DPDP Vendor Risk Assessment Worksheet

Score any workplace AI or productivity intelligence vendor against the Digital Personal Data Protection Act 2023 in 14 questions. Live total + verdict band updates as you click. Built for India CISOs, DPOs, and Compliance Heads getting ready before DPDP Rules notify.

The DPDP Vendor Risk Assessment Worksheet is a free interactive 14-question evaluator that grades any workplace AI or productivity intelligence vendor against the Digital Personal Data Protection Act 2023. Questions cover consent (Sections 4-6), DPIA and risk management (Section 8), Significant Data Fiduciary obligations (Section 10), data principal rights and cross-border transfer (Sections 11-14), plus one halt anchor (Q14) on default-on surveillance. Scored 0/1/3/5 with live verdict band and downloadable PDF. Designed for India CISOs, DPOs, Compliance Heads, and counsel preparing for DPDP Rules notification.

Questions14 (13 scored + 1 halt)

Max score65 points

Audit time15 minutes

OutputVerdict band + downloadable PDF

How to use this

Blocks A through D — click one score per question (0 = Fail, 1 = Partial, 3 = Mostly, 5 = Full). Block E (Q14) is a binary halt — default ON or default OFF. Total + verdict band update automatically. The gStride posture column on each question is a worked reference example of what a 5-of-5 answer reads like — it is not an answer for the vendor you are scoring. A score of 0 on Q14 fires the halt verdict regardless of total.

✓

Printable PDF
cover, rubric, verdict bands, signature page

✓

Interactive scorer
live total + verdict as you click

✓

Verdict band
DPDP-ready / gaps to close / halt procurement

DPDP Vendor Risk Assessment — 14 questions

The interactive worksheet above requires JavaScript. The 14 questions are reproduced below across 5 blocks (A: Consent & Notice, B: DPIA & Risk Management, C: Significant Data Fiduciary Obligations, D: Data Principal Rights & Cross-Border Transfer, E: Halt Question — Surveillance Default Posture). Score each on 0/1/3/5; Q14 score of 0 (default ON capture) fires the halt verdict regardless of total.

Block A — Consent & Notice (DPDP Sections 4-6, 9)

Q1. Does the vendor maintain a written, per-employee consent record for every AI inference the product produces — and is that consent granular per purpose, not bundled into one tickbox?

Q2. Does the vendor ship a plain-language notice template that the deployer can hand the employee at the point of data collection — covering categories collected, processing purpose, retention, and rights?

Q3. Is there a consent-withdrawal workflow that lets an employee revoke specific permissions without affecting their employment record, performance review, or manager visibility?

Q4. Does the platform recognise child / minor-employee carve-outs — and refuse to process inference data on anyone under 18 without verifiable parental consent?

Block B — DPIA & Risk Management (DPDP Section 8)

Q5. Has the vendor completed a documented Data Protection Impact Assessment covering the AI inference layer — categories of data, lawful basis, risk to data principals, and mitigation?

Q6. Is the DPIA refreshed on a documented cadence (at least annual) with a named Data Protection Officer or equivalent sign-off?

Q7. Is there a written risk-management framework that names known failure modes — bias, model drift, re-identification, scope creep — and the mitigation path for each?

Q8. Is there a documented post-incident workflow that includes root-cause documentation and a 72-hour Data Protection Board notification path?

Block C — Significant Data Fiduciary Obligations (DPDP Section 10)

Q9. Does the vendor commission an independent data audit on a documented cadence — and is the audit report shareable with the deployer under NDA?

Q10. Is there a documented compliance-reporting cadence to the Data Protection Board — or a ready-to-fire process if the deployer is asked for one?

Q11. Are children-data and sensitive-data categories segregated in employee monitoring — with separate retention, access control, and deletion paths?

Block D — Data Principal Rights & Cross-Border Transfer (DPDP Sections 11-14)

Q12. Does the platform implement a data principal rights workflow — access, correction, erasure, nomination — with a documented response SLA inside the statutory window?

Q13. Is the vendor able to demonstrate cross-border transfer compliance — including respect for notified blacklist regions, and supplementary safeguards for EU/UK-subsidiary data flows where applicable?

Block E — Halt Question — Surveillance Default Posture

Q14. Are screenshot capture, keystroke logging, continuous webcam capture, and microphone capture all set to OFF by default at install — and is each configurable per-feature with a linked employee notice template?

Your score 0 / 65

Not yet scored

Click a score on each question — the verdict band appears once you have answered all 14.

Next step — get the printable PDF + book a readiness audit

Download the full 14-question worksheet as a printable PDF (cover, rubric, verdict bands, signature page), or book a 30-minute readiness audit and walk through your scores with the gStride team. Curious how gStride scores against the same 14 questions? See gStride's DPDP compliance posture for the architecture-level walkthrough.

Book a 30-min readiness audit