DPDP Act is in force · Enforcement: May 2027 · penalties up to ₹250 Crore

DPDP Compliance-in-a-Box for Small and Medium Enterprises

Expert DPDP consulting plus VishwaasAI configured to run your compliance — and prove it. A fixed-scope, fixed-timeline package that takes an SME from gap to defensible compliance in weeks, not quarters.

Gap Assessment · Rule 3 Notices · Cryptographic Consent · 72h Breach Readiness · Support of 22+ Languages
Tamper-Evident Consent Ledger
SHA-256 hash-chain · RSA-2048 · RFC 3161 timestamp
0x9f3a… · GRANTED · notice v4 · EN
0x7c1e… · GRANTED · notice v4 · हिंदी
0x4b88… · WITHDRAWN · propagated in under 5 min
§6(8) burden-of-proof ✓ · append-only ✓ · chain valid ✓
4–6 weeks to go live (Essentials)
The SME reality

The gaps Small and Medium Enterprises have

Every business that collects an email, a phone number, or a CV is a Data Fiduciary under the DPDP Act 2023. SMEs carry the same legal duty — without a privacy team, tooling, or proof.

01

No in-house expertise

No DPO, no legal team fluent in DPDP §5–§14. Consent — if recorded at all — lives in spreadsheets.

02

No tooling

Consent, notices, data-subject requests and breach logs scattered across email, Excel and WhatsApp.

03

No proof

When the Data Protection Board asks “show me this person's consent and the exact notice they saw,” there is no defensible answer. §6(8) puts that burden on you.

04

No easy DPO answer

Appointing a competent external DPO is hard — it takes the right selection process and genuine DPDP skill, delivered cost-effectively. Most SMEs simply don't know where to start.

Why this package

Consulting and implementation — together

Consulting alone leaves you a binder of policies that decay the day the consultant leaves. Software alone leaves you staring at an empty console. We combine both.

Cross Identity expert does the thinking

Gap assessment, lawful-basis mapping, Rule 3 notices, retention and breach policy — the judgment a tool can't supply.

+

Cross Identity's VishwaasAI runs it forever

The DPDP-native platform becomes your permanent system of record and cryptographic proof — every obligation, operationalized.

= A living compliance program you own — not a one-time report
The complete picture

One-stop shop — a complete 9-step journey from Cross Identity

Nine pillars span the full mandate — expert services and the VishwaasAI product — each anchored to the sections of the Act it satisfies.

Service · 1 · §5–§14

Consultation & Gap Assessment

Understand your compliance status and remediation roadmap.

Product · 3 · §8 · §16

Data Discovery & Map

Inventory every system and cross-border data flow.

Product · 5 · §6 · Rule 3

Consent & Cookie Management

Tamper-evident proof · 22 Indian languages.

Service · 7 · §8(6) · §13

DPO Advisory & Breach Response

72-hour DPBI readiness and ongoing oversight.

Service · 9 · §10(1)(c)

Audit & Legal

Regulator-ready evidence and DPB liaison.

Service · 2 · §5 · §6 · Rule 3

Notice & Policy Drafting

Author Rule 3 notices, retention, grievance and breach policies.

Product · 4 · §5 · §8(4)

Notices & RoPA

Rule 3 publish-gate and processing register — live.

Product · 6 · §11–§14

Data Principal Rights Desk

Access · correction · erasure · grievance, with SLAs.

Product · 8 · §10

DPIA & Risk Assessment

Track processing and access risk; DPO sign-off.

Legend: Consulting Service · VishwaasAI Product · Mapped to DPDP Act sections
The offering

Three bundles, sized to your business

Each bundle is a defined consulting engagement plus a VishwaasAI subscription tier plus a configuration scope plus a support runway. India data residency, the 22-language portal and the cryptographic ledger are standard in all.

DPDP Essentials

Most popular for MSMEs

  • VishwaasAI tier: Starter
  • Time to live: 4–6 weeks
  • Consulting depth: Guided setup
  • Discovery + rapid gap assessment
  • RoPA & lawful-basis mapping
  • Rule 3 notice + consent design
  • Consent ledger + rights desk live
  • DPO/Grievance Officer training

Best For: Micro & small businesses · single product · up to 50K data principals.

DPDP Professional

Most Popular

Recommended

  • VishwaasAI tier: Professional
  • Time to live: 7–12 weeks
  • Consulting depth: Full assessment + remediation
  • Everything in Essentials, plus:
  • Multi-system data mapping
  • Source ingestion + identity resolution
  • Consent propagation to all systems
  • Vendor/DPA registry + cookie governance
  • Breach drill + DPIA setup

Best For: Growing SMEs · multiple systems · 50K–5L data principals.

DPDP Assurance

Best for SDF & audit-facing

  • VishwaasAI tier: Pro + Enterprise add-ons
  • Time to live: 13–18 weeks
  • Consulting depth: Assessment + DPIA + SDF prep
  • Everything in Professional, plus:
  • Full DPIA programme (§10)
  • Audit-readiness & evidence packs
  • SDF obligation preparation
  • Board / compliance posture reporting
  • Fractional DPO retainer

Best For: SMEs scaling toward SDF status · multi-entity · regulated · audit-facing.

