₹250 crore penalty per contravention. No grace period. Are you compliant?
Know exactly where you stand — assessment, remediation, and audit-ready package. Scope-based engagement.
Quick check
If any one of the following is true, you are a Data Fiduciary under the Act and obligations apply to you from May 13, 2027.
Exemptions apply for personal or domestic use and certain government processing. Consult legal counsel for edge cases.
Schedule I
The Act defines 7 categories of obligations. Non-compliance with any single category can trigger the full ₹250 Crore penalty.
Implement encryption, access controls, and vulnerability management proportionate to the data you process.
Obtain free, specific, informed consent with clear withdrawal mechanisms — in all 22 scheduled languages.
Enable access, correction, and erasure requests with clear response mechanisms as prescribed by rules.
Report personal data breaches to CERT-In within 6 hours and notify affected individuals without delay.
Maintain processing records, conduct periodic audits, and appoint a Data Protection Officer if classified as Significant.
Delete personal data when consent is withdrawn or the purpose is fulfilled — no indefinite storage.
Obtain verifiable parental consent before processing data of individuals under 18. No behavioral tracking.
Your certification journey
Bachao.AI is not a certification body — and that’s intentional. We do the technical work so your certifying auditor (Big 4, CERT-In empanelled firm, or CPA for SOC 2) gets a clean evidence package.
Scope call → infrastructure scan → gap report. Stage 1 engagement.
Technical + policy gaps mapped to DPDP, SOC 2, or ISO 27001 controls.
Fix controls. Collect audit evidence. Dashboard tracks progress.
Hand to your certifying auditor. Clean, structured, defensible.
Empanelled firms: CERT-In empanelled auditors, Big 4, AICPA-licensed CPA firms (for SOC 2)
How we engage
No fixed packages. No subscriptions forced upfront. Each stage is scoped and priced based on your infrastructure, data volumes, and target framework. Most clients engage for all stages and move to continuous monitoring.
One-time engagement stages
Assessment
Full infrastructure scan + obligation mapping against DPDP Schedule I. Includes SOC 2 / ISO 27001 gap analysis if required. Deliverable: Gap report + prioritised remediation plan.
Remediation Support
Technical fixes, policy drafting (consent framework, breach response, retention schedule), and access control implementation. Scoped per number of findings and policy documents required.
Audit-Ready Package
Final consolidated evidence package: scan report, control mapping matrix, policy set, and remediation log. Structured for CERT-In empanelled auditors, Big 4, or SOC 2 CPA firms.
Continuous compliance — SaaS
DPDP compliance is not a one-time event. The Board can audit you at any time. SOC 2 Type 2 requires 6–12 months of continuous evidence. Our monitoring subscription keeps you always-ready.
Annual engagement · scoped per number of assets monitored
Scope call included. Every engagement starts with a 30-minute call to define scope, timelines, and what frameworks you need evidence for. Pricing is confirmed before any work begins.
Book a Scope Call →

How long does it take?
Most businesses are fully ready for a certifying auditor within 8–10 weeks. Here’s the typical journey.
Automated infrastructure scan + obligation mapping. Scope call first to confirm assets, frameworks, and timeline. Gap report delivered end of week.
Detailed mapping of your technical and policy gaps against all 7 DPDP obligations — and against SOC 2 / ISO 27001 if required. Evidence inventory created.
Fix vulnerabilities, draft required policies (consent framework, breach response plan, data retention schedule), implement access controls. Dashboard tracks every item to closure.
Structured evidence package: remediated scan report, policy documents, control mapping matrix, and remediation log. Ready to hand to your certifying auditor.
Framework overlap
SOC 2’s Common Criteria CC6–CC9 map almost directly to DPDP Schedule I obligations. If you’re pursuing both, your DPDP evidence package covers the majority of what your SOC 2 auditor needs.
| DPDP Schedule I Obligation | SOC 2 Criteria Covered | ISO 27001 Domain | Overlap |
|---|---|---|---|
| Reasonable Security Safeguards | CC6.1, CC6.6, CC6.7, CC6.8 | A.8 Technology Controls | High |
| Breach Notification (6-hour CERT-In) | CC7.4 Incident Response, CC7.5 Mitigation | A.5.26 Response to incidents | High |
| Data Fiduciary Obligations (audits, DPO) | CC4.1 Monitoring, CC9.2 Vendor Risk | A.5.35 Independent review | High |
| Retention Limits (deletion on purpose fulfilment) | CC6.5 Disposal of logical assets | A.8.10 Information deletion | Medium |
| Consent Management | Availability + Confidentiality criteria | A.5.34 Privacy, A.8.3 Information use | Medium |
| Data Principal Rights (access, correction, erasure) | Indirect — supports confidentiality | A.5.34 Privacy obligations | Partial |
| Children's Data Protection | Availability + Confidentiality criteria | A.5.34 Privacy obligations | Partial |
Bottom line for your auditor: The vulnerability scan report, breach response plan, access control evidence, and vendor risk assessment produced during DPDP compliance directly satisfy CC6, CC7, and CC9 of your SOC 2 Type 2 engagement. You are not starting from scratch.
