DPDP Act 2023 + Rules 2025 - Enforcement target 2027-05-13

India DPDP compliance for global SaaS,
drop-in by deadline.

If you have Indian users, the DPDP Act applies to you - even if your company is in San Francisco, London, or Singapore. Penalties reach Rs 250 crore (~$30M USD) per instance with no statutory cure period.

2026-11-13 Consent Manager registration window opens 2027-05-13 Full enforcement target 30+ requirements automated

Why your existing privacy stack will not save you

DPDP is not a re-skinned GDPR. The Act and the Rules introduce India-specific obligations that no horizontal SOC 2 or generic CMP covers.

Pain - Cost

OneTrust quotes a 5-figure annual contract

Built for Fortune 500 multi-jurisdiction programmes. For a Series A SaaS with 12% Indian users, the unit economics do not work.

Pain - Coverage

Vanta and Drata do not cover DPDP

SOC 2 and ISO 27001 audit automation does not implement Section 5 itemised notice, Section 8(6) 72-hour breach, or Section 12 erasure SLA.

Pain - Time

2027-05-13 is a hard deadline

The DPDP Act provides no statutory cure period before the Data Protection Board can begin penalty proceedings. A 12-month build will not finish in time.

Pain - Scope

30+ obligations across 24 sections + 6 rules

Notice content, consent withdrawal symmetry, parental consent, DPO appointment, DPIA, breach notification template, grievance 30-day SLA, Third Schedule retention.

Pain - Risk

Rs 250 crore per instance, per failure

The Schedule of the Act sets graduated maxima. Failure of reasonable security safeguards under Section 8(5) carries the highest band - approximately $30M USD.

Pain - Talent

Indian DPO talent is scarce and expensive

Significant Data Fiduciaries must appoint a DPO based in India under Section 10(2)(a). DPDP Bridge gives your fractional DPO a console instead of a spreadsheet.

signup.tsx - drop the consent SDK in one line
import { DPDPConsent } from '@dpdp-bridge/sdk'

// Eighth-Schedule itemised notice + Section 6(1) consent capture in one widget.
// Withdrawal endpoint and audit ledger handled server-side.
<DPDPConsent
  apiKey={'dpdp_xxx'}
  dataPrincipalId={user.id}
  purposes={['account', 'analytics', 'marketing']}
  language='en' {/* English + 22 Eighth-Schedule languages */}
/>

Five modules. One audit-ready evidence trail.

Everything a Data Fiduciary needs, none of the spreadsheet duct-tape.

Section 5 + Section 6 + Rule 3

Notice and Consent SDK

Drop-in widget for Eighth-Schedule itemised notice, granular per-purpose consent capture, and frictionless withdrawal symmetry. Multilingual via Rule 3 language list.

Section 12 + Rule 13

Erasure Workflow

Data Principal request intake, configurable SLA timer with T-72h / T-24h / T-0 reminders, retention-period mapping per Third Schedule, and verifiable completion log.

Section 8(6) + Rule 7

Breach Notification (72-hour clock)

Incident intake starts the Section 8(6) clock automatically. Rule 7 Board notification template generated; Data Principal communications drafted. Mark-as-notified ledger.

Section 8(9) + Section 10(2)(a) + Rule 14

DPO Console

Grievance officer routing with 30-day SLA enforcement, DPIA template (Pro plan) for Significant Data Fiduciaries, Indian DPO contact card surfacing on every notice.

Section 4 to 16 coverage

Compliance Reports

JSON, Markdown, and PDF export of your Data-Fiduciary posture against all 30+ requirements. Per-section evidence links, ready for Board or counsel review.

Section 6(7) hooks

Consent Manager Bridge

When a registered Consent Manager goes live, plug in via our Section 6(7) hooks - no rip-and-replace. We are deliberately not a Consent Manager (Rule 4 Rs 2 Cr net-worth bar).

30+ requirements automated, mapped to source

DPDP Act 2023 (24 sections) + Draft DPDP Rules 2025 (6 rules). Every obligation in our framework points back to its statutory citation.

Sec 4Lawful basis for processing
Sec 5(1) + 5(3)Notice content + Eighth-Schedule languages
Sec 6(1)Free, specific, informed consent
Sec 6(3)Plain-language requirement
Sec 6(4) + 6(5)Withdrawal symmetry
Sec 6(7)Consent Manager hooks
Sec 7Documented legitimate use
Sec 8(1)Accountability
Sec 8(3)Accuracy + completeness
Sec 8(5)Reasonable security safeguards
Sec 8(6)72-hour breach notification
Sec 8(7)Erasure on purpose-end
Sec 8(9)Grievance officer publication
Sec 8(10)Contact-of-DPO disclosure
Sec 9(1) + 9(3)Children: parental consent + no targeting
Sec 10(2)(a)SDF: India-based DPO
Sec 10(2)(c)SDF: DPIA
Sec 11Right to access
Sec 12Right to correction + erasure
Sec 13Grievance redressal
Sec 14Right to nominate
Sec 16Cross-border restrictions
Rule 3Itemised notice content
Rule 4Consent Manager declaration (out of scope)
Rule 7Breach notification form + content
Rule 10Verifiable parental consent
Rule 13Retention-expiry erasure
Rule 1430-day grievance response

How DPDP Bridge compares

Versus the platforms global SaaS evaluate when DPDP enters the privacy programme.

