When does the DPDP Act 2023 come into force?

The Act received presidential assent in August 2023. The draft DPDP Rules were published in January 2025. Most operative sections are being notified in tranches through 2026, with an 18-month transition window for compliance once the Data Protection Board is operationalised.

What's the difference between a data fiduciary and a data processor?

The data fiduciary determines the purpose and means of processing personal data; the processor processes data on the fiduciary's instructions. Most Indian companies are fiduciaries for their customer and employee data, and processors when handling third-party data on a customer's behalf. Clauseium classifies the role automatically.

Do I need a DPA with every vendor that handles personal data?

Yes. Section 8(5) requires a written contract with every processor obligating them to specific data handling standards. The DPA can be a standalone agreement or a schedule to the master contract. Clauseium identifies vendors that lack a DPA and flags them.

What are the penalties under the DPDP Act?

Up to ₹250 crore per breach for failure to take reasonable security safeguards (Schedule, Item 1), ₹200 crore for failure to notify a personal data breach to the Board (Item 2), and ₹150 crore for failure to fulfil obligations to children (Item 3). The Data Protection Board imposes these after inquiry under Section 27.

How does Clauseium handle the SPDI Rules 2011?

The SPDI Rules under the IT Act 43A continue to apply for sensitive personal data and information until the DPDP Rules supersede them. Clauseium runs both checks where applicable — DPDP for personal data generally, SPDI for sensitive categories — until the transition completes.

DPDP Compliance

DPDP Act compliance, scanned automatically.

Every contract gets a DPDP-readiness score in seconds. Clauseium identifies missing processor obligations, weak consent flows, absent breach windows, and cross-border transfer gaps — citing the exact section of the Act.

Start free trial Read DPDP guide

The Digital Personal Data Protection Act, 2023 imposes obligations on every Indian company that processes personal data. Section 8(5) requires a written contract with every data processor. Section 11 grants data principal rights. Section 16 governs cross-border transfers. Section 33 sets penalties up to ₹250 crore per breach. Clauseium scans every contract you upload for DPDP compliance and tells you exactly what's missing.

What it does for you.

Section 8(5) processor obligations checklist

Every processor contract is checked against the eight Section 8(5) obligations: process only on instruction, security measures, sub-processor approval, breach notification, audit rights, return/delete on termination, cross-border transfers, and confidentiality. Missing items are flagged with suggested clause language.

Consent flow audit

Clauseium reads consent language and tests it against Section 6's five requirements: free, specific, informed, unconditional, unambiguous. Bundled consent, pre-ticked boxes, and ToS-conditioned consent all get flagged.

Cross-border transfer compliance

Section 16 of the DPDP Act and sectoral RBI directions limit where Indian personal data can be stored. Clauseium identifies cross-border data flows in your contracts and flags missing geographic restrictions or data residency commitments.

Breach notification windows

DPDP Rule 7 requires fiduciaries to notify the Board within 72 hours. Clauseium checks every processor contract for a notification window of 48 hours or less and flags weaker terms that push DPDP risk back onto the fiduciary.

How it works.

Step 1
Upload contract
Drop in any contract that handles personal data — vendor agreement, SaaS subscription, processor agreement, employment contract, customer DPA.
Step 2
DPDP scan
Clauseium classifies the parties' roles (fiduciary, processor, joint), maps the data flows, and runs the contract against the Section 8(5) and Section 11 checklists.
Step 3
Compliance score
Each contract receives a DPDP-readiness score with a clause-by-clause breakdown: which obligations are present, which are weak, which are missing entirely.
Step 4
Suggested redlines
For every missing obligation, Clauseium suggests Indian-law-compliant clause language pre-drafted by Bar Council-enrolled advocates. Accept the redline, modify it, or reject it.
Step 5
Audit trail
Export a DPDP compliance report (PDF) for every reviewed contract — for internal sign-off, board reporting, or Data Protection Board inquiry response.

Indian-law coverage.

Section 5 — privacy notice compliance
Section 6 — consent standard (5-test audit)
Section 7 — legitimate-use grounds beyond consent
Section 8 — security and processor obligations
Section 9 — children's data verification
Section 10 — Significant Data Fiduciary triggers
Section 11-14 — data principal rights workflow
Section 16 — cross-border transfer restrictions
Section 33 — penalty exposure heatmap

Technical spec.

DPDP Act version tracked: Act + Draft Rules 2025
Sectoral overlays: RBI, IRDAI, SEBI, MeitY
Processor checklist items: 16
Suggested clause library: 120+ DPDP-aware clauses
Audit report formats: PDF, JSON, CSV
Update cadence: Live tracking of DPDP Board notifications

Related guides.

DPDP Compliance

Related capabilities.

Feature

AI Contract Review for Indian Counsel

Clauseium reviews every clause in your contract under Indian law in 6 minutes — flagging risks, citing the Indian Contract Act, DPDP Act, and your own playbook. Built for in-house counsel.

FAQ

DPDP Compliance Scanning for Indian Contracts — questions, answered.

When does the DPDP Act 2023 come into force?: The Act received presidential assent in August 2023. The draft DPDP Rules were published in January 2025. Most operative sections are being notified in tranches through 2026, with an 18-month transition window for compliance once the Data Protection Board is operationalised.
What's the difference between a data fiduciary and a data processor?: The data fiduciary determines the purpose and means of processing personal data; the processor processes data on the fiduciary's instructions. Most Indian companies are fiduciaries for their customer and employee data, and processors when handling third-party data on a customer's behalf. Clauseium classifies the role automatically.
Do I need a DPA with every vendor that handles personal data?: Yes. Section 8(5) requires a written contract with every processor obligating them to specific data handling standards. The DPA can be a standalone agreement or a schedule to the master contract. Clauseium identifies vendors that lack a DPA and flags them.
What are the penalties under the DPDP Act?: Up to ₹250 crore per breach for failure to take reasonable security safeguards (Schedule, Item 1), ₹200 crore for failure to notify a personal data breach to the Board (Item 2), and ₹150 crore for failure to fulfil obligations to children (Item 3). The Data Protection Board imposes these after inquiry under Section 27.
How does Clauseium handle the SPDI Rules 2011?: The SPDI Rules under the IT Act 43A continue to apply for sensitive personal data and information until the DPDP Rules supersede them. Clauseium runs both checks where applicable — DPDP for personal data generally, SPDI for sensitive categories — until the transition completes.

Ready to try it on your own contracts?

14-day free trial. First 5 contracts free. No credit card required.

Start free trial View pricing

DPDP Act compliance, scanned automatically.

What it does for you.

Section 8(5) processor obligations checklist

Consent flow audit

Cross-border transfer compliance

Breach notification windows

How it works.

Upload contract

DPDP scan

Compliance score

Suggested redlines

Audit trail