General Developer FAQs
AWS – Sydney (ap-southeast-2)
ECDH, RSA
Developer Portal FAQS
Our dev portal uses a self-serviced sign up process. You can log in using your Google, GitHub or LinkedIn account. Adatree won’t see your login details.
First, you’ll need to register for an account on Adatree’s Developer Portal. Navigate to Create A New Consent, under the Consent menu.
Then follow the steps outlined on the portal:
Choose a use case
Opt into the required data clusters (categories of data)
Adjust your data sharing preferences
Choose your data source
Read and agree to the required confirmations
You’ll then be redirected to the bank you choose. Adatree doesn’t see any information at this stage of your journey, and we only know when you successfully finish your consent journey back with us.
We offer a few sample use cases for demonstration, so you can test them out based on what data you’re interested in seeing. When you’re ready to integrate CDR into your business, we can configure any use case via API so it has the data, configurable duration, treatments and other aspects required for your unique use case.
CDR data requires the consumer to use their username or online banking identifier to participate.
In the Consumer Data Right, your password will never be shared, stored or exchanged. In most cases your bank will send you a single-use password for each unique data sharing consent.
There are 3 ways to check your consent status:
1) In the Developer Portal, navigate to ‘My consent data‘. There you will see all active, expired and revoked consents. If it isn’t there, then the data didn’t pull from your data holder (bank or energy provider).
2) Check your email inbox. Adatree is required to send you a confirmation email when consent is granted. If you didn’t receive that, then consent wasn’t completed.
3) You can also check your consent dashboard with the data holder (your bank) too!
If you’re certain you followed the proper consent process, you’ll need to raise the issue with your data holder. Alternatively, try the consent process again.
Once the duration of your consent expires, the data is deleted by default. In some cases it can be de-identified, but only where that option is made available to the consumer in the consent process.
In the Developer Portal, navigate to ‘My consent data‘. Select the consent you wish to delete. In the top-right corner, select the trash icon to withdraw/delete the consent. This will immediately revoke your consent and you’ll receive email to confirm the consent withdrawal.
Otherwise you can let the consent expire after 24 hours and your data will be deleted.
This is a CDR Receipt. It is required by law to be sent to you to confirm your data sharing arrangement. You will receive notifications when you grant, withdraw, extend, expire or amend your consent. You’ll also get a reminder every 90 days – which again is required by law.
Adatree will never sell your data. Data will only ever be shared when it is explicitly consented to by you the consumer – including the exact purpose, the data being shared, and the duration for which it is available to the data recipient.
We offer API documentation on all of our client-facing APIs, including our Data API, Consent API, Banking API and Energy API.
The data clusters include:
Get Banking Transactions
Get Banking Accounts
Get Banking Payees
Get Direct Debits
Get Scheduled Payments
Get Energy Plans
Get Energy Accounts
Get Energy Invoices
Get Energy Bills
Get Electricity Service Points
Get Electricity Usage
You’ll can also see example data schemas on the different data clusters
Navigate to ‘API documentation‘ and click on the data cluster where you’re interested. There are examples available even if you choose not to share your own data.
Our schema aligns with the Consumer Data Standards outlined in CDR regulations.
We change our APIs based on regulatory changes, product improvements and general platform improvements.
Adatree clients get further documentation, onboarding information and more detailed platform-related information and diagrams. This is part of our IP so it’s only shared with our clients and isn’t made public.
Testing Your Data
Make sure you have an active consent in ‘My Consent Data‘.
Then navigate to ‘Consent API’ and click on the settings cog at the top right to see your ‘Consent record’. There you’ll find each of your consents. If you click on a specific consent you’ll see each of the data IDs. These consent IDs are needed to get any data.
Navigate to any of the APIs under ‘API Reference’ and select GET next to any of the data types you’d like to retrieve.
For those who aren’t technologists and just want to see how it works, we recommend choosing the Data API which only requires your cdrArrangementId (copied and pasted from your ‘consent record’) to display the consent data.
Most of the time we get data updates in <100ms! If it takes longer, it could depend on a few things, being your bank or how many transactions you have in the first API call (could be thousands!). If the first time takes longer, subsequent API calls are done in a flash.
CDR data currently goes back to 2017. But the longer CDR is around the further back the data will go, to a maximum of 7 years of data.
Adatree passes through your data directly from the source, so the best place to start is with the data holder (your bank or energy provider).
With screen scraping customers provide their bank login credentials, such as their username and passwords, to a third-party service who is collecting the data on behalf of the inquiring business like your bank or a lender. That third-party facilitates the scraping of a customer’s information by logging into a consumer’s account and accessing all the same information the consumer would see in their account. Once logged in, the third party is able to “scrape” the data.
The scraping extracts the data from a digital display, collects it as raw text, and converts it for use by the collecting business. Data can continuously be “scraped” and updated from the customer’s accounts when refreshed. To facilitate this automatic process, screen scraping utilises image processing, so it’s not always accurate.
Unfortunately many consumers are unaware and non-consenting to this third-party accessing their personal data. Furthermore, many screen scrapers will sell your data and keep it indefinitely.
Conversely, CDR uses secure APIs provided by the Data Holder (e.g. a bank) organisations so Data Recipients (e.g. mortgage brokers) can access the data consistently, reliably, and in near real-time.
CDR rules and regulations dictate what customers and data recipients can view and do in terms of data sharing as well as the underlying technical standards, which ensures that consumers know what data is shared, with whom, for how long, and for what purpose. This is managed through an interface called a consent dashboard, which the customer can operate through both the Data Holder and the Data Recipient.
You may withdraw your consent at any time and can be done in three (3) ways:
1 – Through the data recipient consent dashboard;
2 – Through the data holder consent dashboard; or
3 – In writing to either party.
If you use the consent dashboard to withdraw your consent, the status of your consent will be updated in near real-time and reflect your change almost immediately. If you choose to withdraw your consent in writing, this will be completed by the data recipient or data holder within two business days.
If you withdraw your consent we’ll delete your data. However some services require your active consent and withdrawing consent could mean the services provided by the data recipient may cease.
Consumers receive a notification every 90 days to confirm the data they’ve shared, the expiry date and other consent information. They’ll receive a notification with a summary of these details any time they:
Grant consent
Commence allowing Adatree to collect CDR data
Commence allowing Adatree to disclose CDR data;
Manage consent;
Withdraw consent; or
Have consent that is expired.
You may not opt out of these notifications at any time.
Adatree must adhere to the data minimisation principle. This principle outlines that a data recipient can only ask you for data that is absolutely necessary and can only hold it for the minimum amount of time it is needed to provide their service.
Any time you give consent to a data recipient, you can also request that your CDR data, and any data derived from it, be deleted as soon as it becomes redundant. This can be managed when you first give consent or at any time your consent status is active..
We’ll only use your data for the purpose you have agreed to, and we will delete it after it has been used for that purpose.
When you withdraw data sharing consent or your consent expires, we’ll automatically irretrievably destroy your data within seconds. We’ll also automatically notify any Outsourced Service Provider or CDR Representative with whom your data has been shared and require them to irretrievably destroy your data as well.
Your data is held by Adatree in our secure and audited environment. Adatree only stores your data in Australia. Adatree does not share data with accredited parties based outside of Australia.
