Pull the DPDP risk assessment for your shortlist
The interactive assessment maps each vendor to DPDP Act sections plus the Rules anchors. Pass / partial / fail per question, verdict band, PDF in your inbox in 90 minutes. No card, no gate.
What the five DPDP anchors test
Workplace monitoring data is personal data. The employer is the Data Fiduciary; the vendor is a Data Processor under Section 8(4). The five anchors collapse the DPDP Act 2023 plus the expected Rules into the decisions a procurement team can make today.
- Section 4 consent. Does the vendor surface a per-feature consent record — not a single product-level toggle — so the deployer can demonstrate notified consent or specified legitimate use for each capture surface?
- Section 8 DPIA. Does the vendor ship Section 8(5) security safeguards documentation plus a DPIA template the deployer can adapt? Vendors that hand over a generic DPA without the DPIA section read partial.
- Section 10 SDF obligations. For employers likely to be designated Significant Data Fiduciaries (large IT services, BPO, regulated sectors), does the vendor ship the SDF documentation pack — appointed DPO contract, audit support, periodic DPIA refresh?
- Default surveillance. Are screenshot, keystroke, webcam, and similar capture surfaces switched off by default? Off by default = pass; on by default with role-level toggles = partial; on by default with only an org-wide toggle = fail.
- India data residency. Does the vendor offer India-region data storage with a documented residency posture — or at minimum a clear cross-border transfer record that complies with Section 16 once notified?
DPDP penalty bands run up to INR 250 crore per breach for failure to take security safeguards (Section 33 and the schedule), with separate bands for breach-notification failure, SDF-obligation failure, and child-data failure — figures subject to revision in notified rules, verify with counsel.
The 6-vendor DPDP risk matrix
| Vendor | Section 4 consent | Section 8 DPIA | Section 10 SDF | Default surveillance | India residency | Verdict |
|---|---|---|---|---|---|---|
| gStride | Pass | Pass | Pass | Pass | Pass | Ready |
| Keka | Pass | Partial | Partial | Pass (HR data scope) | Pass | Ready (HR scope) |
| Freshteam | Pass | Partial | Partial | Pass (HR data scope) | Pass | Ready (HR scope) |
| Hubstaff | Partial | Partial | Fail | Fail | Partial | Patchable |
| Time Doctor | Partial | Partial | Fail | Fail | Partial | Patchable |
| Teramind | Fail | Partial | Fail | Fail | Partial | At-Risk / Halt |
Per-vendor read
gStride — Ready
gStride was built India-first with DPDP as a foundational design constraint, not a bolted-on DPA. Surveillance capture surfaces are off by default; the consent surface is per feature so the deployer can produce a Section 4 record per data principal per capture type. India residency is supported with a documented residency posture. The data-principal rights workflow — access, correction, erasure, grievance — is built into the product rather than a manual ticket queue. Section 10 SDF pack ships with the deployer kit. See the solution stance for cross-deployment EU + India posture.
Keka — Ready (HR scope)
Keka is HR-suite first — payroll, leave, attendance, performance — not a monitoring tool, so it sits outside the surveillance-default question for most of its product surface. India residency and Section 4 consent surface are clean. Where it reads partial is the Section 10 SDF pack (HR suite, not monitoring depth) and the Section 8 DPIA template (generic, not workplace-monitoring-specific). For India SMB and mid-market buyers who need an HR system plus light productivity signal, Keka is deployable; for buyers who need productivity intelligence depth, pair it or consolidate. See gStride vs Keka for the use-both pattern.
Freshteam — Ready (HR scope)
Freshteam scores the same pattern as Keka — HR-suite first, India residency clean, consent surface clean, Section 10 SDF pack and DPIA template partial because the product isn't workplace-monitoring depth. For deployers running Freshteam as the HR backbone and a separate productivity tool on top, score the productivity vendor separately. The DPDP exposure usually concentrates in the productivity layer, not the HR-record layer.
