DPDP Readiness Assessment

DPDP Compliance Timeline

What's coming — and Company C isn't ready for any of it

Nov 13, 2025

Phase 1

Core definitions, Data Protection Board constitution, basic duties, grievance redress, transparency

NOT READY

Nov 13, 2026

Phase 2

Consent Manager registration opens, Board oversight

NOT READY

May 13, 2027

Phase 3 — FULL ENFORCEMENT

Standalone privacy notices, security safeguards, 72-hour breach reporting, data retention/erasure, cross-border, Data Principal rights, PENALTIES LIVE

NOT READY

Days remaining until full enforcement: ~418 days. Every day without action increases regulatory risk.

Detailed Gap Analysis — All 25 DPDP Checkpoints

Complete checkpoint-by-checkpoint assessment across 9 compliance categories

A. Governance & Leadership 0 / 4

#	Requirement	DPDPA Section	Status	Gap
1	Designate a Grievance Redressal Officer with published contact	Section 13, Rule 6	FAIL	No grievance officer designated; no contact published
2	Establish privacy governance framework with board accountability	Section 8	FAIL	No evidence of privacy governance structure
3	Create and maintain data protection policy	Section 8, Rule 8	FAIL	No data protection policy exists
4	DPO appointment (if SDF)	Section 10	N/A	Not yet SDF — but must plan for growth

B. Data Inventory & Mapping 0 / 4

#	Requirement	DPDPA Section	Status	Gap
5	Comprehensive personal data inventory	Section 8	FAIL	No data inventory; PII found hardcoded in API responses (F18)
6	Map all data flows: collection, processing, storage, sharing	Section 8	FAIL	No data flow mapping; data flows through Vercel, Fastly, Linode, Razorpay — undocumented
7	Classify data by purpose, sensitivity, retention	Section 8(7)	FAIL	No classification; founder PII treated same as public content
8	Document all Data Processor relationships	Section 8(2)	FAIL	Multiple processors (Vercel, Fastly, Linode, Razorpay, Google Fonts, GitHub) — no documented contracts

C. Consent Management 0 / 4

#	Requirement	DPDPA Section	Status	Gap
9	Implement lawful basis for each processing activity	Section 4, 5, 7	FAIL	No consent mechanism on any property
10	Notice-and-consent mechanism (itemized, clear, plain language)	Section 5, Rule 3	FAIL	No privacy notice anywhere
11	Consent withdrawal mechanism (as easy as giving consent)	Section 6(4), Rule 3(c)(i)	FAIL	No consent collection = no withdrawal possible
12	Maintain auditable consent records	Rule 3	FAIL	No consent records exist

D. Privacy Notices 0 / 3

#	Requirement	DPDPA Section	Status	Gap
13	Standalone privacy notice (independently understandable)	Section 5, Rule 3	FAIL	Privacy Policy link on site is non-functional (`href="#"`) — identified in VAPT (F16)
14	Itemized description of data collected, purposes, services	Section 5	FAIL	No privacy notice content exists
15	Notice in scheduled languages	Rule 3	FAIL	No notice in any language

E. Security Safeguards 0.5 / 3

#	Requirement	DPDPA Section	Status	Gap
16	Reasonable technical & organizational security measures	Section 8(5), Rule 8	FAIL	VAPT found 25 vulnerabilities including 4 CRITICAL; PII exposed in API; no auth on payment endpoints
17	Encryption at rest and in transit	Rule 8	PARTIAL	HTTPS/TLS in transit (PASS), but no evidence of at-rest encryption
18	Access controls, logging, and monitoring	Rule 8	FAIL	No authentication on API endpoints (F21); no evidence of logging/monitoring

F. Data Retention & Erasure 0 / 2

#	Requirement	DPDPA Section	Status	Gap
19	Defined retention periods per data category	Section 8(7)	FAIL	No retention policy; PII hardcoded permanently in code
20	Automated erasure when purpose fulfilled or consent withdrawn	Section 8(7)	FAIL	No erasure mechanisms; data in static API responses

