Credibility & Resources

Trusted by India's Leading Institutions

Our credibility is built on partnerships with India's most respected academic and government bodies — not just words on a page.

IIT Guwahati: Indian Institute of Technology Guwahati (Verified)

Kensara AI was born within the walls of IIT Guwahati — one of India's top-ranking Institutes of National Importance. Our founding team emerged from IITG's rigorous academic environment, bringing first-principles thinking to India's data privacy challenge.

Established at IITG campus

TIC — IITG: Technology Incubation Centre — IIT Guwahati (Verified)

We are an officially incubated startup at the Technology Incubation Centre, IIT Guwahati. TIC-IITG is IITG's flagship startup incubation program, nurturing deep-tech ventures with access to world-class research, mentorship, and infrastructure.

Active incubation programme member

MeitY — Govt. of India: Government Backed (Verified)

Kensara AI is backed by the Ministry of Electronics and Information Technology (MeitY), Government of India — the very ministry that enacted the Digital Personal Data Protection Act. This alignment validates our mission and gives us unique insight into India's regulatory direction.

MeitY recognised & supported startup

FAQ

Frequently Asked Questions

Common questions about our institutional credibility and how it informs the compliance outcomes we deliver.

What is the Digital Personal Data Protection Act (DPDPA) 2023?

The DPDPA 2023 is India's first comprehensive data protection law, passed by Parliament on 11 August 2023. It governs how organisations collect, store, process, and share the personal data of Indian citizens — placing enforceable rights in the hands of individuals and concrete obligations on businesses. The accompanying DPDP Rules 2025 were officially notified on 13 November 2025. Full compliance is mandatory from 13 May 2027.

Who does the DPDPA apply to?

The DPDPA applies to any entity — Indian or foreign — that processes digital personal data within India, or processes personal data of Indian residents outside India in connection with goods or services offered to them. There is no minimum size threshold; a 10-person startup faces the same fundamental obligations as a listed enterprise. In practice, this covers e-commerce platforms, SaaS products, fintech apps, healthcare providers, educational institutions, HR systems, and any company with Indian users or customers.

What are the key DPDPA compliance obligations my business must meet?

Core obligations apply to all Data Fiduciaries by May 2027:
(1) Lawful consent — free, specific, informed, and unambiguous consent before collecting personal data, with no bundled or pre-ticked consents.
(2) Privacy notice — a standalone, plain-language notice itemising data categories, purposes, and rights before consent is collected.
(3) Data Principal rights — mechanisms to fulfil requests for access, correction, erasure, and grievance redressal within prescribed timelines.
(4) Breach notification — mandatory reporting to the Data Protection Board and affected users within 72 hours of a breach.
(5) Data minimisation and retention — collect only what is necessary; delete data once the purpose is fulfilled or consent is withdrawn.
(6) Children's data — verifiable parental consent for any processing of data relating to minors under 18.
(7) Cross-border transfers — transfers outside India permitted only to government-whitelisted countries.

What are the penalties for DPDPA non-compliance?

Penalties are substantial and cumulative — each violation can attract a separate fine. Failure to implement reasonable security safeguards: up to ₹250 crore. Failure to notify a data breach within 72 hours: up to ₹200 crore. Non-compliance with children's data obligations: up to ₹200 crore. Non-compliance with Significant Data Fiduciary obligations: up to ₹150 crore. General DPDPA or Rules violations: up to ₹50 crore per incident. The Data Protection Board can also suspend business operations entirely. Penalties are not capped per year — multiple breaches compound. Unlike earlier drafts, the 2023 Act does not prescribe criminal imprisonment.

What is a Significant Data Fiduciary (SDF) and does my company qualify?

An SDF is a Data Fiduciary formally notified by the Central Government based on criteria such as volume and sensitivity of data processed, risk to Data Principal rights, potential national security impact, and influence on electoral democracy. SDF provisions are expected to activate on 13 May 2027. SDFs face enhanced obligations: appointing an Indian-resident DPO, conducting annual Data Protection Impact Assessments (DPIAs), independent audits, algorithmic fairness assessments, and stricter cross-border transfer restrictions. Even if you are not yet notified as an SDF, building SDF-ready infrastructure now protects you from scrambling later.