Hubstaff — Patchable
Hubstaff has a global product footprint and DPA architecture but not an India-specific posture. Section 4 consent reads partial — consent toggles exist but are not per-feature granular enough for a clean record. Default surveillance is fail — screenshots, activity score, and app/URL tracking are on by default per project. Section 10 SDF documentation isn't published. India residency reads partial because the global tenant doesn't pin to an Indian region. Patchable with deployer-side hardening (per-feature consent, surveillance off at org level, SDF pack from counsel), but the vendor needs to ship the missing pieces for a sustainable Ready.
Time Doctor — Patchable
Time Doctor mirrors the Hubstaff pattern with the same default-on screenshot plus activity rating. Section 4 consent surface is partial, default surveillance is fail, Section 10 SDF documentation is missing, India residency is partial. The patch path is the same: deployer-side consent record, capture off at org level, SDF pack adapted from counsel. Hold renewal on a vendor-side commitment to ship the missing pieces inside 60 days.
Teramind — At-Risk / Halt
Teramind's default product configuration — screenshots, keystroke logging, webcam capture, behavioral analytics — collides with both DPDP consent architecture and the EU AI Act Article 5 prohibition when used in cross-border deployments. Section 4 consent reads fail because the depth of capture cannot be cleanly mapped to a per-feature consent record without disabling most of the product. Default surveillance is fail. India residency is partial. For India deployers where any portion of the workforce sits in EU jurisdiction or the data crosses an EU border, this becomes a halt for the combined matrix, not just at-risk. See our Teramind alternative piece for the enterprise replacement pattern.
Verdict bands — what to do at each
- Ready. Proceed to deployment with a documented DPIA. Set a Q4 2026 re-review when DPDP Rules notification status updates.
- Ready (HR scope). Deployable for the HR-suite use case. Score the productivity tool separately for the monitoring scope.
- Patchable. Conditional deployment with deployer-side hardening today plus vendor commitment to ship the missing pieces inside 60 days. Hold renewal on completion.
- At-Risk. Parallel-track an alternate vendor today. Do not renew past Q3 2026 unless the provider closes the consent and surveillance-default gaps with documented evidence.
- Halt. Replace the vendor before DPDP Rules notification lands. The compliance debt compounds — every month deployed without the consent record is exposure that does not retroactively heal.
The cross-border note
India deployers with EU workforce footprint should run both the DPDP risk matrix and the EU AI Act vendor scorecard. A vendor that lands Patchable on DPDP often lands Patchable on the AI Act for the same architectural reason (default-on surveillance, missing deployer kit). A halt on either side is a halt for the combined deployment. See our companion EU AI Act vendor scorecard for the cross-check, and see how gStride is engineered against this matrix on the consent-first productivity intelligence platform for the India lane — Section 4 lawful purpose, Section 6 withdrawal, Section 8 reasonable security, and Sections 11–14 Data Principal Rights wired in as platform features.
Get the DPDP risk file for procurement
12-question vendor assessment mapped to DPDP Act sections plus expected Rules anchors. Verdict band per vendor, PDF you can attach to the procurement file. Free, no card.
Related reading
For the deeper CISO framework see DPDP Rules: 14 questions India CISOs must score. For the cross-border EU + India read see EU AI Act compliant productivity software vendors 2026. For India-specific vendor patterns see Hubstaff alternative for India and BPO workforce management software in India. For the neutral entry-layer shortlist see the best DPDP-compliant employee monitoring software for India (2026), and for the call-centre lens see BPO workforce monitoring in India.
Frequently asked questions
Which employee monitoring vendors are DPDP-compliant in India in 2026?
As of May 2026 the DPDP Rules are still being notified, expected late 2025 or 2026 in staged form, so no vendor can claim full DPDP compliance on a notified-rule basis yet. What buyers can score today is the DPDP Act itself (consent architecture, purpose limitation, data principal rights, security safeguards) plus the architectural anchors the Rules will land on. In our 6-vendor matrix gStride scores closest to DPDP-ready because surveillance is off by default, the consent surface is per-feature, India residency is supported, and the data-principal rights workflow is built in. Keka and Freshteam score well on India residency and consent surface but are HR suites rather than monitoring tools. Hubstaff, Time Doctor, and Teramind each have at least one fail point that needs work.
What does the DPDP Act 2023 require of employee monitoring vendors?