G. Breach Notification 0 / 2

#	Requirement	DPDPA Section	Status	Gap
21	Breach detection and response plan	Section 8(6), Rule 7	FAIL	No incident response plan; no security.txt (F17)
22	72-hour notification to Board + Data Principal notification	Rule 7	FAIL	No breach notification infrastructure

H. Cross-Border & Data Localization 0 / 2

#	Requirement	DPDPA Section	Status	Gap
23	Document cross-border transfers	Section 16	FAIL	Data flows to Vercel (US), Fastly (global CDN), GitHub (US) — not documented
24	RBI data localization (payment data in India)	RBI PA Guidelines	FAIL	Payment API on Vercel (servers in US/India mixed); Linode servers may be outside India

I. Data Principal Rights 0 / 1

#	Requirement	DPDPA Section	Status	Gap
25	Mechanisms for Data Principals to exercise rights (access, correction, erasure)	Sections 11-14	FAIL	No rights infrastructure; no user accounts; no self-service portal

DPDP Readiness Scorecard Summary

Category-by-category compliance scores

Governance & Leadership

0%

0 / 4 checkpoints

Data Inventory & Mapping

0%

0 / 4 checkpoints

Consent Management

0%

0 / 4 checkpoints

Privacy Notices

0%

0 / 3 checkpoints

Security Safeguards

17%

0.5 / 3 (partial TLS)

Data Retention & Erasure

0%

0 / 2 checkpoints

Breach Notification

0%

0 / 2 checkpoints

Cross-Border & Localization

0%

0 / 2 checkpoints

Data Principal Rights

0%

0 / 1 checkpoints

Total Score

0.5 / 25

Overall: 2%

VAPT Findings That Are DPDP Violations

Security vulnerabilities that directly constitute DPDPA violations

VAPT Finding	DPDPA Violation	Section	Exploitability	Potential Penalty
F18 — PII hardcoded in API (name, phone, email, address)	Failure to implement reasonable security safeguards	Section 8(5)	Critical	Up to ₹250 crore
F19 — Wildcard CORS on API	Failure to protect data from unauthorized access	Section 8(5)	Critical	Up to ₹250 crore
F21 — Unauthenticated payment API	Failure to implement security safeguards	Section 8(5)	Critical	Up to ₹250 crore
F16 — No Privacy Policy	Failure to provide privacy notice	Section 5	High	Up to ₹50 crore
F17 — No security.txt	No breach reporting mechanism	Section 8(6)	High	Up to ₹200 crore
F02 — Wildcard subdomain	Inadequate organizational security measures	Section 8(5)	High	Up to ₹250 crore
F23 — Public GitHub repo	Failure to protect against unauthorized data access	Section 8(5)	Critical	Up to ₹250 crore

Combined maximum penalty exposure: ₹250 crore (penalties are per violation, capped at the schedule maximum).

DPDP Penalties Company C Faces

Potential financial exposure under the DPDPA penalty schedule

₹250 Crore

Failure to implement reasonable security safeguards resulting in breach
PII exposure (F18), no auth (F21), CORS wildcard (F19)

₹200 Crore

Failure to notify Board & Data Principals of breach
No breach notification plan, no security.txt

₹200 Crore

Breach of children's data obligations
No age verification if any user is under 18

₹50 Crore

Non-compliance with any other DPDPA provision
No privacy notice, no consent, no erasure, no rights mechanism

What Needs To Be Done — DPDP Compliance Roadmap

Phased action plan to reach compliance before May 2027 enforcement

P0 Phase 1: IMMEDIATE (0-30 days) — Stop the Bleeding 7 actions

#	Action	Priority	Effort
1	Remove PII from API responses immediately	P0	1 hour
2	Add authentication to all API endpoints	P0	1 day
3	Fix CORS configuration (restrict to specific origins)	P0	1 hour
4	Draft and publish Privacy Policy	P0	3-5 days
5	Draft and publish Terms of Service	P0	3-5 days
6	Designate a Grievance Redressal Officer	P0	1 day
7	Make GitHub repo private	P0	5 minutes

