Webhook Automation explained
Webhook Automation is a feature in Kertos that allows you to automatically forward incoming data subject requests (DSRs) to external systems. This enables real-time triggering of internal deletion or access workflows without manual input.
It helps you:
- Automate GDPR processes (Art. 12, 15, 17)
- Reduce manual effort when processing DSRs
- Integrate Kertos with your internal APIs via a secure webhook
What happens when a DSR is received?
When a new data subject request (either “read” or “delete”) is created in Kertos, a webhook call is sent to your configured endpoint. The payload contains all required information to process the request in your system.
Field breakdown
| Field | Description |
|---|---|
| data_subject_identifier | Unique string to identify the data subject (usually an email) |
| operation | "read" for access requests or "delete" for deletion requests |
| received_at | ISO 8601 timestamp of when the request was submitted in Kertos |
How authentication works
Kertos uses a static API key to authenticate outgoing webhook requests. This key is added as a custom HTTP header:
X-API-KEY: your-api-key-here
Your system must validate this key to ensure the request is legitimate.
Example POST request
POST https://api.yourdomain.com/webhooks/gdpr/
Header: X-API-KEY: your-api-key-here
Example request payload
{
  "data_subject_identifier": "jane.miller@kertos.io",
  "operation": "delete",
  "received_at": "2024-08-24T14:15:22Z"
}
This request means that a deletion request for jane.miller@kertos.io was received on August 24, 2024 at 14:15 UTC, and your system should now delete all associated data.
How to respond to webhook requests
Your system must return the appropriate HTTP status code to let Kertos know whether the request was successfully processed.
| HTTP Code | Meaning | When to use it |
|---|---|---|
| 200 OK | Success | Request processed successfully |
| 401 Unauthorized | Invalid/missing key | API key missing or invalid |
| 404 Not Found | Data subject not found | Identifier not present in your system |
| 422 Unprocessable Entity | Bad request | Payload format is invalid or incomplete |
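A receiver-side sketch of the checks described above, added here as an example and not taken from Kertos: it validates the X-API-KEY header, then the payload, and returns the status codes from the table. The function name `handle_dsr_webhook`, its parameters, the in-memory `known_subjects` store and the sample key are assumptions made for illustration.

```python
import hmac
import json
from datetime import datetime

ALLOWED_OPERATIONS = {"read", "delete"}
REQUIRED_FIELDS = ("data_subject_identifier", "operation", "received_at")


def handle_dsr_webhook(headers, body, expected_key, known_subjects):
    """Return the HTTP status code for one webhook call (hypothetical helper)."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    presented = {k.lower(): v for k, v in headers.items()}.get("x-api-key", "")
    # Fail closed if no key is configured: otherwise "" would match a missing header.
    # compare_digest runs in constant time, so timing does not reveal key prefixes.
    if not expected_key or not hmac.compare_digest(presented.encode(), expected_key.encode()):
        return 401
    # Authenticate first, parse second: unauthenticated input never reaches the parser.
    try:
        payload = json.loads(body)
    except ValueError:
        return 422
    if not isinstance(payload, dict):
        return 422
    if any(not isinstance(payload.get(f), str) or not payload[f] for f in REQUIRED_FIELDS):
        return 422
    if payload["operation"] not in ALLOWED_OPERATIONS:
        return 422
    try:
        # Older Python versions reject a trailing "Z", so map it to +00:00.
        datetime.fromisoformat(payload["received_at"].replace("Z", "+00:00"))
    except ValueError:
        return 422

    subject = payload["data_subject_identifier"]
    if subject not in known_subjects:
        return 404
    if payload["operation"] == "delete":
        known_subjects.pop(subject)  # stand-in for the real deletion workflow
    # For "read", the real system would start its access/export workflow here.
    return 200


# Constructed sample data for the example, not real values.
SAMPLE_KEY = "constructed-test-key"
SAMPLE_BODY = json.dumps({"data_subject_identifier": "jane.miller@kertos.io",
                          "operation": "delete",
                          "received_at": "2024-08-24T14:15:22Z"})
```

Since Kertos does not retry failed webhooks, record every non-200 result on your side so a rejected request can be followed up.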
How to enable Webhook Automation in Kertos
1. Navigate to Systems from the main navigation
2. Click “Add System”
3. Search for “Webhook Call” and select it
4. In the System Detail view, scroll down to Request Automation
5. Click “Enable Automation”
6. Enter the required configuration:
- Webhook URL
- API Key for authentication
7. Click Save
Webhook calls will now be triggered automatically for every incoming DSR.
FAQs
Which DSR types are supported?
Webhook Automation currently supports "read" and "delete" operations.
Can I use different URLs for each request type?
No, one URL handles both request types. You can branch internally based on the operation field.
Does Kertos retry failed webhooks?
No. If your system returns anything other than 200 OK, Kertos will log the failure but not retry the request.
How secure is the integration?
All requests are sent over HTTPS and authenticated using a shared API key.