India's DPDP compliance platform

Every DPDP obligation.
One platform. One proof.

DPDP is not a single checkbox. It is notice and consent, published policies, tracker discovery, data-principal rights, records, impact assessments and breach handling. Privista brings all of it into one platform, with a single tamper-evident evidence ledger under every tool, all hosted in India.

Built by a cyber-law postgraduate at NLIU Bhopal
Consent · Live Policy Studio Scan Rights Records DPIA Breach
Evidence Ledger
privista.in
4 events · not yet verified
Consent, policies, rights and breaches, one hash-chained record
Why one platform

Compliance is a stack, not a banner.

Stitching together a cookie plugin, a policy generator, a spreadsheet of records and an email inbox for rights requests is how gaps appear. Privista runs the whole obligation stack on one foundation, so every action lands in the same audit trail.

7 tools
One login covering consent through breach, sharing identity and isolation.
1 ledger
Every tool writes to the same tamper-evident, hash-chained evidence trail.
100% India
Database, queue, storage and backups all run in an India region.
13 May 2027
The date the substantive DPDP obligations commence. The runway is now.
The Privista suite

Seven tools, one compliance platform

Seven tools on one foundation, each carrying a distinct DPDP duty. They share one login, one design and one evidence ledger, so adopting a second tool never means rebuilding. Here is the whole toolset, stated honestly by status.

Live

Consent

Collect consent purpose by purpose, keep tracking inert until people agree, and write every choice to the ledger with a receipt.

  • enforcement engine
  • Consent Mode v2
  • signed receipts
New

Policy Studio

Draft and maintain every document a compliant site needs, from a guided intake, with DPDP-aware clauses and version history.

  • privacy, terms, disclaimer
  • cookie and refund policies
  • auto re-issue on change
In development

Scan

Crawl any site, discover trackers and third-party scripts, and flag exactly what is processing personal data without consent.

  • automated crawler
  • tracker inventory
  • consent-gap report
Planned

Rights

A data-principal portal for access, correction, erasure and grievance requests, tracked to statutory timelines.

  • request intake and identity check
  • timeline tracking
  • grievance workflow
Planned

Records

Data mapping and Records of Processing, so you always know what you hold, why, and on what basis you hold it.

  • processing inventory
  • purpose and basis mapping
  • RoPA export
Planned

DPIA

Guided Data Protection Impact Assessments for high-risk processing, producing a defensible written trail.

  • guided assessment
  • risk and mitigation log
  • sign-off record
Planned

Breach

An incident workflow that runs the clock, drafts notifications and keeps you inside the Board's reporting timelines.

  • incident intake
  • timeline and clock
  • notification drafting

One evidence ledger

Every tool above writes to the same append-only, hash-chained record. That is what turns seven tools into one provable compliance posture.

See how it works ›
Obligation coverage

Every duty, mapped to a tool

The DPDP Act and the 2025 Rules impose a set of duties on a Data Fiduciary. Here is exactly which Privista tool carries each one, and where it stands today.

Itemised notice and valid consentclear affirmative action, purpose by purpose, easy withdrawal
ConsentLive
Published, accurate policiesprivacy policy, terms, disclaimer, cookie policy
Policy StudioNew
Know what is processing personal datadiscover trackers and third-party scripts
ScanIn dev
Honour data-principal rightsaccess, correction, erasure, grievance redressal
RightsPlanned
Maintain records of processingwhat data, which purpose, on what basis
RecordsPlanned
Assess high-risk processingimpact assessments with a written trail
DPIAPlanned
Report breaches on timenotify the Board and affected principals within timelines
BreachPlanned
Demonstrate all of ittamper-evident proof for an audit or Board inquiry
Evidence LedgerLive
The platform spine

What makes it a platform, not a bundle

Point tools each hold a slice of your data and none of the whole picture. Privista's tools share one foundation, so the picture is always complete and always provable.

One evidence ledger

Every tool writes to the same append-only, hash-chained record. Recompute the whole chain and prove nothing was altered, across consent, policies, rights and breaches.

Isolation by the database

Every record is tagged with a tenant id derived from who is calling, never from what they type. PostgreSQL row-level security means one business can never read another's rows.

Data stays in India

Database, queue, storage and backups run in an India region. Only non-personal artifacts like SDK code sit on the global CDN. The simplest defensible posture, by design.

One identity, one design

Sign in once, invite your team with roles, and move between tools that look and behave the same. New tools inherit the spine instead of starting fresh.

Built for the DPA relationship

Every tenant signs a Data Processing Agreement that gates go-live. Privista acts only on your instructions and staff access is logged, time-boxed and visible to you.

India-first, not retrofitted

The notice model, the language set and the legal framing are built for DPDP, not adapted from GDPR. No Legitimate-Interest tab, no fixed vendor taxonomy.

Who is behind Privista

Built by a cyber-law postgraduate at NLIU Bhopal, not a generic SaaS team.

Most compliance software is written by engineers who ask a lawyer to check it afterwards. Privista is built the other way round, by someone studying India's data-protection regime at close range.

