What is VAPT and why does my business need it?

VAPT (Vulnerability Assessment and Penetration Testing) is a security audit that identifies weaknesses in your website, application, or infrastructure before attackers can exploit them. Every business that handles customer data, processes payments, or operates web-facing applications needs regular VAPT scans — especially with the DPDP Act now mandating 'reasonable security safeguards' for all data fiduciaries in India.

How much does penetration testing cost in India?

Traditional penetration testing in India costs ₹25,000 to ₹5,00,000+ depending on scope. Bachao.AI offers AI-powered VAPT starting with a free scan, with detailed reports from ₹4,999. Our automated approach delivers the same depth as manual testing at a fraction of the cost, making enterprise-grade security accessible to startups and SMBs.

Is VAPT mandatory under the DPDP Act 2023?

The DPDP Act requires all Data Fiduciaries to implement 'reasonable security safeguards' to protect personal data. While VAPT is not explicitly named, it is the most widely accepted way to demonstrate compliance with this requirement. The Data Protection Board can impose penalties up to ₹250 crore for failure to implement adequate security measures. A VAPT report serves as documented proof of due diligence.

How long does a VAPT scan take?

Bachao.AI's automated VAPT scan typically completes in 1-2 hours depending on the size and complexity of your website or application. You receive a risk score and severity breakdown immediately. Detailed remediation reports with code-level fix suggestions are available within 24 hours for paid tiers.

Is the free VAPT scan really free? What's the catch?

Yes, the free scan is genuinely free — no credit card required, no sales calls afterwards. You get a risk score, severity breakdown, and your top critical findings at zero cost. The free scan uses the same tools and methodology as our paid reports. We offer it because we believe every Indian business deserves to know their security posture. Paid reports add detailed remediation steps, authenticated deep scans, and code-level fix suggestions.

How is my scan data secured?

Each scan runs in an isolated microVM with hardware-level separation — the same technology AWS Lambda uses. Scan artifacts are encrypted at rest (AES-256) and purged after 90 days by default. Reports are stored with end-to-end encryption. We never share scan data with third parties.

DPDP Act Penalties: Real Scenarios for Indian Startups

DPDP Act Compliance

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law. For startups, it's not just a compliance checkbox — it's a business survival issue. With penalties reaching ₹250 crore and personal liability for founders, ignoring this law is not an option.

I've broken down the penalty structure with real scenarios that Indian startups actually face. No legal jargon — just practical risk assessment.

- ₹250 crore — maximum penalty under the DPDP Act for a single violation

- ₹10,000 — minimum penalty per individual for data breach notification failure

- 72 hours — mandatory breach notification window to DPBI (Data Protection Board of India)

- 83% of Indian startups have no formal data protection policy (NASSCOM 2025)

- 40% of Series A+ startups collect data without proper consent mechanisms

The Penalty Structure at a Glance

Violation	Maximum Penalty	Who's Liable
Failure to take security safeguards	₹250 crore	Data Fiduciary (Company)
Failure to notify data breach	₹200 crore	Data Fiduciary + Board
Non-compliance with children's data	₹200 crore	Data Fiduciary
Breach of additional obligations (Significant DF)	₹150 crore	Data Fiduciary
Non-compliance with Data Principal duties	₹10,000	Individual
Breach of voluntary undertaking	₹50 crore per breach	Data Fiduciary

⚠️

WARNING

These are per violation penalties. A single data breach affecting 10,000 users could theoretically result in multiple violations being charged simultaneously — failure to secure data + failure to notify + failure to maintain records.

