Server Webhook Integration

When a new data subject request is made, Transcend can send a webhook to one of your servers. Your server can implement some business logic required to fulfill the request and then asynchronously notify Transcend once that request has been fulfilled.

We have examples on GitHub. The JavaScript example is deployed live at our demo Privacy Center.

There are four steps to integrating your server with Transcend:

1. Create the integration on Transcend: Using the Transcend Admin Dashboard, create a new integration and input the webhook URL that should be notified.

2. Receive a webhook: Transcend will send a notification to your server for each new data subject request.

3. Look up and operate on user data: Your server will need to find the user specified by the webhook and perform an operation such as retrieving or deleting their personal data.

4. Notify the Transcend API of completion: Use our API to notify Transcend when the server has completed processing. For an access request, this means uploading data. For an erasure or opt out request, this means notifying Transcend that the job has been completed.

[Diagram: the webhook sent by Transcend to your server, and the POST request sent by your server to Transcend.]

  1. Go to Integrations to connect the "Server Webhook" integration type.
  2. Give your integration a title (e.g. "Core Backend Application").
  3. Set the webhook URL that we should notify.
  4. Click Connect to create the integration and store the newly created API key.
  5. Navigate to this integration in your Integrations and select the "Manage Datapoints" tab to configure what types of requests your server should be notified about.

Transcend will send a POST request to the URL from step 1. The route should first validate that the webhook is in fact coming from your Sombra gateway by validating the incoming x-sombra-token header.

See the webhook reference.

Upon receiving the webhook, you should validate that your server can process the incoming event type, enqueue the job for processing, and then respond to the webhook with:

  • a status code 200 OK if the request is queued up properly
  • a status code 401 if the event type is unknown or the signature failed to validate
  • a status code 204 if no user was found to be processed. You may also respond with status code 200 and report later that no users were found when Responding to DSRs.
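The response rules above written as a handler, added here as an illustration and not taken from Transcend's examples. `verifyToken`, `findUser`, `enqueue` and the event type values are hypothetical; how the `x-sombra-token` value is actually verified is defined in the webhook reference.

```javascript
// Added example. Only x-sombra-token, type and extras.profile.* come from the page;
// every other name here is a hypothetical stand-in for your own code.
const SUPPORTED_TYPES = new Set(['ACCESS', 'ERASURE']); // assumed event type values

function handleWebhook(headers, body, deps) {
  const { verifyToken, findUser, enqueue } = deps;

  // HTTP header names are case-insensitive, so match on the lowercased name.
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === 'x-sombra-token');
  const token = entry ? entry[1] : undefined;

  // Authenticate before reading the body, and fail closed: a missing token,
  // a non-true result or a verifier exception all count as "not validated".
  let authentic = false;
  try {
    authentic = typeof token === 'string' && token.length > 0
      && verifyToken(token) === true;
  } catch {
    authentic = false;
  }
  if (!authentic) return { status: 401 };

  // Unknown or missing event type is rejected with 401, as the page specifies.
  const type = body ? body.type : undefined;
  if (!SUPPORTED_TYPES.has(type)) return { status: 401 };

  // Look the user up by the identifier fields carried in the webhook.
  const profile = body.extras ? body.extras.profile : undefined;
  const user = profile ? findUser(profile.type, profile.identifier) : null;
  if (!user) return { status: 204 };

  // Queue the work and acknowledge; processing happens outside the request.
  enqueue({ type, userId: user.id });
  return { status: 200 };
}
```

The handler only acknowledges the webhook; the queued job still has to report completion to Transcend once it finishes.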

Use the webhook fields type, extras.profile.identifier and extras.profile.type to implement the event type on your server. This part of the process is going to be unique to your business. This may involve:

  • returning or removing rows from a database
  • returning or removing files from a filesystem
  • replacing fields containing personal data with anonymized placeholders

Please consult with your Transcend account representative on recommendations or guidelines for this process.

Once your server has successfully completed the processing of the request, you must send a POST request to Transcend that indicates that processing has been completed. In the case of a Data Subject Access Request, this will also include uploading any data associated with the end user.

Please refer to this guide for information on responding to DSRs.