DPDP is not a single checkbox. It is notice and consent, published policies, tracker discovery, data-principal rights, records, impact assessments and breach handling. Privista brings all of it into one platform, with a single tamper-evident evidence ledger under every tool, all hosted in India.
Stitching together a cookie plugin, a policy generator, a spreadsheet of records and an email inbox for rights requests is how gaps appear. Privista runs the whole obligation stack on one foundation, so every action lands in the same audit trail.
Seven tools on one foundation, each carrying a distinct DPDP duty. They share one login, one design and one evidence ledger, so adopting a second tool never means rebuilding. Here is the whole toolset, stated honestly by status.
Collect consent purpose by purpose, keep tracking inert until people agree, and write every choice to the ledger with a receipt.
Draft and maintain every document a compliant site needs, from a guided intake, with DPDP-aware clauses and version history.
Crawl any site, discover trackers and third-party scripts, and flag exactly what is processing personal data without consent.
A data-principal portal for access, correction, erasure and grievance requests, tracked to statutory timelines.
Data mapping and Records of Processing, so you always know what you hold, why, and on what basis you hold it.
Guided Data Protection Impact Assessments for high-risk processing, producing a defensible written trail.
An incident workflow that runs the clock, drafts notifications and keeps you inside the Board's reporting timelines.
Every tool above writes to the same append-only, hash-chained record. That is what turns seven tools into one provable compliance posture.
See how it works ›The DPDP Act and the 2025 Rules impose a set of duties on a Data Fiduciary. Here is exactly which Privista tool carries each one, and where it stands today.
Point tools each hold a slice of your data and none of the whole picture. Privista's tools share one foundation, so the picture is always complete and always provable.
Every tool writes to the same append-only, hash-chained record. Recompute the whole chain and prove nothing was altered, across consent, policies, rights and breaches.
Every record is tagged with a tenant id derived from who is calling, never from what they type. PostgreSQL row-level security means one business can never read another's rows.
Database, queue, storage and backups run in an India region. Only non-personal artifacts like SDK code sit on the global CDN. The simplest defensible posture, by design.
Sign in once, invite your team with roles, and move between tools that look and behave the same. New tools inherit the spine instead of starting fresh.
Every tenant signs a Data Processing Agreement that gates go-live. Privista acts only on your instructions and staff access is logged, time-boxed and visible to you.
The notice model, the language set and the legal framing are built for DPDP, not adapted from GDPR. No Legitimate-Interest tab, no fixed vendor taxonomy.
Most compliance software is written by engineers who ask a lawyer to check it afterwards. Privista is built the other way round, by someone studying India's data-protection regime at close range.
That is why the defaults, the notice templates and every field in the ledger start from how the DPDP Act and its 2025 Rules actually read, not a rough approximation of them.
Studying the exact law Privista automates, so the product tracks the statute rather than a rough reading of it.
Start with the tool you need today. Add the rest as they ship. Everything you do accrues to one audit trail you can hand to a regulator.
Sign up, verify email, accept the Data Processing Agreement. Your organisation becomes an isolated tenant.
Pick where you are exposed: publish policies, scan for trackers, add the consent banner, or set up rights intake.
Publish policies, scan for gaps, handle rights and records. Each new tool joins the same login and ledger.
Export the evidence ledger and receipts and run chain verification. That is the audit the platform is built to win.
The banner-before-a-cookie rule is European. Under India's DPDP Act the obligation attaches to personal data, and it does not stop at consent. Stating it correctly is what earns a lawyer's trust.
"Compliance means putting a cookie banner on the site." That trigger is GDPR and ePrivacy, and a banner is only one duty of several.
The obligation attaches to personal data: notice and consent, plus rights, records, impact assessments, breach reporting and the duty to demonstrate all of it.
A platform for the whole stack, not a single banner. Purpose-by-purpose consent, published policies, rights and breach handling, with proof under every action.
Free plugins and international suites can each do part of this. Privista's edge is doing the whole stack, India-first, with proof as a first-class feature.
| Capability | Privista | Free plugin | Policy generator | GDPR-retrofit suite |
|---|---|---|---|---|
| Covers the full DPDP stack | 7 tools | Consent only | Docs only | Broad |
| Built for India's DPDP | Native | No | Generic | Retrofit |
| One tamper-evident ledger | Hash-chained | No | No | Partial |
| All personal data in India | Yes | Varies | Varies | Usually EU/US |
| Enforces tracking before consent | Yes | Rarely | n/a | Yes |
| Eighth Schedule languages | Yes | No | Some | Limited |
Every plan includes the core tools and the evidence ledger. Higher tiers add more tools, more volume and more seats.
One site, getting compliant.
A growing business with real traffic.
Multi-brand, high volume, audit-ready.
Regulated, multi-entity, full suite.
No. Consent is the flagship and the first live tool, but Privista is a platform for the whole DPDP obligation stack: consent, policies, tracker discovery, data-principal rights, records, impact assessments and breach handling, all on one foundation with one evidence ledger.
Consent is live and feature-complete on the hard parts: collection, enforcement and the proof ledger. Policy Studio is new and building. Scan is in development. Rights, Records, DPIA and Breach are on the roadmap and join the same platform as they ship. We state status honestly so you never overclaim at an audit.
It is the shared record every tool writes to. Each entry is append-only and hash-chained: a record's hash includes the previous record's hash, so altering any past entry breaks the chain and is detectable by a verification endpoint. It is the artifact you hand to a regulator to prove what happened and that nothing was changed.
No, and deliberately so. Privista is software a business uses to meet its own obligations, so the business is the Data Fiduciary and Privista is its Processor. The statutory Consent Manager is a separate, registered, regulated intermediary role that a single-business compliance platform does not need.
A business sees only its own data, enforced by the database through row-level security, not just by our code. Staff have no standing access and can only view a tenant's data through a logged, time-limited support session that appears in that tenant's own audit log.
In India. The database, queue, object storage and backups all run in an India region. Only non-personal artifacts like the SDK code and published templates sit on the global CDN.
Start free with Consent today and grow into the full suite. Whatever you do in Privista lands in one audit trail you can prove.