The Digital Personal Data Protection Act 2023 requires that personal data processing have a notified lawful ground (Section 4 — consent or specified legitimate uses), that the purpose be specified and limited (Sections 5-6), that data principal rights be honoured (Sections 11-13: access, correction, erasure, grievance), that reasonable security safeguards be in place (Section 8(5)), and that personal data breaches be notified to the Data Protection Board and affected principals (Section 8(6)). Significant Data Fiduciaries get additional obligations under Section 10 including DPIA and audit. Workplace monitoring data is personal data, and the employer is the Data Fiduciary; the vendor is the Data Processor under Section 8(4).
When do the DPDP Rules come into force?
The DPDP Act 2023 received presidential assent in August 2023 but operationalisation depends on notification of the DPDP Rules and constitution of the Data Protection Board. The Rules are expected to be notified in staged form, likely beginning late 2025 and continuing through 2026. Once notified, transition periods will apply per category. Employers should treat May 2026 as the runway: get the consent surface, vendor DPAs, breach SLA, and Section 10 SDF documentation in place now so the team isn't building under a 90-day deadline post-notification. Verify the current rule timeline with counsel.
Is gStride DPDP-compliant?
gStride is built around the architectural anchors the DPDP Rules will land on. Surveillance capture (screenshots, keystroke, webcam) is off by default; consent surface is per feature so deployers can show a Section 4 consent record; India data residency is supported with a documented residency posture; the data-principal rights workflow (access, correction, erasure, grievance) is built into the product, not a manual ticket; breach detection and SLA timer are in the platform. The deployer kit ships with a vendor DPA template, Section 10 SDF documentation, and the Annex III mapping for cross-deployment in EU + India. The full DPDP posture is in our solution stance and the linked vendor risk assessment. Verify with counsel for your specific deployment.
What is the DPDP Vendor Risk Assessment and how does it work?
The DPDP Vendor Risk Assessment is an interactive evaluator at gstride.ai/assets/audits/dpdp-vendor-risk-assessment. Each question maps to a DPDP Act section or to an anchor the Rules will land on. Score each question pass / partial / fail; the tool produces a verdict band (Ready, Patchable, At-Risk, Halt) with a recommended next step for procurement and counsel. No card, no gating — the assessment lands as a PDF in your inbox in 90 minutes so you can attach it to the procurement file.
What does India data residency mean for a workplace monitoring vendor?
India data residency for workplace monitoring means the personal data collected from employees in India is stored, processed, and primarily handled within India's geographic boundary, with documented controls on any cross-border transfer. Under the DPDP Act 2023 Section 16, the Central Government may notify countries to which transfer is restricted; the precise notified-country list is expected through the Rules. A residency-ready vendor offers an India-region deployment option (typically AWS Mumbai, Azure Pune, or equivalent), documents the cross-border posture for backups and DR, names the India-based DPO contact, and produces a residency artefact for the Data Fiduciary file. Verify with counsel before deployment as the notified-country list and transfer-rule text are subject to revision.
How does the DPDP scorecard apply to multinational employers with India staff?
A multinational employer treats India staff as a separate Data Fiduciary scope under DPDP and runs the 5-anchor scorecard against the workplace monitoring vendor for the India headcount specifically, even when the same vendor is deployed globally. Consent architecture (Section 4) must satisfy India's specific-purpose test, which is stricter than GDPR's lawful basis test on bundled consent. Section 10 SDF obligations apply at the India-entity level if the criteria are met. India data residency and the India-based grievance officer are India-specific requirements, not satisfied by EU or US infrastructure. The deployer kit a vendor ships should include an India-region addendum that names these artefacts.
This article scores six workplace software vendors against the Digital Personal Data Protection Act 2023 as applied to India workplace monitoring deployments in May 2026. The DPDP Rules and Data Protection Board notifications are still in staged finalisation — rule text, transition periods, SDF designation criteria, and penalty schedules are subject to revision and final form is expected through late 2025 and 2026. Vendor scores reflect product configuration and public documentation at time of writing; vendor postures change. Verify specific obligations, the current rule timeline, residency requirements, and current vendor evidence with legal counsel for your jurisdiction and your specific deployment. The risk matrix is a buyer aid, not legal advice.

