Done-for-you offer · Fractional CMO with AI Swarm · deterministic-probabilistic-identity-resolution skill · customer-graph agent
Deterministic + probabilistic identity resolution for DTC ecommerce and multi-location operators — hybrid resolution with per-source strategy, Bayesian-updating feedback, and a 5-anchor compliance gate
You run Shopify or BigCommerce or Salesforce Commerce Cloud + a CDP (Segment or mParticle or Rudderstack or Tealium or Treasure Data or Amperity) + an identity graph (LiveRamp or Neustar or TransUnion TruAudience or Acxiom or InfoSum) + marketing automation (Klaviyo or Iterable or Braze) + ad platforms (Google Ads + Microsoft Advertising + Meta + TikTok via Conversions API) + a loyalty or subscription program + (possibly) a brick-and-mortar pop-up footprint. The same customer can appear in six representations across those systems. The orchestration above the vendor stack — deterministic-first then probabilistic-fallback hybrid resolution, per-source match-strategy selection, confidence-tier explainability on every edge, cross-source + cross-touchpoint consistency enforcement, Bayesian-updating feedback against operator-data-science-team precision/recall targets, right-to- erasure fan-out across every linked source — is operator-side architecture. The compliance gate is anchored on five real anchors: GDPR Articles 6 + 9 + 17 + 22 + 30 + ePrivacy; CCPA/CPRA + state-comprehensive-privacy patchwork; FCRA + GLBA Safeguards Rule when outputs touch consumer-report-like uses; PCI DSS 4.0 tokenization (raw PAN never enters the graph); state biometric privacy laws (Illinois BIPA + Texas CUBI + Washington HB 1493) when probabilistic match touches photo recognition or voiceprint. You keep the canonical-identity contract, the per-source strategy library, the customer graph, the WORM audit trail, the policy-as- code policies, and the LLM prompts. You keep the ability to in- house at any time.
Published September 24, 2026
The real ecosystem this sits above
CDP + identity activation
Segment, mParticle, Rudderstack, Twilio Engage, Tealium, Treasure Data, ActionIQ, Lytics, BlueConic, Amperity, Hightouch. Each ships strong CDP + identity-activation primitives. The canonical- identity contract that reconciles divergent CDP representations is operator-side architecture.
Identity graphs
LiveRamp, Neustar, TransUnion TruAudience, Acxiom, Epsilon, Merkle, InfoSum, Throtle, FullContact, Adstra. Each ships strong identity-graph + household-graph primitives under their own privacy guarantees. Per-graph integration + cross-graph reconciliation under operator-counsel policy is operator-side architecture.
Graph databases
Neo4j, ArangoDB, TigerGraph, JanusGraph, Amazon Neptune, Memgraph, Dgraph, RedisGraph. Each ships strong graph-database primitives. The canonical-identity schema + edge typing + confidence-tier modeling on top is operator-side architecture.
ML match + probabilistic resolution
Senzing, Tamr, Tilores, dedupe.io, scikit-learn fuzzy matching, XGBoost / LightGBM / Bayesian-network probabilistic models. Each ships strong matching primitives. Per-source strategy selection + confidence-floor tuning + Bayesian-feedback recalibration above them is operator-side architecture.
Clean rooms + privacy-preserving collaboration
AWS Clean Rooms, Snowflake Data Clean Rooms, InfoSum, Habu, LiveRamp Safe Haven, Google Ads Data Hub, Meta Advanced Analytics. Each ships strong clean-room primitives. Per-partner clean-room policy selection + identifier-hashing-and-tokenization pre-flight above them is operator-side architecture.
Tokenization, consent management, policy-as-code, WORM storage
Tokenization: Skyflow, Very Good Security, Basis Theory, TokenEx. Consent: OneTrust, TrustArc, Ketch, Securiti, BigID. Policy-as-code: OPA Rego, AWS Cedar, Casbin, Cerbos, Oso. WORM: AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel. Each ships strong primitives. The per- event gate that maps GDPR + CCPA + FCRA + GLBA + PCI DSS 4.0 + BIPA-class biometric privacy onto an operator-counsel- approved policy bundle is operator-side architecture.
