Skip to content
Last updated: 2026-04-06
Reference

Data Processing Sequence

Overview of how Dxtra processes customer data from webhook events to compliance records.

Related Documentation

Architecture: Platform OverviewData SchemasData Flow Diagrams

API: GraphQL APIWebhooks

Webhook Event Processing

When external platforms (Shopify, Stripe, Mailchimp) send webhook events to Dxtra:

sequenceDiagram
    participant Platform as Your Platform
    participant Dxtra as Dxtra API
    participant DB as Privacy Database

    Note over Platform,DB: Webhook Processing Flow

    Platform->>Dxtra: POST /integrations/{platform}/webhook<br/>+ HMAC Signature

    Dxtra->>Dxtra: Validate HMAC signature
    Dxtra->>Dxtra: Parse webhook payload

    alt Valid request
        Dxtra->>Dxtra: Extract PII fields
        Dxtra->>Dxtra: Generate privacy hashes
        Dxtra->>DB: Create/update data subject
        Dxtra->>DB: Log processing activity
        Dxtra-->>Platform: 200 OK
    else Duplicate event
        Dxtra-->>Platform: 200 OK (idempotent)
    else Invalid signature
        Dxtra-->>Platform: 401 Unauthorized
    end

Data Subject Registration

When a new data subject is created through the API or webhook:

sequenceDiagram
    participant Client as Your App
    participant API as Dxtra API
    participant Auth as Authentication
    participant DB as Privacy Database

    Note over Client,DB: Data Subject Registration Flow

    Client->>API: insertDataSubject mutation
    API->>Auth: Validate JWT token
    Auth-->>API: Token valid + claims

    API->>DB: Create data subject record
    DB-->>API: Data subject created

    opt DID generation enabled
        API->>API: Generate decentralized identifier
        API->>DB: Update data subject with DID
    end

    API-->>Client: DataSubject response

Processing Activity Logging

When data processing activities are recorded:

sequenceDiagram
    participant Webhook as Webhook/API
    participant Dxtra as Dxtra Platform
    participant DB as Privacy Database

    Note over Webhook,DB: Processing Activity Flow

    Webhook->>Dxtra: Event with PII fields

    Dxtra->>Dxtra: Extract field types<br/>(email, phone, name, etc.)
    Dxtra->>Dxtra: Hash identifiers (SHA-256)

    Dxtra->>DB: Find or create data subject
    DB-->>Dxtra: data_subject_id

    Dxtra->>DB: Insert processing activity
    Note right of DB: Links to:<br/>- Data subject<br/>- Source (platform)<br/>- Activity type<br/>- Field types

    opt Privacy-preserving links
        Dxtra->>DB: Store hashed identifier links
        Note right of DB: For cross-platform matching
    end

Rights Request Processing

When a data subject submits a rights request (access, deletion, portability):

sequenceDiagram
    participant Subject as Data Subject
    participant Portal as Transparency Center
    participant API as Dxtra API
    participant DB as Privacy Database

    Note over Subject,DB: Rights Request Flow

    Subject->>Portal: Submit rights request
    Portal->>API: insertRightsRequest mutation

    API->>DB: Create rights request
    Note right of DB: Status: pending<br/>Type: access|deletion|portability

    DB-->>API: Request created

    Note over API,DB: Async processing begins

    alt Access Request
        API->>DB: Query all processing activities
        API->>API: Compile data export
    else Deletion Request
        API->>DB: Anonymize/delete records
    else Portability Request
        API->>API: Generate portable format
    end

    API->>DB: Update request status
    API->>Subject: Send notification email

When consent preferences are updated:

sequenceDiagram
    participant Widget as Consent Widget
    participant API as Dxtra API
    participant DB as Privacy Database

    Note over Widget,DB: Consent Update Flow

    Widget->>API: POST consent update
    API->>DB: Insert consent form values
    Note right of DB: Links to:<br/>- Data subject<br/>- Consent form<br/>- Preference values

    DB-->>API: Consent recorded
    API-->>Widget: 200 OK + updated preferences

Key Data Tables

The primary data types in these flows:

Type Purpose
dataControllers Organization accounts
dataSubjects Customer privacy profiles
dataProcessingActivities Processing event audit log
dataSubjectRightsRequests GDPR/CCPA rights requests
dataSubjectConsentFormValues Consent preferences
privacyPreservingLinks Cross-platform identity hashes