Privacy and security architecture
Our consent manager is carefully designed to protect its own internal state and regulation capabilities from other potentially malicious scripts running in the same environment. We employ the following techniques to ensure the security of our consent manager:
We use an extensive runtime reference caching & utility framework as the standard library through which all of our security-critical code is built. This library is completely resistant to all prototype pollution attacks, and dynamically adjusts for implementation differences between browsers to always provide the most secure level of abstraction available.
We require a genuine user-initiated
'submit' event or a trusted Transcend XDI consent sync to change consent after initialization.
data-tamper-resist="off"attribute on your airgap.js script.
Tamper Resistance is an optional advanced mode that helps airgap.js avoid interference from potentially malicious adtech installed on a website.
Note that Tamper Resistance mode is not required for Transcend Consent's regulation functionality and is an optional additional protection.
Tamper resistance mode was formerly enabled by default. Beginning in airgap.js version 8.11.11 it is now disabled by default. If you're running airgap.js 8.11.11 or higher and would like to enable Tamper Resistance, you can set the
data-tamper-resist="on" attribute on your airgap.js script.
The following are the storage areas used by each Transcend Consent Management component and their purpose:
localStorage.tcmConsent: A JSON object storing the user's consent state. The format of the JSON object is .
localStorage.tcmMPConsent: A JSON object keyed by site-defined partitions. Each entry represents an individual entry in the same format as
localStorage.tcmConsent. This is used to segregate consent for sites with multiple discrete same-origin sub-sites.
localStorage.tcmQuarantine: A stringified JSON object storing the requests and cookies that are held in "quarantine" before the user consents to having their data be used for various tracking purposes. You can read more about event quarantine capabilities . Transcend Consent Management can be configured to not store this information by following the instructions .
localStorage.tcmu: Unreported count of "page views" that we track for reporting purposes and for triggering pageview-based auto-consent-prompting. This data is sent to our backend and processed as an aggregate count.
localStorage.tcmr: Reported count of "page views" that we track for reporting purposes and for triggering pageview-based auto-consent-prompting.
sessionStorage.tcms: Random session identifier used to track cumulative for reporting purposes. This data is not directly shared with our backend, but it is used to generate a session count that is sent to our backend.
- Future: IndexedDB
tcmdatabase: This database will be used to store quarantined events.
|Encrypted Identifier||Encrypted identifier provided by the Transcend Customer for the end user associated with the consent record.|
|Partition||The bundle ID of the Transcend Consent Management instance that collected consent. For customers with multiple partitioned airgap bundles, this will be the partition ID.|
|Purposes||Map of consent purposes associated with the record|
|Timestamp||When consent record was created in ISO format (e.g. "2023-05-11T19:32:31.707Z")|
|Airgap.js Version (Optional)||airgap.js version in use at time of collection|
|Metadata (Optional)||Storage of additional metadata - can be configured by the customer as needed|
|Metadata Timestamp (Optional)||Timestamp for last optional metadata update|
localStorage.tcm: A JSON object storing user consent, consent metadata, and quarantine data for multiple third-party sync groups. This value was stored at
localStorage.tcm3PConsentprior to airgap.js 7.29.0.