What the consultant delivers

Nine standardized service modules

S1 · ½–1 day

Discovery & Scoping Workshop

Map the business and data touchpoints, confirm Fiduciary status, flag SDF risk. Output: scoping memo + plan.
S2 · §5–§14 · Rule 3 · CERT-In

DPDP Gap Assessment

Score current state against every obligation — Red/Amber/Green per section — with penalty-exposure narrative and remediation roadmap.
S3 · §6 vs §7 lawful basis

Data Mapping & RoPA

Inventory every system touching personal data; build the §8(4) Record of Processing Activities — live in VishwaasAI, not a spreadsheet.
S4 · §5 · §6 · Rule 3

Policy, Notice & Consent Design

Draft Rule 3 notices, design granular opt-in/withdrawable consent, and the retention, grievance & breach policies — translated to your languages.
S5 · Full tenant config

VishwaasAI Implementation

The heart of the package — we configure all 13 building blocks of the platform to operationalize every obligation. See the blueprint below.
S6 · §16 cross-border

Integration & Data Onboarding

Connect source systems (CSV / API / SFTP), unify duplicate records, propagate consent downstream. VAOC agent for on-prem/legacy.
S7 · 1–2 days

Role-Based Training

Enable the DPO/Grievance Officer on rights & breach workflows; privacy & IT on notices, campaigns and connectors. Runbooks handed over.
S8 · Evidence of operation

Compliance Review & Sign-Off

End-to-end dry run: live consent, mock rights request, 72-hour breach drill. Output: DPDP Compliance Attestation Pack.
S9 · Ongoing

Compliance-as-a-Service

Optional retainer: quarterly reviews, notice updates, breach standby & DPB liaison, annual DPIA refresh, fractional DPO.
The VishwaasAI configuration blueprint

What we switch on — and the obligation it satisfies

This is what separates an expert implementation from a self-serve trial. Thirteen building blocks, each mapped to the law.

1
Data Fiduciary Profile

Entity, DPO & Grievance Officer, rights & withdrawal URLs, languages, DPBI ID.

DPDP §5 · §8 · §13
2
Processing Activities (RoPA)

One per purpose: lawful basis, attributes + necessity, retention.

DPDP §6 · §7 · §8(4)
3
Privacy Notices

Multilingual authoring; legal-to-DPO approval; Rule 3 publish-gate at 100%.

DPDP §5 · §6(3) · Rule 3
4
Consent Ledger

Hash-chained, RSA-signed, notice-anchored, RFC 3161 timestamped — by default.

DPDP §6(1) · §6(8)
5
DP Profiles & Attributes

Audience segments + the attribute schema collected for each.

DPDP §6(1) · §8
6
Consent Campaigns

Email/SMS/in-app re-consent with single-use magic links to re-paper legacy data.

DPDP §6
7
Data Principal Rights Desk

Portal + admin queue; identity verification; SLAs auto-track (30d / 90d).

DPDP §11 · §12 · §13 · §14
8
Breach & Incident Module

CERT-In config; milestone clock — CERT-In 6h, DPBI 72h, Tier-2 30d.

DPDP §8(6) · CERT-In
9
Vendor / DPA Registry

Register processors, attach DPA clauses, risk-score, track cross-border.

DPDP §8 · §16
10
DPIA Module

Risk scoring + DPO approval for high-risk / SDF processing.

DPDP §10
11
Cookie Governance

A lightweight consent banner + scanner + preference centre for web.

DPDP §6 (web)
12
Audit, Reports & Evidence

Append-only audit + posture scorecard + read-only auditor export.

DPDP §8 · §10(1)(c)
13
Branding

White-labelled DP portal on a vanity or your own domain.

Trust & continuity
Delivery methodology

The 5-phase Path to Proof

Each phase has a defined exit deliverable and sign-off — so you always know exactly what you're getting.

PHASE 0
Scope
Workshop, confirm fiduciary status, agree the plan.
S1
PHASE 1
Assess
Gap report, RoPA, risk scorecard.
S2 · S3
PHASE 2
Build
Configure VishwaasAI, notices, consent, integrations.
S4 · S5 · S6
PHASE 3
Operate
Train DPO, staff & IT; hand over runbooks.
S7
PHASE 4
Assure
Dry-run, breach drill, attestation pack + retainer.
S8 · S9
Why VishwaasAI

The features that set VishwaasAI apart

Cryptographic Consent Ledger

Every consent is hash-chained, RSA-signed, notice-anchored and RFC 3161 timestamped by default — tamper-evident proof that stands up to the §6(8) burden, not just a log entry.

DPDP-native in all 22 languages

Built for the Indian Act — notices and consent in every Eighth-Schedule language with India data residency by design. Not a GDPR tool retrofitted after the fact.

Self-driving compliance clocks

Rights-request SLAs (30d / 90d) and breach milestones — CERT-In 6h, DPBI 72h, Tier-2 30d — tracked automatically, so a statutory deadline never slips through the cracks.

Offline Consent Collection

Consent can be captured in low-connectivity or fully offline environments (field agents, physical touchpoints, rural outreach) and synced back to the cryptographic ledger once connectivity is restored — ensuring no consent event is lost or undocumented regardless of infrastructure constraints.

Audit-ready evidence on demand

An append-only audit trail, a live compliance posture scorecard and a read-only auditor export — hand the Data Protection Board proof of operation in minutes, not weeks.

White-labelled Data Principal portal

One branded system of record — consent, cookies, RoPA, DPIA, rights and vendors — served on a vanity or your own domain, so data principals only ever see your brand.

Book the 1-Day DPDP Health Check

In a single day: a baseline gap snapshot, a penalty-exposure view, and a fixed quote for full compliance — with the fee credited toward your chosen bundle.