
Migration Guide For Existing Customers
API Version Deprecation and Migration Policy
With the introduction of Version V3 APIs, all previous API versions (including V2 and prior) are now deprecated. Existing customers are required to migrate their integrations to the latest DPDPA-compliant API version to continue using Attestr services in accordance with updated compliance and consent management standards.
Attestr will notify all affected customers via email and provide a migration timeline of 60 working days to complete the integration upgrade process. Customers requiring additional time may raise a support ticket requesting an extension. Any such extension requests will be reviewed and approved at Attestr’s sole discretion based on internal evaluation and operational considerations.
DPDPA Agreement Signing (Mandatory)
To initiate the DPDPA onboarding and compliance process, customers must contact their respective account manager or write to contact@attestr.com requesting execution of the updated DPDPA agreement. Upon receiving the request, Attestr will share the draft agreement for review by the customer’s legal and compliance teams. The agreement may undergo further discussions and vetting between both parties before finalisation. Production or live deployment access for DPDPA-compliant APIs and workflows will be enabled only after the agreement has been duly executed and signed by both Attestr and the customer.
Understanding Consent Concepts and Definitions (Mandatory)
To better understand the consent management framework and DPDPA-related implementation requirements, customers are encouraged to refer to the following documentation resources:
- DPDPA Implementation At Attestr – Overview of DPDPA compliance and platform implementation guidelines
- Consent Definitions – Detailed explanations of consent-related concepts and terminology
- Data Storage Policy – Information regarding data retention, encryption, storage controls, and consent revocation policies
These documents provide important guidance on consent registration, lifecycle management, privacy controls, and regulatory compliance workflows. If required, Attestr can also facilitate online walkthrough sessions or discussion meetings to explain the concepts and implementation process in greater detail.
Also go through the Attestr Consent Manager Dashboard and available product features for consent lifecycle events, reporting and audit.
Plan Data Storage Requirements (Mandatory)
Review the supported Consent Types and determine whether your use case requires a one-time verification flow or long-term storage of the Data Principal’s information for future operations. Future operations may include generating PDF reports, performing recurring verifications, executing batch Excel-based checks, data sharing workflows, or other reusable consent-based activities.
Based on your requirements, choose between Single Use Consents and Reusable Consents accordingly. If reusable consent and data storage are required, you should additionally determine the desired data retention duration for each product or workflow.
By default, Attestr stores encrypted data at no additional cost for a maximum period of 7 days only. Extended storage durations may require purchase of additional storage capacity or applicable Data Storage Packs. Refer to our Data Storage Policy documentation for detailed information regarding retention duration, storage controls, encryption, and pricing considerations.
Once your storage and retention requirements are finalised, communicate the same to the Attestr team so that appropriate storage configurations and data storage packs can be purchased and provisioned accordingly.
Development Effort And Required Code Changes (Mandatory)
It is mandatory to register the end user’s (Data Principal’s) consent on the Attestr platform before using any product or service offered through the Attestr APIs. Consent registration requires specific input parameters, which are documented in the Register Consent API documentation.
Upon successful consent registration, Attestr generates a unique Consent ID, which is returned in the Register Consent API response. This Consent ID must subsequently be passed along with the request data in all applicable API requests made to the Attestr platform.
For example, to perform a DPDPA-compliant bank account verification, the generated Consent ID must be included in the request payload submitted to the Bank Account Verification API.
Developers must also update their integrations to handle the new consent-related error codes and validation responses introduced as part of DPDPA-compliant workflows.
These error codes may relate to scenarios such as invalid consent, expired consent, insufficient consent permissions, unsupported consent operations, missing Consent IDs, revoked consents, or consent validity mismatches. The complete list of applicable error codes and their handling behaviour is documented within the respective product API documentation pages.
Customer Side Consent Infrastructure Update and Responsibilities (Mandatory)
Customers (Data Fiduciary) are responsible for implementing the necessary operational, technical, and legal measures required to comply with applicable DPDPA obligations before integrating with Attestr’s (Data Processor) consent-driven APIs and services.
As part of the compliance process, customers must plan and upgrade their internal infrastructure to securely store consent records and associated audit information for the minimum duration mandated under applicable laws, internal governance policies, or regulatory requirements. Customers should also ensure that their systems are capable of maintaining proper consent traceability, auditability, and revocation handling mechanisms.
In all user-facing applications, portals, forms, or onboarding workflows where personal data is collected from the Data Principal, customers must explicitly disclose that the collected information may be shared with Attestr and/or authorised third parties for KYC, verification, compliance, fraud prevention, or related operational purposes.
Before registering consent on the Attestr platform, customers must obtain explicit approval from the Data Principal regarding:
- Consent purpose and usage
- Consent validity duration
- Permitted consent operations
- Applicable data categories and data types
- Data sharing and processing permissions
Customers must additionally implement appropriate security and privacy safeguards, including encryption, access controls, data minimisation practices, and lawful storage mechanisms to ensure that only legally permitted personal data is collected, processed, and retained. These measures are essential to maintain compliance with DPDPA and other applicable privacy and data protection regulations.
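The following is an added example, not Attestr's code or API schema: a customer-side consent ledger that checks, before a Consent ID is attached to a request, the scenarios named in the error-code section above (missing Consent ID, revoked, expired, operation not permitted) and records every decision for audit and traceability. The record fields, operation names and outcome labels are assumptions made for illustration; the actual error codes are those listed in the product API documentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class ConsentCheck(Enum):
    OK = "ok"
    MISSING_CONSENT_ID = "missing_consent_id"
    UNKNOWN_CONSENT = "unknown_consent"
    REVOKED = "revoked"
    EXPIRED = "expired"
    OPERATION_NOT_PERMITTED = "operation_not_permitted"

@dataclass
class ConsentRecord:
    # Hypothetical customer-side record; field names are not Attestr's schema.
    consent_id: str
    operations: frozenset   # operations the Data Principal approved
    expires_at: datetime    # end of the approved validity duration
    revoked: bool = False

class ConsentLedger:
    """Customer-side consent store with an append-only audit trail."""
    def __init__(self):
        self.records = {}
        self.audit = []  # (timestamp, consent_id, operation, outcome)

    def preflight(self, consent_id, operation, now):
        """Check locally whether a request may be sent with this Consent ID."""
        record = self.records.get(consent_id)
        if not consent_id:
            outcome = ConsentCheck.MISSING_CONSENT_ID
        elif record is None:
            outcome = ConsentCheck.UNKNOWN_CONSENT
        elif record.revoked:
            outcome = ConsentCheck.REVOKED
        elif now >= record.expires_at:
            outcome = ConsentCheck.EXPIRED
        elif operation not in record.operations:
            outcome = ConsentCheck.OPERATION_NOT_PERMITTED
        else:
            outcome = ConsentCheck.OK
        # Every decision is logged, including refusals, so it can be audited.
        self.audit.append((now, consent_id, operation, outcome.value))
        return outcome

# Constructed sample data: a consent valid for 7 days, one approved operation.
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
LEDGER = ConsentLedger()
LEDGER.records["consent-demo-1"] = ConsentRecord(
    "consent-demo-1", frozenset({"bank_account_verification"}), NOW + timedelta(days=7))
```

Revocation is checked before expiry so that a withdrawn consent is reported as revoked even after its validity window has passed.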
Using Attestr Hosted Consent Pages (Optional)
Customers who do not have their own portal or infrastructure to collect consent from the Data Principal can use Attestr’s Hosted Consent Pages solution. This feature enables customers to collect DPDPA-compliant consent directly through the Attestr platform without building their own consent management interface.
Attestr Hosted Pages support customised branding, white-labelled domains, and configurable consent workflows. These consent links can be delivered to the Data Principal through SMS, email, WhatsApp, or other notification channels. The end user can then review the consent details and provide consent directly on the hosted Attestr interface.
Once the consent is successfully captured, Attestr generates a unique Consent ID and shares it with the customer system through configured webhooks or APIs. This Consent ID can subsequently be used to perform KYC, verification, onboarding, compliance, and other consent-driven operations on the Attestr platform.
Under this model, Attestr assists in collecting and managing consent records on behalf of the customer, including consent lifecycle tracking and self-service consent management capabilities where applicable.
Customers interested in enabling Hosted Consent Pages may contact their respective account manager or write to for additional details, onboarding assistance, pricing, and subscription requirements. Hosted Consent Pages is a premium feature and requires a separate commercial subscription.
Data Deletion Activity Post Migration
Upon successful migration to Version V3 APIs by the Customer (Data Fiduciary), Attestr will initiate deletion or irreversible transformation of personal data that was processed, verified, and/or stored using older API versions. This activity is part of Attestr’s DPDPA compliance and data minimisation measures for legacy systems and workflows.
Customers who wish to retain historical records for their internal business, compliance, audit, or operational purposes are advised to download the required PDF reports, transaction logs, verification records, and other relevant information before the migration and cleanup activity is completed.
Once the legacy data is deleted or transformed into a non-recoverable format, it will no longer be accessible through the Attestr Dashboard, APIs, reports, or export mechanisms. Attestr will not be able to restore or regenerate such historical data after the cleanup process is completed.
Copyright © Attestr