Consent Definitions

AI Tools

Understanding Concepts and Terminology

This section provides an overview of the different consent types, consent models, and related terminology supported on Attestr. Consents form the foundation of all verification, KYC, and personal data processing workflows performed through the platform. Understanding the purpose, scope, validity, and permitted operations associated with each consent type is essential for implementing compliant and secure integrations. This guide explains how Single Use and Reusable Consents work, their supported operations, usage scenarios, and how they are applied across various Attestr services and data processing workflows.

1. Roles Defined Under DPDPA

Data Principal

The individual to whom the personal data relates.

Examples: Customer, Employee, Candidate, Vendor, End User

The Data Principal has rights relating to:

  • Access to information

  • Consent withdrawal

  • Grievance redressal

  • Correction and erasure of data

Data Fiduciary

An organization that determines the purpose and means of processing personal data.

Examples: Banks, Employers, Fintech platforms, Insurance companies

The Data Fiduciary is responsible for:

  • Collecting valid consent

  • Maintaining compliance

  • Protecting personal data

  • Ensuring lawful processing

Data Processor

An entity that processes personal data on behalf of the Data Fiduciary.

Examples: Cloud providers, Verification platforms, Consent management providers, SaaS infrastructure vendors

Data Processors act based on instructions provided by the Data Fiduciary. Attestr acts as a Data Processor system in the KYC process.

Consent Manager

A Consent Manager is an interoperable platform that enables Data Principals to provide, manage, review, and withdraw consent through an accessible and transparent mechanism.

Attestr’s consent infrastructure is designed to support organizations in implementing Consent Manager-style workflows for enterprise-grade consent governance and lifecycle management.

Consent Purpose defines the specific reason or business objective for which the Data Principal’s personal data is being collected, processed, verified, stored, or shared on the Attestr Platform. It provides clear context to the Data Principal regarding how their data will be used and determines the scope of permitted processing activities associated with a consent. Every consent registered on the platform must include a valid and lawful consent purpose to ensure transparency, accountability, and regulatory compliance for all verification and data processing operations. Data collected or processed for a specific consent purpose must not be used for any other unrelated purpose without obtaining fresh and valid consent from the Data Principal. Any usage of personal data beyond the originally agreed consent purpose is considered unauthorized processing and may violate applicable data protection and privacy regulations.

Attestr restricts and standardizes the allowed Consent Purpose values that can be used while accessing services / products on the platform. Clients must select and register an appropriate consent purpose from the supported purpose definitions provided by Attestr. This ensures consistent consent management, purpose-based access control, regulatory compliance, and proper governance of personal data processing across all platform services.

Consent Purpose

Description

kyc_verification

Use this for data processing and operations related to KYC verifications

background_verification

Use this for data processing and operations related to employee background check verifications

Consent Type governs the operational lifecycle and reuse limitations of the consent.

Type

Description

single_use

Single Use Consents are intended for one-time verification and data retrieval operations. These consents are designed for scenarios where the Data Principal authorizes the Data Fiduciary to perform a single verification transaction for a specific purpose. Once a Single Use Consent has been consumed in a successful operation, the associated consent becomes invalid and cannot be reused for any subsequent requests or processing activities. Data storage and recurring workflows are not supported for single use consents.

multi_use

Reusable Consents are validity-based consents that allow multiple verification and data processing operations to be performed using the same consent within the approved consent validity period. Unlike Single Use Consents, Reusable Consents can be used across multiple workflows and transactions, making them suitable for recurring verification and ongoing data processing requirements. These consents remain valid until their configured expiry or revocation and may be reused for multiple authorized operations within the consent scope defined during consent registration.

Consent Mode defines the mechanism or channel through which consent is obtained from the Data Principal. It represents the method used by the Data Fiduciary to capture, validate, and record the Data Principal’s authorization for personal data processing and verification activities. Following values are allowed.