Scenario 1: The Leaky SaaS Startup

Company: HealthTrack (Series A, ₹12 crore revenue) What happened: A MongoDB instance was left publicly accessible with default credentials. Personal health data of 50,000 users was scraped and sold on a dark web forum.

sequenceDiagram
    participant A as Attacker
    participant DB as MongoDB (Public)
    participant DW as Dark Web Forum
    participant U as 50K Users
    participant DPBI as Data Protection Board

    A->>DB: Shodan scan finds open port 27017
    A->>DB: Connect with default creds (admin/admin)
    DB-->>A: Full database access
    A->>DW: Lists 50K health records for sale
    Note over U: Users unaware for 4 months
    U->>DPBI: Victim files complaint
    DPBI->>DPBI: Investigation begins

DPDP Act violations:

Violation	Section	Potential Penalty
Failed to implement reasonable security safeguards	Section 8(5)	Up to ₹250 crore
Failed to notify breach within 72 hours	Section 8(6)	Up to ₹200 crore
Processing health data (sensitive) without explicit consent	Section 6	Up to ₹250 crore
No Data Protection Officer appointed	Section 10	Up to ₹150 crore

Realistic penalty: ₹5-25 crore (based on company size, revenue, and first offense)

🛡️

SECURITY

MongoDB exposed on the internet is the #1 cause of data breaches in Indian startups. Run this command to check if your database is exposed:

bash

> # Check if MongoDB is accessible from outside
> nmap -p 27017 your-server-ip
> # If state is "open" — you have a critical problem
>

Scenario 2: The Ed-Tech Children's Data Violation

Company: LearnBuddy (Pre-Series A, ₹3 crore revenue) What happened: An ed-tech platform collected children's data (ages 8-14) without verifiable parental consent. They also tracked children's behavior for targeted advertising.

DPDP Act violations:

Violation	Section	Potential Penalty
Processing children's data without verifiable parental consent	Section 9(1)	Up to ₹200 crore
Behavioral tracking/profiling of children	Section 9(2)	Up to ₹200 crore
Targeted advertising directed at children	Section 9(3)	Up to ₹200 crore

Realistic penalty: ₹10-50 crore (children's data violations attract the harshest scrutiny globally)

⚠️

WARNING

The DPDP Act defines a "child" as anyone under 18 years old. If your platform has any users under 18, you need verifiable parental consent. This applies to gaming apps, ed-tech, social platforms, and even e-commerce apps where minors might create accounts.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Company: QuickLoan (Series B, ₹45 crore revenue) What happened: A lending app collected contacts, SMS, photos, and location data during KYC — but their consent form was a single "I agree to terms" checkbox bundled with 15 different data processing purposes.

flowchart LR
    A[User Signs Up] --> B[Single Consent Checkbox]
    B --> C[KYC Processing ✓]
    B --> D[Contact List Access ✗]
    B --> E[SMS Reading ✗]
    B --> F[Photo Gallery Access ✗]
    B --> G[Location Tracking ✗]
    B --> H[Share with 12 Partners ✗]
    B --> I[Marketing Emails ✗]

    style C fill:#22c55e,color:#fff
    style D fill:#ef4444,color:#fff
    style E fill:#ef4444,color:#fff
    style F fill:#ef4444,color:#fff
    style G fill:#ef4444,color:#fff
    style H fill:#ef4444,color:#fff
    style I fill:#ef4444,color:#fff

DPDP Act violations:

Violation	Section	Potential Penalty
Consent not free, specific, informed, and unambiguous	Section 6(1)	Up to ₹250 crore
Bundled consent (not purpose-limited)	Section 6(4)	Up to ₹250 crore
Excessive data collection beyond stated purpose	Section 4(2)	Up to ₹250 crore
Sharing with third parties without separate consent	Section 8(8)	Up to ₹250 crore

Realistic penalty: ₹25-100 crore (fintech companies face intense regulatory scrutiny from both DPBI and RBI)

Scenario 4: The No-Breach-Notification E-commerce

Company: ShopDesi (Series A, ₹20 crore revenue) What happened: A SQL injection attack exposed 2 lakh customer records (names, addresses, phone numbers, order history). The company discovered it but decided to "handle it internally" without notifying the Data Protection Board or affected users.

