Reference
Every signed Sanad artifact carries a typed prefix that maps to a specific regulatory section. The prefix also names which per-tenant cryptographic chain the artifact belongs to. 19 types currently in use.
/verify/<number> (e.g. /verify/CR-2026-000123).| Prefix | Type | Regulatory anchor | Example |
|---|---|---|---|
CR- | Consent receipt A signed proof that a data principal agreed to specific processing. | DPDP §6 + Rule 4 (consent manager) | CR-2026-000123 |
RR- | Rights request Intake of a §11 access / §12 correction-erasure / §13 grievance / §14 nomination / §6.4 withdrawal. | DPDP §11–§14 + §6(4) | RR-2026-000045 |
IN- | Incident Personal-data breach record. CERT-In 6h + DPDP 72h clocks start at discovered_at. | DPDP §29 + Rule 7.1 + CERT-In Direction (April 2022) | IN-2026-000007 |
IR- | Incident report Regulator-format notification rendered + signed from an incident. One per regulator (CERT-In, DPB, data principal, Board, SEBI, RBI, IRDAI). | DPDP §29 + applicable sectoral | IR-2026-000012 |
EV- | Forensic evidence Signed attachment to an incident — log dump, screenshot, system-state snapshot. | DPDP §29 supporting evidence | EV-2026-000004 |
BR- | Board report Quarterly signed aggregate across consent / rights / incidents / DPIA / RoPA / vendors / transfers. The artifact a DPO hands to the Board. | DPDP §10(2)(c) reporting obligation | BR-2026-Q2-000001 |
DP- | DPIA record Data Protection Impact Assessment for a high-risk processing activity. | DPDP §10(2)(c) DPIA obligation for SDFs | DP-2026-000003 |
PR- | Processing record (RoPA) Records of Processing Activities — what data is processed, for what purpose, on what basis, with whom shared, how long kept. | DPDP §11 + Rule 11 | PR-2026-000018 |
TR- | Cross-border transfer Registered transfer of personal data outside India with the safeguard under which it is lawful. | DPDP §16 + Rule 14 | TR-2026-000009 |
TN- | Training record Signed record of staff training delivered (DPDP, breach response, role-specific). Auditor will ask for these on day one. | DPDP §11(g) Rule 11(d) | TN-2026-000022 |
PL- | Policy Versioned organisational policy (privacy, retention, data sharing, breach response, grievance) with approval lifecycle. | DPDP §10 governance + sectoral | PL-2026-000005 |
VN- | Vendor Processor / sub-processor record with signed DPA hash + risk assessment + DPA expiry tracking. | DPDP §11 + §8(2) processor due diligence | VN-2026-000014 |
RS- | Retention schedule Per-category data retention rule — how long, when the clock starts, what happens at the end. | DPDP §8(7) retention limitation | RS-2026-000011 |
ER- | Erasure attestation Signed proof that data was erased at time T by method M for principal P / category C. | DPDP §12 + §8(7) — proof-of-erasure | ER-2026-000028 |
SX- | Subject export Signed bundle of every artifact concerning a single data principal. The artifact you hand back as a §11 access response. | DPDP §11 access right | SX-2026-000006 |
WS- | Webhook subscription Tenant's outbound HMAC-SHA256-signed event subscription. Signed snapshot at create time. | (Not regulator-mandated — internal audit) | WS-2026-000003 |
AL- | Sentinel alert Endpoint-level signed alert — disabled antivirus, OS patch overdue, missing MFA, etc. | CERT-In CIAD-2026-0020 + sectoral cyber-hygiene | AL-2026-000089 |
DR- | Detection rule Tenant-defined Sentinel detection rule. Enable/disable lifecycle is signed. | (Configuration, not regulatory) | DR-2026-000012 |
CS- | Chain snapshot Frozen attestation of an entire chain at a point in time — for off-platform custody (regulator handover, board minutes). | Custody-of-evidence support | CS-2026-000002 |
Auditors / regulators verifying a Sanad artifact by hand should expect these fields inside signed_payload. Additional fields may be present for forward-compatibility.
