Privacy Impact Assessment (APIA) System

The AvePoint Privacy Impact Assessment (APIA) System can help you automate the process of evaluating, assessing and reporting on the privacy implications of your enterprise IT systems. Exclusively available through the IAPP, the APIA System allows you to select questions from the prepopulated bank of PIA questions or create your own, meaning you can build and save PIA templates to be reused and reported out.

  • Comply with Privacy Regulations
  • Automate Privacy Impact Assessments
  • Report on PIAs for Stakeholder Review
  • Extend to Security and Vulnerability Assessments



Notes on Installing and Configuring APIA

  1. APIA is a web application that is designed to be installed and run on a web server. It is recommended that the installation be performed by an IT professional familiar with configuring Services, Websites, and Databases.
  2. Most laptop or desktop PCs will not have all the required software services installed or enabled in order to allow the application to be successfully installed. However, APIA will automatically detect any missing components in the environment, and will also automatically install and enable all such required components and services.
  3. If installing to a non-server laptop or desktop computer, you will not have the ability to provide access to the system to others participating in the assessment (i.e., it will be limited to local access on the machine on which it is installed).

Note: When a web browser accesses an HTTPS-protected web site, it attempts to validate the site's certificate. If the certificate on the web site is not an official one, the browser warns the end user that it cannot validate the certificate (something like ‘the certificate authority is not trusted’). Typically, when software is deployed, IT administrators install the official certificate, so end users do not see the warning message.

In this case, because the software is installed by the end user on his or her own machine, the official certificate is not in place, so the browser displays the warning message. There are a few ways to continue:

  1. Ask an IT administrator to help deploy and install an official certificate
  2. Ignore the warning, as it’s pointing to the local machine, not a potentially malicious web site on the internet
  3. Or add the certificate to the trusted list for the local machine

Free Web Conference Recording

Installing and Configuring the APIA System



  • Help Make APIA Better

    • Have you created a PIA question set that you think others would find useful? Use this submission form to share your PIA and help others in the industry. It’s as simple as answering a few questions, like the applicable industry and region, and attaching your PIA. And thanks for being a productive part of the IAPP community!

      Note: The IAPP reviews all template submissions prior to sharing with the community

  • Download PIA Templates Contributed by the Privacy Community

    • Third Party Vendor Assessment Template
      The Third Party Vendor Assessment is a collection of sample questions designed to allow a company to build a consistent and repeatable process for managing due diligence procedures for value-added resellers, solutions partners, perpetual referral partners, and all intermediaries that interact with government officials, customers, or investors on an ongoing basis on behalf of the Company. This template is provided “as-is” with no warranties or assumptions of liability of any kind and, as with all APIA templates, should be modified to meet the compliance practices of each user and organization.
    • Cloud Readiness Assessment Template
      The Cloud Readiness Assessment is a collection of sample questions designed to allow a company to understand current “data discovery and classification” practices as part of building an informed decision about readiness for and migration of data and applications to a cloud provider. This template is provided “as-is” with no warranties or assumptions of liability of any kind and, as with all APIA templates, should be modified to meet the compliance practices of each user and organization.
    • ISO/IEC 27002 Code of Practice for Information Security Controls Template
      ISO/IEC 27002:2013 is an international best practice standard for a set of commonly used information security controls. Whilst none of the controls are mandatory or exhaustive, the standard is commonly used as a “cross check” to ensure organizations have not overlooked any important security areas. It is also referenced by ISO 27001, which requires that an organization undertake an information security risk assessment and, as part of that process, looks to ISO 27002 controls as a basis for risk treatment and to produce a “statement of applicability” that references the controls chosen for selection based on the organization’s risk appetite.

      This APIA template is designed to list the controls found in ISO 27002 and turn them into a set of questions to allow security managers to “self-assess” any gaps in their control framework. However it is recommended that organizations first perform a risk assessment to determine the applicability of the controls.
    • ISO/IEC 27001 Information Security Management Template
      ISO/IEC 27001:2013 is the international standard for creating an information security management system. The standard is designed to be a framework and an approach for organizations regardless of size, industry or location and aims to ensure an organization has an effective, continually improving management regime and focuses on planning a level of security “appropriate” to the organisation's legal, regulatory and contractual requirements and management risk appetite.

      This APIA template takes the requirements of ISO 27001 and turns them into a set of questions, so that organisations, security managers and auditors can “self-assess” themselves or their partners against the requirements for assurance of compliance.
    • UK Information Commissioner's Office PIA Template
      This template was created to align with PIA guidance issued by the UK Information Commissioner's Office.
    • Singapore PDPC Privacy Impact Assessment Template
      This template was created to align with general guidance issued by the Personal Data Protection Commission of Singapore.
    • Breach Preparation Template
      This template helps APIA users assess key steps for building a breach response team and plan, and will help your organization determine key issues around Forensic IT, Data, Data Subject, Cyber Liability Insurance and your Communications strategy.
    • Cybersecurity Template
      This Cybersecurity template assists APIA users in assessing key elements of their cybersecurity program, from roles and responsibilities to cyber evaluation of hardware, data, encryption and technology, third parties, remote access/BYOD and user accounts/passwords.