bash

# Timeline of failure
Day 0:  SQL injection exploited, 2L records exfiltrated
Day 3:  Internal team discovers breach via unusual DB queries
Day 5:  CTO decides to "patch quietly" without notification
Day 14: Customer data appears on Telegram channel
Day 15: Media reports the breach
Day 16: DPBI opens suo motu investigation
Day 45: DPBI issues penalty notice

DPDP Act violations:

Violation	Section	Potential Penalty
Failure to notify DPBI within 72 hours	Section 8(6)	Up to ₹200 crore
Failure to notify affected Data Principals	Section 8(6)	Up to ₹200 crore
Failure to implement security safeguards (SQLi)	Section 8(5)	Up to ₹250 crore

Realistic penalty: ₹15-75 crore (cover-up significantly increases penalty severity)

ℹ️

INFO

The 72-hour notification rule under DPDP is strict. CERT-In already mandates 6-hour incident reporting for certain categories. The DPDP Act's 72-hour window for breach notification to the Data Protection Board is a hard deadline — no extensions, no excuses.

Scenario 5: The Data Retention Hoarder

Company: TravelYaar (Bootstrapped, ₹8 crore revenue) What happened: A travel booking platform kept customer passport copies, Aadhaar photos, and travel history for 7+ years after trip completion with no data retention policy and no deletion mechanism.

DPDP Act violations:

Violation	Section	Potential Penalty
Retaining data beyond purpose fulfillment	Section 8(7)	Up to ₹250 crore
No mechanism for data erasure requests	Section 12	Up to ₹250 crore
Storing Aadhaar copies without legal basis	Aadhaar Act + DPDP	Compounded penalties

Realistic penalty: ₹5-20 crore + mandatory data deletion order

What You Should Do Right Now

Here's a practical compliance checklist for Indian startups:

flowchart TD
    A[DPDP Compliance Roadmap] --> B[Phase 1: Audit]
    A --> C[Phase 2: Implement]
    A --> D[Phase 3: Maintain]

    B --> B1[Map all personal data flows]
    B --> B2[Identify data processing purposes]
    B --> B3[Review consent mechanisms]
    B --> B4[Audit third-party data sharing]

    C --> C1[Implement granular consent]
    C --> C2[Set up breach notification process]
    C --> C3[Create data retention policy]
    C --> C4[Appoint DPO if required]
    C --> C5[Implement data deletion workflows]

    D --> D1[Quarterly data audits]
    D --> D2[Annual VAPT assessments]
    D --> D3[Employee training]
    D --> D4[Consent record maintenance]

Immediate Action Items

bash

# 1. Check if you collect any of these data types:
# PAN, Aadhaar, Passport, Health records, Financial data,
# Biometrics, Children's data, Location data, Communication data

# 2. Verify your consent mechanism:
# - Is consent separate for each purpose?
# - Can users withdraw consent easily?
# - Are you storing consent records?

# 3. Set up breach notification workflow:
# - Who is the single point of contact?
# - Can you notify DPBI within 72 hours?
# - Do you have a communication template ready?

# 4. Run a security scan:
curl -s https://bachao.ai/scan?domain=yourdomain.com

💡

TIP

Start with a VAPT scan. It's the most practical first step — you can't protect what you don't know is vulnerable. At Bachao.AI, we map VAPT findings directly to DPDP Act compliance requirements, so you address security and compliance in one shot.

The Insurance Angle

Cyber insurance premiums in India are rising fast. Here's what insurers look at:

Factor	Impact on Premium
No VAPT in last 12 months	+40-60% premium increase
No DPDP compliance program	May refuse coverage
History of data breach	+100-200% increase
No incident response plan	+25-40% increase
No employee security training	+15-25% increase

A basic DPDP compliance program plus annual VAPT can reduce your cyber insurance premium by 30-50%.