P1 Phase 2: SHORT-TERM (30-90 days) — Build Foundation 8 actions

#	Action	Priority	Effort
8	Conduct personal data inventory — map all data across all systems	P1	1-2 weeks
9	Document all Data Processor relationships (Vercel, Fastly, Linode, Razorpay)	P1	1 week
10	Execute Data Processing Agreements (DPAs) with all processors	P1	2-3 weeks
11	Implement consent management — collection, withdrawal, record-keeping	P1	2-4 weeks
12	Implement security headers (CSP, X-Frame-Options, etc.)	P1	1 day
13	Add rate limiting on all endpoints	P1	1 day
14	Set up security monitoring and logging	P1	1 week
15	Create breach notification procedure	P1	1 week

P2 Phase 3: MEDIUM-TERM (90-180 days) — Full Compliance Build 8 actions

#	Action	Priority	Effort
16	Build Data Principal rights portal (access, correction, erasure requests)	P2	2-4 weeks
17	Implement data retention policies with automated erasure	P2	2 weeks
18	Set up cookie consent banner (when cookies are used)	P2	1 week
19	Implement age verification (if platform could have users under 18)	P2	2 weeks
20	Conduct Data Protection Impact Assessment	P2	2-4 weeks
21	Ensure RBI data localization — payment data stored only in India	P2	2 weeks
22	Regular VAPT scans — ongoing vulnerability assessment	P2	Ongoing
23	Staff training on data protection	P2	1 week

P3 Phase 4: PRE-ENFORCEMENT (180-418 days) — Audit & Certify 5 actions

#	Action	Priority	Effort
24	Independent DPDP compliance audit	P3	2-4 weeks
25	PCI-DSS certification (for payment processing)	P3	3-6 months
26	Apply for RBI PA/PG license	P3	Ongoing
27	SOC 2 Type II preparation (if targeting enterprise clients)	P3	6-12 months
28	Continuous compliance monitoring	P3	Ongoing

How Company A Helps Company C Achieve DPDP Compliance

Product mapping to Company C's specific DPDP gaps

Company A Product Mapping to Company C's DPDP Gaps

Company C DPDP Gap	Company A Solution	How It Helps
No security safeguards assessment	Automated VAPT (45 min)	AI-powered security scan identifies all vulnerabilities; maps each to DPDP Section 8(5) obligations
No DPDP compliance mapping	DPDP Compliance Module	Auto-maps every security finding to specific DPDPA sections and rules; generates compliance readiness score
No breach notification plan	Breach Detection Alerts	Continuous monitoring alerts when new vulnerabilities appear; helps meet 72-hour notification requirement
Unknown attack surface	Subdomain Reconnaissance	Discovers all 12+ domains, exposed APIs, and shadow IT — exactly what our VAPT found
No security training	Hindi Phishing Simulation	AI-generated phishing campaigns test team readiness in Hindi/Hinglish/English
No ongoing compliance monitoring	Monthly Plan (3 reports/mo)	Continuous reassessment ensures compliance doesn't degrade over time
No data processor oversight	Cloud Security Scanning	AWS/GCP/Azure config scanning ensures processor environments are secure
No compliance documentation	PDF Reports with DPDP Mapping	Court-ready, auditor-friendly reports documenting security posture and compliance status
No dark web exposure check	Dark Web Monitoring	Checks if company-c.example.com data or credentials are exposed on dark web forums

Why Company A Over Alternatives

Factor	Company A	Enterprise Tools (HackerOne, Qualys)	Free Tools (Nmap, ZAP)
Price	₹2,000 first report	₹15K-50K/month	₹0
DPDP Mapping	Built-in, automated	Not India-specific	None
Time to Report	45 minutes	2-4 weeks	Manual analysis
Target Audience	Indian SMBs, startups, fintechs	Fortune 500, regulated banks	Security engineers only
Language	English + Hindi remediation	English only	English only
Compliance Coverage	DPDPA + CERT-In + RBI	Global frameworks (SOC2, ISO)	None
Action Required	DNS verification only	Agent installation, credentials	Manual setup

