Built for India's DPDP Rules 2025

Get DPDPA compliantbefore the Board calls.

Consent, rights, breach response, vendor DPAs, and live compliance scoring in one platform. Zero to audit-ready in days, not months.

Rules 2025 readyAWS Mumbai hosted22 Indian languagesSetup in 48 hours

Built for regulated and high-growth Indian companies

FintechEdTechHealthtechBFSIIT ServicesD2C / E-commerce

The compliance reality, today

You already know what's wrong.You just don't know where to start.

Read these. Tell us which one you have actually solved.

Consent lives in a spreadsheet.

Section 6(10)

You collected user agreement somewhere - a checkbox at signup, a tick on a form, an email reply. But you cannot produce a timestamped, purpose-specific record of what was shown and what was agreed to. Section 6(10) of the Act places the burden of proof on you.

Rights requests come over WhatsApp and email.

Rule 14(3)

A user emails asking for their data to be deleted. It sits in someone's inbox. The 90-day Rule 14(3) clock has started, but nobody knows it. No SLA tracking. No audit trail. No way to prove the request was resolved on time.

No breach plan exists.

Section 8(6) + Rule 7

If a breach happens at 11pm on a Saturday, who decides the severity? Who drafts the Board notification? Who signs off on what gets sent to users? Section 8(6) requires notification "without delay" - and a detailed report within 72 calendar hours. Weekends count.

Your vendor list is a liability.

Section 8(2)

Razorpay processes payment data. AWS hosts your database. Mailchimp holds your user list. Mixpanel tracks behaviour. Each one is processing personal data on your behalf. Section 8(2) requires a signed Data Processing Agreement with every one. How many do you have?

The Data Protection Board is operational. Enforcement is no longer hypothetical. Penalties extend up to 250 crore per violation.

See how DPDPA Shield fixes each of these

The enforcement timeline

Where we are. Where this is going.

Indian regulatory enforcement does not arrive in a single moment. It arrives in stages - and each stage closes a door.

11 August 2023

DPDPA Act enacted

The Digital Personal Data Protection Act receives Presidential assent. The framework becomes law.

14 November 2025

DPDP Rules 2025 notified

The full operational framework is published. Rules 1, 2, and 17 to 21 take effect immediately. The remaining Rules - including Rule 14(3) on rights request SLAs - take effect 18 months later.

Early 2026

Data Protection Board operational

The Indian Data Protection Board is formally established. The Board begins receiving complaints and inquiries.

Mid-2026

Current state

Organisations are still in the readiness phase. Most compliance work is reactive. The Board is observing - and gathering evidence of how organisations are preparing.

14 May 2027

Full Rules enforcement

Sections 11 to 17 (rights of Data Principals), Rule 7 (breach notification details), and the bulk of operational obligations take full effect. From this date forward, every gap is enforceable.

The CERT-In 6-hour intimation rule for cybersecurity incidents is already binding. DPDPA breach reporting under Rule 7 becomes binding from 14 May 2027. Two separate obligations. One incident.

What DPDPA Shield does

Every obligation under DPDPA.Mapped to a working module.

Not a checklist tool or a policy generator. Operational infrastructure - each module produces audit evidence, runs on AWS Mumbai, and maps to the specific section of the Act it satisfies.

All plansConsent · Rights · Breach · Dashboard · RoPA · Shield AI
Growth+Vendor Risk · Risk Register
Business+Children's Data · Policy Manager · Cloud Security
EnterpriseDPIA / SDF · Policy Manager
Shield AI

Shield AI

All plans

India-hosted AI compliance assistant on AWS Bedrock. Context built from your actual compliance data. Suggested prompts from your top failing controls. AI-assisted onboarding, PII classification, and policy drafting. Inference happens in India.

All plans

Consent Management

Notice builder in 22 Indian languages. SHA-256 cryptographic receipt per consent event. Version-controlled notices with re-consent campaigns.

Section 5, 6 and Rule 3

22-language SDK widget
SHA-256 proof vault
Version-controlled notices
Re-consent campaigns
Learn more
All plans

Data Principal Rights Portal

Branded, OTP-verified portal for all 5 request types. 90-day SLA engine with escalation alerts. Closure PDF with SHA-256 hash stored immutably in S3.

Sections 11-14 and Rule 14

OTP-verified identity
90-day SLA engine
Closure PDF auto-generated
Grievance management
Learn more
All plans

Breach Incident Management

Dual clock - CERT-In 6-hour and DPDPA 72-hour tracked in parallel. Rule 7 compliant PDFs auto-generated. Tabletop Drill Mode. 7-year WORM evidence vault.

Section 8(6), Rule 7, CERT-In 6hr

Dual CERT-In + DPDPA clocks
Rule 7 PDF artefacts
Tabletop Drill Mode
7-yr WORM vault
Learn more
All plans

Compliance Health Dashboard

0-100 readiness score across 6 modules. Penalty-weighted - gaps sized by regulatory cost. 19 DPDPA controls with hourly drift detection.