🎯Key Takeaway

Key Takeaways:

DPDP penalties are per violation, not per incident — a single breach can trigger multiple penalties
The 72-hour breach notification rule is non-negotiable — set up your process NOW
Children's data (under 18) violations attract the harshest penalties globally
Bundled consent (single checkbox for multiple purposes) is explicitly illegal under DPDP
Cover-ups dramatically increase penalty severity — transparency is always better
A VAPT report is your primary evidence of "reasonable security safeguards" under Section 8(5)
Start with a security scan — you can't comply with data protection if your data is already leaking

Worried about DPDP compliance? Get a free security scan from Bachao.AI that maps vulnerabilities directly to DPDP Act requirements.

DPDP Act Penalties: Real Scenarios for Indian Startups

DPDP Act Compliance

I've broken down the penalty structure with real scenarios that Indian startups actually face. No legal jargon — just practical risk assessment.

- ₹250 crore — maximum penalty under the DPDP Act for a single violation

- ₹10,000 — minimum penalty per individual for data breach notification failure

- 72 hours — mandatory breach notification window to DPBI (Data Protection Board of India)

- 83% of Indian startups have no formal data protection policy (NASSCOM 2025)

- 40% of Series A+ startups collect data without proper consent mechanisms

The Penalty Structure at a Glance

Violation	Maximum Penalty	Who's Liable
Failure to take security safeguards	₹250 crore	Data Fiduciary (Company)
Failure to notify data breach	₹200 crore	Data Fiduciary + Board
Non-compliance with children's data	₹200 crore	Data Fiduciary
Breach of additional obligations (Significant DF)	₹150 crore	Data Fiduciary
Non-compliance with Data Principal duties	₹10,000	Individual
Breach of voluntary undertaking	₹50 crore per breach	Data Fiduciary

⚠️

WARNING

Scenario 1: The Leaky SaaS Startup

sequenceDiagram
    participant A as Attacker
    participant DB as MongoDB (Public)
    participant DW as Dark Web Forum
    participant U as 50K Users
    participant DPBI as Data Protection Board

    A->>DB: Shodan scan finds open port 27017
    A->>DB: Connect with default creds (admin/admin)
    DB-->>A: Full database access
    A->>DW: Lists 50K health records for sale
    Note over U: Users unaware for 4 months
    U->>DPBI: Victim files complaint
    DPBI->>DPBI: Investigation begins

DPDP Act violations:

Violation	Section	Potential Penalty
Failed to implement reasonable security safeguards	Section 8(5)	Up to ₹250 crore
Failed to notify breach within 72 hours	Section 8(6)	Up to ₹200 crore
Processing health data (sensitive) without explicit consent	Section 6	Up to ₹250 crore
No Data Protection Officer appointed	Section 10	Up to ₹150 crore

Realistic penalty: ₹5-25 crore (based on company size, revenue, and first offense)

🛡️

SECURITY

MongoDB exposed on the internet is the #1 cause of data breaches in Indian startups. Run this command to check if your database is exposed:

bash

> # Check if MongoDB is accessible from outside
> nmap -p 27017 your-server-ip
> # If state is "open" — you have a critical problem
>

Scenario 2: The Ed-Tech Children's Data Violation

DPDP Act violations:

Violation	Section	Potential Penalty
Processing children's data without verifiable parental consent	Section 9(1)	Up to ₹200 crore
Behavioral tracking/profiling of children	Section 9(2)	Up to ₹200 crore
Targeted advertising directed at children	Section 9(3)	Up to ₹200 crore

Realistic penalty: ₹10-50 crore (children's data violations attract the harshest scrutiny globally)

⚠️

WARNING

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

flowchart LR
    A[User Signs Up] --> B[Single Consent Checkbox]
    B --> C[KYC Processing ✓]
    B --> D[Contact List Access ✗]
    B --> E[SMS Reading ✗]
    B --> F[Photo Gallery Access ✗]
    B --> G[Location Tracking ✗]
    B --> H[Share with 12 Partners ✗]
    B --> I[Marketing Emails ✗]

    style C fill:#22c55e,color:#fff
    style D fill:#ef4444,color:#fff
    style E fill:#ef4444,color:#fff
    style F fill:#ef4444,color:#fff
    style G fill:#ef4444,color:#fff
    style H fill:#ef4444,color:#fff
    style I fill:#ef4444,color:#fff

