Mobile SDK Compliance – CNIL Guidelines and Processing Transparency
In September 2024, the French Data Protection Authority (CNIL) published a dedicated set of recommendations for mobile applications. These guidelines highlight strict expectations in terms of transparency, minimization of system permissions, documentation of processing operations, and proof of valid consent.
They apply both to app publishers and to technical providers such as Didomi that act as data processors.
As part of this regulatory framework, Didomi provides proactive and structured documentation to support its clients’ compliance efforts and to demonstrate the accountability of its mobile SDKs across all supported platforms (iOS, Android, hybrid frameworks).
Why this page?
As a data processor, Didomi is responsible for providing its clients — acting as data controllers — with clear, up-to-date, and complete documentation:
- describing the processing operations carried out via the SDK in mobile apps;
- clarifying the legal qualification of each processing activity;
- detailing the contractual guarantees included in the signed Data Processing Agreement (DPA).
Message from Didomi’s DPO:
“This page is also designed to help your legal teams and Data Protection Officers (DPOs) meet their documentation obligations (Articles 30 and 28 of the GDPR), and to precisely identify the technical operations involved in the use of the Didomi CMP on mobile,” explains Sébastien Gantou.
Compliance: Didomi’s key measures
Didomi aligns its practices with the CNIL’s expectations through robust technical and organizational safeguards:
- Full legal qualification of SDK processing operations, detailed in the ROPA
- A comprehensive inventory of SDK read/write operations (ROPO), as required under ePrivacy
- No use of mobile OS-level permissions by the SDK
- Modular feature design (consent collection, proof, export, analytics, etc.)
- No processing of sensitive personal data
- Full transparency on international data transfers and associated safeguards
- Documented security architecture (TLS, encryption, endpoint protection)
- Regular updates to the SDK documentation and proactive client notifications
- Access to historical consent proof at any time
- Procedures in place for incident handling and data breach notifications
- Continuously maintained and accessible public registers
Transparency: available documents
To help you evaluate and document your use of the Didomi SDK, we provide two publicly accessible registers:
- Record of Personal Data Processing Activities (ROPA)
- Record of SDK Data Processing Operations (ROPO)
Both documents are structured according to CNIL expectations and updated upon any significant change.