Recommended Company A Plan for Company C

Phase	Company A Product	Cost	What You Get
Now	Free DPDP Check + Free Scan	₹0	Baseline DPDP readiness score + top 5 findings
Week 1	Full Report (one-time)	₹2,000	Complete VAPT with DPDP mapping, remediation steps, fix quotes
Month 1-3	Starter Plan	₹4,999/mo	3 rescans/month to track remediation progress
Month 4+	Growth Plan	₹9,999/mo	10 reports/month, API access, continuous monitoring, trend analysis
Total Year 1		~₹1.1 lakhs	Complete DPDP security compliance coverage

Compare: A single manual VAPT engagement costs ₹40K-8.5L and takes 2-4 weeks. Company A covers the full year for less than one manual assessment.

Start Your DPDP Compliance Journey

Get your free DPDP readiness check and security scan today. See exactly where you stand before enforcement begins.

Free DPDP Check Book Free Scan Schedule Demo

Competitor Comparison: DPDP Compliance Products in India

14 products analyzed — full competitive landscape

Full Competitive Landscape — 14 Products 14 analyzed

#	Product	Company	Type	India-Built?	Free Tier	Starting Price	Best For
1	Company A	Company A, Bengaluru	VAPT + DPDP Compliance	Yes	Free scan	₹2,000/report; ₹4,999/mo	SMB fintechs, startups
2	Concur	Concur, India	Privacy & Consent Platform	Yes	20K data principals free	₹84,000/yr (~₹7K/mo)	Startups to enterprise
3	Consentin	Leegality, India	Consent Management	Yes	3,000 consents/mo free	Custom SaaS/on-prem	BFSI, e-commerce, lending
4	Privy	IDfy, India	Consent + Data Governance	Yes	No	Custom (on AWS Marketplace)	Enterprise, regulated
5	Consently	Consently, India	Consent Handling	Yes	1-month free trial	Pay-per-consent	Any Indian business
6	DPDPA Shield	DPDPA Shield Pvt Ltd, Delhi	Full DPDP Compliance	Yes	Starter tier	Contact sales	Indian startups by stage
7	QverLabs	QverLabs, India	AI Compliance Platform	Yes	No	Custom	BFSI, healthcare, SaaS
8	Seqrite	Quick Heal (listed), India	Privacy + Security	Yes	No	Custom enterprise	Enterprises with Seqrite stack
9	Ardent Privacy	Ardent Privacy, India	Data Discovery + Privacy	Yes	No	Custom	Enterprise (HDFC, HPCL, Zee)
10	CookieYes	CookieYes (India-origin)	Cookie Consent	Yes	5K pageviews/mo free	$10/mo (~₹850) per domain	Any website
11	OneTrust	OneTrust, USA ($5.1B)	Full Privacy Platform	No (adapted)	No	~$50K+/yr (~₹42L+)	Multinational enterprise
12	Securiti.ai	Securiti, USA	Data Intelligence	No (adapted)	No	~$30K+/yr (~₹25L+)	Complex data environments
13	PrivacyEngine	PrivacyEngine, Ireland	Privacy Operations	No (adapted)	No	Custom	SDFs, DPOs, CISOs
14	Tsaaro	Tsaaro Consulting, India	Consulting + DPO-as-a-Service	Yes	No	₹1-5L/engagement	Mid-market (Adani, NPCI, CRED)