DPDP Act violations:

Violation	Section	Potential Penalty
Consent not free, specific, informed, and unambiguous	Section 6(1)	Up to ₹250 crore
Bundled consent (not purpose-limited)	Section 6(4)	Up to ₹250 crore
Excessive data collection beyond stated purpose	Section 4(2)	Up to ₹250 crore
Sharing with third parties without separate consent	Section 8(8)	Up to ₹250 crore

Realistic penalty: ₹25-100 crore (fintech companies face intense regulatory scrutiny from both DPBI and RBI)

Scenario 4: The No-Breach-Notification E-commerce

bash

# Timeline of failure
Day 0:  SQL injection exploited, 2L records exfiltrated
Day 3:  Internal team discovers breach via unusual DB queries
Day 5:  CTO decides to "patch quietly" without notification
Day 14: Customer data appears on Telegram channel
Day 15: Media reports the breach
Day 16: DPBI opens suo motu investigation
Day 45: DPBI issues penalty notice

DPDP Act violations:

Violation	Section	Potential Penalty
Failure to notify DPBI within 72 hours	Section 8(6)	Up to ₹200 crore
Failure to notify affected Data Principals	Section 8(6)	Up to ₹200 crore
Failure to implement security safeguards (SQLi)	Section 8(5)	Up to ₹250 crore

Realistic penalty: ₹15-75 crore (cover-up significantly increases penalty severity)

ℹ️

INFO

Scenario 5: The Data Retention Hoarder

DPDP Act violations:

Violation	Section	Potential Penalty
Retaining data beyond purpose fulfillment	Section 8(7)	Up to ₹250 crore
No mechanism for data erasure requests	Section 12	Up to ₹250 crore
Storing Aadhaar copies without legal basis	Aadhaar Act + DPDP	Compounded penalties

Realistic penalty: ₹5-20 crore + mandatory data deletion order

What You Should Do Right Now

Here's a practical compliance checklist for Indian startups:

flowchart TD
    A[DPDP Compliance Roadmap] --> B[Phase 1: Audit]
    A --> C[Phase 2: Implement]
    A --> D[Phase 3: Maintain]

    B --> B1[Map all personal data flows]
    B --> B2[Identify data processing purposes]
    B --> B3[Review consent mechanisms]
    B --> B4[Audit third-party data sharing]

    C --> C1[Implement granular consent]
    C --> C2[Set up breach notification process]
    C --> C3[Create data retention policy]
    C --> C4[Appoint DPO if required]
    C --> C5[Implement data deletion workflows]

    D --> D1[Quarterly data audits]
    D --> D2[Annual VAPT assessments]
    D --> D3[Employee training]
    D --> D4[Consent record maintenance]

Immediate Action Items

bash

# 1. Check if you collect any of these data types:
# PAN, Aadhaar, Passport, Health records, Financial data,
# Biometrics, Children's data, Location data, Communication data

# 2. Verify your consent mechanism:
# - Is consent separate for each purpose?
# - Can users withdraw consent easily?
# - Are you storing consent records?

# 3. Set up breach notification workflow:
# - Who is the single point of contact?
# - Can you notify DPBI within 72 hours?
# - Do you have a communication template ready?

# 4. Run a security scan:
curl -s https://bachao.ai/scan?domain=yourdomain.com

💡

TIP

The Insurance Angle

Cyber insurance premiums in India are rising fast. Here's what insurers look at:

Factor	Impact on Premium
No VAPT in last 12 months	+40-60% premium increase
No DPDP compliance program	May refuse coverage
History of data breach	+100-200% increase
No incident response plan	+25-40% increase
No employee security training	+15-25% increase

A basic DPDP compliance program plus annual VAPT can reduce your cyber insurance premium by 30-50%.