All obligations

Penalty-weighted 0-100 score
19-control grid
Hourly drift detection
Board PDF report
Learn more
All plans

RoPA and Data Inventory

44 DPDPA-specific data categories. Visual data flow maps with encryption status. RoPA export in PDF, Excel, or CSV. Cross-border transfer tracking.

Section 8 obligations

44 DPDPA data categories
Visual flow map
RoPA PDF/Excel/CSV
Cross-border tracking
Learn more
Growth+

Vendor Risk Intelligence

DPA status across your vendor stack. 5-factor risk scoring via HIBP breach checks, RDAP, SSL and domain age. Portfolio risk report PDF.

Section 8(2) and 8(5)

0-100 security score
HIBP + RDAP auto-enrichment
DPA expiry alerts
Portfolio report PDF
Learn more
Growth+

Risk Register

Risks mapped to 12 DPDPA obligations. 5x5 heatmap. Daily trend snapshots. Board report PDF with attestation page.

Section 8 risk management

12 DPDPA obligations mapped
5x5 risk heatmap
Daily trend snapshots
Board report PDF
Learn more
Business+

Privacy Policy Manager

AI-assisted policy generation from your actual RoPA. Version-controlled with field-by-field diff. Material change detection triggers re-consent.

Section 5

AI drafting from RoPA
Version diff & impact analysis
Ack capture via SDK
Re-consent trigger
Learn more
Business+

Children's Data Module

Age-verification gate. Verified parental consent via OTP. Rule 11 disability guardian support. Default restrictions on ad targeting, profiling, data sharing.

Section 9 and Rules 10-11

Age gate JS widget
Guardian OTP flow
Rule 11 disability support
Birthday check cron
Learn more
Enterprise

DPIA / SDF Workflow

20-question DPIA wizard with risk scoring. Algorithm registry. Cross-border transfer tracking. DPIA PDF stored immutably in S3.

Section 10 SDF obligations

20-Q risk scoring
Algorithm risk registry
Cross-border tracking
DPIA PDF to S3
Learn more
Free Tool

PII Scanner

Identifies Aadhaar (Verhoeff checksum), PAN, and other India-specific identifiers. Aadhaar masking via AWS Rekognition. CLI for engineering teams.

S.8 and Rule 6

Aadhaar + PAN detection
Rekognition masking
CLI for CI/CD
Feeds Data Inventory
Learn more
Business+

Cloud Security Mapping

AWS scanner with CIS → ISO 27001 → DPDPA triple control mapping. 5 scanners in parallel. Score impact per finding. Daily auto-scan.

Security safeguards - Rule 6

5 AWS scanners in parallel
CIS + ISO + DPDPA badges
Score impact per finding
Daily auto-scan
Learn more

What onboarding actually looks like

From signup to operational compliance in 30 minutes.

No engineers required. No legal consultants needed. No 30-day onboarding cycle.

01

Sign up and describe your business

Create your account. Complete the 7-question compliance assessment. Get your penalty exposure and priority actions immediately. Takes under 5 minutes.

02

Let AI map your data

Describe your business in plain English. Shield AI generates your processing purposes, consent notice, and suggested vendors - pre-mapped to DPDPA legal bases and retention periods. Review, adjust, publish.

03

Embed the consent widget

Add two lines of JavaScript to your website or product. The consent widget goes live - collecting purpose-specific, SHA-256 timestamped consent in any of 22 Indian languages from the next visitor onward.

04

Activate the rights portal

Publish your branded rights request portal. Link it from your privacy notice. Your 90-day SLA engine starts the moment a request arrives. Done.

Most customers reach operational compliance in their first session. Full setup across all 11 modules typically takes 2 to 4 hours depending on the complexity of your vendor stack and data inventory.

Book Your Onboarding Call

What DPDPA Shield actually does in practice

Three real situations. Three real responses.

Compliance is not abstract. These are the moments where it either works or fails.

Scenario 01

A user emails asking for their data to be deleted.

Without DPDPA Shield

The email lands in support. Someone tries to figure out what data the user has. They forget to confirm receipt. Eight weeks pass. The user files a complaint with the Data Protection Board, citing Rule 14(3).

With DPDPA Shield

1

User fills out request on your branded portal

2

OTP verifies identity in 30 seconds

3

System auto-acknowledges. 90-day SLA clock starts.

4

Team gets alerts at Day 60, 80, and 89

5

Request closes with a closure PDF - SHA-256 hashed and stored immutably in S3

Compliant. Evidence generated.
Scenario 02

Your engineering team finds an exposed database at 11pm on a Saturday.

Without DPDPA Shield

Slack panic. WhatsApp messages. Someone googles "DPDPA breach notification format" at 1am. The 72-hour Rule 7 clock has been running since the exposure began. CERT-In's 6-hour intimation window may have already closed.