Detailed Feature Comparison — 17 Features x 7 Products Feature Matrix

Feature	Company A	Concur	Consentin	DPDPA Shield	QverLabs	OneTrust	Securiti
VAPT Security Scanning	Yes	No	No	No	No	No	No
DPDP Compliance Mapping	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Consent Management	Roadmap	Yes	Yes	Yes	Yes	Yes	Yes
Data Discovery	Partial	Yes	Yes (Lens)	No	Yes (AI)	Yes	Yes
DSAR/Rights Portal	Roadmap	Yes	Yes	Yes	Yes	Yes	Yes
Breach Notification	Yes	Yes	Yes	Yes (72hr)	Yes	Yes	Yes
Cookie Consent	No	No	Yes	No	No	Yes	Yes
22 Indian Languages	No	No	Yes	Yes	Yes	No	No
Children's Data Module	No	Yes	No	Yes	Yes	Yes	Yes
DPIA Automation	No	Yes	Yes	Yes	Yes	Yes	Yes
Phishing Simulation	Yes (Hindi)	No	No	No	No	No	No
Dark Web Monitoring	Yes	No	No	No	No	No	No
RBI/SEBI Alignment	Yes	No	No	No	No	No	Partial
On-Premises Option	No	No	Yes	No	No	Yes	Yes
API Access	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Report in 45 min	Yes	N/A	N/A	N/A	N/A	N/A	N/A
Free Tier	Yes	Yes (best)	Yes	Starter	No	No	No

Price Comparison — Annual Cost for a Startup like Company C Cost Analysis

Product	Annual Cost (INR)	What You Get	Value Rating
CookieYes	~₹10K-50K	Cookie consent banners only	Low (narrow scope)
Company A (Starter)	~₹60K	3 VAPT/mo + DPDP mapping + remediation	Best for security-first
Concur (Growth)	~₹84K	Consent + data discovery + DSAR (50K principals)	Best for consent-first
Company A (Growth)	~₹1.2L	10 VAPT/mo + API + monitoring + trends	Best comprehensive
Tsaaro	~₹1-5L/engagement	One-time consulting assessment	Moderate (not continuous)
Consentin (Leegality)	~₹1-3L	Consent lifecycle + data discovery	Good for BFSI
DPDPA Shield	Custom	Full DPDP compliance suite	Good for startups
Sprinto	~₹8-15L	SOC2/ISO + DPDP add-on	Expensive for DPDP-only
OneTrust	~₹42L+	Everything (100+ regulations)	Overkill for startups
Securiti.ai	~₹25L+	Enterprise data intelligence	Overkill for startups
Manual VAPT	~₹40K-8.5L per test	Single point-in-time assessment	Poor (not continuous)

Annual Cost Comparison (Visual)

CookieYes

₹10K-50K

Company A Starter

₹60K

Concur (Growth)

₹84K

Company A Growth

₹1.2L

Tsaaro

₹1-5L

Consentin

₹1-3L

Sprinto

₹8-15L

Manual VAPT

₹40K-8.5L / test

Securiti.ai

₹25L+

OneTrust

₹42L+

Value Matrix — Cost vs. Coverage Strategic View

Coverage Depth →

Low Cost ←——————————————→ High Cost

Security + Compliance (VAPT + DPDP + Continuous)

Company A Growth (₹1.2L)

Only product with VAPT + DPDP

High Cost Enterprise

OneTrust (₹42L+)

Securiti.ai (₹25L+)

PrivacyEngine (Custom)

Partial / Some Coverage

Company A Starter (₹60K)

Concur (₹84K)

Consentin (₹1-3L)

DPDPA Shield (Custom)

QverLabs (Custom)

Consently (Pay-per-consent)

High Cost / Partial

Sprinto (₹8-15L)

Seqrite (Custom)

Ardent Privacy (Custom)

CookieYes (₹10-50K)

Tsaaro (₹1-5L)

What Makes Company A Unique in This Market 7 Differentiators

Only Company A

VAPT + DPDP in One Platform

No other product combines security scanning with DPDP compliance mapping. Every competitor is either security-only or compliance-only.

Only Company A

45-Minute Report Delivery

All competitors are manual (weeks) or consent-only (no scanning). Company A delivers a full VAPT + DPDP report in 45 minutes.