That is why the defaults, the notice templates and every field in the ledger start from how the DPDP Act and its 2025 Rules actually read, not a rough approximation of them.

A
Amal Singh
Postgraduate student, Cyber Law & Information Security
National Law Institute University, Bhopal
Master's in Cyber Law & Information Security · currently pursuing

Studying the exact law Privista automates, so the product tracks the statute rather than a rough reading of it.

From setup to proof

How the platform comes together

Start with the tool you need today. Add the rest as they ship. Everything you do accrues to one audit trail you can hand to a regulator.

Step 01

Create your organisation

Sign up, verify email, accept the Data Processing Agreement. Your organisation becomes an isolated tenant.

Step 02

Turn on your first tool

Pick where you are exposed: publish policies, scan for trackers, add the consent banner, or set up rights intake.

Step 03

Add tools as you grow

Publish policies, scan for gaps, handle rights and records. Each new tool joins the same login and ledger.

Step 04

Prove it, anytime

Export the evidence ledger and receipts and run chain verification. That is the audit the platform is built to win.

Get the framing right

DPDP has no cookie law. It has a full obligation stack.

The banner-before-a-cookie rule is European. Under India's DPDP Act the obligation attaches to personal data, and it does not stop at consent. Stating it correctly is what earns a lawyer's trust.

Myth

"Compliance means putting a cookie banner on the site." That trigger is GDPR and ePrivacy, and a banner is only one duty of several.

DPDP

The obligation attaches to personal data: notice and consent, plus rights, records, impact assessments, breach reporting and the duty to demonstrate all of it.

Privista

A platform for the whole stack, not a single banner. Purpose-by-purpose consent, published policies, rights and breach handling, with proof under every action.

DPDP implementation countdown
--Days
--Hours
--Minutes
--Seconds
until the substantive DPDP obligations commence on 13 May 2027
Rules notified13 Nov 2025
Consent Manager registration13 Nov 2026
Obligations commence13 May 2027
Honest comparison

Why a platform beats point tools

Free plugins and international suites can each do part of this. Privista's edge is doing the whole stack, India-first, with proof as a first-class feature.

CapabilityPrivistaFree pluginPolicy generatorGDPR-retrofit suite
Covers the full DPDP stack7 toolsConsent onlyDocs onlyBroad
Built for India's DPDPNativeNoGenericRetrofit
One tamper-evident ledgerHash-chainedNoNoPartial
All personal data in IndiaYesVariesVariesUsually EU/US
Enforces tracking before consentYesRarelyn/aYes
Eighth Schedule languagesYesNoSomeLimited
Plans

Start with one tool. Grow into the platform.

Every plan includes the core tools and the evidence ledger. Higher tiers add more tools, more volume and more seats.

Starter

One site, getting compliant.

Free
  • Core tools, 1 domain, 1 seat
  • Up to 5,000 ledger events / mo
  • Receipts and chain verification
Get started
Growth

A growing business with real traffic.

₹1,499/mo
  • Consent + Policy Studio
  • 3 domains, 5 seats
  • Up to 100,000 ledger events / mo
  • Webhooks and full export
Choose Growth
Scale Popular

Multi-brand, high volume, audit-ready.

₹4,999/mo
  • Consent, Policy Studio + Scan
  • 10 domains, 20 seats
  • Up to 1M ledger events / mo
  • Priority support and SLA
Choose Scale
Enterprise

Regulated, multi-entity, full suite.

Custom
  • Full suite: Rights, Records, DPIA, Breach
  • Unlimited domains and seats
  • Custom DPA and dedicated region
  • Named compliance contact
Talk to us
The questions people ask

Answers, stated correctly

No. Consent is the flagship and the first live tool, but Privista is a platform for the whole DPDP obligation stack: consent, policies, tracker discovery, data-principal rights, records, impact assessments and breach handling, all on one foundation with one evidence ledger.

Consent is live and feature-complete on the hard parts: collection, enforcement and the proof ledger. Policy Studio is new and building. Scan is in development. Rights, Records, DPIA and Breach are on the roadmap and join the same platform as they ship. We state status honestly so you never overclaim at an audit.

It is the shared record every tool writes to. Each entry is append-only and hash-chained: a record's hash includes the previous record's hash, so altering any past entry breaks the chain and is detectable by a verification endpoint. It is the artifact you hand to a regulator to prove what happened and that nothing was changed.

No, and deliberately so. Privista is software a business uses to meet its own obligations, so the business is the Data Fiduciary and Privista is its Processor. The statutory Consent Manager is a separate, registered, regulated intermediary role that a single-business compliance platform does not need.

A business sees only its own data, enforced by the database through row-level security, not just by our code. Staff have no standing access and can only view a tenant's data through a logged, time-limited support session that appears in that tenant's own audit log.

In India. The database, queue, object storage and backups all run in an India region. Only non-personal artifacts like the SDK code and published templates sit on the global CDN.

Built for the May 2027 obligations

One platform for everything DPDP asks of you.

Start free with Consent today and grow into the full suite. Whatever you do in Privista lands in one audit trail you can prove.