Frequently asked
What does deterministic + probabilistic identity resolution actually deliver?
An orchestration layer that sits above the operator CDP + identity-graph + graph-database + ML-match + clean-room + tokenization + consent-management + policy-as-code + WORM-storage stack and produces a resolved customer graph that is defensible against GDPR + CCPA + FCRA + GLBA + PCI DSS + state biometric privacy gates. Deterministic resolution runs first on the high-confidence join keys the operator has consent for: hashed email, hashed phone, hashed payment token (via PCI-compliant tokenization vendors — Skyflow, Very Good Security, Basis Theory, TokenEx; raw PAN never enters the graph), hashed loyalty ID, hashed device ID, hashed account ID, hashed receipt ID, hashed call canonical record ID, deterministic cookie ID, and deterministic device fingerprint. Probabilistic resolution runs on the lower-confidence signals only after deterministic has exhausted: name + address fuzzy match, device fingerprint, IP cluster, behavioral fingerprint, temporal coincidence, geospatial coincidence, co-purchase pattern, and (where operator counsel has cleared biometric-privacy-law exposure under Illinois BIPA + Texas CUBI + Washington HB 1493) photo recognition + voiceprint + household graph + co-residence. Per-source match-strategy selection lets the operator choose deterministic-only for source A, deterministic-then-probabilistic for source B, weighted-hybrid for source C, ensemble-meta-learner for source D — per operator-data-science-team and operator-counsel policy. Every edge carries a confidence tier + explainability + match-rule citation. Cross-source + cross-touchpoint + cross-vertical + cross-jurisdiction consistency checks run continuously. Bayesian-updating feedback recalibrates probabilistic priors against deterministic ground truth as new data accumulates. Vendors below ship strong primitives. The orchestration above them — hybrid sequencing, per-source strategy, confidence tiering, consistency enforcement, Bayesian feedback, compliance gate, audit trail — is operator-side architecture.
Where does single-vendor identity resolution stop compounding for DTC ecommerce and multi-location operators?
Single-vendor identity resolution is solved. Amperity ships strong probabilistic resolution for retail. Segment Unify ships strong deterministic resolution for CDP-resident data. LiveRamp ships strong identity-graph services. Neustar / TransUnion TruAudience ships strong household-graph data. Senzing ships strong entity-resolution algorithms. The compound case the customer-graph agent has to handle is the one where a DTC ecommerce operator running Shopify + Klaviyo + Google Ads + Meta + a loyalty program + a subscription program + a wholesale channel + a brick-and-mortar pop-up footprint asks: "Is the same person who bought through Shopify in March, opted into SMS in April, hit the loyalty program in May, replied to a Meta retargeting ad in June, redeemed a discount in a pop-up in July, and started a subscription in August — and what confidence do I have in that match before I trigger the abandon-cart sequence?" That question requires per-source match-strategy selection across 6+ sources, hybrid sequencing (deterministic-first then probabilistic-fallback per operator counsel policy), confidence tiering on every edge, cross-source consistency checks (the Shopify customer record and the Klaviyo profile and the loyalty program account all need to converge on the same canonical identity), Bayesian recalibration as new ground truth arrives, and a compliance gate that prevents probabilistic links from triggering legally-sensitive downstream decisions (FCRA-adjacent eligibility, GLBA-adjacent financial-product surfacing, biometric-data-touching match types). Without an orchestration layer above the vendors, every channel sees a different version of the customer, the abandon-cart sequence fires against fragmented profiles, the GDPR Article 17 erasure request fails to find every linked record, and the CCPA right-to-know response returns inconsistent data. The orchestration above the vendors is what holds the cross-source + cross-touchpoint + cross-jurisdiction invariants.
How does deterministic-first then probabilistic-fallback hybrid resolution work in practice?
