Last reviewed: 8 July 2026 - reviewed quarterly

DPDPA Compliance Statement

How we walk the talk - our own compliance with the DPDPA 2023 and Rules 2025.

1. Our Role

We operate in two capacities under the DPDPA 2023:

  • Data Fiduciary for personal data of our own customers, demo requesters, and website visitors. We decide why and how this data gets processed.
  • Data Processor for personal data our customers push through the platform (consent records, rights requests, breach data). We only process this on our customers' instructions, governed by a Data Processing Agreement.

2. Our Consent Practices

Before we process your personal data for marketing, we get your free, informed, specific, and unambiguous consent - per DPDPA S.6. Our consent notice:

  • Is written in plain language (no legal fog)
  • Lists each processing purpose separately
  • Names DPDPA Shield as the Data Fiduciary
  • Tells you exactly how to withdraw consent

Want to withdraw consent? Email hello@dpdpashield.in with subject “Withdraw Consent”. We'll action it within 3 business days.

3. Data Principal Rights

We honour all rights under DPDPA S.11-14 for individuals whose data we process as Data Fiduciary:

  • Access (S.11): Ask us what personal data we hold about you
  • Correction & Erasure (S.12): Get it fixed or deleted
  • Grievance Redressal (S.13): Complain about our data practices
  • Nomination (S.14): Nominate someone to exercise your rights if needed

Email hello@dpdpashield.in with subject “Data Rights Request”. We respond within 30 days.

4. Security

We maintain security safeguards per DPDPA S.8(5) and Rule 6:

  • All personal data encrypted at rest and in transit
  • Role-based access controls - cross-tenant access is impossible by design
  • Immutable audit logs on every data operation
  • Regular vulnerability assessments and dependency updates
  • Defined incident response plan with specific timelines

Full details in our Security Policy.

5. Breach Response

If we experience a breach of personal data where we're the Data Fiduciary:

  • We notify the Data Protection Board within 72 hours per DPDPA S.8(6) and Rule 7
  • We notify affected Data Principals without undue delay
  • We provide full details - what happened, what data was affected, and what we're doing about it

For breaches affecting Customer data (where we're the Processor), we notify the Customer within 24 hours per our DPA.

6. Processor Commitments

When we process data on behalf of our customers, we:

  • Only process on documented instructions from the Customer
  • Maintain a Data Processing Agreement with every Customer
  • Use only the sub-processors listed in the DPA (currently AWS and Resend)
  • Help Customers respond to Data Principal rights requests
  • Delete all Customer data within 30 days of subscription termination

Full details in our Data Processing Agreement.

7. Children's Data

DPDPA Shield is for business users (18+). We don't collect personal data from minors in our own operations.

Our platform includes a Children's Data Module, but that helps our customers comply with DPDPA S.9 in their own products - it doesn't involve us processing children's data directly.

8. Grievance Mechanism

Got a data protection complaint? Here's how to reach us:

Email: hello@dpdpashield.in
Subject: “Data Protection Grievance”

We'll acknowledge within 3 business days and resolve within 30 days. If you're not satisfied with our resolution, you can escalate to the Data Protection Board.

9. Updates

We review this statement quarterly and update it when our data practices or the regulatory framework change. The review date is at the top of this page. If we make material changes, we'll email customers directly.