Webhook Automation explained

Last updated: April 9, 2026

Automate GDPR-compliant data subject request handling via secure webhook integration

Webhook Automation is a feature in Kertos that allows you to automatically forward incoming data subject requests (DSRs) to external systems. This enables real-time triggering of internal deletion or access workflows without manual input.

It helps you:

  • Automate GDPR processes (Art. 12, 15, 17)

  • Reduce manual effort when processing DSRs

  • Integrate Kertos with your internal APIs via a secure webhook

What happens when a DSR is received?

When a new data subject request (either “read” or “delete”) is created in Kertos, a webhook call is sent to your configured endpoint. The payload contains all required information to process the request in your system.

{  
	"data_subject_identifier": "string",  
	"operation": "read" | "delete",  
	"received_at": "string <date-time>" 
}

Field breakdown

Field

Description

data_subject_identifier

Unique string to identify the data subject (usually an email)

operation

"read" for access requests or "delete" for deletion requests

received_at

ISO 8601 timestamp of when the request was submitted in Kertos

How authentication works

Kertos uses a static API key to authenticate outgoing webhook requests. This key is added as a custom HTTP header:

X-API-KEY: your-api-key-here

Your system must validate this key to ensure the request is legitimate.

Example webhook payload

{  
	"data_subject_identifier": "jane.miller@kertos.io",  
	"operation": "delete",  
	"received_at": "2024-08-24T14:15:22Z" 
}

This request means that a deletion request for jane.miller@kertos.io was received on August 24, 2024 at 14:15 UTC, and your system should now delete all associated data.

How to respond to webhook requests

Your system must return the appropriate HTTP status code to let Kertos know whether the request was successfully processed.

HTTP Code

Meaning

When to use it

200 OK

Success

Request processed successfully

401 Unauthorized

Invalid/missing key

API key missing or invalid

404 Not Found

Data subject not found

Identifier not present in your system

422 Unprocessable Entity

Bad request

Payload format is invalid or incomplete

How to enable Webhook Automation in Kertos

1. Navigate to Systems from the main navigation
2. Click “Add System”

3. Search for “Webhook Call” and select it

4. In the System Detail view, scroll down to Data Processing and select the data subject type which will be used for DSR

5. In the System Detail view, scroll down to Request Automation and click “Enable Automation”

6. Enter the required configuration:

  • API Key for authentication

  • Webhook URL

7. Click Save

Webhook calls will now be triggered automatically for every incoming DSR.

FAQs

Which DSR types are supported?
Webhook Automation currently supports read and delete operations.

Can I use different URLs for each request type?
No, one URL handles both request types. You can branch internally based on the operation field.

Does Kertos retry failed webhooks?
No. If your system returns anything other than 200 OK, Kertos will log the failure but not retry the request.

How secure is the integration?
All requests are sent over HTTPS and authenticated using a shared API key.