The resolution pipeline runs in priority order. Step 1: deterministic match on hashed join keys the operator has cleared under counsel-approved consent. The hashing is operator-controlled (typically SHA-256 with a per-environment salt, or operator-managed-key tokenization through Skyflow / Very Good Security / Basis Theory / TokenEx for payment tokens). Step 2: when deterministic match returns a result above the operator-counsel-approved deterministic confidence floor, the edge is committed to the graph with deterministic tier. Step 3: when deterministic match returns no result (or returns below the floor), the probabilistic pipeline takes over — but only on signals the operator-data-science-team and operator-counsel have approved for probabilistic use. Probabilistic features include name string distance (Levenshtein, Jaro-Winkler, soundex, metaphone), address normalization through USPS or equivalent + fuzzy match, device fingerprint distance, IP cluster membership, behavioral fingerprint similarity (browsing pattern + session timing), temporal coincidence (same minute, same hour, same day), geospatial coincidence (same H3 cell, same store visit), co-purchase pattern overlap. Step 4: probabilistic match runs through the operator-chosen ML stack — Senzing, Tamr, Tilores, dedupe.io, scikit-learn fuzzy matching, or a custom XGBoost / LightGBM / Bayesian-network model the operator-data-science-team maintains. Each candidate edge gets a probability score. Step 5: edges above the operator-counsel-approved probabilistic confidence floor are committed with probabilistic tier; edges between floor and ceiling enter active-learning queue for human review; edges below floor are dropped. Step 6: ensemble or meta-learner combines deterministic and probabilistic signals when both are present, with the operator-counsel-approved weighting scheme. Step 7: Bayesian-updating feedback — when downstream evidence confirms or contradicts a probabilistic edge (the customer logs in with the deterministic key, or the abandon-cart sequence fires on the wrong person), the prior is updated. The full sequencing + per-source strategy selection + confidence tiering + feedback loop is operator-side architecture. The vendors ship strong primitives; the sequencing above them is the skill.
What does cross-source consistency, clean-room collaboration, and right-to-erasure enforcement look like?
Cross-source consistency: the same canonical identity must reconcile across the CDP (Segment, mParticle, Rudderstack, Tealium, Treasure Data, ActionIQ, Lytics, BlueConic, Amperity), the marketing automation tools (Klaviyo, Iterable, Braze, Customer.io), the ad platforms (Google Ads, Microsoft Advertising, Meta, TikTok via Conversions API), the commerce platform (Shopify, BigCommerce, Salesforce Commerce Cloud), and the loyalty / subscription / point-of-sale systems. The orchestration layer holds the canonical-identity contract and reconciles divergent representations through reverse-ETL (Hightouch, Census, Polytomic, RudderStack Reverse ETL). When the orchestration layer detects a drift (one source has merged two identities that the canonical graph treats as distinct, or one source has split one canonical identity), the conflict is logged, the affected downstream skills are notified, and operator-counsel-policy determines whether the drift is auto-resolved or held for human review. Clean-room collaboration: for partner data joins (publisher + advertiser, brand + retailer), the orchestration layer routes through AWS Clean Rooms, Snowflake Data Clean Rooms, InfoSum, Habu, LiveRamp Safe Haven, Google Ads Data Hub, or Meta Advanced Analytics — operator chooses one or more per operator-counsel-approved data sharing policy. Identity resolution inside the clean room runs only on identifiers that have been hashed + salted + tokenized per the clean-room operator’s privacy guarantees; raw PII never crosses the operator boundary. Right-to-erasure enforcement: when a customer exercises GDPR Article 17 right to erasure, CCPA right to delete, or a state-comprehensive-privacy right to delete, the canonical graph is the source of truth that drives fan-out deletion across every linked source (CDP + identity graph + marketing-automation + ad platforms + commerce + loyalty + clean-room collaborations + reverse-ETL destinations). The orchestration layer fans the deletion out, tracks per-source acknowledgement, retries on failure, and logs the cross-source completion to the WORM audit trail. The skill on this page is the orchestration that makes erasure actually erase everywhere.
What compliance does the per-event gate enforce, and how does it map to GDPR Articles 6/9/17/22/30, CCPA/CPRA + state privacy, FCRA + GLBA, PCI DSS 4.0 tokenization, and state biometric privacy laws?
