W3C DPV · DPDP ACT 2023 · GDPR · OID4VC
Coming soon

Consent that's provable. Not just performed.

Sovio Consent replaces checkbox theatre with W3C DPV consent receipts — cryptographically signed, wallet-held, audit-trailed and revocable on the data subject's terms.

Consent that regulators verify. Subjects own. Processors trust.

Built on W3C, IETF and open standards — interoperable with DPDP Act, GDPR and every emerging privacy regulation worldwide.

W3C Data Privacy Vocabulary | DPDP Act 2023 · India | W3C Verifiable Credentials | GDPR Article 7 Alignment | OID4VC · OpenID4VP | DID · Decentralised Identifiers | Ed25519 · ECDSA Signatures | Append-Only Audit Ledger | Wallet-Native Receipts

01 · The problem

Consent today is theatre — not a contract.

01
Consent is performance, not proof
the dominant consent UX — and a legal fiction

Pre-ticked checkboxes and accept-all banners are not consent.

Users click without understanding. There is no verifiable record of what was agreed, no machine-readable purpose, and no way for the data subject to revoke that propagates downstream. The fiduciary shifts liability — the subject loses agency.

02
DPDP demands an audit trail
0 tamper-evident consent ledgers in most stacks

Spreadsheet compliance is not a regulatory defence.

The Digital Personal Data Protection Act 2023 requires accurate records of every grant, modification, revocation and expiry. Without cryptographic anchoring, server logs can be disputed, deleted or tampered with. Regulators expect proof — not promises.

Step 01 · Notice

The data subject sees what is being asked — in plain semantics

Purpose, data categories and processing operations are surfaced from the W3C DPV ontology. No buried policy text, no blanket scope, no pre-ticked boxes.

Specific. Granular. Machine-readable.

03 · Three pillars of Sovio Consent

From legal liability checkbox to verifiable cryptographic asset.

Owned by the data subject, auditable by the regulator, interoperable across every processor in the data supply chain.

PILLAR 01
Verifiable Consent Receipts

Every consent event produces a W3C DPV-compliant, cryptographically signed receipt. Proves when, what and how consent was given — not just claims it.

PILLAR 02
Immutable Audit Trails

Lifecycle events recorded on an append-only ledger. Tamper-evident, regulator-ready, DPDP Act compliant — the end of spreadsheet compliance.

PILLAR 03
Data Subject In Control

Receipts live in the user's wallet. Revocation is instant and propagates to every downstream processor — the subject, not the fiduciary, holds the keys.

04 · End-to-end flow

Hospital · Insurer · Patient — one consent, verified end to end.

  1. 00:00
    Patient registers at hospital reception
    Sovio Consent surfaces a request — share diagnosis, prescription and lab reports with SBI General Insurance for claim processing.
  2. 00:04
    Purpose and scope are reviewed
    Purpose (dpv:Purpose_Healthcare), data categories (dpv:PersonalData_Health), processing operations (Store, Share). No blanket consent.
  3. 00:08
    Patient grants consent in wallet
    A single approval signs the W3C DPV receipt with the patient's key and anchors it to the audit trail.
  4. 00:11
    Hospital releases the data
    Hospital systems verify the receipt signature and share only the consented categories with the insurer.
  5. 00:14
    Insurer validates before processing
    Receipt is checked against the Sovio audit trail. Invalid? Expired? Revoked? No data access — by policy and by code.
  6. 00:18
    Patient revokes after settlement
    A signed revocation event propagates to hospital and insurer via webhooks. Downstream retention stops.
  7. 00:20
    Audit trail is complete
    Every state transition logged with timestamps, signatures and cryptographic linkages. Regulator-ready in one query.
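
Steps 4 and 5 of the flow, written out as the gate a hospital or insurer would run before releasing data. This is an added example, not Sovio's code: `canonical`, `signReceipt`, `checkReceipt` and the `revokedIds` set are hypothetical names, the key pair and receipt are constructed samples, and signing sorted-key JSON with a base64url proof value is a simplification standing in for the Ed25519Signature2020 suite.

```javascript
const crypto = require("node:crypto");

// Sorted-key JSON. Simplification: real Data Integrity proofs canonicalise RDF.
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object")
    return "{" + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(v[k])).join(",") + "}";
  return JSON.stringify(v);
}

// Wallet side: sign everything except the proof itself.
function signReceipt(receipt, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonical(receipt)), privateKey);
  return { ...receipt, proof: { type: "Ed25519Signature2020", proofValue: sig.toString("base64url") } };
}

// Processor side: the gate run before any data is released. Fails closed.
function checkReceipt(receipt, subjectKey, request, revokedIds, now) {
  const deny = (reason) => ({ ok: false, reason, allowed: [] });
  const { proof, ...unsigned } = receipt;
  if (!proof || typeof proof.proofValue !== "string") return deny("no-proof");
  const sig = Buffer.from(proof.proofValue, "base64url");
  // Verify first: no field is trusted until the signature checks out.
  if (!crypto.verify(null, Buffer.from(canonical(unsigned)), subjectKey, sig))
    return deny("bad-signature");
  const cs = unsigned.credentialSubject;
  if (!cs || ![cs.purpose, cs.processing, cs.dataCategory].every(Array.isArray))
    return deny("malformed");
  // The ledger's revocation state wins over the status field in the receipt.
  if (revokedIds.has(unsigned.id) || cs.status !== "active") return deny("revoked");
  if (!(now >= Date.parse(cs.issuedAt) && now < Date.parse(cs.expiresAt)))
    return deny("outside-validity"); // unparseable dates also land here
  if (!cs.purpose.includes(request.purpose) || !cs.processing.includes(request.operation))
    return deny("out-of-scope");
  // Release only categories that are both requested and consented.
  return { ok: true, reason: null, allowed: request.categories.filter((c) => cs.dataCategory.includes(c)) };
}

// Constructed sample: throwaway key pair and a receipt shaped like the page's.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const sample = signReceipt({
  id: "urn:uuid:00000000-0000-4000-8000-000000000001", // placeholder id
  credentialSubject: {
    purpose: ["dpv:Purpose_Healthcare"], dataCategory: ["dpv:PersonalData_Health"],
    processing: ["dpv:Process_Store", "dpv:Process_Share"], status: "active",
    issuedAt: "2026-05-17T18:30:00Z", expiresAt: "2027-05-17T18:30:00Z",
  },
}, privateKey);
```

Because the `status` field is covered by the signature it cannot change after the grant, so a revocation is only visible through the ledger lookup, which is why that check cannot be skipped.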
05 · Key capabilities

Eight guarantees. Not policy — protocol.

  1. Verifiable, W3C DPV consent receipts — portable, signed, machine-readable.
  2. Append-only audit trail — tamper-evident lifecycle history for DPDP Act.
  3. Granular purpose binding — no blanket scopes, no scope creep, ever.
  4. Dynamic revocation — instant propagation to every downstream processor.
  5. Wallet-native storage — the subject holds the keys, not the fiduciary.
  6. Regulatory exports — DPDP Act, GDPR and ISO-aligned reports out of the box.
  7. Consent Portal SDK — embed declarative consent flows in any app.
  8. W3C DPV vocabulary — interoperable with GDPR and emerging regulations.
06 · Standards & protocols

Built on W3C, IETF and OpenID — not proprietary lock-in.

| Framework | Title | How Consent applies it |
| --- | --- | --- |
| W3C DPV | Data Privacy Vocabulary | Machine-readable purposes, data categories, processing operations and legal bases — the semantic backbone of every receipt. |
| DPDP Act 2023 | India's data protection law | Notice, consent, revocation and audit trail requirements supported end to end, out of the box. |
| W3C VCs | Verifiable Credentials | Consent receipts issued as W3C VCs — cryptographically signed, decentralised, verifiable without a central registry. |
| GDPR Article 7 | European data protection | DPV vocabulary ensures GDPR alignment — interoperable consent records for cross-border data flows. |
| DID | Decentralised Identifiers | Parties identified by DIDs — no emails, no phone numbers, no centralised identifiers. Privacy-preserving by design. |
| OID4VC | OpenID for Verifiable Credentials | Consent credentials issued and presented using OID4VC — the same standards powering national digital identity programmes. |

Every organisation that processes personal data — and every data subject who deserves real consent.

07 · Technical depth

For architects, security engineers and compliance teams.

consent · receipt.jsonld
W3C DPV · Ed25519
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/dpv/schema"
  ],
  "type":   ["VerifiableCredential", "ConsentCredential"],
  "id":     "urn:uuid:a0b0c0d4-...-91fe",
  "issuer": "did:key:z6Mk...",
  "credentialSubject": {
    "id":           "did:key:z6Mk...",
    "purpose":      ["dpv:Purpose_Healthcare"],
    "dataCategory": ["dpv:PersonalData_Health"],
    "processing":   ["dpv:Process_Store", "dpv:Process_Share"],
    "status":       "active",
    "issuedAt":     "2026-05-17T18:30:00Z",
    "expiresAt":    "2027-05-17T18:30:00Z"
  },
  "proof": { "type": "Ed25519Signature2020", "proofValue": "z5..." }
}
// revoke · POST /consent/revoke
body = { receipt_id, reason: "dpv:ReasonWithheldByUser", signature };
ledger.append(revocation_event);
webhooks.notify(downstream_processors);
return { status: "revoked", txn_hash: "0xabcd..." }
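
One way the `ledger.append` step above can be made tamper-evident is a hash chain, shown here as an added example that is not Sovio's implementation. The function names, the event fields (`type`, `receiptId`, `at`) and the sample events are assumptions made for illustration, and verification of the subject's signature on each event is left out to keep the focus on the chain.

```javascript
const crypto = require("node:crypto");

const GENESIS = "0".repeat(64);
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Each hash covers the previous entry's hash, so editing or dropping an
// entry invalidates every entry after it.
function entryHash(prev, event) {
  return sha256(prev + "\n" + JSON.stringify([event.type, event.receiptId, event.at]));
}

function append(ledger, event) {
  const prev = ledger.length ? ledger[ledger.length - 1].hash : GENESIS;
  const entry = { ...event, prev, hash: entryHash(prev, event) };
  ledger.push(entry);
  return entry.hash; // plays the role of txn_hash in the revoke response
}

// Index of the first entry that fails verification, or -1 if the chain holds.
function firstBreak(ledger) {
  let prev = GENESIS;
  for (let i = 0; i < ledger.length; i++) {
    const e = ledger[i];
    if (e.prev !== prev || e.hash !== entryHash(prev, e)) return i;
    prev = e.hash;
  }
  return -1;
}

// A receipt's state is its latest lifecycle event. Refuse to answer from a
// ledger that does not verify rather than report a stale "granted".
function statusOf(ledger, receiptId) {
  if (firstBreak(ledger) !== -1) throw new Error("ledger failed verification");
  let status = "unknown";
  for (const e of ledger) if (e.receiptId === receiptId) status = e.type;
  return status;
}

// Constructed sample events (ids and timestamps are placeholders).
function sampleLedger() {
  const ledger = [];
  append(ledger, { type: "granted", receiptId: "urn:uuid:example-1", at: "2026-05-17T18:30:00Z" });
  append(ledger, { type: "granted", receiptId: "urn:uuid:example-2", at: "2026-05-17T18:31:00Z" });
  append(ledger, { type: "revoked", receiptId: "urn:uuid:example-1", at: "2026-05-17T18:48:00Z" });
  return ledger;
}
```

A chain on its own does not reveal that the newest entries were cut off, for instance a trailing revocation: the head hash has to be signed or published somewhere the ledger operator cannot rewrite.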

Grant: < 2 s (tap to signed receipt)
Vocabulary: W3C DPV (purpose · category · op)
Signatures: Ed25519 · ECDSA (did:key bound)
SDK: iOS · Android · Web (drop-in consent portal)

subject-owned by design

Consent receipts live in the data subject's wallet. Revocation is signed by the subject's key and propagated to every downstream processor — by protocol, not by policy.

Purpose-bound · Tamper-evident ledger · Instant revocation · Subject-held keys · DPDP & GDPR aligned · Cross-processor interop

NOTICE · GRANT · REVOKE · AUDIT
Coming soon

See Sovio Consent in your ecosystem.

Sovio Consent is launching soon. Join the waitlist to get early access, launch updates and a direct line to our team for design-partner conversations.