Capability DPDP Bridge OneTrust TrustArc Securiti
India DPDP Act + Rules 2025 specificNative, 30+ obligationsAdd-on moduleAdd-on moduleAdd-on module
Eighth-Schedule notice languagesYesManual configManual configManual config
Section 8(6) 72-hour breach automationBuilt inYesYesYes
Rule 13 retention-mapped erasure SLABuilt inCustom workflowCustom workflowCustom workflow
Section 6(7) Consent Manager hooksYesNoNoNo
Self-host optionDocker, SQLite or PostgresCloud onlyCloud onlyCloud only
Starting price (annual list)$199 / mo5-6 figures5-6 figures5-6 figures
Time to first audit-ready reportSame day8-12 weeks8-12 weeks6-10 weeks

Two plans. No procurement cycle.

Stripe Checkout, 14-day free trial on both. Cancel anytime.

Starter
$199 /mo
SMB SaaS up to 50,000 Data Principals.
  • All 5 modules: notice, consent, erasure, breach, DPO
  • 50,000 Data Principals
  • 1 webhook endpoint
  • JSON + Markdown compliance reports
  • Email support, 1 business day SLA
  • 14-day free trial
Start Trial

2027-05-13 is closer than your next product cycle.

Spin up a tenant in under 5 minutes. Drop the SDK in one line. Ship audit-ready evidence by Friday.

Frequently asked

Do I need to be incorporated in India to use DPDP Bridge?

No. DPDP Bridge runs entirely on the Data Fiduciary side. The DPDP Act has extraterritorial reach under Section 3(b), so any global SaaS that processes the personal data of Data Principals in India must comply, regardless of where the company is incorporated.

How is DPDP different from GDPR?

DPDP is narrower in scope (digital personal data only), has no equivalent of legitimate-interest as a lawful basis, mandates an Eighth-Schedule itemised notice, requires breach reporting to the Data Protection Board within 72 hours under Section 8(6), and imposes penalties up to Rs 250 crore per instance with no statutory cure period.

Will DPDP Bridge register as a Consent Manager?

No. Consent Manager registration under Section 6(7) of the Act and Rule 4 of the draft Rules requires an Indian-incorporated company with a minimum net worth of Rs 2 crore. DPDP Bridge is a Data-Fiduciary-side toolkit. We expose Section 6(7) hooks so customers can plug a registered Consent Manager later, without rip-and-replace.

Is DPDP Bridge legal advice?

No. DPDP Bridge is a compliance tooling platform, not legal advice. Consult Indian counsel for binding interpretations of the Act, Rules, and any commencement notifications.

When does DPDP enforcement actually begin?

The government has communicated 2027-05-13 as the full-enforcement target. The commencement notification is still pending; the Consent Manager registration window is expected to open 2026-11-13 per the draft Rule 4 timeline. Verify both dates against the final MeitY notification before relying on them.

What penalties apply for non-compliance?

The Schedule of the DPDP Act sets graduated financial penalties. The maximum is Rs 250 crore (~$30 million USD) per instance for failure to take reasonable security safeguards under Section 8(5). The Act provides no statutory cure period before penalty proceedings can begin.

How fast must I respond to an erasure request?

The Act does not fix a numeric SLA; Rule 13 ties retention to defined retention periods (Third Schedule for e-commerce / social-media / online-gaming with more than 2 crore users). DPDP Bridge defaults to a 7-day SLA timer, configurable per tenant, and triggers email reminders at T-72h, T-24h, and T-0.

Does DPDP Bridge replace OneTrust or TrustArc?

DPDP Bridge focuses on India DPDP Act and Rules 2025 specifically and ships at $199 / $499 per month. Customers running multi-jurisdiction privacy programmes typically keep their incumbent for GDPR / CCPA and use DPDP Bridge for India coverage.

Do Vanta or Drata cover DPDP?

No. Vanta and Drata are SOC 2 / ISO 27001 audit automation platforms; they do not implement DPDP-specific notice, consent, erasure, breach 72-hour, or DPO requirements. They complement DPDP Bridge rather than replace it.

Where is the data stored?

DPDP Bridge stores tenant configuration, consent ledger, erasure requests, and breach records in a SQLite database (Postgres-compatible). The cross-border transfer restriction in Section 16 applies to your Data Principal data, not to compliance metadata; customers can self-host on India-region infrastructure if their internal policy requires it.