
"We have 10 times more reviews than before. And each review is at least 10 times more in depth. We're looking at things we were not even able to look at before."
— Oray Oktay / VP of IT
From Fragmented Spreadsheets to a Scaled, AI-Augmented Privacy & Security Operation
Jam City is one of the largest mobile gaming companies in the world, with a portfolio spanning puzzle, collection, casual casino, and narrative game verticals, including titles built on franchises like Harry Potter and Disney. After years of acquiring and integrating studios across San Francisco, San Diego, Toronto, and beyond, the company restructured around four game verticals supported by central functions including IT, Legal, User Acquisition, and Marketing.
Oray, VP of IT, has spent over a decade at Jam City and owns the company's privacy, security, and vendor risk programs. He runs a lean operation: a small IT engineering team, one dedicated security engineer, a privacy specialist, and a support team. Privacy, security, and vendor risk all roll up to this VP.
That structure made one thing clear: scale could not come from headcount. It had to come from better systems and AI leverage.
THE CHALLENGE
A Working Program That Couldn't Scale
The company had documented processes, defined controls, and an information security program that Oray rates at roughly a 2.1 on a 1 to 4 maturity scale. The issue was not the absence of process. It was fragmentation and inconsistency.
"We had processes. Everything was documented. But were we actually up to par with all those controls? No. From a risk management perspective, yes, we were doing it, but it was not perfect. Sometimes things slipped through. It wasn't consistent. It was too fragmented."
The workflow stitched together Google Forms sent to vendors, responses tracked in Google Drive, assessments managed in Jira, and approvals routed through Jira tickets. The system worked when it worked, and broke when it didn't.
The three core problems Oray set out to solve:
- Fragmentation: Vendor intake, privacy assessments, and approvals lived across four to five disconnected tools, with no single source of truth.
- Visibility: Internal and external stakeholders had no shared view of where a review stood or what had been reviewed.
- Institutional knowledge: Three to five years of privacy and risk expertise lived in Oray's head. If he left, or if he wanted to add team members, none of it was transferable.
"If I go tomorrow, whoever comes in is not going to pick it up. But if you have a tool with defined processes, everything in place, with documentation, it could be much easier to ramp up somebody else."
Why TerraTrue: Partnership and a Holistic Approach
Jam City ran a thorough evaluation process across multiple vendors before selecting TerraTrue. Two factors tipped the decision.
The first was the approach. Other contenders offered scanning-based models that plug into source code to detect data flows. TerraTrue offers a framework-based approach that combines workflow, process, and assessments with data mapping. For a company that wanted to build the operating system for privacy, not just observe it, the framework approach was the better fit.
"Your approach was more holistic. We liked your approach better, building the whole framework rather than just scanning and finding."
The second was partnership. From the very first evaluation conversations, the TerraTrue team showed up differently than Oray expected from a vendor in an active sales cycle. Anthony, his primary point of contact at TerraTrue, ran working sessions that felt collaborative rather than transactional, taking hard questions head-on and engaging with the specific operational realities of running privacy at a lean, multi-studio gaming company.
"Anthony was great during sessions. I'm a very thorough person. I always ask hard, hard questions. The way they engaged with those questions, that's what stood out."
That posture carried directly into the customer relationship. Anthony and Oray now hold standing weekly to bi-weekly meetings focused on big-picture program direction, not just support tickets or feature requests. For Oray, who sits at the intersection of IT, security, and privacy with no dedicated privacy team behind him, having a vendor partner who operates at the program level rather than the platform level is a meaningful force multiplier.
"I'm super connected with Anthony. We still have weekly, bi-weekly meetings from a big picture standpoint. That's the kind of partnership that matters from a customer perspective."
The partnership signal during evaluation turned out to be predictive. The same responsiveness that won the deal is what later enabled the one-to-two-week API delivery cycles that unlocked the AI agent project.
IMPLEMENTATION
Faster Than Expected
Oray expected the kind of multi-month deployment cycle that platform migrations usually require. The actual experience was different.
"My experience during the implementation was really, really good. Very quick. We never had any blockers. The implementation team did a great job delivering all the milestones on time. They were very engaged and prepared."
Two structural choices made the difference:
- A dedicated Slack Connect channel between the Jam City and TerraTrue teams, used for live questions, weekly check-ins, and rapid iteration.
- Built-in taxonomy and out-of-the-box assessment templates that meant Jam City did not have to design the platform from scratch. SSO, provisioning, and base configuration were straightforward.
"Not all companies have that level of partnership. Having a dedicated Slack channel, doing everything during implementation, being available when we have questions, iterating fast. Those are important things."
