Get DPDPA compliant
before the Board calls.
Consent, rights, breach response, vendor DPAs, and live compliance scoring in one platform.
Zero to audit-ready in days, not months.
Compliance Overview
Compliance Score
96%
↑ 12% vs last month
Recent Activity
Compliant
1,248 consents
this month
Vendor Risk
82
Vendors Assessed
12 High Risk
3
Pending Requests
Avg. resolution time
4.2 days
72-hour Breach Timer
71:18:42
Time Remaining

Built for regulated and high-growth Indian companies
The compliance reality, today
You already know what's wrong.
You just don't know where to start.
Read these. Tell us which one you have actually solved.
Consent lives in a spreadsheet.
Section 6(10)You collected user agreement somewhere - a checkbox at signup, a tick on a form, an email reply. But you cannot produce a timestamped, purpose-specific record of what was shown and what was agreed to. Section 6(10) of the Act places the burden of proof on you.
Rights requests come over WhatsApp and email.
Rule 14(3)A user emails asking for their data to be deleted. It sits in someone's inbox. The 90-day Rule 14(3) clock has started, but nobody knows it. No SLA tracking. No audit trail. No way to prove the request was resolved on time.
No breach plan exists.
Section 8(6) + Rule 7If a breach happens at 11pm on a Saturday, who decides the severity? Who drafts the Board notification? Who signs off on what gets sent to users? Section 8(6) requires notification "without delay" - and a detailed report within 72 calendar hours. Weekends count.
Your vendor list is a liability.
Section 8(2)Razorpay processes payment data. AWS hosts your database. Mailchimp holds your user list. Mixpanel tracks behaviour. Each one is processing personal data on your behalf. Section 8(2) requires a signed Data Processing Agreement with every one. How many do you have?
The Data Protection Board is operational. Enforcement is no longer hypothetical. Penalties extend up to 250 crore per violation.
See how DPDPA Shield fixes each of theseThe enforcement timeline
Where we are. Where this is going.
Indian regulatory enforcement does not arrive in a single moment. It arrives in stages - and each stage closes a door.
DPDPA Act enacted
The Digital Personal Data Protection Act receives Presidential assent. The framework becomes law.
DPDP Rules 2025 notified
The full operational framework is published. Rules 1, 2, and 17 to 21 take effect immediately. The remaining Rules - including Rule 14(3) on rights request SLAs - take effect 18 months later.
Data Protection Board operational
The Indian Data Protection Board is formally established. The Board begins receiving complaints and inquiries.
Current state
Organisations are still in the readiness phase. Most compliance work is reactive. The Board is observing - and gathering evidence of how organisations are preparing.
Full Rules enforcement
Sections 11 to 17 (rights of Data Principals), Rule 7 (breach notification details), and the bulk of operational obligations take full effect. From this date forward, every gap is enforceable.
The CERT-In 6-hour intimation rule for cybersecurity incidents is already binding. DPDPA breach reporting under Rule 7 becomes binding from 14 May 2027. Two separate obligations. One incident.
What DPDPA Shield does
Every obligation under DPDPA.
Mapped to a working module.
Not a checklist tool or a policy generator. Operational infrastructure - each module produces audit evidence, runs on AWS Mumbai, and maps to the specific section of the Act it satisfies.

Shield AI
All plansIndia-hosted AI compliance assistant on AWS Bedrock. Context built from your actual compliance data. Suggested prompts from your top failing controls. AI-assisted onboarding, PII classification, and policy drafting. Inference happens in India.
Consent Management
Notice builder in 22 Indian languages. SHA-256 cryptographic receipt per consent event. Version-controlled notices with re-consent campaigns.
Section 5, 6 and Rule 3
Data Principal Rights Portal
Branded, OTP-verified portal for all 5 request types. 90-day SLA engine with escalation alerts. Closure PDF with SHA-256 hash stored immutably in S3.
Sections 11-14 and Rule 14
Breach Incident Management
Dual clock - CERT-In 6-hour and DPDPA 72-hour tracked in parallel. Rule 7 compliant PDFs auto-generated. Tabletop Drill Mode. 7-year WORM evidence vault.
Section 8(6), Rule 7, CERT-In 6hr
Compliance Health Dashboard
0-100 readiness score across 6 modules. Penalty-weighted - gaps sized by regulatory cost. 19 DPDPA controls with hourly drift detection.
All obligations
RoPA and Data Inventory
44 DPDPA-specific data categories. Visual data flow maps with encryption status. RoPA export in PDF, Excel, or CSV. Cross-border transfer tracking.
Section 8 obligations
Vendor Risk Intelligence
DPA status across your vendor stack. 5-factor risk scoring via HIBP breach checks, RDAP, SSL and domain age. Portfolio risk report PDF.
Section 8(2) and 8(5)
Risk Register
Risks mapped to 12 DPDPA obligations. 5x5 heatmap. Daily trend snapshots. Board report PDF with attestation page.
Section 8 risk management
Privacy Policy Manager
AI-assisted policy generation from your actual RoPA. Version-controlled with field-by-field diff. Material change detection triggers re-consent.
Section 5
Children's Data Module
Age-verification gate. Verified parental consent via OTP. Rule 11 disability guardian support. Default restrictions on ad targeting, profiling, data sharing.
Section 9 and Rules 10-11
DPIA / SDF Workflow
20-question DPIA wizard with risk scoring. Algorithm registry. Cross-border transfer tracking. DPIA PDF stored immutably in S3.
Section 10 SDF obligations
PII Scanner
Identifies Aadhaar (Verhoeff checksum), PAN, and other India-specific identifiers. Aadhaar masking via AWS Rekognition. CLI for engineering teams.
