Why start now if enforcement is May 2027?

The DPDP Rules under the Act are being notified incrementally through 2025-2027 — each Rule constrains the technical implementation more specifically. Building infrastructure that adapts to whichever Rules land is much cheaper than rebuilding once enforcement starts. Also: the 8-12 week build assumes your team has bandwidth. If you wait until Q1 2027 every other startup is competing for the same compliance contractors and DPO talent.

Will we get classified as a Significant Data Fiduciary?

The classification triggers on volume + sensitivity of data, plus risk to data principals. For most startups under Series B, the answer is 'no' — but healthtech, fintech, and any platform handling children's data at scale should plan as if yes. We assess this in the Gap Assessment and design the technical layer to support either path so you're not caught flat-footed if the classification arrives later.

How does this overlap with GDPR work we already did?

Substantial overlap — both Acts are consent-driven, both require DSAR pipelines, both require breach notification. Where they differ: DPDP's notification window is 72 hours and the recipient is the Indian Data Protection Board (not your DPA in the EU); DPDP has explicit children's-data rules that GDPR Article 8 handles slightly differently; the cross-border transfer model is opposite (DPDP is allow-by-default with a notified blocklist, GDPR is allow-only-to-adequate-jurisdictions). We map your existing GDPR controls to DPDP and build only what's missing.

Can you act as our Data Protection Officer?

We can advise the DPO function for startups that don't yet need a formal in-house hire. For Significant Data Fiduciary classification, the Act expects an in-house DPO and we help scope the role + interview candidates. Our retainer can act as the technical arm of the DPO function but not the legal+regulatory representation that an in-house DPO provides.

We've assessed similar data flows for other clients — anyone you can reference?

Saysri.ai is our publicly named client and an AI recruitment platform handling candidate PII at moderate volume. The DPDP-shaped data handling we've built for them — consent capture per processing purpose, retention policies, DSAR readiness — translates directly to most B2C SaaS and healthtech use cases. We can walk through the specifics in a free 20-minute review.

All Services

DPDP Act Compliance for Indian Startups

Get your startup ready for the Digital Personal Data Protection Act before May 2027 enforcement. Data inventory, consent management, 72-hour breach notification pipeline, DPO scope, child-data special handling — built into your codebase, not into a privacy policy nobody reads. Penalty exposure up to ₹250 crore.

10 days for the gap assessment, 8-12 weeks for the build-out, plus optional monthly retainer through 2027 enforcement

The Problem

The Digital Personal Data Protection Act 2023 is enforceable from May 2027. Most Indian startups have no data inventory, no consent management beyond a checkbox, no breach detection that could meet the 72-hour notification window, and no defined Data Protection Officer (DPO) — even though the penalty structure runs up to ₹250 crore per incident. The Act applies to almost every B2C startup in India and many B2B startups handling personal data. The 2027 deadline feels far, but the technical work — building consent infrastructure, mapping data flows, instrumenting breach detection — is 3-6 months of focused engineering. Founders who start in late 2026 will scramble.

Who This Is For

Indian startups handling personal data of users — B2C apps almost universally, B2B SaaS handling employee or customer PII, healthtech and edtech with sensitive personal data, fintech adjacent to RBI rules, and anyone who processes children's data (additional consent and protection requirements apply). Especially relevant if you're 5-50 engineers, have a real product collecting real user data, and your privacy posture is currently 'we have a Privacy Policy page someone wrote in 2023.'

Typical Outcomes

Pre-May-2027 enforcement readiness — your team is ready before the deadline, not scrambling in Q1 2027

₹250 crore penalty exposure eliminated for the categories where penalties apply — the technical controls cut the most expensive failure modes

DSAR response time goes from weeks-of-manual-work to hours-of-automated-pipeline

Breach response time inside the 72-hour window with documented evidence trail

Vendor risk surface mapped and contractually managed, no more surprise data leaks via a third-party SaaS

Privacy posture defensible to enterprise customers asking DPDP-shaped questions in their security questionnaires

Timeline Options

DPDP Gap Assessment (10 days)

Data inventory across your application + databases + analytics + top-10 third-party SaaS
DPDP article-by-article gap matrix (your current state vs. each obligation)
Significant Data Fiduciary risk assessment — likelihood your startup gets classified, and what that triggers
Top 15 prioritized findings with implementation cost estimates
Briefing for founding team + tech lead + legal counsel

DPDP Build-Out (8-12 weeks)

Everything in Gap Assessment
Consent management infrastructure built into the codebase
DSAR pipeline implemented (access + correction + erasure + grievance)
Breach detection + 72-hour notification pipeline live
Retention policies enforced via automated deletion jobs
Vendor data-processor agreements drafted with our partner regulatory counsel
Privacy notice rewrite + multi-language scaffolding

DPDP Build + Annual Retainer (12 weeks + monthly)

Everything in DPDP Build-Out
Monthly retainer for Act-amendment monitoring (the Rules under DPDP are still being notified incrementally — this needs ongoing attention through 2027)
Quarterly DSAR audit + vendor reassessment
Annual breach-response drill
Direct DPO advisory if your classification ever crosses into Significant Data Fiduciary territory

This might not be a fit if...

