gStride.AI
Interactive Scorecard · DPDP India · 2026

DPDP Vendor Comparison Scorecard

Score any employee monitoring or workforce-AI vendor against 12 Digital Personal Data Protection Act (India) 2023 compliance criteria. Takes under 5 minutes. The score is free and instant; an email address is required only for the full PDF and the pre-scored 8-vendor comparison matrix.

The DPDP Vendor Comparison Scorecard is a free interactive tool that evaluates any employee monitoring or workforce-AI vendor against 12 Digital Personal Data Protection Act (India) 2023 compliance criteria: consent ledger, data residency in India, no keystroke collection by default, audit log completeness, Significant Data Fiduciary readiness, DPO sign-off path, breach-notification SLA, data minimisation, retention controls, sub-processor transparency, access and erasure handling, and cross-border transfer basis. The score comes back as a 0–100 compliance figure and a five-band verdict. Scoring is free. An email address is required only for the full PDF and the pre-scored comparison matrix for Hubstaff, Time Doctor, ActivTrak, Insightful, Teramind, Keka, We360, and gStride. All outputs are operational guidance; verify with counsel before any procurement or compliance decision.

Criteria: 12 DPDP Act 2023 checks
Output: 0–100 score + band + gap list
Time: Under 5 minutes
PDF gate: 8-vendor pre-scored matrix

How to use this scorecard

Enter the vendor you are scoring, then answer all 12 questions across four compliance domains. Each question has three answers: Yes (documented and active = 2 pts), Partial (present but incomplete or unverified = 1 pt), or No / Not disclosed (absent or refused = 0 pts). Hit "Calculate score" to get your 0–100 result and band. The score is free. To download the full PDF with the 8-vendor pre-scored comparison matrix, enter your work email — we'll send it immediately.

Step 1

Vendor being scored

Select the vendor you are evaluating, or type the name of your own tool.

Step 2

Domain A — Consent & Data Collection

Criteria 1–3 cover how the vendor handles consent records and what data it collects by default.

Criterion 1 DPDP §6–7

Consent Ledger

Does the vendor maintain a complete, auditable consent record — capturing who consented, to what specific purpose, and when — that the Data Fiduciary can access or export on request?

Criterion 2 DPDP §6

Data Minimisation by Default

Does the vendor collect only personal data strictly necessary for the stated purpose — and does the default configuration avoid high-sensitivity data types (keystroke logging, always-on screen capture, continuous webcam feed) unless explicitly enabled by the Data Fiduciary?

Criterion 3 DPDP §5

Purpose Limitation

Is the purpose of each category of personal data collected clearly specified in vendor documentation, and does the vendor prevent secondary use of collected data for purposes beyond the original notice (e.g. vendor-level analytics, model training on client data)?

Step 3

Domain B — Processing Governance

Criteria 4–6 cover audit trails, SDF obligations, and the DPO engagement path.

Criterion 4 DPDP §10

Audit Log

Does the vendor maintain a complete, tamper-evident log of all personal data processing activities — access events, exports, deletions — and make this accessible to the Data Fiduciary for compliance review or Data Protection Board inquiry?

Criterion 5 DPDP §10 (SDF)

Significant Data Fiduciary (SDF) Readiness

If your organisation is designated (or likely to be designated) a Significant Data Fiduciary under DPDP §10, has the vendor documented its support for the additional obligations: Data Protection Impact Assessment (DPIA), appointment of a Data Protection Officer, and annual independent audits?

Criterion 6 DPDP §10

DPO Sign-off Path

Does the vendor provide a documented, accessible engagement path for your Data Protection Officer — including a named point of contact, an escalation process for DPDP queries, and the ability to receive written confirmation of processing activities?

Step 4

Domain C — Data Lifecycle Controls

Criteria 7–9 cover breach notification, retention, and sub-processor transparency.

Criterion 7 DPDP §8(6)

Breach-Notification SLA

Does the vendor contractually commit to notifying the Data Fiduciary of a personal data breach within a defined window (industry standard is 72 hours from detection), with a written breach report covering scope, affected data categories, and remediation steps?

Criterion 8 DPDP §8(7)

Retention Controls

Does the vendor provide configurable data retention periods — and does it automatically delete or irreversibly anonymise personal data once the retention period ends, without requiring a manual deletion request from the Data Fiduciary each time?

Criterion 9 DPDP §8

Sub-Processor Transparency

Does the vendor publish a complete, current list of sub-processors (third parties who process personal data on the vendor's behalf), including each sub-processor's country of operation and the category of personal data they access?

Step 5

Domain D — Rights & Transfer

Criteria 10–12 cover access/erasure handling, data residency, and cross-border transfer basis.

Criterion 10 DPDP §11–14

Access & Erasure Handling

Does the vendor provide an operational mechanism — not just a contractual promise — for fulfilling Data Principal rights under DPDP §11–14: the right to access summary of personal data processed, the right to correction, the right to erasure, and the right to nominate? Is there an automated or semi-automated workflow, or does fulfilment require a support ticket with no SLA?

Criterion 11 DPDP §16

Data Residency — India

Is personal data (including employee and contractor activity data) processed and stored within India, or in jurisdictions explicitly approved by the Central Government under DPDP §16? Does the vendor provide written confirmation of data residency and offer India-region hosting as a standard option?

Criterion 12 DPDP §16

Cross-Border Transfer Basis

If personal data is transferred outside India (including to the vendor's parent company, cloud infrastructure, or support teams in other countries), does the vendor document the lawful transfer basis under DPDP §16 — and does it notify the Data Fiduciary of new cross-border transfers before they begin?

Score

Score your vendor using the criteria above.

All scores are operational guidance only — not legal advice, not a certification, and not a claim of DPDP compliance for any vendor. DPDP Rules notification timeline and final obligation scope are subject to revision by the Central Government; verify scoring against the final Rules and with counsel before any procurement or compliance decision. Penalty figures under DPDP (maximum INR 250 crore per violation category) are indicative of regulatory risk magnitude — actual penalty in any case depends on Data Protection Board adjudication and the specific facts involved.