End-User Identity Verification
Before a user can submit a new Data Subject Request (DSR) through the Privacy Center or check on the status of a past request, the user will need to authenticate themselves.
The following identity verification methods are available through the Privacy Center:
- Email verification (magic link)
- Account login via JSON Web Tokens (JWT)
- Account login via OAuth 2
Each of these identification strategies returns a unique and verified "Core Identifier" that can be used to look up past requests. In addition to these verification methods, Transcend supports a series of additional preflight and verification checks that can be run after the request is already submitted. You can read more about configuring these preflight checks here. These additional preflight checks include Twilio Text Code Verification and Stripe Government ID Verification.
All identity verification settings can be configured on the "Request Settings" page under the "Data Subjects" and "Authentication Methods" sections. The "Authentication Methods" section is where OAuth and JWT settings can be configured.
Once new authentication methods are configured, they can be enabled for specific Data Subjects by clicking the pencil icon next to each Data Subject, and then specifying the "Authentication Method" setting. You can read more about configuring Data Subjects here.
Transcend comes pre-configured with email verification. Before a user can submit a request, they must input their email address.
The data subject is sent an email where they are asked to click a magic link to verify their identity.
If you wish to customize the email that is sent in this verification flow, you can do so by modifying the Email Template with the title "Privacy Center Email Login".
The magic link is automatically injected into the email in a button below the email template. When the data subject clicks the link, they will be redirected into the Privacy Center with the verified email address set as their "Core Identifier". The data subject will then be able to check on the status of their past requests or confirm the submission of new requests.
Note that this email verification step on the Privacy Center happens before a DSR shows up in the Incoming Requests feed. This means all Data Subject workflows using the "Email" Authentication Method will have their emails pre-verified. When using Transcend's DSR API or when manually submitting a Data Subject Request through the Admin Dashboard, there is a separate Email Verification Preflight Check that can be configured.
If you have end-users with accounts, it's best to have them prove they can sign in to their account. Transcend supports asymmetrically-signed JSON Web Tokens as a form of authentication to the Privacy Center. To support this form of authentication, you will need to host an endpoint on your authentication service that can check a user's session and redirect back to your Privacy Center.
- The data subject is redirected from your Privacy Center to your backend server.
- If the data subject has an active, valid session, your server redirects the user back to the Privacy Center with a JSON Web Token containing the core identifier for that user.
- If the data subject has no active session, your server redirects them through their account login and then back to the JSON Web Token endpoint.
- Sombra validates the JSON Web Token using the public key you've set.
To set up JWT account login, visit the "Request Settings" page. There should be a section for "Authentication Methods > JWT" where you can set the public key that Sombra can use to validate the session JWT.
Read more on how to write the endpoint on your backend here.
If you are self-hosting Sombra, you will need to provide this public key in the environment variables for your Sombra gateway as described here.
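The redirect flow above, sketched as an added Node.js example; it is not Transcend's code or its documented token format. The claim names, the `token` query parameter, the ES384 algorithm, the URLs and the function names are all assumptions, and `verifyToken` only illustrates the checks a verifier holding the public key would apply, not Sombra's implementation.

```javascript
// Added example. Claim names, the `token` parameter, ES384 and all URLs are assumptions.
const crypto = require('node:crypto');

// Constructed key pair for the demo. In practice the private key stays in your auth
// service and only the public key is entered under "Authentication Methods > JWT".
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-384' });
const PRIVACY_CENTER_URL = 'https://privacy.example.com/'; // fixed server-side, never taken from the request

const b64url = (value) => Buffer.from(value).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Sign a short-lived token carrying the core identifier.
function issueToken(coreIdentifier, key, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'ES384', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: coreIdentifier, iat: now, exp: now + 300 }));
  const signingInput = `${header}.${payload}`;
  const sig = crypto.sign('sha384', Buffer.from(signingInput), { key, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Endpoint logic: only a live session yields a token; anyone else goes through login first.
function handleLoginRedirect(session, key) {
  if (!session || !session.userId) {
    return { status: 302, location: '/login?next=/privacy-center-jwt' }; // hypothetical paths
  }
  const url = new URL(PRIVACY_CENTER_URL);
  url.searchParams.set('token', issueToken(session.userId, key));
  return { status: 302, location: url.toString() };
}

// Verifier side: pin the algorithm, check the signature, then check expiry.
function verifyToken(token, pubKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    if (decode(h).alg !== 'ES384') return null; // rejects "none" and HMAC downgrades
    const valid = crypto.verify('sha384', Buffer.from(`${h}.${p}`),
      { key: pubKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
    if (!valid) return null;
    const claims = decode(p);
    return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
  } catch {
    return null; // malformed base64, JSON or signature encoding
  }
}
```

Pinning the expected algorithm on the verifier and keeping the redirect target in server configuration are the two checks that matter most here, since the token is the only proof of identity the Privacy Center receives.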
If your website has the ability to create OAuth 2 applications, you can create an application for your Privacy Center to allow data subjects to log in with their account. The application will only need permission to receive the email address associated with the user.
OAuth 2 verification is performed with Sombra (End-to-End Encryption), meaning you don't have to trust Transcend to authenticate the user.
If you already have OAuth 2, just register a new application on your side (you can call it "Transcend Privacy Center"), and then input the needed Client ID, scopes, etc. in the "Request Settings" settings page, under "Authentication Methods > OAuth".
If you are self-hosting Sombra, you will need to provide the OAuth configuration settings in the environment variables for your Sombra gateway as described here.