I configured the mandatory webhooks in the app setup:
I submitted the app for approval, but I get a rejection with only this description included: "Your app hasn't subscribed to mandatory GDPR webhooks." I was able to verify the data_request one was correctly invoked (by requesting to view data for a given customer).
Anyone can shed some light?
The submission process, and specifically the rejection reason(s), is quite a blackbox. However, my webhooks implementation was returning a 400 upon hmac validation failure. I changed it to return 401 and it seemed to do the trick. My app passed the webhooks acceptance criteria. Would be nice if the rejection would contain more information about the reason why it failed.