What is a Consent Manager under the DPDPA?

A Consent Manager is a registered entity — unique to India's framework, conceptually similar to an Account Aggregator in financial services — that acts as a digital intermediary between Data Principals and Data Fiduciaries. It allows individuals to grant, manage, review, and withdraw consent through a single platform. Consent Manager registration opens 13 November 2026 and is restricted to India-incorporated entities with a minimum net worth of ₹2 crore. Foreign platforms cannot operate as registered Consent Managers in India. Businesses using third-party consent platforms should verify their compliance status and update contracts accordingly.

How does DPDPA compare to GDPR? Do they conflict?

The DPDPA shares philosophical roots with the GDPR — both centre on consent, data minimisation, breach notification, and individual rights. However, key differences exist: DPDPA does not define a separate 'sensitive personal data' category — all personal data is treated with equal rigour. DPDPA does not prescribe criminal penalties such as imprisonment. Cross-border transfer rules differ — DPDPA uses a government whitelist rather than GDPR's adequacy decisions. India's Consent Manager construct has no direct GDPR equivalent. If you are already GDPR-compliant, your existing frameworks provide a strong foundation — but India-specific gaps must still be addressed. Kensara AI's platform maps both simultaneously.

Are startups and MSMEs exempt from DPDPA obligations?

The Government may notify exemptions for smaller organisations, including certain startups and MSMEs, relieving them from specific obligations such as appointing a DPO or conducting independent audits. However, these exemptions are not yet notified and are expected to be addressed by May 2027. Critically, basic consent, security safeguards, and grievance mechanisms remain mandatory for all entities regardless of size. Waiting for exemptions to be announced before beginning compliance is a high-risk strategy.

What exactly does Kensara AI do?

Kensara AI is an expert-led, AI-powered GRC (Governance, Risk, and Compliance) platform that takes you from regulatory chaos to audit-ready confidence. We combine certified Data Protection Officers, privacy lawyers, and techno-legal consultants with an intelligent automation platform — so you get expert strategy and operational execution in one programme. Our platform covers gap assessment, consent management, data mapping, DPIA workflows, policy drafting, DPO-as-a-Service, employee training, and real-time regulatory monitoring across 51+ global frameworks including DPDPA, GDPR, CCPA, HIPAA, ISO 27001, SOC 2, and the EU AI Act.

How many regulatory frameworks does the platform cover?

Kensara AI actively monitors, maps, and enforces compliance across 51+ regulatory frameworks in real-time, including: DPDPA 2023, DPDP Rules 2025, RBI, SEBI, and IRDAI frameworks for India; GDPR and EU AI Act for the European Union; CCPA / CPRA and HIPAA for the United States; PDPL for Saudi Arabia; and ISO 27001 and SOC 2 internationally, with 40+ additional jurisdictions covered. Framework coverage is auto-updated as regulations evolve — no manual re-engagement required.

What is DPO-as-a-Service and do I need it?

DPO-as-a-Service provides a fully outsourced Data Protection Officer function. Our certified DPOs serve as your regulatory interface — handling board reporting, regulator communications, breach notifications, and ongoing compliance governance — without the overhead of a full-time senior hire. It is mandatory for Significant Data Fiduciaries under DPDPA, which require an Indian-resident DPO. It is also strongly recommended for any company in fintech, healthtech, edtech, or e-commerce processing large volumes of personal data. Even if you are not yet an SDF, having a DPO on record signals seriousness to regulators and partners.

What credentials and certifications does your team hold?

Our team holds certifications across the leading global privacy frameworks, including: Certified Data Protection Officer (DPO) across GDPR, DPDPA, and global frameworks; CIPP/E — Certified Information Privacy Professional (Europe) from IAPP; and 5+ years of operational experience in data privacy across fintech, healthcare, and social media. Kensara AI is incubated at IIT Guwahati's Technology Incubation Centre (TIC-IITG) and is a recognised startup under MeitY's GENESIS EIR 2.0 programme — the very ministry that enacted the DPDPA.