CR-Consent receiptSANAD_DPO_CONSENT_GENESIS_2026A signed proof that a data principal agreed to specific processing.
data_principal_id_hashpurposedata_categorieslegal_basisconsent_evidenceretentionRR-Rights requestSANAD_DPO_RIGHTS_GENESIS_2026Intake of a §11 access / §12 correction-erasure / §13 grievance / §14 nomination / §6.4 withdrawal.
data_principal_id_hashrequest_typerequest_detailsla_deadlinestatusIN-IncidentSANAD_DPO_INCIDENT_GENESIS_2026Personal-data breach record. CERT-In 6h + DPDP 72h clocks start at discovered_at.
titleseverityincident_typediscovered_ataffected_principals_countapplicable_regulatorsIR-Incident reportSANAD_DPO_INCIDENT_REPORT_GENESIS_2026Regulator-format notification rendered + signed from an incident. One per regulator (CERT-In, DPB, data principal, Board, SEBI, RBI, IRDAI).
incident_numberregulatorrendered_template_hashsubmission_evidenceEV-Forensic evidenceSANAD_DPO_EVIDENCE_GENESIS_2026Signed attachment to an incident — log dump, screenshot, system-state snapshot.
incident_numberevidence_typecontent_hashuploaded_by_contact_hashBR-Board reportSANAD_DPO_BOARD_REPORT_GENESIS_2026Quarterly signed aggregate across consent / rights / incidents / DPIA / RoPA / vendors / transfers. The artifact a DPO hands to the Board.
period_startperiod_endmetricsnarrativeDP-DPIA recordSANAD_DPO_DPIA_GENESIS_2026Data Protection Impact Assessment for a high-risk processing activity.
titleprocessing_activitiesrisk_assessmentmitigation_measuresnext_review_duePR-Processing record (RoPA)SANAD_DPO_PROCESSING_GENESIS_2026Records of Processing Activities — what data is processed, for what purpose, on what basis, with whom shared, how long kept.
activity_namepurposelegal_basisdata_categoriesrecipientsprocessorsretentioncross_borderTR-Cross-border transferSANAD_DPO_TRANSFER_GENESIS_2026Registered transfer of personal data outside India with the safeguard under which it is lawful.
destination_countrypurposedata_categoriesrecipientsafeguardsgazette_notificationTN-Training recordSANAD_DPO_TRAINING_GENESIS_2026Signed record of staff training delivered (DPDP, breach response, role-specific). Auditor will ask for these on day one.
titletraining_typetopicsdelivered_atduration_minutesattendeespassing_rate_percentPL-PolicySANAD_DPO_POLICY_GENESIS_2026Versioned organisational policy (privacy, retention, data sharing, breach response, grievance) with approval lifecycle.
titlepolicy_typeversioncontent_hasheffective_fromapproved_atVN-VendorSANAD_DPO_VENDOR_GENESIS_2026Processor / sub-processor record with signed DPA hash + risk assessment + DPA expiry tracking.
vendor_namevendor_typerisk_leveldpa_signeddpa_hashdpa_effective_fromdpa_expires_atRS-Retention scheduleSANAD_DPO_RETENTION_GENESIS_2026Per-category data retention rule — how long, when the clock starts, what happens at the end.
data_categoryretention_period_daystrigger_conditiondestruction_methodlegal_basis_to_retainER-Erasure attestationSANAD_DPO_ERASURE_GENESIS_2026Signed proof that data was erased at time T by method M for principal P / category C.
scopedata_categories_erasederasure_methoderased_atrecords_countdata_principal_id_hashSX-Subject exportSANAD_DPO_SUBJECT_EXPORT_GENESIS_2026Signed bundle of every artifact concerning a single data principal. The artifact you hand back as a §11 access response.
data_principal_id_hashbundle_artifact_countslinked_rights_intake_numbermerkle_rootWS-Webhook subscriptionSANAD_DPO_WEBHOOK_GENESIS_2026Tenant's outbound HMAC-SHA256-signed event subscription. Signed snapshot at create time.
nameurlevent_typessecret_hashstatusAL-Sentinel alertSANAD_DETECT_GENESIS_2026Endpoint-level signed alert — disabled antivirus, OS patch overdue, missing MFA, etc.
machine_idalert_typeseveritydetected_atcompliance_tagsraw_eventDR-Detection ruleSANAD_DETECT_RULE_GENESIS_2026Tenant-defined Sentinel detection rule. Enable/disable lifecycle is signed.
rule_numberrule_typematch_expressionseverity_assignedenabledCS-Chain snapshotSANAD_CHAIN_SNAPSHOT_GENESIS_2026Frozen attestation of an entire chain at a point in time — for off-platform custody (regulator handover, board minutes).
chain_prefixsnapshot_timerow_countmerkle_rootlast_chain_hashVerifier source code: JS / Python / Go · Browser verifier: /verify