You handle no personal data of Indian residents — pure B2B with no PII collection
You already have a full-time Data Protection Officer and a privacy engineering team
You want a Privacy Policy template generator only (multiple SaaS tools do this; the legal text alone doesn't make you compliant)
You're outside India and have no plans to serve Indian users

What You Get

Data inventory + flow mapping — every Personal Data field across your codebase + databases + analytics + third-party SaaS, with classification (general / sensitive / children's data) and retention status

Consent management infrastructure — granular consent capture per processing purpose, consent ledger with full audit trail, withdrawal-of-consent honored across systems within hours not weeks

Data Subject Access Request (DSAR) pipeline — automated handling for the four DPDP rights: access, correction, erasure, grievance redressal — each within statutory timelines

Breach detection + 72-hour notification pipeline — anomaly detection on user-data systems, automated drafting of the Data Protection Board notification + the Data Principal communication, named on-call ownership

Data Protection Officer scope — whether you need a formal DPO (Significant Data Fiduciary classification triggers it), what the role looks like, who can hold it

Children's data handling — Act-mandated parental consent for users under 18, no behavioral monitoring or targeted advertising for minors, technical enforcement in the consent layer

Cross-border transfer assessment — countries the Indian government has notified as restricted, flagging of every external SaaS and infrastructure dependency that would route data outside India

Retention policy + automated deletion — defined retention period per data class, automated purge jobs, audit log of every deletion

Vendor data-processor assessment — every third-party SaaS handling user data assessed for DPDP Article 8 compliance, contractual data-processing agreements drafted

Privacy notice rewrite — clear, granular, in 22 scheduled languages where required, linked to the consent flows so the notice and the technical reality match

The Transformation

Before

No data inventory — nobody on the team can list every Personal Data field the product collects
Consent = one checkbox at signup, no granularity, no withdrawal mechanism
No breach detection — you'd find out about a leak from a customer email or HaveIBeenPwned alert
Retention policy = 'we keep everything forever, just in case'
Third-party SaaS dependencies handling user data with no data-processing agreements in place
Privacy notice last reviewed in 2023, doesn't match the actual data practices

After

Live data inventory tracked in code, updated automatically as the schema evolves
Per-purpose consent capture, audit-trail-backed, withdrawal honored within hours across all systems
Anomaly detection on user-data systems with automated 72-hour notification pipeline if a breach happens
Defined retention period per data class, automated purge jobs verified by audit log
Every vendor assessed for DPDP Article 8, agreements signed, ongoing reassessment scheduled
Privacy notice that matches the technical reality, refreshed quarterly as Rules evolve

Engagement Models

Project-based

Fixed scope, fixed timeline, fixed price. Ideal for specific security initiatives.

Retainer

Ongoing support with priority response. Perfect for continuous security needs.

What influences pricing?

Team size and environment complexity
Timeline and urgency requirements
Scope of systems and platforms
Ongoing support and maintenance needs

Book a call to discuss your situation

Frequently Asked Questions

Ready to get started?

Book a 20-minute call to discuss your specific situation.

Book Your Free Call

Explore Other Services

Cloud Audit

We audit your AWS, GCP, or Azure environment, finding the ghost costs draining your runway and the security gaps hiding underneath. Most teams find both within the first week.

Pipeline Security

Your pipeline is deploying secrets to production and you probably don't know it. We audit and harden your CI/CD, catching vulnerabilities before they ship, not after.

Incident Readiness

When production breaks, does your team have a playbook, or does everyone just Slack the one person who knows the system? We build the runbooks, alerts, and processes so the next incident doesn't become a war story.

RBI Fintech Compliance

RBI Master Direction technical compliance for payment aggregators, NBFCs, and digital lending platforms headquartered in Bangalore. Data localization, encryption, MFA, 6-hour incident reporting, VAPT readiness, and CERT-In empanelled audit prep — built into your AWS / GCP / Azure infrastructure, not into a binder nobody reads.

AWS Baseline (India)

The 12 AWS security controls every Indian seed startup should turn on this afternoon — region-locked to ap-south-1, DPDP-aware, RBI-overlay-ready. Same opinionated baseline we open-sourced as aws-startup-security-baseline. Built for ₹40k-month retainers, not enterprise CAPEX.

K8s Audit (India)

Production Kubernetes cluster audit + hardening for Indian startups: RBAC review, network policies, admission controllers, supply-chain security, pod-security standards. Built for 3-15 node EKS / GKE / AKS clusters running real workloads, not enterprise mesh complexity.

SOC 2 (India)

SOC 2 Type I + Type II readiness for Indian seed startups, priced in rupees. We get you to attestation for ₹15-30L all-in instead of the ₹35L+ Western default. India-empanelled auditor partnerships, Vanta / Drata / Sprinto / Scrut integration, and a build cadence calibrated to Indian engineering economics.

See what your cloud is hiding.

Book a 20-minute infrastructure review. No pitch, just practical insights.

Book a 20-min Infra Review