S.8 and Rule 6
Cloud Security Mapping
AWS scanner with CIS → ISO 27001 → DPDPA triple control mapping. 5 scanners in parallel. Score impact per finding. Daily auto-scan.
Security safeguards - Rule 6
What onboarding actually looks like
From signup to operational compliance in 30 minutes.
No engineers required. No legal consultants needed. No 30-day onboarding cycle.
Sign up and describe your business
Create your account. Complete the 7-question compliance assessment. Get your penalty exposure and priority actions immediately. Takes under 5 minutes.
Let AI map your data
Describe your business in plain English. Shield AI generates your processing purposes, consent notice, and suggested vendors - pre-mapped to DPDPA legal bases and retention periods. Review, adjust, publish.
Embed the consent widget
Add two lines of JavaScript to your website or product. The consent widget goes live - collecting purpose-specific, SHA-256 timestamped consent in any of 22 Indian languages from the next visitor onward.
Activate the rights portal
Publish your branded rights request portal. Link it from your privacy notice. Your 90-day SLA engine starts the moment a request arrives. Done.
Most customers reach operational compliance in their first session. Full setup across all 11 modules typically takes 2 to 4 hours depending on the complexity of your vendor stack and data inventory.
Book Your Onboarding CallWhat DPDPA Shield actually does in practice
Three real situations. Three real responses.
Compliance is not abstract. These are the moments where it either works or fails.
“A user emails asking for their data to be deleted.”
Without DPDPA Shield
The email lands in support. Someone tries to figure out what data the user has. They forget to confirm receipt. Eight weeks pass. The user files a complaint with the Data Protection Board, citing Rule 14(3).
With DPDPA Shield
User fills out request on your branded portal
OTP verifies identity in 30 seconds
System auto-acknowledges. 90-day SLA clock starts.
Team gets alerts at Day 60, 80, and 89
Request closes with a closure PDF - SHA-256 hashed and stored immutably in S3
“Your engineering team finds an exposed database at 11pm on a Saturday.”
Without DPDPA Shield
Slack panic. WhatsApp messages. Someone googles "DPDPA breach notification format" at 1am. The 72-hour Rule 7 clock has been running since the exposure began. CERT-In's 6-hour intimation window may have already closed.
With DPDPA Shield
Incident logged in Breach Incident Management
Severity auto-classifies in seconds
Dual clock panel shows CERT-In 6-hour and DPDPA 72-hour deadlines live
Rule 7 PDFs - DPB Intimation, Detailed Report, DP Notification - generated with one click
Auto-attached to evidence vault with WORM retention
“An investor's due diligence team asks for your DPDPA compliance evidence.”
Without DPDPA Shield
A scramble. Screenshots from consent banners. Pasted policy text. A list of vendors you think you have agreements with. Missing audit logs. Awkward follow-up questions. The deal slows.
With DPDPA Shield
Open the Compliance Health Dashboard - 0-100 score is live
Generate the Board Report PDF - control grid, risk heatmap, deadlines, attestation
Share the Trust Center link - public page showing compliance posture, DPO contact, sub-processors
Conversation moves forward
Simple, transparent pricing
Built for organisations of every size.
All data stored in India on AWS Mumbai. Plans scale with your team size, data volume, and compliance needs. Talk to us for the right fit.
Starter
Early-stage startups and small teams
Growth
Funded startups scaling compliance with their product
Business
Regulated sectors - Fintech, Healthtech, EdTech, BFSI
Enterprise
Significant Data Fiduciaries and large organisations
What every plan includes
Not sure which plan fits? Let's figure it out together.
No sales pressure. A quick call to map your DPDPA obligations to the right plan.
Book a demoFree DPDPA tools
Start assessing your compliance risk today.
No account required.
Six free tools built on the same infrastructure that powers DPDPA Shield. Use them independently or as a starting point before you sign up.
Cookie Scanner
Scan any website for tracking cookies and third-party scripts. 100+ known trackers including Indian services (Razorpay, CleverTap, WebEngage, MoEngage). Instant compliance score.
Scan Your WebsiteDPDPA Maturity Assessment
20-question self-assessment across 5 DPDPA compliance domains. Maturity band (Basic to Advanced), domain-by-domain scores, and top 3 priority gaps.
Take AssessmentBreach Cost Estimator
Calculate your total financial exposure from a DPDPA breach. Sector-specific multipliers, DPDPA penalty schedule applied, remediation and reputational cost breakdown.
Estimate Your RiskDPDPA Certification
3 courses, 20 modules. Earn a verifiable DPDPA compliance certificate. LinkedIn-shareable with QR verification. Work email required for certificate claim.
Start LearningCompliance Templates
6 free DPDPA compliance templates - RoPA spreadsheet, Privacy Notice, Breach Notification, DPIA, Vendor DPA, Retention Policy. Work email gated.
Download TemplatesDPDPA Glossary
70-term glossary of DPDPA 2023 terminology in plain English. Searchable, categorised, with DPDPA section references.
Browse GlossaryAre you an MSSP, IT services company, or CA firm?
Join the DPDPA Shield Partner Programme and earn recurring commission on every client you bring in.
EXPERT SERVICES
Need an audit, VAPT, ISO / SOC 2, or managed SOC alongside the platform?
Our CERT-In empanelled and accredited certification body partners deliver end-to-end - orchestrated on DPDPA Shield.
The Board is operational.
The clock has started.
The DPDP Rules were notified on 14 November 2025. Full enforcement begins 14 May 2027. Compliance built today is defensible. Compliance built under pressure is not.
30 minutes to operational compliance. Or 18 months to wait and improvise.