
Consent Definitions
Understanding Consent Concepts and Terminology
This section provides an overview of the different consent types, consent models, and related terminology supported on Attestr. Consents form the foundation of all verification, KYC, and personal data processing workflows performed through the platform. Understanding the purpose, scope, validity, and permitted operations associated with each consent type is essential for implementing compliant and secure integrations. This guide explains how Single Use and Reusable Consents work, their supported operations, usage scenarios, and how they are applied across various Attestr services and data processing workflows.
1. Roles Defined Under DPDPA
Data Principal
The individual to whom the personal data relates.
Examples: Customer, Employee, Candidate, Vendor, End User
The Data Principal has rights relating to:
- Access to information
- Consent withdrawal
- Grievance redressal
- Correction and erasure of data
Data Fiduciary
An organization that determines the purpose and means of processing personal data.
Examples: Banks, Employers, Fintech platforms, Insurance companies
The Data Fiduciary is responsible for:
- Collecting valid consent
- Maintaining compliance
- Protecting personal data
- Ensuring lawful processing
Data Processor
An entity that processes personal data on behalf of the Data Fiduciary.
Examples: Cloud providers, Verification platforms, Consent management providers, SaaS infrastructure vendors
Data Processors act based on instructions provided by the Data Fiduciary. Attestr acts as a Data Processor system in the KYC process.
Consent Manager
A Consent Manager is an interoperable platform that enables Data Principals to provide, manage, review, and withdraw consent through an accessible and transparent mechanism.
Attestr’s consent infrastructure is designed to support organizations in implementing Consent Manager-style workflows for enterprise-grade consent governance and lifecycle management.
2. Consent Purpose
Consent Purpose defines the specific reason or business objective for which the Data Principal’s personal data is being collected, processed, verified, stored, or shared on the Attestr Platform. It provides clear context to the Data Principal regarding how their data will be used and determines the scope of permitted processing activities associated with a consent. Every consent registered on the platform must include a valid and lawful consent purpose to ensure transparency, accountability, and regulatory compliance for all verification and data processing operations. Data collected or processed for a specific consent purpose must not be used for any other unrelated purpose without obtaining fresh and valid consent from the Data Principal. Any usage of personal data beyond the originally agreed consent purpose is considered unauthorized processing and may violate applicable data protection and privacy regulations.
Attestr restricts and standardizes the allowed Consent Purpose values that can be used while accessing services / products on the platform. Clients must select and register an appropriate consent purpose from the supported purpose definitions provided by Attestr. This ensures consistent consent management, purpose-based access control, regulatory compliance, and proper governance of personal data processing across all platform services.
| Consent Purpose | Description |
|---|---|
| kyc_verification | Use this for data processing and operations related to KYC verifications |
| background_verification | Use this for data processing and operations related to employee background check verifications |
3. Consent Type
Consent Type governs the operational lifecycle and reuse limitations of the consent.
| Type | Description |
|---|---|
| single_use | Single Use Consents are intended for one-time verification and data retrieval operations. These consents are designed for scenarios where the Data Principal authorizes the Data Fiduciary to perform a single verification transaction for a specific purpose. Once a Single Use Consent has been consumed in a successful operation, the associated consent becomes invalid and cannot be reused for any subsequent requests or processing activities. Data storage and recurring workflows are not supported for single use consents. |
| multi_use | Reusable Consents are validity-based consents that allow multiple verification and data processing operations to be performed using the same consent within the approved consent validity period. Unlike Single Use Consents, Reusable Consents can be used across multiple workflows and transactions, making them suitable for recurring verification and ongoing data processing requirements. These consents remain valid until their configured expiry or revocation and may be reused for multiple authorized operations within the consent scope defined during consent registration. |
4. Consent Mode
Consent Mode defines the mechanism or channel through which consent is obtained from the Data Principal. It represents the method used by the Data Fiduciary to capture, validate, and record the Data Principal’s authorization for personal data processing and verification activities. The following values are allowed:
| Consent Mode | Description |
|---|---|
| checkbox | Consent obtained through explicit checkbox acceptance in digital interfaces |
| mobile_otp | Consent validated using a One-Time Password (OTP) sent to the registered email address |
| email_otp | Consent validated using a One-Time Password (OTP) sent to the registered mobile number |
| digilocker | Consent obtained through DigiLocker authorization workflows |
| ivr | Consent captured through Interactive Voice Response (IVR) systems |
| physical_form | Consent collected using signed physical consent forms |
| offline | Consent obtained through offline or non-digital channels |
5. Consent Operations
Consent Operations define the specific actions and processing activities that are permitted under a registered consent on the Attestr Platform. These operations determine how the Data Principal’s personal data can be accessed, processed, stored, exported, or shared within the scope of the granted consent. Only the operations explicitly authorized as part of the consent may be performed using the associated consent id.
Supported Consent Operations include:
| Operation | Description |
|---|---|
| VERIFY | Perform real-time verification and validation operations |
| FETCH | Retrieve data or verification results from supported sources |
| STORE | Store and retain processed or verified data for future use |
| REPORT | Generate detailed reports, including PDF downloads, portal-based views, and asynchronous retrieval operations |
| EXPORT | Export or download data in bulk or batch processing workflows |
| SHARE | Share data or verification outputs with authorized third parties, such as banks, financial institutions, or partner organizations |
6. Consent Validity
Consent Validity defines the lifecycle and active duration of a consent registered on the Attestr Platform. It specifies when the consent was collected, when it becomes effective for processing activities, and the time until which the consent remains valid for authorized operations.
The Consent Validity model consists of the following timestamps:
| Timestamp Type | Description |
|---|---|
| consentTimestamp | Consent Timestamp - The exact date and time at which the consent was obtained from the Data Principal |
| consentValidFrom | Consent Effective Timestamp - The date and time from which the consent becomes active and can be used for verification or data processing operations |
| consentValidTill | Consent Expiry Timestamp - The date and time after which the consent is considered expired and can no longer be used for any processing activity |
7. Consent Reference ID
Consent Reference ID is a unique client-generated identifier or internal tracking tag associated with a consent registration on the Attestr Platform. It allows clients to map and track consents within their own internal systems, workflows, customer records, onboarding journeys, or transaction processes. The Consent Reference ID can be used for reconciliation, audit tracking, reporting, customer support, and future consent lookup operations without relying solely on the platform-generated consent id. Clients are responsible for ensuring that the reference ID remains unique and meaningful within their internal systems.
8. Consent Principal User ID
Consent Principal User ID (consentPrincipalUserId) is the unique identifier assigned by the client to represent the Data Principal within the client’s internal systems. This identifier is used to associate a consent record with a specific end user, customer, account, employee, or entity for whom the consent has been collected. The consentPrincipalUserId enables clients to manage, track, retrieve, and map consent records against their internal user management, onboarding, compliance, and verification workflows. This value should remain consistent and unique for the corresponding Data Principal across related transactions and consent operations.
9. Client Privacy Policy URL and Version
Client Privacy Policy URL and Version represent the privacy policy document and its corresponding version that were applicable at the time the consent was collected from the Data Principal. The Privacy Policy URL provides a publicly accessible link to the client’s privacy notice or data processing policy, while the Privacy Policy Version identifies the specific version of the policy accepted by the Data Principal during the consent flow. These fields help maintain transparency, auditability, and regulatory compliance by establishing the exact privacy terms under which the consent was obtained.
10. Client Declaration
Client Declaration (clientDeclaration) is a formal declaration made by the client on the Attestr Platform, confirming that it has lawfully collected valid consent from the Data Principal for the specified purpose, data categories, and intended processing activities. Through this declaration, the client acknowledges and affirms that the consent has been obtained in compliance with applicable laws, regulations, privacy requirements, and platform policies before initiating any verification or data processing operation using Attestr services.
11. Client Obtained By
Client Obtained By User / App ID identifies the specific user, employee, agent, application, platform, or system through which the consent was collected from the Data Principal before being registered on the Attestr Platform. This field helps clients maintain operational traceability and audit records by capturing the source entity responsible for obtaining the consent, such as a mobile application, web portal, partner platform, branch system, API client, sales agent, or internal user account. It can be used for compliance monitoring, audit investigations, workflow tracking, and internal accountability purposes.
12. Consent Data Categories
Based on the services offered and the corresponding data inputs and outputs, personal information is organized into structured data categories and data types to enable standardized consent management and processing.
Data Category
A Data Category represents a logical grouping of related personal data types associated with a Data Principal.
Data Type
A Data Type refers to an individual piece of personal information within a category, such as name, mobile number, PAN, address, or bank account number.
Attestr supports the following data categories and nested data types. We'll keep updating the list as support for more data types and products is added. For the most recent published list for each of our products, and for API integration purposes, we recommend using the Consent Data Categories API.
| Data Category | Included Data Types (PII) |
|---|---|
| personal_information | name, dob, gender, address, guardian_name, mother_name, father_name, spouse_name, marital_status, religion, nationality, social_category, specially_abled, other |
| identity | aadhaar, voter_id, drivers_license, passport, pan, ckyc_id, icai_id, central_gov_id, state_gov_id, job_id, student_id, uan, epfo_member_id, din, other |
| asset_identity | property_registration, vehicle_registration, other |
| business_identity | business_name, business_registration_number, business_taxid, director_id, other |
| contact | phone, email, social_media_handle, other |
| financial | bank_account, ifsc, credit_card, debit_card, upi_id, wallet_id, tax_info, income_details, revenues, itr_details, insurance_details, charge_details, other |
| health | medical_history, current_medication, allergies, disabilities, mental_health, health_insurance, other |
| education | course_name, course_code, course_degree, course_grade, course_duration, institute_name, institute_address, institute_certificate, marksheet, other |
| employment | employer_name, employee_id, job_title, salary_details, work_experience, work_documents, work_duration, reference_details, other |
| biometric | fingerprint, iris_scan, facial_recognition, voice_sample, handwritten_signature, electronic_signature, photo, video, other |
| location | address, gps_data, ip_address, cell_tower_data, other |
| legal | court_records, legal_cases, compliance_documents, other |
| usage | browsing_history, purchase_history, app_usage, other |
| derived | risk_score, predictions, reputation_score, other |
13. Consent Status
Consent Status represents the current operational state of a consent registered on the Attestr Platform. It indicates whether the consent is active, usable, pending approval, expired, revoked, or restricted for processing activities. Consent Status is used to determine whether verification, data processing, storage, sharing, or other authorized operations can be performed using the associated consent id.
The Consent Status may change throughout the Consent Lifecycle based on consent validity, usage, revocation requests, expiry, or administrative actions. All processing operations are permitted only when the consent is in a valid and active state. The following are the different status values:
| Status | Description |
|---|---|
| REGISTERED | The consent has been registered on the platform but may not yet be fully captured or activated |
| CAPTURED | The consent has been successfully collected and recorded from the Data Principal |
| ACTIVE | The consent is valid, active, and available for permitted processing operations within its defined scope and validity period |
| CONSUMED | The consent has been utilized and exhausted, typically applicable for Single Use Consents |
| EXPIRED | The consent validity period has ended, and the consent can no longer be used for processing activities |
| REVOKED | The consent has been withdrawn or revoked by the Data Principal or client, making it invalid for further operations |
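A client-side pre-flight gate that combines the rules from sections 2, 3, 5, 6 and 13 before a request is sent, shown as an added example (it is not Attestr's code or API). The record layout and the field names `purpose`, `type`, `operations` and `status` are assumptions; only `consentValidFrom` and `consentValidTill` and the enum values come from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Enum values copied from the tables on this page.
PURPOSES = {"kyc_verification", "background_verification"}
OPERATIONS = {"VERIFY", "FETCH", "STORE", "REPORT", "EXPORT", "SHARE"}

@dataclass
class Consent:
    # Hypothetical local record: field names other than consentValidFrom and
    # consentValidTill are assumed; the page does not show the API's layout.
    purpose: str
    type: str               # "single_use" or "multi_use"
    operations: frozenset   # operations authorized at registration
    status: str             # REGISTERED, CAPTURED, ACTIVE, CONSUMED, ...
    consentValidFrom: datetime
    consentValidTill: datetime

def check(consent, operation, purpose, now=None):
    """Return (allowed, reason) for one operation; every failed rule denies."""
    now = now or datetime.now(timezone.utc)
    if operation not in OPERATIONS or purpose not in PURPOSES:
        return False, "unknown_operation_or_purpose"
    if consent.status != "ACTIVE":
        return False, "status_" + consent.status.lower()
    if not (consent.consentValidFrom <= now <= consent.consentValidTill):
        return False, "outside_validity_window"
    if purpose != consent.purpose:
        return False, "purpose_mismatch"          # purpose limitation
    if operation not in consent.operations:
        return False, "operation_not_authorized"
    if consent.type == "single_use" and operation == "STORE":
        return False, "store_not_supported_for_single_use"
    return True, "ok"

def record_success(consent):
    """A single_use consent is exhausted by one successful operation."""
    if consent.type == "single_use":
        consent.status = "CONSUMED"

def sample(ctype, ops):
    # Constructed sample record, not real data.
    return Consent("kyc_verification", ctype, frozenset(ops), "ACTIVE",
                   datetime(2025, 1, 1, tzinfo=timezone.utc),
                   datetime(2025, 1, 31, tzinfo=timezone.utc))
```

Logging the returned reason alongside the Consent Reference ID gives an audit trail of denied attempts, which is where purpose drift and reuse of consumed consents show up first.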
14. Consent Lifecycle Events
The Consent Lifecycle defines the end-to-end journey of a consent on the Attestr Platform, from the moment consent is registered until its expiry, revocation, or termination. It governs how consents are registered, validated, utilized, monitored, and managed throughout their active duration to ensure compliant and auditable personal data processing.
Attestr supports the following lifecycle events:
| Event Type | Description |
|---|---|
| STATUS_CHANGED | Triggered when the status of a consent changes, such as activation, expiry, suspension, or revocation |
| ACCESSED | Triggered when the consent or associated data is accessed for an authorized operation |
| REVOKE_REQUESTED | Triggered when a revocation request is initiated for the consent by the Data Principal or client |
| ADDITIONAL_REQUEST | Triggered when additional consent, permissions, data scope, or processing authorization is requested |
| ADDITIONAL_REQUEST_REJECTED | Triggered when an additional consent or authorization request is rejected by the Data Principal |
| ADDITIONAL_REQUEST_COMPLETED | Triggered when the requested additional consent or authorization process is successfully completed |
| ADDITIONAL_REQUEST_MODIFIED | Triggered when an existing additional consent request is modified or updated |
Copyright © Attestr