Consent Mode

Description

checkbox

Consent obtained through explicit checkbox acceptance in digital interfaces

mobile_otp

Consent validated using a One-Time Password (OTP) sent to the registered email address

email_otp

Consent validated using a One-Time Password (OTP) sent to the registered mobile number

digilocker

Consent obtained through DigiLocker authorization workflows

ivr

Consent captured through Interactive Voice Response (IVR) systems

physical_form

Consent collected using signed physical consent forms

offline

Consent obtained through offline or non-digital channels

Consent Operations define the specific actions and processing activities that are permitted under a registered consent on the Attestr Platform. These operations determine how the Data Principal’s personal data can be accessed, processed, stored, exported, or shared within the scope of the granted consent. Only the operations explicitly authorized as part of the consent may be performed using the associated consent id.

Supported Consent Operations include:

Operation

Description

VERIFY

Perform real-time verification and validation operations

FETCH

Retrieve data or verification results from supported sources

STORE

Store and retain processed or verified data for future use

REPORT

Generate detailed reports, including PDF downloads, portal-based views, and asynchronous retrieval operations

EXPORT

Export or download data in bulk or batch processing workflows

SHARE

Share data or verification outputs with authorized third parties, such as banks, financial institutions, or partner organizations

Consent Validity defines the lifecycle and active duration of a consent registered on the Attestr Platform. It specifies when the consent was collected, when it becomes effective for processing activities, and the time until which the consent remains valid for authorized operations.

The Consent Validity model consists of the following timestamps:

Timestamp Type

Description

consentTimestamp

Consent Timestamp - The exact date and time at which the consent was obtained from the Data Principal

consentValidFrom

Consent Effective Timestamp - The date and time from which the consent becomes active and can be used for verification or data processing operations

consentValidTill

Consent Expiry Timestamp - The date and time after which the consent is considered expired and can no longer be used for any processing activity

Consent Reference ID is a unique client-generated identifier or internal tracking tag associated with a consent registration on the Attestr Platform. It allows clients to map and track consents within their own internal systems, workflows, customer records, onboarding journeys, or transaction processes. The Consent Reference ID can be used for reconciliation, audit tracking, reporting, customer support, and future consent lookup operations without relying solely on the platform-generated consent id. Clients are responsible for ensuring that the reference ID remains unique and meaningful within their internal systems.

Consent Principal User ID (consentPrincipalUserId) is the unique identifier assigned by the client to represent the Data Principal within the client’s internal systems. This identifier is used to associate a consent record with a specific end user, customer, account, employee, or entity for whom the consent has been collected. The consentPrincipalUserId enables clients to manage, track, retrieve, and map consent records against their internal user management, onboarding, compliance, and verification workflows. This value should remain consistent and unique for the corresponding Data Principal across related transactions and consent operations.

9. Client Privacy Policy URL and Version

Client Privacy Policy URL and Version represent the privacy policy document and its corresponding version that were applicable at the time the consent was collected from the Data Principal. The Privacy Policy URL provides a publicly accessible link to the client’s privacy notice or data processing policy, while the Privacy Policy Version identifies the specific version of the policy accepted by the Data Principal during the consent flow. These fields help maintain transparency, auditability, and regulatory compliance by establishing the exact privacy terms under which the consent was obtained.

10. Client Declaration

Client Declaration (clientDeclaration) is a formal declaration made by the client on the Attestr Platform, confirming that it has lawfully collected valid consent from the Data Principal for the specified purpose, data categories, and intended processing activities. Through this declaration, the client acknowledges and affirms that the consent has been obtained in compliance with applicable laws, regulations, privacy requirements, and platform policies before initiating any verification or data processing operation using Attestr services.

11. Client Obtained By

Client Obtained By User / App ID identifies the specific user, employee, agent, application, platform, or system through which the consent was collected from the Data Principal before being registered on the Attestr Platform. This field helps clients maintain operational traceability and audit records by capturing the source entity responsible for obtaining the consent, such as a mobile application, web portal, partner platform, branch system, API client, sales agent, or internal user account. It can be used for compliance monitoring, audit investigations, workflow tracking, and internal accountability purposes.

Based on the services offered and the corresponding data inputs and outputs, personal information is organized into structured data categories and data types to enable standardized consent management and processing.