The AI Agent: Where Jam City Pulled Ahead
The piece that makes Jam City's story distinct is what Oray built on top of TerraTrue, not just what he deployed inside it.
Recognizing that volume would outpace his team's capacity, Oray built a custom AI agent using Gemini Enterprise, which the company runs through its Google Workspace deployment. He internally calls it the "Oray gem," an agent fine-tuned on his own three to five years of privacy and risk assessment knowledge, supplemented with Jam City's Confluence documentation, internal product context, and specific operating instructions.
The agent acts as a privacy assistant. When a vendor review comes in, it pulls together the relevant documents and contracts, stitches the context, and surfaces what matters: the risk clauses, the missing elements, the gaps in data handling commitments.
"It does the initial work of stitching all those documents together and surfacing the important stuff. Then it acts as your assistant. Here's the risk, because there's a clause here in the contract, and it's not sufficient for data handling. Here are the missing elements."
This is where the TerraTrue partnership became a force multiplier. To make the agent work end to end, Oray's team needed API and webhook capabilities that did not yet exist in TerraTrue. One specific example: third-party risk assessment attachments, like ISO certifications, SOC reports, and HIPAA documentation, were accessible through one part of the API but not the part the agent needed to pull from.
Oray expected the feature requests to take six months or land on a next-year roadmap. TerraTrue shipped them in one to two weeks.
"The expectation was that this is probably going to be six months or next year. When you want something from Google, they don't do that right away. You guys listened, went back, built it, and shipped it in two weeks. That's incredible."
"It was a big quality of life improvement for us. Otherwise I would have had to manually pull those attachments and attach them somewhere else for the agent to ingest. Now the whole pipeline works."
THE RESULTS
10x Coverage, 10x Depth, Same Hours
Oray is direct about what changed and what didn't. Review time per assessment did not drop dramatically. That is not the story.
The story is what fits inside the same hours.
10x more reviews completed. Reviews that used to slip through the fragmented Google Forms and Jira workflow now run end to end with full audit trails. Volume that was invisible before is now visible and managed.
"We have 10 times more reviews than before. We surface all that hidden stuff. We have a much more managed process versus what was prone to human error, where steps could get missed."
10x more depth per review. The previous process averaged 10 to 20 surface-level questions per vendor. Today's process runs five specialized assessment forms covering infrastructure security, web application security, physical security, secret management, and a full privacy worksheet.
"It's like going from 300 pixel resolution to 8K. We're going through all these different details that we were not even looking at before."
Faster feature delivery from the platform partner. API and webhook requests that would typically take quarters with a larger vendor have shipped in one-to-two-week cycles, enabling the AI agent project to keep moving without TerraTrue becoming the bottleneck.
A scalable foundation for the team. With institutional knowledge encoded in both TerraTrue's workflows and the custom Gemini agent, Oray is now able to onboard team members at a foundational level of privacy knowledge rather than requiring deep subject matter expertise on day one. This is the unlock for the team expansion he is planning this year.
"AI doesn't reduce my workforce. It speeds things up so we can actually do more. We have so much important work we couldn't even touch for the last three years. Now we can."
What's Next: Vertical-Specific AI Agents
Oray's next phase is verticalizing the agent. A vendor review for an ad tech partner that runs programmatic ad bidding networks involves different data flows, different responsibilities, and different risk surfaces than a vendor review for a customer service platform or an HR tool.
He is now building sector-specific playbooks so the agent can apply tailored review logic for ad tech, customer service, HR, and other vendor categories, with TerraTrue's taxonomy customized to match.
"The agent will understand: the vendor I'm reviewing is an ad tech vendor, Jam City is the customer, and here's how data transfers in this pipeline. Versus a customer service vendor, which is a different story. We're going to define different playbooks for each sector. The reviews will be even more customized and more accurate."
Five Takeaways for IT and Security Leaders
- Partnership matters more than feature lists at the point of evaluation. The vendors that ship in two weeks instead of six months are the ones that compound over time.
- AI agents work best on top of a structured foundation. Oray's agent succeeded because TerraTrue gave it consistent, structured data to operate on. Agents on top of fragmented spreadsheets would not have produced the same result.
- Speed is not always the right metric. Depth and coverage often matter more. A 10x increase in review depth at constant time is a bigger risk reduction than a 50% time savings on shallow reviews.
- Codify institutional knowledge before you scale headcount. Oray invested upfront in encoding his expertise into both the platform and the agent. That is what makes adding junior team members viable.
- Use Slack Connect channels with critical vendors. Asynchronous, persistent partner communication beats email tickets for fast-moving programs.

