Why DPDP changes workforce monitoring
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection statute. It came into force on the date the President signed it; the operational rules — consent format, breach timing, transfer SCCs, grievance handling, fiduciary obligations — are expected to notify during 2026. The practical compliance gate is the Rules notification, not the Act passage. Verify with counsel for your specific obligations.
For Indian employers running 200 to 2,000 people in IT services, BPO, KPO, financial services, or healthcare administration, the immediate effect is that every workforce-monitoring tool currently in production becomes a regulated processing system. Keystroke loggers, screenshot capture, application-use trackers, mouse-activity sensors, idle-time detection: all are processing personal data of employees. Under DPDP, that processing requires explicit, granular, withdrawable consent under a documented purpose limitation. Bundling consent into the employment contract is no longer sufficient.
The category vendors that built their products in the keystroke-and-screenshot era — Hubstaff, Time Doctor, ActivTrak, Insightful, Teramind, Veriato — have not, as of public documentation, published explicit DPDP readiness statements. Their architectural choices (default-on monitoring, bundled consent, optional sub-processor disclosure) were built for jurisdictions where consent-by-default and broad-purpose contracts were acceptable. Under DPDP they are not.
This guide gives the buyer side of the conversation: the five obligations every vendor must meet, the fourteen questions to put in your evaluation call, the eight-vendor compliance scorecard with current public posture, the RFP redline language that translates DPDP into contract terms, and the penalty math under the INR 250-crore band.
The 5 obligations every workforce-AI vendor must meet under DPDP
These are the operative obligations on a vendor that processes employee personal data on behalf of an Indian employer. The employer is the data fiduciary; the vendor is the data processor. Both have liability, but the obligations split:
| # | Obligation | What it means | How vendor proves it |
|---|---|---|---|
| 1 | Data fiduciary designation | Written contractual designation of who is data fiduciary (employer) and who is data processor (vendor). Vendor cannot independently decide processing purposes. | Master Services Agreement with explicit DPDP fiduciary/processor clauses. Standalone Data Processing Addendum referencing DPDP Section 8 obligations. |
| 2 | Granular, withdrawable consent | Separate consent per processing purpose (time tracking vs activity monitoring vs screenshots vs idle detection). Consent must be revocable per feature. Proof of consent recorded with timestamp + version. | Per-feature consent UI inside vendor app. Consent ledger API exposing timestamp, purpose, version, and withdrawal log per data principal. |
| 3 | Purpose limitation | Processing strictly to the consented purpose. No scope creep into evaluation, performance management, wellbeing inference, emotion analysis, or stress scoring without separate consent. | Documented data flow diagram. Architectural exclusion of secondary purposes (not just admin toggle). Quarterly purpose-audit log. |
| 4 | 72-hour breach notification | Vendor must notify the data fiduciary within a window short enough that the fiduciary can meet its 72-hour notification obligation to CERT-In and the Data Protection Board, plus affected data principals. | Documented incident response runbook with vendor-to-fiduciary notification SLA (typically 24 hours). Annual breach drill report. |
| 5 | Cross-border transfer assessment | If vendor processes or stores data outside India, the fiduciary needs a transfer impact assessment with SCC-equivalent contract language. The list of permitted destinations is set by the central government and may change. | Sub-processor list with country-of-processing for each entry. SCC-equivalent or DPB-approved contract clauses. India-hosting option for fiduciary on demand. |
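Rows 2 and 3 of the table describe a consent ledger (timestamp, purpose, version, withdrawal log per data principal) and an architectural, rather than admin-toggled, exclusion of secondary purposes. The following is an added example, not code from the page or from any vendor named in it, of how a processor can implement both in one place: an append-only ledger keyed by principal and purpose, and a collection gate that refuses to run unless a live grant exists. The purpose names, the employee identifier and the timestamps are constructed for the example; the excluded purposes are the ones the table lists.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Processing purposes that each carry their own consent (obligation 2). These
# feature names are hypothetical; a product would use its own catalogue.
PURPOSES = frozenset({"time_tracking", "activity_monitoring", "screenshots", "idle_detection"})

# Secondary purposes the product must be unable to serve (obligation 3). No
# consent path exists for them, so the ledger and the gate both refuse them.
EXCLUDED_PURPOSES = frozenset({
    "performance_evaluation", "wellbeing_inference", "emotion_analysis", "stress_scoring",
})


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str     # data principal (employee) identifier
    purpose: str
    action: str           # "grant" or "withdraw"
    notice_version: str   # version of the consent notice the principal saw
    at: datetime          # timezone-aware timestamp of the event


class ConsentLedger:
    """Append-only per-principal, per-purpose record of grants and withdrawals."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str, at: datetime) -> None:
        self._append(ConsentEvent(principal_id, purpose, "grant", notice_version, at))

    def withdraw(self, principal_id: str, purpose: str, notice_version: str, at: datetime) -> None:
        self._append(ConsentEvent(principal_id, purpose, "withdraw", notice_version, at))

    def _append(self, event: ConsentEvent) -> None:
        if event.purpose in EXCLUDED_PURPOSES:
            raise ValueError(f"{event.purpose}: excluded by design, no consent path exists")
        if event.purpose not in PURPOSES:
            raise ValueError(f"{event.purpose}: not a declared processing purpose")
        if event.at.tzinfo is None:
            raise ValueError("ledger timestamps must be timezone-aware")
        self._events.append(event)

    def authorising_event(self, principal_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        """Return the grant that authorises processing at `at`, or None.

        The latest event for (principal, purpose) with timestamp <= `at` decides.
        Returning the event itself, not a boolean, gives the fiduciary its proof
        of consent: timestamp plus notice version.
        """
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest if latest is not None and latest.action == "grant" else None

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Full grant/withdrawal log for one principal, for export on demand."""
        return [e for e in self._events if e.principal_id == principal_id]


def collect(ledger: ConsentLedger, principal_id: str, purpose: str, payload: bytes, now: datetime) -> Dict[str, object]:
    """Gate every collection call on a live, purpose-specific consent."""
    if purpose in EXCLUDED_PURPOSES:
        raise PermissionError(f"{purpose}: excluded by architecture")
    proof = ledger.authorising_event(principal_id, purpose, now)
    if proof is None:
        raise PermissionError(f"{principal_id}: no active consent for {purpose}")
    return {"principal": principal_id, "purpose": purpose, "bytes": len(payload),
            "consent_version": proof.notice_version, "consented_at": proof.at.isoformat()}


def demo() -> Dict[str, object]:
    """Constructed walk-through: grant two features, withdraw one, keep the other."""
    t_grant = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    t_mid = datetime(2026, 6, 10, 9, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2026, 6, 15, 9, 0, tzinfo=timezone.utc)
    t_now = datetime(2026, 7, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("emp-001", "time_tracking", "v1.2", t_grant)
    ledger.grant("emp-001", "screenshots", "v1.2", t_grant)
    ledger.withdraw("emp-001", "screenshots", "v1.2", t_withdraw)

    def rejected(fn) -> bool:
        try:
            fn()
            return False
        except (PermissionError, ValueError):
            return True

    return {
        "time_tracking_collected": collect(ledger, "emp-001", "time_tracking", b"08:00-17:00", t_now)["consent_version"],
        "screenshots_before_withdrawal": ledger.authorising_event("emp-001", "screenshots", t_mid) is not None,
        "screenshots_after_withdrawal": ledger.authorising_event("emp-001", "screenshots", t_now) is not None,
        "screenshot_collect_rejected": rejected(lambda: collect(ledger, "emp-001", "screenshots", b"png", t_now)),
        "excluded_purpose_rejected": rejected(lambda: ledger.grant("emp-001", "stress_scoring", "v1.2", t_now)),
        "ledger_entries": len(ledger.history("emp-001")),
    }
```

The point of the design is that withdrawing consent for screenshots leaves time tracking running, and that the excluded purposes cannot be enabled by any configuration because there is no consent record the gate could ever find for them.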
Vendor evaluation framework: 14 questions for India CISOs
Use these in the first 30 minutes of any workforce-AI vendor evaluation call. They are the same questions a Data Protection Board inquiry would ask the fiduciary after a breach — getting them answered upfront is the procurement defense. For deeper coverage on each question, see the companion piece on DPDP Rules: 14 questions for India CISOs evaluating workforce-AI vendors.
- Data fiduciary designation: Will you sign a DPA that explicitly designates you as data processor and us as data fiduciary under DPDP Section 8? Provide the template.
- Sub-processor list: Provide the current list of sub-processors with country-of-processing per entry. How do we get notified when this list changes?
- India-hosting option: Can processing and storage be confined to Indian data centres on contract demand? What is the latency / feature impact?
- Consent architecture: Walk through the per-employee, per-feature consent flow. Show the consent ledger UI. How does an employee withdraw consent for a single feature without disabling the entire product?
- Purpose limitation enforcement: What technical controls prevent data collected for time-tracking from being repurposed for performance evaluation or wellbeing scoring? Is the exclusion architectural or admin-toggled?
- Breach notification SLA: What is your vendor-to-fiduciary breach notification SLA? Document it in the DPA. Provide the most recent breach drill summary.
- Grievance handling: What is the data-principal grievance handling process? Who is the designated Data Protection Officer at your end? What is the SLA?
- Significant Data Fiduciary tier: Do you support enhanced controls if our deployment qualifies us as a Significant Data Fiduciary under Section 10 (likely for >1,000 employees or BFSI / healthcare verticals)? List the additional obligations you support: DPIA, independent audit, Data Protection Officer appointment.
- Children's data: If our workforce includes apprentices or trainees under 18, what additional controls apply? Verifiable parental consent flow, no targeted advertising, no behavioural tracking.
- Cross-border transfer assessment: Provide the SCC-equivalent template you use for cross-border transfers. Is it on the DPB's approved list (when published)?
- Audit logs: What audit logs are produced for fiduciary review? Frequency, retention, access controls. Can our DPO query the logs without raising a support ticket?
- Right to correction and erasure: Walk through the data-principal correction and erasure flow. SLA. Verification process. What survives erasure (e.g. aggregated metrics) and why is that compatible with DPDP?
- Exit and data portability: On contract termination, what is the data export format, retention period, and deletion certification process? Get the deletion certificate template.
- Documented DPIA: Have you completed a Data Protection Impact Assessment for your product against DPDP obligations? Provide a copy or summary.
DPDP-compliance scorecard for 8 incumbent vendors
This is the snapshot as of May 2026 based on each vendor's publicly available trust, privacy, and product documentation. It is not a legal opinion. Where a vendor's public documentation does not address a specific DPDP obligation, the cell is marked Unknown — not Non-compliant. Vendors may have private DPDP statements available to enterprise buyers on request. Verify with counsel and request a written readiness statement from each vendor in your shortlist.
| Vendor | Data fiduciary DPA | Granular consent | Purpose limit (arch.) | 72-hr breach SLA | India hosting | Public DPDP statement |
|---|---|---|---|---|---|---|
| Hubstaff | Unknown | Partial (bundled) | Non-compliant (default-on screenshots + keystrokes) | Unknown | Unknown | Not published |
| Time Doctor | Unknown | Partial (bundled) | Non-compliant (default-on screenshots) | Unknown | Unknown | Not published |
| ActivTrak | Unknown | Unknown | Partial (activity classification) | Unknown | Unknown | Not published |
| Insightful | Unknown | Partial (bundled) | Non-compliant (default-on screenshots + keystrokes + apps) | Unknown | Unknown | Not published |
| Teramind | Unknown | Partial (bundled) | Non-compliant (default-on full-stack monitoring + behaviour analytics) | Unknown | Unknown | Not published |
| Veriato | Unknown | Partial (bundled) | Non-compliant (default-on behaviour + email + screen + risk scoring) | Unknown | Unknown | Not published |
| Toggl Track | Unknown | Partial | Compliant (time-only, no monitoring) | Unknown | Unknown | Not published |
| Clockify | Unknown | Partial | Compliant (time-only, no monitoring) | Unknown | Unknown | Not published |
Two patterns: the keystroke-and-screenshot vendors carry the deepest DPDP architectural debt because purpose-limitation under DPDP is incompatible with default-on broad-spectrum monitoring. The time-only vendors (Toggl, Clockify) carry less architectural debt because they do not process the kinds of personal data DPDP scopes most heavily — but they also lack the workforce-AI signals that justify a productivity-intelligence buy in 2026. The architectural answer is a system that does produce productivity intelligence but does so from outcome signals (calendar, project, repository tools) rather than input capture.
DPDP Rules notification — what to expect in 2026
The Act sets out the structural obligations. The Rules operationalise them. As of May 2026, the Rules are in draft circulation; final notification is expected during 2026. The four areas where Rules will most directly affect workforce-AI procurement:
Consent format
The Rules will specify the form, language, and presentation of consent — including the minimum information that must accompany each consent request, the format of consent withdrawal, and the standard for verifiable proof of consent. Current draft language anticipates separate consent per processing purpose, presented in clear and accessible language in English plus the data principal's preferred Indian language (the eight Schedule VIII languages are likely default). Workforce-AI vendors that bundle all monitoring into a single yes/no checkbox will need to refactor their consent UI before Rules notification.
Breach notification
The 72-hour notification window is in the Act. The Rules will specify the format of the breach notification (likely a structured form to CERT-In and the Data Protection Board), the categories of "personal data breach" that trigger the obligation, and the threshold for notifying affected data principals individually. For workforce-AI vendors, this means a documented incident response runbook is no longer optional — it is a contractual deliverable.
Cross-border transfer assessment
The Act allows the central government to publish a list of countries to which personal data may be transferred without additional safeguards (a "white-list" approach). The Rules and subsequent notifications will populate this list. Until then, cross-border transfers require contractual safeguards — typically SCC-equivalent clauses. Vendors that process or store data outside India should already have transfer impact assessments available on request.
Significant Data Fiduciary designation
Section 10 of the Act allows the central government to designate certain data fiduciaries as Significant Data Fiduciaries based on volume of data, sensitivity, risk, and other factors. The Rules will specify the criteria and the additional obligations — likely including mandatory DPIA, independent audit, and appointment of a Data Protection Officer. Indian companies with >1,000 employees, BFSI, healthcare, and large platform businesses should plan for this designation. Workforce-AI vendors serving these segments need to support enhanced controls now.
Penalty exposure under the INR 250-crore band
The DPDP Act introduces a tiered penalty schedule under Section 33. The highest band is up to INR 250 crore per offence for failures of obligation. The Data Protection Board has discretion within each band based on the nature of the violation, the duration, the number of data principals affected, the gain or loss caused, and the mitigation effort by the entity. Verify with counsel; the figures here are statutory ceilings, not expected enforcement values.
| Penalty band | Ceiling | What it covers (paraphrased) |
|---|---|---|
| Schedule penalty A | up to INR 50 crore | Failure to take reasonable security safeguards |
| Schedule penalty B | up to INR 200 crore | Failure to notify breach to DPB or affected data principals |
| Schedule penalty C | up to INR 250 crore | Failure of obligations relating to processing children's data and Significant Data Fiduciary obligations |
| General contravention | up to INR 50 crore | Other contraventions of the Act or Rules |
For a 1,000-employee Indian IT services company that experiences a breach involving employee personal data, plausible first-year exposure is concentrated in two bands: the security safeguards failure (up to INR 50 crore) and the breach notification failure (up to INR 200 crore). The 250-crore band is reached when children's data or Significant Data Fiduciary obligations are involved. First-mover enforcement is expected to focus on egregious failures — bundled consent and undisclosed cross-border transfers are likely high-priority targets. Verify with counsel.
What to put in your next RFP
Translate DPDP into contract terms now — before Rules notification. Five contract clauses to add to your standard workforce-AI vendor RFP:
- DPDP fiduciary/processor designation clause. Explicit designation of buyer as data fiduciary, vendor as data processor under DPDP Section 8. Vendor cannot independently determine processing purposes. Both parties indemnify per their respective obligations.
- Granular consent and consent ledger clause. Vendor product must support per-feature consent capture per data principal, with timestamped ledger entries accessible to the fiduciary on demand. Consent withdrawal must take effect within an SLA (typically 24 hours).
- 72-hour breach notification SLA clause. Vendor must notify fiduciary of any personal data breach within an SLA short enough that the fiduciary can meet its 72-hour CERT-In and DPB notification window (typically 24 hours from discovery). Vendor must provide a structured breach summary including affected data principal count, categories of personal data affected, root cause, and remediation timeline.
- Cross-border transfer assessment clause. Vendor must maintain a current sub-processor list with country-of-processing per entry, notify fiduciary 30 days in advance of sub-processor additions, and execute SCC-equivalent contract language for any cross-border transfers. India-hosting option must be available on demand at no incremental cost.
- Exit and deletion certification clause. On contract termination, vendor must export all personal data to fiduciary in a documented format within 30 days, certify deletion of all copies within 60 days, and provide a signed deletion certificate. Backups and aggregated metrics are excluded from the deletion obligation only if specifically scoped in the contract.
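Clause 4 above, like obligation 5 in the table and the cross-border transfer section, reduces to three checks a fiduciary can run against a vendor's sub-processor list: is each non-India destination either on the government's permitted list or covered by SCC-equivalent clauses, was the fiduciary notified 30 days before the entry took effect, and what countries does data actually flow to. The following is an added example, not code from the page or from any vendor it names, that runs those checks over a constructed register; the sub-processor names, dates and safeguard labels are assumptions for the example, and the permitted-country list is passed in empty because the page says it has not been published yet.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

FIDUCIARY_COUNTRY = "IN"   # processing inside India needs no transfer assessment
NOTICE_DAYS = 30           # advance notice the RFP clause requires for additions
# Contractual safeguard labels accepted for a cross-border entry (assumed names).
SAFEGUARDS = frozenset({"SCC-equivalent", "DPB-approved clauses"})


@dataclass(frozen=True)
class SubProcessor:
    name: str
    service: str
    country: str                  # ISO 3166-1 alpha-2 country of processing
    effective_on: date            # date processing through this entry starts
    notified_on: Optional[date]   # date the fiduciary was told, None if never
    safeguard: Optional[str]      # contractual transfer safeguard, None if absent


@dataclass(frozen=True)
class Finding:
    sub_processor: str
    issue: str


def assess_register(register: List[SubProcessor], permitted: FrozenSet[str]) -> List[Finding]:
    """Flag entries that fail the transfer-safeguard or advance-notice requirement.

    `permitted` is the central government's list of destinations that need no
    extra safeguard. While it is unpublished it is empty, so every non-India
    destination must carry a contractual safeguard.
    """
    findings: List[Finding] = []
    for sp in register:
        cross_border = sp.country != FIDUCIARY_COUNTRY
        if cross_border and sp.country not in permitted and sp.safeguard not in SAFEGUARDS:
            findings.append(Finding(sp.name, f"transfer to {sp.country} without SCC-equivalent or approved clauses"))
        if sp.notified_on is None:
            findings.append(Finding(sp.name, "fiduciary never notified of this sub-processor"))
        else:
            notice = (sp.effective_on - sp.notified_on).days
            if notice < NOTICE_DAYS:
                findings.append(Finding(sp.name, f"only {notice} days advance notice, clause requires {NOTICE_DAYS}"))
    return findings


def transfer_map(register: List[SubProcessor]) -> Dict[str, List[str]]:
    """Country -> sub-processors, the starting point of a transfer impact assessment."""
    out: Dict[str, List[str]] = {}
    for sp in register:
        out.setdefault(sp.country, []).append(sp.name)
    return {c: sorted(names) for c, names in sorted(out.items())}


def sample_register() -> List[SubProcessor]:
    """Constructed register: one clean India entry, one safeguarded US entry, two problem entries."""
    return [
        SubProcessor("in-primary-dc", "primary hosting", "IN", date(2026, 1, 1), date(2025, 11, 15), None),
        SubProcessor("us-object-storage", "backups", "US", date(2026, 1, 1), date(2025, 11, 15), "SCC-equivalent"),
        SubProcessor("sg-analytics", "usage analytics", "SG", date(2026, 3, 1), date(2026, 2, 20), None),
        SubProcessor("de-email-relay", "notification email", "DE", date(2026, 4, 1), None, "SCC-equivalent"),
    ]


if __name__ == "__main__":
    for f in assess_register(sample_register(), frozenset()):
        print(f"{f.sub_processor}: {f.issue}")
    print(transfer_map(sample_register()))
```

Re-running the assessment with a non-empty permitted list is how the fiduciary sees what changes on the day the government publishes it: the Singapore transfer finding disappears, while the missing-notice findings stay, because advance notice is a contract term independent of the white-list.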
Sample redline language for clause 1:
The parties acknowledge that, under the Digital Personal Data
Protection Act 2023, the Buyer is the Data Fiduciary and the Vendor
is the Data Processor with respect to all personal data of Buyer's
employees, contractors, and other workforce data principals processed
through the Vendor's product. The Vendor shall process such personal
data only for the purposes specified in Schedule A and only on
documented instructions from the Buyer, except where required by
applicable law. The Vendor shall not transfer any personal data to a
sub-processor without the Buyer's prior written consent and shall
maintain a current list of sub-processors available to the Buyer on
demand.
gStride DPDP architecture
gStride is architected against DPDP Act 2023 obligations at the system level. The product is positioned as an AI productivity intelligence platform that reads outcome signals from work data — calendar, project, and repository tools — rather than capturing input behaviour at the keyboard layer.
Data fiduciary by default
Every deployment ships with a standalone Data Processing Addendum designating the customer as the data fiduciary and gStride as the data processor under DPDP Section 8. The DPA is signed at contract execution; there is no path to deploy without it.
Granular consent architecture
Each monitoring feature (time capture, idle detection, calendar parse, repository commit parse, project ticket parse) is a separate consent surface inside the product. Employees see per-feature toggles in their gStride profile with timestamped consent ledger entries. Withdrawal of consent for a feature disables only that feature; the employee remains in good standing with the platform.
No keystroke or screenshot collection
The product does not capture keystrokes. The product does not capture screenshots by default; the screenshot feature is available as a customer-toggled opt-in for verticals (e.g. BPO billing audits) where it is operationally required and contractually consented to, and the schedule is configurable per data principal.
Excluded categories
Emotion inference, stress scoring, and wellbeing prediction are excluded by architecture, not by admin toggle. The product cannot perform these inferences regardless of customer configuration. This maps to the DPDP purpose-limitation obligation and to the EU AI Act Article 5 prohibited categories.
72-hour breach notification process
The gStride incident response runbook commits to a 24-hour vendor-to-fiduciary notification SLA from discovery, giving the fiduciary 48 hours to meet the 72-hour CERT-In and DPB obligation. The runbook is reviewed annually and a redacted summary is available to enterprise customers.
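The arithmetic behind that runbook, and behind obligation 4 and RFP clause 3, is a pair of clocks that both start at discovery: 24 hours for the vendor to reach the fiduciary and 72 hours for the fiduciary to reach CERT-In and the DPB. The following added example, not gStride's runbook or any vendor's code, evaluates a vendor's breach notice against both clocks and checks that the structured summary the RFP clause asks for is complete. The discovery and notification timestamps and the summary contents are constructed; IST is used because the obligations here are Indian.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

IST = timezone(timedelta(hours=5, minutes=30))
VENDOR_SLA = timedelta(hours=24)        # vendor-to-fiduciary, measured from discovery
FIDUCIARY_WINDOW = timedelta(hours=72)  # fiduciary-to-CERT-In/DPB, measured from discovery
# Fields the RFP clause requires in the vendor's structured breach summary.
REQUIRED_SUMMARY_FIELDS = ("affected_principal_count", "data_categories", "root_cause", "remediation_timeline")


@dataclass(frozen=True)
class BreachNotice:
    discovered_at: datetime                    # when the vendor detected the incident
    fiduciary_notified_at: Optional[datetime]  # when the vendor told the fiduciary, None if not yet
    summary: Dict[str, object]                 # structured breach summary as delivered


def deadlines(discovered_at: datetime) -> Dict[str, datetime]:
    """Both clocks run from discovery, not from when the fiduciary hears about it."""
    return {"vendor_to_fiduciary": discovered_at + VENDOR_SLA,
            "fiduciary_to_regulator": discovered_at + FIDUCIARY_WINDOW}


def check_notice(notice: BreachNotice, now: datetime) -> Dict[str, object]:
    """Return SLA findings, the regulator deadline and how much of the 72 hours is left."""
    issues: List[str] = []
    due = deadlines(notice.discovered_at)
    if notice.fiduciary_notified_at is None:
        if now > due["vendor_to_fiduciary"]:
            issues.append("vendor SLA missed: fiduciary not yet notified")
    elif notice.fiduciary_notified_at > due["vendor_to_fiduciary"]:
        late = notice.fiduciary_notified_at - due["vendor_to_fiduciary"]
        issues.append(f"vendor SLA missed by {late}")
    # A count of 0 is a valid value, so test for absence rather than falsiness.
    missing = [f for f in REQUIRED_SUMMARY_FIELDS if notice.summary.get(f) in (None, "", [])]
    if missing:
        issues.append("breach summary missing: " + ", ".join(missing))
    remaining = due["fiduciary_to_regulator"] - now
    return {"issues": issues,
            "regulator_deadline": due["fiduciary_to_regulator"],
            "hours_remaining_for_fiduciary": remaining.total_seconds() / 3600}


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed notices: one inside the SLA and complete, one late and incomplete."""
    discovered = datetime(2026, 6, 1, 10, 0, tzinfo=IST)
    now = datetime(2026, 6, 2, 15, 0, tzinfo=IST)
    complete = {"affected_principal_count": 412, "data_categories": ["activity logs", "calendar"],
                "root_cause": "misconfigured storage bucket", "remediation_timeline": "access revoked; audit by 2026-06-05"}
    good = BreachNotice(discovered, datetime(2026, 6, 2, 6, 0, tzinfo=IST), complete)   # 20h after discovery
    late = BreachNotice(discovered, datetime(2026, 6, 2, 14, 0, tzinfo=IST),          # 28h after discovery
                        {k: v for k, v in complete.items() if k != "root_cause"})
    return {"good": check_notice(good, now), "late": check_notice(late, now)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["issues"], f"{result['hours_remaining_for_fiduciary']:.0f}h left")
```

The "hours remaining" figure is the number the fiduciary's incident lead actually needs: it shrinks with every hour the vendor spends before notifying, which is why the contract pins the vendor SLA to discovery rather than to the vendor's own internal confirmation.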
India-hosting option
For India-based deployments, all processing and storage can be confined to Indian data centres (Mumbai region). For deployments spanning India and non-India workforce, cross-border transfers use SCC-equivalent contract language, with a transfer impact assessment available to the fiduciary on demand.
Run the free DPDP Vendor Risk Assessment
The gStride DPDP Vendor Risk Assessment is a 25-question interactive scorecard built for India HR, IT, and CISO teams. It produces a board-ready vendor-risk memo and a downloadable PDF. Free to run, no email gate on the interactive version — email-gated only at the PDF download step. Use it against gStride, against your incumbent vendor, or against any vendor in your shortlist.
Frequently asked questions
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection statute. It applies to any entity that processes digital personal data in India, including employers processing employee data. Rules notification (which operationalises consent, breach, transfer, and grievance obligations) is expected during 2026. Indian companies should treat the Rules notification as the practical enforcement gate. Verify with counsel for your specific obligations.
Is Hubstaff DPDP compliant?
As of the published documentation, Hubstaff does not explicitly state DPDP Act 2023 compliance in its public trust or privacy materials. The product collects keystrokes, screenshots, and mouse activity by default — which under DPDP would require explicit, granular, withdrawable consent and a documented purpose limitation. Buyers should request a written DPDP readiness statement from Hubstaff and a sub-processor list before contracting. Verify with counsel.
Is Time Doctor DPDP compliant?
Time Doctor's public documentation does not explicitly classify the product against DPDP Act 2023 obligations. The product captures screenshots and tracks application use; DPDP would require these as consent-based processing with granular purpose, not bundled into employment contract acceptance. Buyers should request a DPDP readiness statement, sub-processor map, and 72-hour breach notification process before contracting. Verify with counsel.
What are the 5 obligations DPDP places on workforce-AI vendors?
1. Data fiduciary status: clear contractual designation of who is the data fiduciary (employer) and who is the data processor (vendor).
2. Granular consent: separate consent for each processing purpose, withdrawable, with proof of consent recorded.
3. Purpose limitation: processing strictly to the consented purpose, no scope creep into evaluation or wellbeing inference.
4. 72-hour breach notification: to CERT-In and Data Protection Board, plus affected data principals.
5. Cross-border transfer assessment: SCC-equivalent contract language for any data leaving India.
Verify with counsel.
When does DPDP Act start enforcement?
The DPDP Act 2023 is enacted. Rules notification (the operational implementing rules) is expected during 2026. Until Rules notify, the operational obligations (consent format, breach timing, transfer SCCs, grievance handling) are not enforceable in their final form. Companies should treat the Rules notification window as the practical compliance deadline and build readiness against the current draft now. Verify with counsel.
What is the penalty exposure under DPDP?
The DPDP Act 2023 introduces a tiered penalty schedule under Section 33, with the highest band reaching INR 250 crore per offence for failures of obligation. The Data Protection Board has discretion within each band based on severity, recurrence, type of data, and mitigation effort. The 250-crore band is the statutory ceiling — actual penalties are expected to vary widely with first-mover enforcement likely focused on egregious failures. Verify with counsel.
How do I evaluate a workforce-AI vendor against DPDP?
Use the gStride DPDP Vendor Risk Assessment — a 25-question interactive scorecard covering data fiduciary designation, consent architecture, purpose limitation, breach process, cross-border transfers, sub-processor list, grievance handling, and documented exits. The scorecard produces a board-ready vendor-risk memo and a downloadable PDF. Free to run, no email gate on the interactive version.
Does gStride meet DPDP obligations?
gStride is architected against DPDP Act 2023 obligations at the system level: data fiduciary by default with separate processor agreement, granular consent management with per-feature toggles, no keystroke or screenshot collection by default, no emotion or stress or wellbeing inference (excluded by architecture not by toggle), 72-hour CERT-In notification process, India-hosted data option with documented cross-border SCCs for non-India deployments. Verify with your own counsel before relying on this for regulatory submission.
Disclaimer. This guide reflects gStride AI's current interpretation of the Digital Personal Data Protection Act 2023 and the draft Rules in circulation as of May 2026. Rules notification and subsequent Data Protection Board guidance may change the operational obligations described here. Penalty figures cited are statutory ceilings under Section 33, not expected enforcement values. Vendor compliance assessments reflect publicly available documentation only and are not legal opinions. Verify with your own counsel before relying on any output in a regulatory submission, vendor RFP, or board document. Questions about this guide: press@gstride.ai.