Data Category A Data Category represents a logical grouping of related personal data types associated with a Data Principal.

Data Type A Data Type refers to an individual piece of personal information within a category, such as name, mobile number, PAN, address, or bank account number.

Attestr supports the following data categories and nested data types. We'll keep updating the list as support for more data types and products are added. We recommend using the Consent Data Categories API for the most recent published list for each of our product and for API integration purposes.

Data Category

Included Data Types (PII)

personal_information

name, dob, age, gender, address, guardian_name, mother_name, father_name, spouse_name, marital_status, religion, nationality, social_category, specially_abled, other

identity

aadhaar, voter_id, drivers_license, passport, pan, ckyc_id, icai_id, central_gov_id, state_gov_id, job_id, student_id, uan, epfo_member_ id, din, customer_id, other

photo_identity

photo_id_card, photo_document, other

asset_identity

property_registration, vehicle_registration, other

business_identity

business_name, business_registration_number, business_taxid, director_id, other

contact

phone, email, social_media_handle, other

financial

bank_account, ifsc, credit_card, debit_card, upi_id, wallet_id, tax_info, income_details, revenues, itr_details, insurance_details, charge_details, investments, invoice_id, invoice_value, other

health

medical_history, current_medication, allergies, disabilities, mental_health, health_insurance, other

education

course_name, course_code, course_degree, course_grade, course_duration, institute_name, institute_address, institute_certificate, marksheet, other

employment

employer_name, employee_id, job_title, salary_details, work_experience, work_documents, work_duration, reference_details, other

biometric

fingerprint, iris_scan, facial_recognition, voice_sample, handwritten_signature, electronic_signature, photo, video, other

location

address, gps_data, ip_address, cell_tower_data, other

legal

court_records, legal_cases, compliance_documents, other

usage

browsing_history, purchase_history, app_usage, other

derived

risk_score, predictions, reputation_score, other

Consent Status represents the current operational state of a consent registered on the Attestr Platform. It indicates whether the consent is active, usable, pending approval, expired, revoked, or restricted for processing activities. Consent Status is used to determine whether verification, data processing, storage, sharing, or other authorized operations can be performed using the associated consent id.

The Consent Status may change throughout the Consent Lifecycle based on consent validity, usage, revocation requests, expiry, or administrative actions. All processing operations are permitted only when the consent is in a valid and active state. Following are the different status values:

Status

Description

REGISTERED

The consent has been registered on the platform but may not yet be fully captured or activated

CAPTURED

The consent has been successfully collected and recorded from the Data Principal

ACTIVE

The consent is valid, active, and available for permitted processing operations within its defined scope and validity period

CONSUMED

The consent has been utilized and exhausted, typically applicable for Single Use Consents

EXPIRED

The consent validity period has ended, and the consent can no longer be used for processing activities

REVOKED

The consent has been withdrawn or revoked by the Data Principal or client, making it invalid for further operations

The Consent Lifecycle defines the end-to-end journey of a consent on the Attestr Platform. from the moment consent is registered until its expiry, revocation, or termination. It governs how consents are registered, validated, utilized, monitored, and managed throughout their active duration to ensure compliant and auditable personal data processing.

Attestr supports the following lifecycle events:

Event Type

Description

STATUS_CHANGED

Triggered when the status of a consent changes, such as activation, expiry, suspension, or revocation

ACCESSED

Triggered when the consent or associated data is accessed for an authorized operation

REVOKE_REQUESTED

Triggered when a revocation request is initiated for the consent by the Data Principal or client

ADDITIONAL_REQUEST

Triggered when additional consent, permissions, data scope, or processing authorization is requested

ADDITIONAL_REQUEST_REJECTED

Triggered when an additional consent or authorization request is rejected by the Data Principal

ADDITIONAL_REQUEST_COMPLETED

Triggered when the requested additional consent or authorization process is successfully completed

ADDITIONAL_REQUEST _MODIFIED

Triggered when an existing additional consent request is modified or updated


  Last updated