Five anchors. Anchor 1: GDPR (Regulation 2016/679) Articles 6 + 9 + 17 + 22 + 30 + ePrivacy Directive 2002/58/EC. Article 6 lawful basis must be established before any per-source resolution is performed on EU resident data; Article 9 special categories require explicit consent or other Article 9(2) basis (health, biometric, sex life, political opinion, religious belief — relevant when probabilistic match touches photo recognition or voiceprint); Article 17 right to erasure requires the orchestration layer to fan deletion across every linked source; Article 22 right not to be subject to solely automated decisionmaking applies when probabilistic identity drives material decisions; Article 30 records of processing requires the orchestration layer to maintain operator-controlled records of every per-source, per-purpose, per-recipient processing operation. The gate refuses to perform per-source resolution until lawful basis + Article 9 condition + Article 30 record are verified. Anchor 2: CCPA/CPRA + state-comprehensive-privacy patchwork (Connecticut CTDPA + Texas DPSA + Virginia CDPA + Colorado CPA + Utah CPA + Oregon + Tennessee + Montana + Indiana + Iowa + Florida + Delaware + additional states in effect). Identity resolution touches personal information directly; the gate enforces right to know + right to delete + right to opt out of sale/sharing + sensitive personal info opt-out (CPRA Section 1798.121) + right to correct + right to limit use of sensitive PI. Per-state consent regimes determine whether deterministic or probabilistic match is permitted on a given residence. Anchor 3: FCRA (15 USC 1681) + GLBA Safeguards Rule (16 CFR Part 314). When identity-resolution outputs feed into consumer-report-like uses (eligibility for credit, employment, insurance, housing), FCRA applies — permissible purpose verification, adverse-action notice obligations, accuracy + correction rights, dispute procedures. GLBA Safeguards Rule applies when the operator is a financial institution (or affiliated with one) and identity-resolution touches nonpublic personal information. The gate refuses to surface probabilistic edges to FCRA-adjacent downstream skills until permissible-purpose attestation has been logged. Anchor 4: PCI DSS 4.0 (March 2024 effective + March 2025 future-dated requirements effective). When identity resolution uses hashed payment tokens, the tokenization layer must comply with PCI DSS Requirement 3 (protect stored account data) + PCI Council Tokenization Guidelines + EMVCo Payment Tokenisation Specification. Raw PAN never enters the resolution graph; only tokens issued by PCI-compliant tokenization vendors (Skyflow, Very Good Security, Basis Theory, TokenEx) cross the boundary. The gate enforces tokenization-vendor attestation before any payment-token-based match is performed. Anchor 5: State biometric privacy laws — Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) with statutory private right of action and statutory damages, Texas Capture or Use of Biometric Identifier (CUBI, Tex Bus & Com Code 503.001), Washington HB 1493, and a growing patchwork (New York City BIPA 22-1201 et seq, Portland OR Ordinance 2020-22, and others under consideration). When probabilistic match uses photo recognition or voiceprint, BIPA-class informed consent + retention-limit + destruction-policy + private right of action exposure all apply. The gate refuses to enable biometric match types until operator-counsel-approved per-state consent + retention + destruction policy is loaded. Broader gate also enforced: HIPAA (when identity resolution touches healthcare-adjacent surfaces) + ADA Title III + WCAG 2.2 AA + NIST AI RMF + ISO 27001 + ISO 42001 + SOC 2 Type II via policy-as-code (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso). WORM audit trail (AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel) with per-statute retention (GDPR 6yr + CCPA 3yr + FCRA 5yr + GLBA 6yr + BIPA 3yr after last interaction + state variable + IRS 7yr) per operator counsel policy.
What does the engagement look like across Tier 1 → Tier 2 → Tier 3, and what does the Tier 3 reporting cycle commit to?