What actually happens
Every step is documented. Every deliverable is yours to keep and present to auditors, investors, or your board.
Automated infrastructure scan
We scan your web applications, APIs, cloud configuration, TLS/SSL setup, and security headers. No agent installed. No access to your database or source code.
AI-assisted finding validation
Raw scanner output is reviewed and validated. False positives are removed. Each finding is classified by severity (CVSS v3.1) with environmental context applied.
Obligation mapping
Every finding is mapped to the DPDP obligation it violates — and to the corresponding SOC 2 or ISO 27001 control if applicable.
Policy gap identification
We identify which required policies are missing or incomplete: consent framework, breach response plan, data retention schedule, vendor agreements.
Remediation tracking
Dashboard tracks every open item to closure. When a finding is fixed, the next scan confirms it. Remediation log is maintained for audit evidence.
✓ Executive Summary Report
Board-ready PDF: risk score, critical findings, compliance status across all 7 DPDP obligations, recommended actions. No technical jargon.
✓ Technical Findings Annex
Full vulnerability list with CVSS scores, reproduction steps, affected URLs/parameters, and remediation code. Structured for your engineering team.
✓ DPDP Control Mapping Matrix
Spreadsheet mapping each finding and policy gap to the specific DPDP Schedule I obligation — and to SOC 2 / ISO 27001 controls if applicable.
✓ Evidence Package
Scan logs, remediation records, and policy templates structured for auditor review. Ready to present to CERT-In empanelled auditors, Big 4, or SOC 2 CPA firms.
✓ Policy Templates
Draft Privacy Policy, Consent Notice, Breach Response Procedure, and Data Retention Schedule — customisable, legally informed starting points.
✓ Compliance Dashboard Access
Live tracking of open items, remediation progress, and re-scan history. Always know your current compliance posture.
Scope: We scan assets you explicitly authorise — web applications, APIs, and cloud configuration (AWS/GCP/Azure). We do not scan endpoints, internal networks, or third-party SaaS tools. Physical security, social engineering, and employee awareness training are separate engagements available on request.
Traditional compliance assessments are expensive and slow. Bachao.AI is typically 60–80% less — discuss your scope on a call.
| Vendor | Price | Billing | Source |
|---|---|---|---|
| Sprinto (DPDP module) | ₹5,80,000 – ₹12,50,000/yr | annual platform | spendflo.com ↗ |
| SISA | ₹10,00,000 – ₹2,00,00,000 | full compliance | sisainfosec.com ↗ |
| Kratikal (compliance) | ₹1,00,000 – ₹5,00,000 | per framework | kratikal.com ↗ |
| Big 4 India | ₹10,00,000 – ₹50,00,000 | per assessment | Industry estimates |
| → Bachao.AI | Per-stage · scope-based | assessment + SaaS | |
Prices verified as of March 2026. All Bachao.AI prices exclusive of 18% GST. Your actual quote may vary by scope.
The clock is already ticking. There is no grace period after May 13, 2027.
Nov 2025: Board constituted
Nov 2026: Registration opens
May 13, 2027: Full enforcement
₹250 Cr: max penalty per contravention (DPDP Act 2023, Schedule I)
No cap: no cumulative annual cap in the enacted Act (DPDP Act 2023 — penalties are per contravention)
For a startup with ₹2 Crore revenue — a single ₹250 Crore penalty is 125 years of revenue.
Under DPDP Act Section 71, every person in charge of the company at the time of a contravention — including directors and Key Managerial Personnel — can be held personally liable alongside the company. The penalty is not limited to the corporate entity. Board-level sign-off on a compliance programme is not optional.
DPDP Act 2023, Section 71 — Offences by companies
Bachao.AI covers your entire security surface — from code to cloud to compliance.
May 13, 2027 is fixed. Your audit-ready package takes 10 weeks. Start now.
Book a Scope Call →

30-minute call. Scope confirmed. Pricing agreed before any work begins.
Disclaimer: Bachao.AI is not a legal firm or certification body. Our DPDP compliance assessment is a technical readiness check, not legal advice. Consult qualified legal counsel for compliance certification.