OneTrust supports the creation of custom subdomains to allow you to customize the branding of your OneTrust application both within the application and the web browser to enrich the experience presented to your application users.
What is a Custom Subdomain?
A custom subdomain is the key to personalizing the user experience for your OneTrust application and making it your own. Let's simplify this idea using the concept of standard edition versus special edition.
Without a custom subdomain, you would get the standard edition user experience. This means that your users would access the OneTrust application with a generic OneTrust-assigned URL (i.e. app.onetrust.com). On the other hand, with a custom subdomain, you would get the special edition user experience, and your users would access the OneTrust application using a personalized URL that is unique to your organization (e.g. youramazingcompany.my.onetrust.com). In this special edition URL, "youramazingcompany" would be the requested custom subdomain within the OneTrust domain ".my.onetrust.com".
Benefits of Using a Custom Subdomain
Custom subdomains provide you with the ability to customize your URL and control additional branding elements for your OneTrust application. Using a custom subdomain includes a variety of benefits that can effectively transform the user experience. With the use of custom subdomains, you can:
Fully customize how the application displays in the web browser and Login screen with the added capability of configuring the favicon and page title that display in the web browser and customizing the image that displays on the Login screen. For more information, see Customizing Branding for Subdomains.
Eliminate disruptions to the user experience with better account portability that can retain all consent collection points, request web forms, and more when migrating environments or moving from one data center to another.
Note
This benefit is specific to migrations when already on a custom subdomain.
Creating a Custom Subdomain
You can set up a custom subdomain using the Email and Branding > Domains screen in Global Settings. You will need to configure the desired subdomain to use when accessing the application from both an application user point of view and a data subject point of view. Once you have validated, saved, and confirmed your domain changes, you will be able to access your account using the custom URL you created.
Warning
Once you have saved your domain changes, you will not be able to modify your domain without contacting OneTrust Support. If changes are necessary after you have completed this process, click here to submit a request to OneTrust Support.
Click the gear icon in the upper right-hand corner to access Global Settings.
On the Global Settings menu, select Email and Branding > Domains. The Domains screen appears.
In the Application Domain field, provide the desired subdomain to use when accessing the application from an application user point of view.
In the Data Subject Portal Domain field, provide the desired subdomain to use when accessing the application from a data subject point of view.
Note
The entry in this field will automatically populate with the entry you make in the Application Domain field followed by -privacy. For example, entering gilberthughes in the Application Domain field will result in gilberthughes-privacy being entered in the Data Subject Portal Domain field. However, this entry can be modified based on your organization's needs.
Click the Validate button. A message will appear below each domain field to indicate whether the domain is valid and ready to use. If the domain is already in use, you will be prompted to enter a different subdomain instead.
Note
Subdomains must be unique and must be validated before further action can be taken. If changes are made to either domain field after validating, you will need to repeat the validation process by clicking the Validate button once more.
Click the Save button. The Confirm Domain Changes modal appears.
Note
Once you click the Confirm button on the Confirm Domain Changes modal, you will no longer be able to make additional changes without contacting OneTrust Support.
Click the Confirm button. The custom domains are registered and you are provided with the updated URLs. You can then click the Copy icon to copy your new URLs and access your account using the new links.
Note
All links and integrations referencing the old URL will continue to work to prevent user disruption. However, once converted to a custom subdomain, you will have to use the unique URL for logging in to the application with Single Sign-On (SSO) as the old URL will no longer work.
Try out your new custom subdomain by navigating to the URL you entered in the Application Domain field above. You can now use this page instead of your previous login page.
Creating or moving an account to your company's domain
If you would like to use your company's domain, such as privacy.myawesomecompany.com, complete the following procedure.
Note
To create or move your account to your company's domain, you will need to adjust the account settings for your DNS provider. First, determine who your hosting provider is (e.g. GoDaddy, Cloudflare, Microsoft Azure, etc.) and if you have access. If you do not have access to the account, you will need to involve the IT administrator for your organization's hosting provider.
Click here to submit a request to OneTrust Support to create or move your account to a fully branded URL on your company's domain. In your request, please include the following details:
Desired fully qualified domain name (FQDN) for the application point of view, such as privacy.myawesomecompany.com, and the associated Canonical Name (CNAME). This will be the domain that your application users will use to access the available modules in the main OneTrust application.
Desired FQDN for the data subject point of view, such as portal.myawesomecompany.com, and the associated CNAME. This will be the domain for the public-facing Data Subject Portal that your organization will use when interacting with data subjects through tools including web forms and preference centers.
Account ID
OneTrust processes the request and provides you with the domain name system (DNS) provider records that need to be updated for your DNS.
Update your DNS with the DNS records provided by OneTrust.
OneTrust verifies that the DNS records have been added.
OneTrust completes the FQDN setup process and configures the SSL certificates. This step may take approximately 1 - 5 days.
Note
OneTrust uses Google Trust Services as the designated Certificate Authority (CA) to issue SSL certificates for custom FQDNs. Please ensure that you have added a Certification Authority Authorization (CAA) record for Google Trust Services to your domain.
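The CAA requirement in the note above can be checked before the request is submitted. The following is an added example, not OneTrust's code: it evaluates CAA records as RFC 8659 describes (climb from the FQDN toward the root and use the first name that has CAA records) over constructed records for the page's sample domains. The function names are hypothetical, pki.goog is the CAA issuer name published by Google Trust Services, and the records are assumed to be what a resolver returns for each name.

```python
GTS = "pki.goog"  # CAA issuer domain name of Google Trust Services

# Constructed sample data: owner name -> CAA records as (flags, tag, value).
ZONE = {
    "myawesomecompany.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@myawesomecompany.com"),
    ],
    "portal.myawesomecompany.com": [(0, "issue", "pki.goog")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """RFC 8659 tree climb: first name, from fqdn upward, that has CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def may_issue(fqdn, zone, issuer=GTS):
    """Return (allowed, reason) for a non-wildcard certificate request."""
    owner, records = relevant_rrset(fqdn, zone)
    if owner is None:
        return True, "no CAA records on the path: issuance unrestricted"
    for flags, tag, _ in records:
        # Critical bit (128) on a property the CA does not understand blocks issuance.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{tag}' at {owner}"
    # The issuer name is the part of the value before any ';' parameters.
    issuers = [v.split(";")[0].strip().lower()
               for _, tag, v in records if tag.lower() == "issue"]
    if not issuers:
        return True, f"no issue property at {owner}: issuance unrestricted"
    if issuer in issuers:
        return True, f"{issuer} authorised at {owner}"
    return False, f'{owner} authorises only {issuers}; add CAA 0 issue "{issuer}"'


if __name__ == "__main__":
    for host in ("privacy.myawesomecompany.com", "portal.myawesomecompany.com"):
        print(host, may_issue(host, ZONE))
```

With the constructed records, privacy.myawesomecompany.com inherits the apex policy and is blocked, while portal.myawesomecompany.com has its own CAA record set and is allowed.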
Custom Subdomain & FQDN FAQ
The following responses are supported solutions to frequently asked questions (FAQ) on custom subdomains and FQDNs. The OneTrust team continuously monitors these inquiries and will make additional FAQ available as they are identified.
1. Is there an additional cost for using a custom subdomain?
Using a custom subdomain with the standard suffix (e.g. youramazingcompany.my.onetrust.com) is available to all accounts free of charge. Further, accounts with an Enterprise license can choose to use a fully custom domain URL, if desired (e.g. privacy.myawesomecompany.com).
2. Are there any limitations around what the subdomain name can be?
A period (.) cannot be included in the subdomain name, all letters must be lowercase, and the subdomain name cannot already be in use. Subdomain names are granted on a first come, first served basis.
3. How long will my account be down when swapping to a custom subdomain?
There will be no downtime when swapping to a custom subdomain. All links and integrations referencing the old URL will continue to work to prevent user disruption. However, once converted to a custom subdomain, you will have to use the unique URL for logging in to the application with SSO as the old URL will no longer work.
4. How long does it take for an FQDN to be set up?
Depending on the volume of requests, it may take approximately 1 - 5 days after you update your DNS records. Please note that this change will affect SSO, so if you want this change to be done after a specific day, you must notify OneTrust of your timeline. Otherwise, this change will be completed in the order it was received.
5. If I have multiple accounts, can I use the same URL for each account?
No - A unique URL is required for each account.
6. Can I change the URL after the initial setup? How?
You can change the URL after initial setup, but this is not recommended. To request a change, submit a request to OneTrust Support.
7. What will happen if I choose to revert to a standard URL after using a custom subdomain?
Any links generated from the application that used the custom subdomain will no longer work. When you revert to a standard URL, the routes from the custom subdomain are no longer active, just as before the custom subdomain was created.
8. Are there any technical considerations that I should be aware of?
(Enterprise licenses only) If requesting a fully custom domain URL, you will need to update the DNS for your domain. This will require either having access to adjust these settings or involving the IT administrator for your organization's hosting provider.
9. Does OneTrust support multiple web application firewalls (WAF)?
No - OneTrust uses Cloudflare as the DNS. Cloudflare will be the single WAF.
10. Is using Mutual Transport Layer Security (mTLS) authentication supported if I have a OneTrust-owned custom subdomain or an FQDN that my company owns?
mTLS is supported for customers holding fully owned FQDNs as well as OneTrust-owned custom subdomains. To support mTLS, human user-facing (UI) domains and customer software-facing (API) domains operate as follows:
For customers using a OneTrust-owned custom subdomain (e.g. customer.my.onetrust.com), both human users and customer software running in the customer network talk to the same domain.
For customers using an FQDN that they fully own (e.g. privacy.customer.com), the UI-facing domain is the customer-owned FQDN, but customer software still uses the OneTrust-owned custom subdomain (e.g. customer.my.onetrust.com) for API calls.
11. How are SSL certificates managed for customers using their company's domain (FQDN)?
OneTrust utilizes Cloudflare's Custom Hostname feature (also known as Cloudflare for SaaS or SSL for SaaS) to allow customers to use a custom FQDN to access the OneTrust application. For more information on the Custom Hostname feature, see Cloudflare's documentation on Cloudflare for SaaS. For more information on how SSL certificates are issued and renewed, see Cloudflare's documentation on Cloudflare for SaaS > Security.
Troubleshooting
If you would like to revert from using a custom subdomain, click here to submit a request to OneTrust Support.