End-user Identity Verification
Before accepting a DSR, it is important that we first verify that the end-user is who they claim they are.
Currently, the following identity verification methods are available:
- Email magic link verification
- JWT Account Login
All identifier verification logic can be configured on the "Data Subject Requests" settings page.
- Transcend comes pre-configured with email verification. Before a user can submit a request, they must input their email address.
- The data subject is sent an email where they are asked to click a link to verify their identity.
- The link spits the data subject back into the Privacy Center where they then must confirm the request.
You can disable this email verification step by switching to a different authentication method. You can also enable email verification in addition to JWT Account Login or OAuth verification.
If you have end-users with accounts, it's best to have them prove they can sign into their account. Transcend supports asymmetrically-signed JSON Web Tokens as a form of authentication to the Privacy Center. To support this form of authentication, you will need to host an endpoint on your authentication service that can check a user's session and redirect back to your Privacy Center.
- Data subject is redirected from your Privacy Center to your backend server
- If the data subject has an active valid session, your server redirects the user back to the Privacy Center with a JSON Web Token containing the core identifier for that user
- If the data subject has no active session, redirect them through their account login and then back to the JSON Web Token endpoint.
- Sombra will validate the JSON Web Token using whatever public key you've set.
To setup JWT account login, visit the "Data Subject Requests" settings page. There should be a section for "Authentication Methods > JWT" where you can set the public key that Sombra can use to validate the session JWT.
Read more on how to write the endpoint on your backend here.
If your website has the ability to create OAuth 2 applications, you can create an application for your Privacy Center to allow data subjects to log in with their account. The application will only need permission to receive the email address associated with the user.
OAuth 2 verification is performed with Sombra (End-to-End Encryption) meaning you don't have to trust Transcend to authenticate the user.
If you already have OAuth 2, just register a new application on your side (you can call it "Privacy Center"), and then input the needed Client ID, scopes, etc. in the "Data Subject Requests" settings page, under "Authentication Methods > OAuth".
If you have several classes of end-users (such as account-holders and newsletter-subscribers), you can use different authentication methods for each class. Please refer to the "Data Subjects" guide to set this up.