The company app
The company app is the Agreely dashboard, served at agreely.ca. It is the
surface where an organization manages its consent accountability end to end: it
declares what it collects and why, publishes the disclosure its customers will
read, issues consent requests, tracks each customer's status, and keeps the
compliance hub that Law 25 requires. It is a workspace for the organization and
its privacy officer, not a citizen surface.
The citizen side (the portal where a person reviews an offer, consents with a passkey, and withdraws consent) is a separate application, described in the Citizen portal.
What the app does
Inside the dashboard, a company:
- Verifies its domain, minting a
did:webcompany identity. Domain verification is the trust anchor: it is what lets consent offers be signed on behalf of the company and verified independently. See Domain and branding. - Declares its data catalog, the set of
(category, purpose)cells that describe the personal information it holds and the purposes it holds it for. See The catalog. - Publishes versioned consent documents, the article 8 disclosure a person consents under. See Consent documents.
- Issues consent requests to its customers, as signed, secure deep links. See Consent requests.
- Sees its customers and each one's consent status, at cell granularity. See Customers.
- Runs its Law 25 compliance hub: the privacy officer, policies, retention, cross-border communication, confidentiality incidents, the rights of the persons concerned, and destruction obligations. See Compliance.
- Manages its team, billing, and API keys. See Team and billing.
Roles and writes
Writes are reserved to the owner and the admin: they are the ones who can declare the catalog, publish a document, issue a request, or edit compliance. A read-only member can view the dashboard without changing it. The separation matters: the actions that commit the organization's accountability stay in authorized hands.
The onboarding path
A new tenant is greeted by an onboarding checklist that puts the steps in the right order. The order is not cosmetic: each step unlocks the next.
- Verify the domain. Without a verified domain, the company has no
did:webidentity and can sign nothing. It is the first step. - Declare the catalog. The
(category, purpose)cells are the building blocks of everything else: a consent document groups catalog cells, and a request targets catalog cells. - Name the privacy officer and fill in the compliance hub (policies, retention, cross-border communication).
- Publish a consent document, the article 8 disclosure the person will read.
- Issue a first consent request to a customer.
The checklist lets you revisit any step at any time; it simply flags what is still missing before an issuance becomes possible.
Issuing requires a verified domain and a signing key
A consent request is an offer signed on behalf of the company. Until the domain is verified and an active signing key exists, issuing is blocked. That is why domain verification opens the checklist.
Where to go next
- The catalog: declaring
(category, purpose)cells, the bilingual question, locking, and archiving. - Consent documents: the article 8 disclosure, immutable versions, and assisted generation.
- Consent requests: issuing an offer to a customer, via the dashboard or the API.
- Citizen portal: what the person concerned sees and does on the other side.
- API reference: issuing and checking programmatically.