We wanted to confirm whether the following scenario is supported by CDR where:
Whether, as a Provider with a registered Software Product with CDR, we can collect data on behalf of a Principal for a consent that was not established by our Software Product (e.g. by the Principal's own Software) but are provided with the CDR arrangement ID and access token in order to perform the data retrieval?
The model you have proposed does not align with the collection arrangement model.
The collection arrangement has the Provider managing the Provider's software product. The Provider uses their own platform and services, but the registration, keys, certificates, consent arrangements and collected data must be tied to that software product.
The Provider's product manages everything on the backend (i.e. registration with CDR, managing consent arrangements, data collection, etc.) but it can expose API endpoints (i.e. details on the consent arrangement to be provided) to the Principal such that they can then build their own customer-facing front-end on top of this?
The CDR Rules don't dictate what services a Provider may offer the Principal. The article on collection arrangements takes a technical lens to the rules and articulates what services may be offered.
It seems logical though that the Provider will offer all services required for data collection, leaving the Principal confident that all the security artefacts and collection logic are handled by an expert and they can focus on their own customer value propositions.
The Provider can then provide an integration layer to allow Principals to build their apps on top of this, in whatever form is appropriate to their use case.