Tier 1 AI Readiness Assessment (2-3 weeks, diagnostic): audits the operator’s current identity-resolution posture against the 5-anchor gate + per-source match-strategy selection + Bayesian-feedback policy; deliverable is a gap-pack report identifying which sources have inconsistent canonical-identity contracts, which jurisdictions are unhandled, which probabilistic match types are operating without counsel sign-off, and a recommended remediation sequence for Tier 2. Tier 2 AI Swarm Setup Sprint (4-8 weeks): builds the deterministic-probabilistic-identity-resolution skill on the customer-graph agent, wires per-source ingestion into the operator-chosen CDP + graph database, implements operator-counsel-approved per-source match-strategy selection, configures tokenization-vendor integration, configures clean-room collaboration where applicable, wires policy-as-code engine, wires WORM-storage backend, runs a 30-day shadow + canary period before flipping to enforce-mode. Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded): continues operating with per-source match-strategy tuning, Bayesian-feedback recalibration as new data accumulates, cross-source drift monitoring, right-to-erasure fan-out testing, clean-room policy maintenance, and compliance evidence-package generation. Tier 3 reporting is a 6-workstream pre-engagement-baseline reporting cycle (per-source match-coverage trend + deterministic vs probabilistic tier distribution + cross-source consistency trend + Bayesian-feedback recalibration trend + right-to-erasure fan-out completeness + WORM audit-trail completeness) measured against the operator’s pre-engagement baseline. Each workstream surfaces trend direction and the gap to operator-defined targets. Reporting carries explicit caveats: per-source vendor API rate limits + per-source ingestion completeness + clean-room operator availability + tokenization-vendor availability + per-statute retention windows + state-comprehensive-privacy statute amendments + EU AI Act implementing-regulation updates + BIPA-class litigation outcomes + FTC + state-AG rulemaking updates sit outside Completions control. Attorney-client privilege preservation across per-source match-strategy library + per-state consent regime + Article 30 records of processing + biometric-consent records is maintained per operator counsel policy.
Who owns the canonical-identity contract, the per-source strategy library, the WORM audit trail, and the customer graph?
Operator owns every artifact. The canonical-identity contract lives in the operator code repo, counsel-and-data-science-team-aligned. The per-source match-strategy library lives in operator code repo. The graph database (Neo4j, ArangoDB, TigerGraph, JanusGraph, Amazon Neptune, Memgraph, Dgraph, RedisGraph — operator chooses) runs under operator billing on operator-controlled cloud. The CDP, identity-graph subscriptions, clean-room collaborations, tokenization-vendor accounts, ML-match tooling, consent-management platform, and policy-as-code engine all run under operator billing. The Bayesian-feedback model code, the ML-match model code, the per-source strategy code, the right-to-erasure fan-out code, and the cross-source drift-detection code all live in the operator code repo. The Article 30 records of processing, the per-state consent register, the biometric-consent records, the FCRA permissible-purpose attestation records, and the GLBA Safeguards Rule risk-assessment records are operator-counsel-maintained. Completions owns the orchestration knowledge — how to design the canonical-identity contract to be defensible across GDPR + CCPA + FCRA + GLBA + PCI DSS + BIPA gates, how to tune deterministic-then-probabilistic sequencing, how to debug cross-source drift, how to design Bayesian-feedback that converges, how to fan right-to-erasure correctly — and that knowledge transfers under the Tier 3 transition path (30-60 days at engagement end with full hand-off of the canonical-identity contract, the per-source strategy library, the Bayesian-feedback wiring, the right-to-erasure fan-out, and the compliance evidence-package generation playbook). Completions credentials revoke on engagement-end.
Engage Completions
Start with the AI Readiness Assessment (Tier 1, 2-3 weeks): audit of current identity-resolution posture against the 5-anchor gate + per-source match-strategy selection + Bayesian-feedback policy. Hand off to Tier 2 AI Swarm Setup Sprint (4-8 weeks): build the skill on the customer-graph agent, wire per- source ingestion into operator-chosen CDP + graph database, implement operator-counsel-approved match-strategy, configure tokenization + clean-room + policy-as-code + WORM-storage, run 30-day shadow + canary before flipping to enforce-mode. Continue under Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded).
Related reading
- Done-for-you behavioral signal ingestion (sibling architecture on the customer-graph agent)
- Done-for-you cross-touchpoint identity resolution (companion architecture — cross-touchpoint resolution feeding the same canonical graph)
- Fractional CMO with AI Swarm (Tier 3 engagement that operates the identity-resolution cycle)