End-user Identity Verification
Before a user can submit a new DSR through the Privacy Center or check on the status of a past request, the user will need to authenticate themselves.
The following identity verification methods are available through the Privacy Center:
- Email verification (magic link)
- Account login via JSON Web Tokens (JWT)
- Account login via OAuth 2
Each of these identification strategies returns a unique and verified "Core Identifier" that can be used to look up past requests. In addition to these verification methods, Transcend supports a series of additional preflight and verification checks that can be run after the request is already submitted. You can read more about configuring these preflight checks . These additional preflight checks include Twilio Text Code Verification and Stripe Government ID Verification.
All identity verification settings can be configured on the page under the "Data Subjects" and "Authentication Methods" sections. The "Authentication Methods" section is where OAuth and JWT Settings can be configured:
Once new authentication methods are configured, they can be enabled for specific Data Subjects by clicking the pencil icon next to each Data Subject, and then specifying the "Authentication Method" setting. You can read more about configuring Data Subjects .
Transcend comes pre-configured with email verification. Before a user can submit a request, they must input their email address.
The data subject is sent an email where they are asked to click a magic link to verify their identity.
The magic link is automatically injected into the email in a button below the email template. When the data subject clicks the link, they are redirected to the Privacy Center with their verified email address as the "Core Identifier". The data subject will then be able to check on the status of their past requests or confirm the submission of new requests.
Email Verification for Requests Submitted through Admin Dashboard or DSR API
Note that this email verification step on the Privacy Center happens before a DSR shows up in the feed. This means all Data Subject workflows using the "Email" Authentication Method will have their emails pre-verified. When using or when , there is a separate that can be configured.
If you have end-users with accounts, it's best to have them prove they can sign in to their account. Transcend supports asymmetrically-signed JSON Web Tokens as a form of authentication to the Privacy Center. To support this form of authentication, you will need to host an endpoint on your authentication service that can check a user's session and redirect back to your Privacy Center.
- Data subject is redirected from your Privacy Center to your backend server
- If the data subject has an active valid session, your server redirects the user back to the Privacy Center with a JSON Web Token containing the core identifier for that user
- If the data subject has no active session, redirect them through their account login and then back to the JSON Web Token endpoint.
- Sombra will validate the JSON Web Token using whatever public key you've set.
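The redirect flow above seen from both ends, as an added example (not Transcend's or Sombra's own code): your endpoint signs a short-lived token with its private key, and a verifier holding only the public key checks it. The ES256 algorithm, the `coreIdentifier` claim name and the 5-minute lifetime are assumptions, not values from this page.

```javascript
const crypto = require('node:crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');

// Backend side: mint a short-lived ES256 token for a user with a valid session.
// The claim name `coreIdentifier` and the 300 s lifetime are assumptions.
function issueToken(privateKey, coreIdentifier, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'ES256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ coreIdentifier, iat: now, exp: now + 300 }));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${header}.${payload}.${b64url(sig)}`;
}

// Verifier side: pin the algorithm, check the signature, then the claims.
function verifyToken(publicKey, token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, sig] = parts;
  // Never let the token choose the algorithm: reject "none", HS256, etc.
  if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'ES256') {
    throw new Error('unexpected alg');
  }
  const ok = crypto.verify('sha256', Buffer.from(`${header}.${payload}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are read only after the signature has been verified.
  const claims = JSON.parse(Buffer.from(payload, 'base64url'));
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (typeof claims.coreIdentifier !== 'string' || !claims.coreIdentifier) {
    throw new Error('missing core identifier');
  }
  return claims;
}

// Constructed demo key pair and identifier; real private keys stay in your secret store.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const token = issueToken(privateKey, 'user-1234@example.com');
  return { privateKey, publicKey, token, claims: verifyToken(publicKey, token) };
}
```

Only the public key is needed on the verifying side, so the signing key never has to leave your authentication service.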
Self Hosted Sombra
If your website has the ability to create OAuth 2 applications, you can create an application for your Privacy Center to allow data subjects to log in with their account. The application will only need permission to receive the email address associated with the user.
If you already have OAuth 2, just register a new application on your side (you can call it "Transcend Privacy Center"), and then input the needed Client ID, scopes, etc. in the settings page, under "Authentication Methods > OAuth".
Self Hosted Sombra