DPDP compliance methodology

1. What this audit is and is not

2. The check library

97 scored checks across 10 categories, each mapped directly to a specific provision of:

• Digital Personal Data Protection Act 2023 (No. 22 of 2023, Gazette of India, 11 Aug 2023)
• Digital Personal Data Protection Rules 2025 (G.S.R. 846(E), 13 November 2025)

Each check has:

• A unique identifier (CHECK_001 to CHECK_109)
• A direct section or rule reference
• Pass / fail / partial / manual evaluation criteria
• Penalty exposure derived from the Schedule to Section 33(1) of the Act

The full structured index with identifiers, titles, legal references, and primary signal paths is published at /methodology/checks. Evaluation criteria for each check (pass, fail, partial, manual, and not-applicable thresholds) are documented in our check definitions. Companies disputing a specific finding receive the full check definition for that check as part of the dispute review.

Ten compliance categories (overview)

High-level grouping for the check library in Section 2.

3. The scoring system

score = sum(weight × credit) / sum(weight) × 100

Weights derived directly from the DPDP Act Schedule (penalty tiers):

• Rs. 250 Crore provisions → weight 5
• Rs. 200 Crore provisions → weight 4
• Rs. 150 Crore provisions → weight 3
• Rs. 50 Crore provisions → weight 1

Credit per finding:

• Pass = 1.0 · Partial = 0.5 · Fail = 0.0
• Manual = excluded from denominator
• N/A = excluded from denominator

A company that passes all notice checks but fails all security checks will score lower than one that does the opposite — because the Act assigns higher maximum penalties to security failures than to many notice-related provisions.

4. Penalty exposure calculation

5. Check statuses

PASS

Publicly observable evidence satisfies the requirement.

FAIL

The requirement is not met based on publicly observable evidence.

PARTIAL

Some elements present, some missing.

MANUAL REVIEW

Cannot be determined from public signals alone; requires internal verification.

NOT APPLICABLE

Provision not yet triggered by the Central Government (e.g. CHECK_059 — SDF designation under Section 10(1)).

6. Limitations

This scan cannot assess:

• Internal data processing practices
• Technical security infrastructure
• Employee training and procedures
• Contractual arrangements with processors
• Board-level data governance
• Actual incident response capabilities
• Historical compliance record

Cross-border data transfer restrictions under Section 16 depend on Central Government notifications that had not been issued as of April 2026. Transfer-related checks reflect policy disclosures only, not actual compliance with any notified restrictions.

Manual review checks require on-site or internal verification to complete. Cookie and tracker findings are based on automated scanning of the public website; mobile app behaviour, logged-in states, and server-side tracking are outside scope.

7. Dispute and correction process

If you believe a finding is incorrect:

1. Submit a dispute from your company profile ("Dispute this finding") or open /dispute/<your-domain> on this site.
2. Provide the specific check ID and your evidence.
3. We aim to review within 7–10 working days.
4. Corrections are applied to the published report where warranted.
5. A correction notice may be appended to the report record.

We correct errors promptly. Our goal is accuracy, not adverse coverage. Browse companies · privacy@complydp.com

8. SDF check status

Sample findings

Below are examples of how our checks produce findings, with actual evidence snippets.

Where findings include names of designated officers (grievance officers, nodal officers, DPOs), these are published by the company in their own privacy or grievance policies and are therefore already public information. ComplyDP does not publish personal contact details beyond what companies have self-disclosed.