What does your 100% audit success rate mean in practice?

It means that zero clients supported by Kensara AI across audit engagements have experienced a compliance failure. Our continuous monitoring, real-time evidence generation, and automated mandate mapping ensure you are perpetually audit-ready — not just prepared in the weeks before a scheduled audit. Unlike traditional consulting deliverables that are outdated the day they are printed, our platform generates living compliance documentation that evolves with your data and with regulatory changes.

How long does it take to become DPDPA-compliant with Kensara AI?

Most clients achieve full compliance in 2–6 weeks — compared to the 6–12 months typical of traditional consulting engagements. This 70% time reduction is possible because our AI platform automates the heavy lifting: data mapping, evidence generation, consent deployment, and policy drafting happen simultaneously, not sequentially. The timeline depends on your organisation's size, number of data systems, and existing compliance posture. We will give you an accurate estimate during the initial discovery call.

What does the onboarding process look like step by step?

Our four-phase programme:
Day 1 — Discovery Call: we understand your business model, data flows, jurisdictions, and existing compliance posture.
Week 1–2 — Gap Assessment: a structured techno-legal audit against applicable frameworks, delivering a prioritised remediation roadmap.
Week 2–4 — Platform Deployment: consent mechanisms, DPIA workflows, data mapping pipelines, rights-request systems, and policy documents go live with zero IT disruption.
Ongoing — Continuous Compliance: real-time monitoring, regulation auto-updates, and expert support keep you audit-ready permanently.

What is a Data Protection Impact Assessment (DPIA) and when do I need one?

A DPIA is a structured assessment conducted before initiating any processing activity that poses a significant risk to individuals' rights. It identifies the nature and purpose of the processing, the necessity and proportionality of the data use, and the safeguards to mitigate identified risks. Under DPDPA, DPIAs are mandatory for Significant Data Fiduciaries on an annual basis. For other Data Fiduciaries, DPIAs are a best-practice requirement for high-risk processing such as profiling, large-scale sensitive data handling, or new technology deployments. Kensara AI automates DPIA workflows, making them continuous rather than a one-time exercise.

Do I need to appoint a Data Protection Officer (DPO)?

Mandatory DPO appointment applies to Significant Data Fiduciaries — the DPO must be an Indian resident and serve as the primary regulatory interface with the Data Protection Board. SDF provisions activate on 13 May 2027. For all other organisations, a DPO is strongly recommended but not mandatory. Appointing one — or engaging our DPO-as-a-Service — demonstrates accountability to regulators, builds customer trust, and significantly reduces risk exposure, particularly if you process data at scale.

What happens if I am not compliant by May 2027?

May 13, 2027 is a hard cutoff — there is no grace period afterward. Enforcement is complaint-driven initially, meaning the Data Protection Board will investigate consumer complaints and breach reports from Day 1. High-profile cases establishing regulatory precedent are expected early in the enforcement cycle. Non-compliant businesses face penalties up to ₹250 crore per violation, cumulative fines across multiple breaches, mandatory breach notifications, and the possibility of business suspension. Starting compliance now — while over a year of runway remains — is the only risk-managed approach.

How does Kensara AI handle cross-border data transfer compliance?

DPDPA restricts transfers of personal data outside India to government-whitelisted countries only. Non-compliant transfers constitute a direct violation regardless of contractual safeguards in place. Our platform maps all cross-border data flows within your organisation — cloud providers, SaaS tools, analytics platforms, CDNs — and identifies which transfers require remediation. We maintain updated whitelists and alert you when new country designations affect your operations. For global businesses, we simultaneously address GDPR adequacy requirements and CCPA transfer obligations under a unified data-transfer governance framework.

How does Kensara AI's pricing compare to traditional compliance consultants?

Traditional consulting programmes for enterprise-grade DPDPA compliance typically cost between ₹50 lakh and ₹2 crore, take 6–12 months, and require re-engagement every time regulations change. Kensara AI delivers the same outcome at approximately 60% lower cost, in 2–6 weeks, with continuous regulatory updates included. Our pricing is subscription-based — one plan covering assessment, implementation, and ongoing enforcement. No per-framework add-ons. No surprise re-engagement fees when regulations update.

