Last reviewed: 1 March 2026 — reviewed quarterly

DPDPA Compliance Statement

Our commitment to operating as a compliant Data Fiduciary and Data Processor under the Digital Personal Data Protection Act 2023 and Rules 2025.

1. Our Role

DPDPA Shield operates in two capacities under DPDPA 2023:

  • Data Fiduciary for the personal data of our own customers (tenants), demo requesters, and website visitors — we determine why and how this data is processed.
  • Data Processor for personal data that our customers process through the platform (consent records, rights request data, breach incident records) — we process this data only on the Customer's instructions under a Data Processing Agreement.

2. Our Consent Practices

We obtain free, informed, specific, and unambiguous consent before processing personal data for marketing communications, in accordance with DPDPA S.6. Our consent notice:

  • Is written in plain language
  • Itemises each processing purpose separately
  • Identifies DPDPA Shield as the Data Fiduciary
  • Explains how to withdraw consent

Consent withdrawal is available at any time by emailing hello@dpdpashield.in with subject “Withdraw Consent”. We will action withdrawal requests within 3 business days.

3. Data Principal Rights

We honour all rights under DPDPA S.11–14 for individuals whose personal data we process as Data Fiduciary:

  • Access (S.11): You can request a summary of your personal data we hold
  • Correction & Erasure (S.12): You can request correction or deletion of your data
  • Grievance Redressal (S.13): You can raise complaints about our data practices
  • Nomination (S.14): You can nominate a representative to exercise your rights

To exercise any right, email hello@dpdpashield.in with subject “Data Rights Request”. We respond within 30 days.

4. Security

We implement security safeguards in accordance with DPDPA S.8(5) and Rule 6 of the Rules. Our security programme includes:

  • Encryption of personal data at rest and in transit
  • Role-based access controls — no cross-tenant data access possible by design
  • Immutable audit logs for all data operations
  • Regular vulnerability assessments and dependency updates
  • Incident response plan with defined timelines

Full details: Security Policy

5. Breach Response

In the event of a personal data breach affecting data for which we are the Data Fiduciary, we will:

  • Notify the Data Protection Board within 72 hours per DPDPA S.8(6) and Rule 7 of the Rules
  • Notify affected Data Principals without undue delay
  • Provide information on the nature of the breach, affected data categories, and remediation actions taken

For breaches affecting Customer (tenant) data where we act as Data Processor, we notify the Customer within 24 hours per our DPA.

6. Processor Commitments

When acting as Data Processor for Customer data, we:

  • Process data only on the Customer's documented instructions
  • Maintain a Data Processing Agreement with all Customers
  • Use only the sub-processors listed in the DPA
  • Assist Customers in responding to Data Principal rights requests
  • Delete Customer data within 30 days of subscription termination

Full details: Data Processing Agreement

7. Children's Data

DPDPA Shield's own service is for business users (18+). We do not collect or process personal data of individuals under 18 in our own operations.

Our platform's Children's Data Module is designed to help our customers comply with DPDPA S.9 in their own products — it does not involve DPDPA Shield processing children's data directly.

8. Grievance Mechanism

Our designated contact for data protection grievances:

Email: hello@dpdpashield.in
Subject line: “Data Protection Grievance”

We acknowledge grievances within 3 business days and resolve them within 30 days. If a grievance remains unresolved, you may escalate it to the Data Protection Board.

9. Updates

This statement is reviewed quarterly and updated to reflect any changes in our data practices or the regulatory framework. The review date is shown at the top of this page. Material changes will be notified to customers via email.