DPDP Act Compliance Services

Ideal for: Freelancers, early-stage startups, small retailers with online presence

• ✓ Up to 3 data processing activities mapped
• ✓ Website & CRM consent review
• ✓ Privacy Notice gap check
• ✓ Basic Gap Report
• ✓ Two remediation briefing calls

Ideal for: MSMEs, mid-size firms, EdTech, HealthTech, e-commerce businesses

• ✓ Up to 10 data processing activities mapped
• ✓ Full consent mechanism & privacy notice audit
• ✓ Third-party processor contract review (up to 5 vendors)
• ✓ HR / payroll data compliance check
• ✓ Detailed Gap Register + Roadmap
• ✓ Five management briefing sessions

Ideal for: IT/ITES companies, NBFCs, hospitals, large manufacturers, SDFs

• ✓ Unlimited data processing activities mapped
• ✓ SDF obligation assessment (DPO, DPIA readiness)
• ✓ Third-party processor due diligence (up to 20 vendors)
• ✓ Cross-border transfer compliance review
• ✓ Full audit-grade Gap Report
• ✓ Board presentation & management briefing
• ✓ Regulatory watch briefing for 3 months post-assessment

Ideal for: Early-stage startups, small e-commerce businesses, solo practices

• ✓ Privacy Policy & Consent Notice drafting
• ✓ Data Processing Register setup
• ✓ Basic breach response SOP
• ✓ Rights-request handling process
• ✓ Two staff awareness sessions (virtual)

Ideal for: MSMEs, EdTech, HealthTech, HR companies, mid-size manufacturers

• ✓ All Standard deliverables +
• ✓ Full Data Processing Register (all departments)
• ✓ Data Processor Agreement template (up to 3 customised)
• ✓ DPIA template & one completed DPIA
• ✓ Retention & Erasure Policy
• ✓ Four staff training sessions (virtual or on-site)

Ideal for: IT/ITES exporters, NBFCs, hospitals, SDFs, listed companies

• ✓ All Business deliverables +
• ✓ SDF-specific obligations (DPO job spec, DPIA for all key activities)
• ✓ Cross-border data transfer framework
• ✓ Vendor due diligence programme (up to 20 processors)
• ✓ Compliance manual & SOPs for all departments
• ✓ Board-level governance framework
• ✓ Full-team training programme (up to 7 sessions)

Ideal for: Small businesses that have completed initial compliance setup

• ✓ Quarterly compliance health-check
• ✓ Regulatory update briefings (quarterly)
• ✓ Annual policy review
• ✓ Email/WhatsApp advisory (up to 5 queries/month)

Ideal for: MSMEs, EdTech, HealthTech, e-commerce platforms

• ✓ Monthly compliance health-check
• ✓ Regulatory updates (monthly briefings)
• ✓ Rights request handling support
• ✓ Breach monitoring & DPBI support
• ✓ Quarterly compliance status report
• ✓ Unlimited advisory queries

Ideal for: Significant Data Fiduciaries (IT/ITES, NBFCs, hospitals, listed cos)

• ✓ All Business Retainer deliverables +
• ✓ Named DPO appointment (statutory compliance)
• ✓ DPBI interface & correspondence management
• ✓ Annual independent data audit coordination
• ✓ DPIA review for all new major processing activities
• ✓ Board-level compliance reporting (quarterly)

📦 DPDP Starter Pack

Assess + Implement for Small Businesses

Best For: Startups, small e-commerce & service businesses handling customer data

• ✓ Track A — DPDP Readiness Assessment (Starter)
• ✓ Track B — Compliance Setup (Standard)
• ✓ 3 months Track C Retainer (Starter) included free
• ✓ Everything needed to be Phase 2-ready by November 2026

📦 DPDP Business Compliance Pack

Full Assess + Implement + Monitor for SMEs

Best For: Growing MSMEs, EdTech, HealthTech, HR companies — complete Phase 2 & 3 readiness

• ✓ Track A — DPDP Readiness Pro Assessment
• ✓ Track B — Compliance Setup (Business)
• ✓ 6 months Track C Retainer (Business)
• ✓ Two staff training sessions + management briefing
• ✓ Annual DPDP compliance calendar

📦 DPDP Enterprise + DPO Pack

Complete SDF Compliance Programme

Best For: Significant Data Fiduciaries, IT/ITES exporters, NBFCs, large hospitals, listed companies

• ✓ Track A — Enterprise Assessment (incl. SDF check)
• ✓ Track B — Enterprise Implementation (full SOPs + governance)
• ✓ 12 months Track C Retainer + DPO-as-a-Service
• ✓ Annual independent data audit coordination
• ✓ GDPR alignment module (for EU-serving businesses)
• ✓ Board-level governance framework & reporting

🏢 Business Information

💻 Data & Technology

📋 Existing Compliance Documents

Does the DPDP Act apply to my small business or startup?

Yes. If you collect even basic personal data — names, email addresses, phone numbers, or payment details — through your website, app, or offline process, you are a Data Fiduciary under the DPDP Act. Size is not an exemption criterion. However, smaller organisations face fewer obligations than Significant Data Fiduciaries, and our Starter tier is specifically designed to be affordable for SMEs and startups.

When do I need to be compliant by?

Phase 2 obligations — consent management, privacy notices, and Data Principal rights — become enforceable from November 2026. Phase 3 full compliance (data security, breach notification, SDF obligations) applies from May 2027. We recommend starting your compliance journey now: a proper implementation takes 4–6 weeks, and internal process changes take time to embed.

What are the penalties for non-compliance?

The DPDP Act provides for penalties of up to ₹250 crore per violation by the Data Protection Board of India. Different violations carry different penalty caps — for example, failure to implement reasonable data security safeguards can attract up to ₹250 crore, while breach of obligations concerning children's data can attract up to ₹60 crore. These are per-incident penalties, not annual caps.

What is a Significant Data Fiduciary (SDF) and am I one?

The government will notify specific categories and volume thresholds for SDFs separately. However, organisations that process large volumes of personal data, handle sensitive data (financial, health, biometric), serve children, or pose significant risk to data principals are likely candidates. VITTAX's Enterprise Assessment includes a full SDF obligation check to help you determine your category.

We already have a privacy policy on our website. Are we compliant?

Almost certainly not — most existing privacy policies were written for general purposes and do not meet the specific requirements of the DPDP Rules (prescribed format, itemised disclosures, rights procedures, contact details of Data Fiduciary and DPO). A privacy policy gap check is one of the first steps in our Readiness Assessment.

We are an IT company serving EU clients. Do we need GDPR too?

If you process personal data of EU residents as a processor on behalf of an EU controller, GDPR obligations apply to your processing under Article 28. VITTAX's Enterprise pack includes a GDPR alignment module to help you meet both DPDP and GDPR obligations efficiently — avoiding duplication of effort.

What does DPO-as-a-Service mean and is it mandatory?

Significant Data Fiduciaries are legally required to appoint a Data Protection Officer under the DPDP Rules. DPO-as-a-Service means VITTAX provides a named, qualified professional to fulfil this statutory role on your behalf — interfacing with the DPBI, overseeing your compliance programme, and providing expert oversight. It eliminates the cost and complexity of an in-house hire.

How is VITTAX different from a law firm or IT security firm for DPDP?

DPDP compliance sits at the intersection of legal obligations, financial controls, HR processes, IT security, and accounting systems. Law firms focus on legal advice; IT firms on technical controls; VITTAX brings the CA's structured audit lens — identifying, documenting, and controlling risks across all these dimensions simultaneously. We also offer ongoing compliance retainers at a fraction of the cost of a dedicated in-house compliance team.