Service providers like Stripe Treasury, Unit and Synapse; the market is projected to top $7 T by 2030.
- Apple Pay / Google Pay (Wallet)
- A digital wallet in which card details are tokenised and stored on a phone or wearable, then used for NFC or online payments. Fraud rates fall 50%+ on card-not-present transactions; backed by the Visa Token Service and Mastercard MDES. iOS NFC was opened to third-party wallets in 2024 under EU DMA.
- Direct Debit (SEPA DD / BACS)
- A pre-authorised pull from a customer's bank account for recurring payments — rent, bills, subscriptions. SEPA Direct Debit in Europe, BACS Direct Debit in the UK and ACH Debit in the US. The pull-payment standard for subscription businesses and utilities; rules cover pre-notification, mandate ID and chargeback rights.
- Wire Transfer
- A real-time, high-value transfer between bank accounts — domestic via Fedwire in the US, international via SWIFT. Same-day settlement, $25-50 fees, irreversible. The standard rail for high-value B2B and real-estate purchases; faster and pricier than ACH.
- Cross-Border Payment
- An international payment that crosses currencies and bank networks. Classic SWIFT correspondent banking takes 2-5 days at 2-5% in fees; modern alternatives include Wise, Revolut, Stripe Cross-Border and blockchain stablecoins like USDC. Global cross-border B2B payments topped $150 T in 2024.
- Authorization vs Settlement
- The two steps of a card transaction. Authorisation places a hold on the cardholder's limit in seconds; settlement converts that hold into a real debit 1-3 business days later. E-commerce typically authorises at order time and captures (settles) at shipment; restaurants authorise then adjust at settlement to capture the tip.
- Chargeback
- When a customer's bank reverses a transaction — leading to a refund plus a $15-50 chargeback fee for the merchant. Common reasons: "item not received", fraud and duplicate charge. Modern sequence: pre-arbitration → arbitration. Visa Compelling Evidence 3.0 (2023) gives merchants stronger evidence-bundling tools.
- Friendly Fraud
- When a customer actually received and used the product but files a chargeback claiming "I don't recognise this". 60-80% of e-commerce chargebacks are friendly fraud. The merchant's defence: order screenshots, tracking, IP-matching and signature-delivery confirmation.
- Interchange Fee
- A fee the acquirer bank pays to the issuer bank (the cardholder's bank). Set by Visa and Mastercard schedules — about 1.5-3% in the US and 0.2-0.3% in the EU under the PSD2 cap. The biggest slice of the total ~2.5% merchant fee and the most profitable revenue line for fintechs.
- Acquirer Bank vs Issuer Bank
- The two ends of a card transaction. The issuer bank gives the cardholder the card and handles credit limit and billing; the acquirer bank integrates with the merchant's payment processor and handles merchant funding and settlement. Stripe and Adyen plug into the acquirer side — the merchant's back-end partner.
- eKYC / Digital KYC
- The fully digital successor to KYC. AI verification of selfie + ID document via Onfido, Jumio, Veriff or Persona; onboarding in 30 seconds to 2 minutes with manual review as fallback. AI document-tampering detection and liveness anti-spoofing are essential. The conversion edge of modern fintechs.
- Card Brand (Visa / Mastercard / Amex)
- The owners of card networks. Visa and Mastercard run open-loop networks (any bank can be issuer or acquirer); Amex and Discover are closed-loop (they are the bank). Visa holds about 38% global volume share, Mastercard 28% and Amex 22%; Troy is Turkey's local network. Their interchange and network fees set the merchant cost base.
- Card-Present vs Card-Not-Present
- CP: the customer is physically at the store with the card — chip + PIN, NFC, swipe. CNP: e-commerce, phone or mail-order. CNP fraud is 8-10× CP; 3DS2, tokenisation and fraud scoring become mandatory. The fundamental risk-profile gap between brick-and-mortar and online retail.
- Open Banking / PISP / AISP
- Two third-party roles created by PSD2. AISP (Account Information Service Provider) handles account aggregation and financial planning — Mint, Tink. PISP (Payment Initiation Service Provider) initiates payments directly from a bank account — Trustly, GoCardless Instant. A direct rival to the card networks.
- HIPAA
- A 1996 US law that governs health-data privacy. PHI (Protected Health Information) is the combination of patient identity and health status; encryption in storage and transit, access logs and a 6-year audit trail are mandatory. Fines run from $50K to $1.5 M per violation; HIPAA compliance is non-negotiable for any SaaS selling into healthcare.
- RegTech (Regulatory Technology)
- A tech segment that automates compliance and regulatory processes. Covers AML/KYC (ComplyAdvantage, Chainalysis), regulatory reporting (NICE Actimize, FIS Protegent), tax automation (Avalara, TaxJar) and GDPR/CSRD reporting. RegTech investment topped $15 B in 2024; the fastest-growing supplier category for banks, insurers and fintechs.
- InsurTech
- The technology segment digitalising insurance. Lemonade (P&C, AI claims), Root (telematics auto), Hippo (smart-home insurance), Coalition (cyber insurance) and Wefox lead globally; Quick Sigorta and BoMonti lead in Turkey. The data-driven, customer-experience-first counterpart to legacy insurance.
01
CAPIConsent Mode v2
02
sGTMCustomer Match
03
TCF 2.2PII
04
Consent Mode v2
05
CDPCustomer Match
06
Reverse ETLData warehouse
07
CDPData warehouse
08
CAPIPII
09
Event schemaData governance
10
Data governance
11
Data governanceConsent Mode v2
12
PIIEvent schema
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
— DECISION TREE
Is a first-party data operation right for you?
Answer 4 questions Yes/No; get a clear recommendation.
01 / 04
Is your monthly ad budget above 30k USD?
The threshold for signal recovery to be economically meaningful.
— LET'S BEGIN
How much do you trust your pixels?
In a 2-hour signal audit we surface lost conversions, consent issues and warehouse opportunities.