With DPDPA Shield

1

Incident logged in Breach Incident Management

2

Severity auto-classifies in seconds

3

Dual clock panel shows CERT-In 6-hour and DPDPA 72-hour deadlines live

4

Rule 7 PDFs - DPB Intimation, Detailed Report, DP Notification - generated with one click

5

Auto-attached to evidence vault with WORM retention

Board notified. Evidence sealed.
Scenario 03

An investor's due diligence team asks for your DPDPA compliance evidence.

Without DPDPA Shield

A scramble. Screenshots from consent banners. Pasted policy text. A list of vendors you think you have agreements with. Missing audit logs. Awkward follow-up questions. The deal slows.

With DPDPA Shield

1

Open the Compliance Health Dashboard - 0-100 score is live

2

Generate the Board Report PDF - control grid, risk heatmap, deadlines, attestation

3

Share the Trust Center link - public page showing compliance posture, DPO contact, sub-processors

4

Conversation moves forward

Ready. Legally defensible.

Simple, transparent pricing

Built for organisations of every size.

All data stored in India on AWS Mumbai. Plans scale with your team size, data volume, and compliance needs. Talk to us for the right fit.

Starter

Early-stage startups and small teams

Consent Notice Builder + Widget SDK
Data Principal Rights Portal with 90-day SLA
Breach Incident Management with dual clocks
Data Inventory and RoPA Export
Compliance Health Dashboard (0-100 score)
Trust Center (public compliance page)
Shield AI (50 messages/month)
Up to 3 team members
Book a Demo
Most popular

Growth

Funded startups scaling compliance with their product

Everything in Starter
7 Indian languages (Hindi, Tamil, Bengali + 4 more)
Tabletop Drill Mode for breach testing
Vendor Risk Intelligence with auto-enrichment
Risk Register with board report PDF
Re-consent campaigns
Regulatory Radar (weekly digest)
Shield AI (200 messages/month)
Up to 10 team members
Book a Demo

Business

Regulated sectors - Fintech, Healthtech, EdTech, BFSI

Everything in Growth
All 22 Indian languages
CISO Command Center with 19-control grid
Children's Data Module (Section 9)
Cloud Security mapping (AWS)
Cyber Risk Quantification (FAIR-based)
Shield AI (1,000 messages/month)
Up to 25 team members
Book a Demo
SDF Ready

Enterprise

Significant Data Fiduciaries and large organisations

Everything in Business
SDF / DPIA assessment module
Privacy Policy Manager with AI drafting
White-label portal and branding
Custom domain for rights portal, DPO page, policy page
Shield AI (5,000 messages/month)
Unlimited team members and data principals
Dedicated technical and compliance contact
Contact Sales

What every plan includes

Data stored in India (AWS Mumbai, ap-south-1)Aligned with DPDP Rules 2025SHA-256 evidence vault with WORM storageImmutable audit logsMulti-tenant isolationJWT auth with 15-min access tokens

Not sure which plan fits? Let's figure it out together.

No sales pressure. A quick call to map your DPDPA obligations to the right plan.

Book a demo

Free DPDPA tools

Start assessing your compliance risk today.No account required.

Six free tools built on the same infrastructure that powers DPDPA Shield. Use them independently or as a starting point before you sign up.

Cookie Scanner

Scan any website for tracking cookies and third-party scripts. 100+ known trackers including Indian services (Razorpay, CleverTap, WebEngage, MoEngage). Instant compliance score.

Scan Your Website

DPDPA Maturity Assessment

20-question self-assessment across 5 DPDPA compliance domains. Maturity band (Basic to Advanced), domain-by-domain scores, and top 3 priority gaps.

Take Assessment

Breach Cost Estimator

Calculate your total financial exposure from a DPDPA breach. Sector-specific multipliers, DPDPA penalty schedule applied, remediation and reputational cost breakdown.

Estimate Your Risk
Free

DPDPA Certification

3 courses, 20 modules. Earn a verifiable DPDPA compliance certificate. LinkedIn-shareable with QR verification. Work email required for certificate claim.

Start Learning

Compliance Templates

6 free DPDPA compliance templates - RoPA spreadsheet, Privacy Notice, Breach Notification, DPIA, Vendor DPA, Retention Policy. Work email gated.

Download Templates

DPDPA Glossary

70-term glossary of DPDPA 2023 terminology in plain English. Searchable, categorised, with DPDPA section references.

Browse Glossary

Are you an MSSP, IT services company, or CA firm?

Join the DPDPA Shield Partner Programme and earn recurring commission on every client you bring in.

Learn about the Partner Programme →

EXPERT SERVICES

Need an audit, VAPT, ISO / SOC 2, or managed SOC alongside the platform?

Our CERT-In empanelled and accredited certification body partners deliver end-to-end - orchestrated on DPDPA Shield.

Explore Expert Services →
DPDPA Shield

The Board is operational.
The clock has started.

The DPDP Rules were notified on 14 November 2025. Full enforcement begins 14 May 2027. Compliance built today is defensible. Compliance built under pressure is not.

30 minutes to operational compliance. Or 18 months to wait and improvise.