🎯Key Takeaway

Key Takeaways:

DPDP penalties are per violation, not per incident — a single breach can trigger multiple penalties
The 72-hour breach notification rule is non-negotiable — set up your process NOW
Children's data (under 18) violations attract the harshest penalties globally
Bundled consent (single checkbox for multiple purposes) is explicitly illegal under DPDP
Cover-ups dramatically increase penalty severity — transparency is always better
A VAPT report is your primary evidence of "reasonable security safeguards" under Section 8(5)
Start with a security scan — you can't comply with data protection if your data is already leaking

Worried about DPDP compliance? Get a free security scan from Bachao.AI that maps vulnerabilities directly to DPDP Act requirements.

DPDP Act Penalties: Real Scenarios for Indian Startups

DPDP Act Penalties: Real Scenarios for Indian Startups

The Penalty Structure at a Glance

Scenario 1: The Leaky SaaS Startup

Scenario 2: The Ed-Tech Children's Data Violation

Scenario 4: The No-Breach-Notification E-commerce

Scenario 5: The Data Retention Hoarder

What You Should Do Right Now

Immediate Action Items

The Insurance Angle

Shouvik Mukherjee

Get cybersecurity insights for Indian SMBs

Related Articles

How to Read a VAPT Report: A CTO's Guide

Why Every Indian SMB Needs a VAPT Scan in 2026

Why Every Indian SMB Needs a VAPT Scan in 2026

Ready to secure your business?

DPDP Act Penalties: Real Scenarios for Indian Startups

DPDP Act Penalties: Real Scenarios for Indian Startups

The Penalty Structure at a Glance

Scenario 1: The Leaky SaaS Startup

Scenario 2: The Ed-Tech Children's Data Violation

Scenario 4: The No-Breach-Notification E-commerce

Scenario 5: The Data Retention Hoarder

What You Should Do Right Now

Immediate Action Items

The Insurance Angle

Shouvik Mukherjee

Get cybersecurity insights for Indian SMBs

Related Articles

How to Read a VAPT Report: A CTO's Guide

Why Every Indian SMB Needs a VAPT Scan in 2026

Why Every Indian SMB Needs a VAPT Scan in 2026

Ready to secure your business?

DPDP Act Penalties: Real Scenarios for Indian Startups

DPDP Act Penalties: Real Scenarios for Indian Startups

The Penalty Structure at a Glance

Scenario 1: The Leaky SaaS Startup

Scenario 2: The Ed-Tech Children's Data Violation

Scenario 3: The Fintech Consent Failure

Scenario 4: The No-Breach-Notification E-commerce

Scenario 5: The Data Retention Hoarder

What You Should Do Right Now

Immediate Action Items

The Insurance Angle

Shouvik Mukherjee

Get cybersecurity insights for Indian SMBs

Related Articles

How to Read a VAPT Report: A CTO's Guide

Why Every Indian SMB Needs a VAPT Scan in 2026

Why Every Indian SMB Needs a VAPT Scan in 2026

Ready to secure your business?

DPDP Act Penalties: Real Scenarios for Indian Startups

DPDP Act Penalties: Real Scenarios for Indian Startups

The Penalty Structure at a Glance

Scenario 1: The Leaky SaaS Startup

Scenario 2: The Ed-Tech Children's Data Violation

Scenario 3: The Fintech Consent Failure

Scenario 4: The No-Breach-Notification E-commerce

Scenario 5: The Data Retention Hoarder

What You Should Do Right Now

Immediate Action Items

The Insurance Angle

Shouvik Mukherjee

Get cybersecurity insights for Indian SMBs

Related Articles

How to Read a VAPT Report: A CTO's Guide

Why Every Indian SMB Needs a VAPT Scan in 2026

Why Every Indian SMB Needs a VAPT Scan in 2026

Ready to secure your business?