What does your 14-day money-back guarantee cover?

If you are not satisfied with our programme within 14 days of onboarding, we offer a full refund — no questions asked. This reflects our confidence in the quality of our assessment, delivery, and compliance architecture. Please refer to our Terms of Service for the precise conditions of the guarantee.

Are there hidden costs or add-on fees I should know about?

No. Kensara AI operates on transparent, predictable pricing. Your subscription covers gap assessment, platform deployment, policy drafting, continuous monitoring, and regulatory auto-updates. We do not charge per-framework fees or re-engagement fees when new regulations emerge. The only additions are optional services — such as expanded DPO-as-a-Service or bespoke employee training programmes — which are quoted separately and only if you choose them.

Will implementing Kensara AI disrupt my existing IT systems or operations?

No. Zero IT disruption is a core design principle of our platform. We integrate with your existing infrastructure — cloud environments, databases, SaaS tools, CRMs, and data warehouses — without requiring system overhauls or downtime. Your engineering team is involved minimally: primarily for API connectors and access provisioning, which typically takes a few hours, not weeks. Our AI-driven analysis and documentation runs in the background while your team continues business as usual.

How does your platform handle real-time regulatory monitoring?

Our platform continuously monitors 51+ regulatory frameworks across India, EU, USA, Saudi Arabia, and 40+ additional jurisdictions. When a regulation is updated — a new enforcement notice, an amendment, a new country whitelist, or a change in penalty structure — the system automatically updates your compliance posture and alerts you to any actions required. This means you are never caught off-guard by regulatory changes that make yesterday's compliance inadequate. Traditional consulting programmes require a fresh engagement each time; Kensara AI handles it automatically as part of your subscription.

How does your consent management system work for websites and apps?

Our consent management layer deploys across all digital touchpoints — websites, mobile applications, customer portals, and API integrations. It handles consent collection, granular withdrawal tracking, and preference management in a DPDPA and GDPR-compliant format from day one. Under the DPDPA, valid consent must be free, specific, informed, unconditional, and obtained via unambiguous affirmative action. Pre-ticked boxes and bundled consents are explicitly non-compliant. Our templates are built to these standards, and all consent records are stored for a minimum of 7 years as required.

What is a Record of Processing Activities (RoPA) and can your platform generate one?

A Record of Processing Activities (RoPA) is a structured internal register documenting every personal data processing activity in your organisation: what data is collected, for what purpose, how long it is retained, who has access, which processors are involved, and whether any cross-border transfers occur. Yes — Kensara AI's data mapping module automatically generates and maintains your RoPA. Our platform discovers data flows across systems, maps them to your regulatory obligations, and updates the RoPA continuously as your business evolves. This is a living document, not a one-time audit deliverable.

How does Kensara AI help with data breach response?

Under the DPDPA, all personal data breaches — regardless of gravity — must be reported to the Data Protection Board and affected Data Principals within 72 hours. There are no de minimis thresholds. Our platform provides a structured breach response workflow: automated detection alerts, incident documentation templates, regulator notification drafts, and affected-user communication protocols — all pre-configured and ready to activate. Our DPO team can manage the entire breach response process on your behalf under our DPO-as-a-Service offering, ensuring nothing falls through the cracks under time pressure.

Resources

Practical Compliance Resources

Curated materials that help teams move faster — from DPDPA fundamentals to AI governance readiness.

Resource | Type | Updated | Link
DPDPA Official Gazette | Regulation | Nov 2025 | View
DPDPA Compliance Quickstart | Guide | Feb 2026 | To be Updated Soon
AI Governance Readiness Checklist | Checklist | Jan 2026 | To be Updated Soon
Data Principal Rights Playbook | Playbook | Dec 2025 | To be Updated Soon

Start your compliance journey

Every Day You Wait Adds to Your Risk.

Multiple enforcement deadlines are converging. Start now to make compliance a growth advantage, not a cost center.

No hidden costs | 14-day money back | Zero IT disruption | 100% audit success rate