Only Company A

Hindi Phishing Simulation

No other platform offers Indian-language phishing tests. AI-generated campaigns in Hindi/Hinglish/English.

Lowest Entry Price

₹2,000 Entry Price

Concur is ₹84K/yr; most others are custom/enterprise pricing. Company A starts at ₹2,000 for a full report.

Unique at This Price

Dark Web Monitoring

Enterprise-only feature at SMB pricing. Checks if your data or credentials are exposed on dark web forums.

Only Company A

RBI + SEBI + CERT-In Alignment

Consent platforms don't cover regulatory security mandates. Company A maps to RBI, SEBI, and CERT-In requirements.

Only Company A

No Credentials Needed

DNS-only verification; competitors often need agent installation, credentials, or complex onboarding.

For Company C specifically: Company A is the only product that addresses both the security vulnerabilities (25 findings from VAPT) AND the DPDP compliance gaps (25 checkpoints) in a single platform at startup pricing. A consent-only tool like Concur or Consentin won't fix the CRITICAL security issues. An enterprise tool like OneTrust costs 35x more.

See How Company A Stacks Up — Free

Run your free DPDP check now and compare the results with any competitor. No credit card, no agent installation, just DNS verification.

Free DPDP Check Book Free Scan Schedule Demo

Key DPDPA Reference

Penalty schedule, Data Principal rights, and fintech-specific dual compliance requirements

Penalty Schedule

Violation	Max Penalty
Failure to implement security safeguards (breach)	₹250 crore
Failure to notify Board & Data Principals of breach	₹200 crore
Breach of children's data obligations	₹200 crore
Breach of SDF obligations	₹150 crore
Any other DPDPA non-compliance	₹50 crore

Data Principal Rights (What Users Can Demand)

Right	Section	What Company C Must Provide
Right to Access	Section 11	Summary of all data processed, who it's shared with
Right to Correction	Section 12	Fix inaccurate/incomplete data
Right to Erasure	Section 12	Delete data when purpose served or consent withdrawn
Right to Grievance Redressal	Section 13	Accessible complaint mechanism
Right to Nominate	Section 14	Designate someone for post-death data rights
Right to Withdraw Consent	Section 6(4)	As easy as giving consent

Fintech-Specific Dual Compliance (DPDPA + RBI)

Requirement	DPDPA	RBI
Data localization	Negative list (no restricted countries yet)	Mandatory — all payment data in India
Consent	DPDPA consent framework	KYC consent per RBI norms
Retention	Erase when purpose served	10-year retention for payment records
Breach notification	72 hours to Board	RBI incident reporting requirements
Security standards	"Reasonable safeguards"	IS audit, VAPT mandatory for PA/PG
Net worth	N/A	₹15 crore (application), ₹25 crore (3rd year)

Don't Wait for Enforcement — Act Now

Company C has 418 days to go from 2% to full DPDP compliance. The penalty for inaction is up to ₹250 crore. Start with a free scan today.

Free DPDP Check Book Free Scan Schedule Demo

Overall DPDP Readiness Score

DPDP Compliance Timeline

Detailed Gap Analysis — All 25 DPDP Checkpoints

DPDP Readiness Scorecard Summary

VAPT Findings That Are DPDP Violations

DPDP Penalties Company C Faces

What Needs To Be Done — DPDP Compliance Roadmap

How Company A Helps Company C Achieve DPDP Compliance

Start Your DPDP Compliance Journey

Competitor Comparison: DPDP Compliance Products in India

Annual Cost Comparison (Visual)

VAPT + DPDP in One Platform

45-Minute Report Delivery

Hindi Phishing Simulation

₹2,000 Entry Price

Dark Web Monitoring

RBI + SEBI + CERT-In Alignment

No Credentials Needed

See How Company A Stacks Up — Free

Key DPDPA Reference

Don't Wait for Enforcement — Act Now