Frequently asked questions
- Why do SaaS companies need identity verification for data subject requests?
- Because requests for access, deletion, or correction can expose personal data or trigger irreversible actions. Verification helps ensure the request comes from the right person and reduces privacy and security risk.
- What is a practical verification method for Indonesian SaaS products?
- Use a risk-based flow: confirm the request through the logged-in account, a verified email or phone channel, and stronger checks for sensitive actions such as deletion, account transfer, or export of large datasets.
- Can SaaS teams reject a request if identity cannot be verified?
- Yes, if the company cannot reasonably confirm the requester’s identity, it can ask for additional proof or decline to act until verification is complete. The process should be documented and consistent.
- Does UU PDP require one fixed verification method?
- No. UU PDP does not prescribe a single method. Companies should choose a reasonable method based on the risk, the data involved, and the operational context.
- Should legal counsel or a privacy professional review the workflow?
- Yes, especially for enterprise SaaS, cross-border processing, or high-risk data. A professional review helps align the workflow with contract terms, internal policy, and applicable law.
Time information: This article was automatically generated on July 9, 2026 at 2:12 AM (Asia/Jakarta, 2026-07-08T19:12:19.576Z).
Why identity verification matters in SaaS privacy workflows
For Indonesian SaaS companies, data subject requests are not just a support task. They are a privacy control point. If a requester asks for access, correction, deletion, or export of personal data, the company must first make sure the request is legitimate.
That matters even more in multi-tenant SaaS, where one tenant’s admin may manage many end users, and where a single mistaken action can expose data across accounts. In Jakarta and across Indonesia, many funded startups and enterprise platforms now handle these requests through shared support inboxes, chat channels, or customer success teams. Without a clear identity verification process, that creates avoidable risk.
Under UU PDP, companies are expected to protect personal data and handle requests responsibly. The law does not force one exact verification method, but it does require a reasonable process. In practice, that means the verification step should be proportionate to the sensitivity of the data and the impact of the action.
What counts as a data subject request?
A data subject request is any request made by an individual about their personal data. In SaaS, the most common examples are:
- Requesting access to stored personal data
- Asking for correction of inaccurate data
- Requesting deletion or account closure
- Requesting export or portability of data
- Objecting to certain processing activities
These requests may arrive from a direct end user, a tenant administrator, or sometimes a customer’s internal privacy team. The challenge is that the person making the request is not always the person whose data is affected. In B2B SaaS, that distinction is critical.
What should you verify first?
The first question is simple: is the requester the data subject, an authorized representative, or just someone claiming to be one?
A practical verification flow usually starts with the least intrusive check available. For example:
- If the user is logged in, confirm the request inside the authenticated account
- If the request comes by email, match it to the verified account email on file
- If the request comes through a tenant admin, confirm the admin’s authority under the contract or tenant settings
- If the request is for a sensitive action, ask for an additional step such as a one-time code, in-app confirmation, or signed request form
For Indonesian SaaS teams, the key is to avoid relying on a single weak signal like “this email looks familiar.” That is not enough for deletion, large exports, or requests involving employee, customer, or financial data.
How to build a risk-based verification workflow
A good workflow does not treat every request the same. Instead, it scales verification based on the risk.
Low-risk requests
For simple requests like updating a display name or correcting a typo, a logged-in session plus account email confirmation may be enough.
Medium-risk requests
For access requests or limited exports, add a second factor such as a verified phone number, OTP, or confirmation through the tenant admin portal.
High-risk requests
For deletion, bulk export, account takeover recovery, or requests involving sensitive personal data, use stronger verification. This may include:
- Re-authentication in the product
- OTP to a previously verified channel
- Manual review by support or compliance
- Proof of authority for representative requests
- Approval from the tenant’s designated privacy contact
The workflow should be documented in your internal policy and reflected in your support playbooks. If your team in Jakarta handles requests from customers in Indonesia and abroad, standardization becomes even more important.
What about tenant administrators in B2B SaaS?
This is where many SaaS companies get into trouble. A tenant admin may have technical control over the workspace, but that does not automatically mean they can make every privacy request on behalf of every end user.
You need to define the admin’s authority clearly in:
- The master service agreement
- The data processing addendum, if applicable
- The product’s admin permissions model
- The privacy request SOP
If the admin is authorized to act for the tenant, then the company can process certain requests through that channel. But for requests that affect individual rights directly, especially deletion or disclosure of personal data, it is safer to confirm whether the admin is permitted to make the request and whether the request aligns with the tenant’s internal policy.
For enterprise SaaS in Indonesia, this is especially relevant when the customer is a bank, hospital, school, or government-linked organization. Their internal authorization rules may be stricter than your default support process.
How do you avoid over-verification?
Identity verification should protect privacy, not create unnecessary friction. Asking for too much information can itself become a privacy problem.
Avoid collecting:
- Unnecessary identity documents
- Excessive personal details
- Sensitive data that you do not need to verify the request
- Screenshots or documents that expose more than required
Instead, use the minimum information needed to confirm identity. If you already have a verified account, use that. If you can confirm through an existing secure channel, do that before asking for new documents.
This is especially important for startups trying to move quickly. A support team that asks for KTP scans for every request may slow down operations and increase exposure. A better approach is to define when document-based verification is truly needed and when it is not.
How should teams document the decision?
Every request should leave an audit trail. At minimum, record:
- The date and time of the request
- The type of request received
- The requester’s claimed relationship to the data
- The verification method used
- The decision made and who approved it
- Any follow-up questions or evidence requested
This record helps your team respond consistently and show that it acted reasonably. It also supports internal audits, vendor reviews, and compliance assessments. If your company uses Patuh.ai or a similar compliance workflow, this is the kind of evidence that should be easy to retrieve.
Key takeaways
- Verify identity before acting on access, deletion, correction, or export requests.
- Use a risk-based workflow instead of one fixed verification method for every case.
- In B2B SaaS, tenant admin authority must be defined in contracts and product permissions.
- Collect only the minimum information needed to confirm identity.
- Keep an audit trail so your team can show a consistent, reasonable process.
What should Indonesian SaaS teams do next?
Start by mapping your current request flow. Identify where requests arrive, who approves them, and what proof of identity is currently required. Then compare that process with your actual product architecture, especially if you run a multi-tenant platform or support enterprise customers in Indonesia.
If your workflow is still manual, build a standard operating procedure before the next privacy request arrives. If your product already supports authenticated self-service, make that the default path and reserve manual review for exceptions.
For many companies, this is also a good time to review contracts, admin roles, and data retention rules with a privacy or compliance specialist. APLINDO, based in Jakarta and working remote-first, helps funded startups and enterprises design SaaS engineering and compliance workflows that are practical, auditable, and aligned with UU PDP. That does not replace legal advice, but it can help your team turn policy into a working system.
When should you seek professional review?
Seek a professional audit or legal review when:
- Your SaaS handles sensitive personal data
- You serve enterprise or regulated customers
- Requests may involve cross-border data transfers
- Your tenant structure is complex
- You are unsure whether your verification process is proportionate
A well-designed verification workflow is not only a compliance control. It is also a trust signal for customers who expect their data to be handled carefully.

