The Digital Personal Data Protection Act applies to every organisation that processes personal data of individuals in India – regardless of where the organisation is based. Full enforcement begins May 13, 2027.
Complyoo is the first compliance platform built specifically for DPDPA. It assesses your obligations, generates your documents, and gives you a clear path to compliance – without complexity.
No credit card required · Assessment completes in 10 minutes · ₹2,999/month
Who the DPDPA applies to – Section 3
Any organisation that collects, stores, or processes personal data of individuals in India – including organisations headquartered outside India that offer goods or services to people in India.
Source: Section 3, Digital Personal Data Protection Act 2023
Free tools
No account required. Both tools run entirely on publicly available information about your organisation.
Tool 01
Scans your website for undisclosed third-party data processors, missing privacy notices, forms without consent mechanisms, and cross-border data transfers. Results in under 60 seconds.
Run a free scan →
Tool 02
Five questions about your organisation – industry, user volume, data types, storage locations, and tools in use. Returns a risk level and directional penalty exposure based on the DPDPA penalty methodology.
Calculate your risk →
Key obligations under DPDPA 2023
The following obligations become mandatory from May 13, 2027. The Data Protection Board of India is operational and accepting complaints from that date.
Every Data Fiduciary must publish a standalone privacy notice – not buried in terms of service – with an itemised description of personal data collected, purposes of processing, and direct links for consent withdrawal and rights exercise.
Encryption at rest and in transit, access controls, log monitoring, data backups, and a documented Technical and Organisational Measures (TOM) framework. Security clauses must be present in every Data Processor contract.
A signed Data Processing Agreement is required with every third party that processes personal data on your behalf – including cloud providers, analytics platforms, CRM tools, and communication services.
In the event of a personal data breach, affected Data Principals must be notified without delay. A detailed report must be submitted to the Data Protection Board within 72 hours of the breach being discovered.
Mechanisms for access, correction, erasure, and grievance redressal must be published and operational. Grievance requests must be resolved within 90 days. Correction requests within 7 days.
Retention periods must be defined for every category of personal data collected. Data must be erased when the purpose is no longer served. Processing logs must be retained for a minimum of one year.
How Complyoo works
A 15-question interview covering your data collection practices, processing tools, storage locations, and existing controls. Completed in under 10 minutes.
An immediate compliance risk assessment – your risk level, estimated penalty exposure in rupees, and the specific gaps that require remediation.
A controls checklist ordered by penalty exposure, with generated documents – privacy notice, data flow diagram, vendor DPA list – ready for review.
Platform features
Complyoo generates compliance documents from your answers. Every output is grounded in the specific rule it satisfies.
Following a structured onboarding interview, Complyoo generates a risk assessment specific to your organisation – including estimated penalty exposure calculated against the DPDPA penalty methodology.
Based on Part 19 penalty methodology
Generates a Rule 3-compliant standalone privacy notice from your company profile – with itemised data descriptions, stated purposes, and required links for consent withdrawal and rights exercise.
Rule 3(a), DPDP Rules 2025
A curated list of the most commonly used data processors – with direct links to their Data Processing Agreements and guidance on which clauses to verify before signing.
Section 8(2), DPDPA 2023
A visual map of personal data movement within your organisation – sources, storage locations, processors, and cross-border transfers – generated from your onboarding responses.
Rule 15, Section 16, DPDPA 2023
A prioritised list of all controls required under DPDPA, ordered by penalty exposure. Each control includes the applicable Rule, penalty category, and an effort estimate.
Parts 6 + 15, DPDPA reference
A real-time view of your compliance posture – controls completed, penalty exposure remaining, open tasks, and days to the May 2027 enforcement deadline.
Full V1 feature
Product roadmap
Start with the essentials. Add operational and infrastructure capabilities as your organisation scales.
Assess your obligations. Generate your documents.
Operate your compliance programme.
Full DPDPA compliance infrastructure.
Pricing
One plan. Everything included. No contracts.
V1 – Starter
or ₹24,999/year
No credit card required
Complaints can be filed against Data Fiduciaries through the DPBI portal. Full penalty enforcement begins May 13, 2027. Penalties under Rule 6 reach up to ₹250 crore.