NBFC Demo — Loan Onboarding
Live · 2,847 customers · 25 data points · DPDP 2023
All Units
Central DPO view — all data
Retail Lending
Owner: Deepak Kumar · 14 fields
Collections & Recovery
Owner: Smita Iyer · 6 fields
Digital Partnerships
Owner: Rohit Menon · 4 fields
Compliance & Legal
Owner: Arjun Nair · 7 fields
⚙ Manage Business Units →
DPDP Compliance Assessment FREE
5–10 minutes · 100% private · Instant readiness score · Personalised 10-step roadmap
✓ 500+ companies assessed ✓ NCSS certified experts ✓ ISO 27001 aligned
1. Company
2. Industry
3. Data Volume
4. Results
🏢
What's your company name?
We'll personalise your compliance assessment based on your organisation
⚠ The cost of not being DPDP compliant
₹250Cr
Max penalty per violation
₹17.9Cr
Avg. breach cost in India
72 hrs
Breach notification deadline
30 min
To know your readiness score
DataShield / Dashboard
DPDP Compliance Dashboard
NBFC Demo — Unsecured Personal Loan · 2,847 customers · Live
68%
DPDP Score
⚠ Partially Compliant
Last assessed 18 Apr 2026
Obligation Coverage — DPDP Act 2023
Consent Management · 48% · Rule 3
Purpose Limitation · 62% · Rule 3
Vendor Controls · 42% · Rule 6
Data Accuracy · 78% · Rule 6
Storage Limitation · 55% · Rule 8
Breach Readiness · 85% · Rule 7
Principal Rights · 60% · Rule 14
32% gaps to close
5 critical gaps across consent management, vendor risk, and principal rights are lowering your score.
Generate a full compliance pack for your board or RBI inspection.
Consent Gaps
3
Fields with no valid consent — action required
Open DSRs
4
Data subject requests — 1 approaching deadline
Active Incidents
1
INC-2025-001 — DPB notification due in 58 hrs
Business Unit — DPDP Readiness
Click a BU to scope the dashboard
Retail Lending
72%
Owner: Smita Iyer · 3 gaps
Collections & Recovery
58%
Owner: Rajesh Pillai · 2 gaps · 1 incident
Digital Partnerships
81%
Owner: Rohit Menon · 0 gaps
Compliance & Legal
65%
Owner: Arjun Nair · 1 gap
Recent Activity
Last 7 days
Upcoming Obligations
Next 30 days
DataShield / Data Inventory
Data Inventory
Personal data fields your organisation collects · Classified by your team · DPDP Rule 5 & 6
7 database fields detected but not yet classified
DataShield agent found new fields in your DB schema. Classify each one to bring it into your Data Inventory and confirm you are aware of this data being collected.
PII Fields
12
Directly identifies an individual
Sensitive Fields
8
Financial or behavioural data
Non-Personal Fields
5
Aggregated or derived data
System / Operational
3
Infra, logs, system identifiers
Standard Field Classification DB Sources RoPA Purposes Vendors Consents Actions
DataShield / Customers
Data Principal View
Lookup by DP ID · View consents given · Vendor data sharing · DSR requests · DPDP compliance
DataShield / Vendor Data Risk
Vendor Data Risk
Data processors · Re-verification · Contract management · Field exposure · News-based risk signals
🔔 Platform Risk Signal — Awaiting DRO Approval
SalesForce CRM India — Data Residency Concerns: DPDP Board Enquiry
Reports indicate DPDP Board enquiry into cross-border data transfer for cloud CRM providers. 3 similar NBFC processors flagged. Sentiment: Negative.
Sources: ET Tech · MeitY DPDP Bulletin · 3 days ago
⚠ Re-verification Alerts
Vendor | Last Verified | Next Due | Status | Action
DataShield / Breach & Incidents
Breach & Incident Response
DPDP Rule 7 · 72-hr DPB notification · RBI MD 2025 Para 68 · 6-hr cyber incident report
⚖ Mandatory breach notification obligations · DPDP Rule 7 · RBI MD 2025 Para 68
DPDP Act Rule 7 mandates that every Data Fiduciary notify the Data Protection Board of India within 72 hours of becoming aware of a personal data breach, including: nature of breach, data categories affected, estimated number of principals, likely consequences, and measures taken. RBI Master Directions on Outsourcing 2025, Para 68 additionally requires regulated entities (banks, NBFCs) to report cyber security incidents to RBI CSITE within 6 hours of detection. Both timelines run simultaneously. Failure to notify attracts penalties up to ₹200 Crore (DPDP) plus RBI enforcement action. This module tracks both clocks and pre-populates notification drafts from your Data Points Registry.
58:14:22
DPB Notification Deadline
DPDP Rule 7 · INC-2025-001 · Breach detected 13:46 today
CRITICAL
02:14:22
RBI CSITE Deadline
RBI MD 2025 Para 68 · INC-2025-001 · 6-hr cyber reporting
HIGH
Active Incidents
1 open
Data Exposure — INC-2025-001
From Data Points Registry — fields potentially exposed:
Notification Status
Incident Response Workflow — INC-2025-001
In Progress — Step 3 of 7
Incident History
Incident ID | Type | Severity | Detected | Status | DPB Notified | RBI Notified | Principals Affected | Actions
DataShield / DSR & Grievances
Data Subject Requests & Grievances
Data Principal rights · Consent withdrawal requests · Grievance tracking · 90-day resolution
⚖ Data Principal Rights under DPDP · S.11–13 · S.32
Sections 11–13 of the DPDP Act grant every Data Principal the right to: (1) Access — request a summary of what data you hold about them; (2) Correction & Erasure — demand inaccurate or no-longer-needed data be corrected or deleted; (3) Grievance Redressal — raise complaints about data misuse within a statutory 90-day resolution window. Section 13 requires all grievances to be resolved within 30 days at the entity level, failing which the Data Principal can approach the Data Protection Board. Unresolved DSRs attract penalties up to ₹50 Crore per violation.
Open Requests
4
Requires DPO action
In Progress
6
Assigned to team
Resolved (90d)
23
Avg. 8.4 days
Escalated
1
Approaching DPB deadline
All Requests
Consent Withdrawal
Erasure Requests
Access Requests
Grievances
Ref No. | Type | Customer | Raised On | Status | Days Open | Assigned To | Due By | Actions
⚖ Consent Withdrawal workflow S.6(4)
When a Data Principal withdraws consent, DPDP requires you to: (1) Immediately cease processing for that purpose; (2) Notify all Data Processors (vendors) who received that data; (3) Document the cessation. This workflow tracks every step, ensuring you can demonstrate to regulators that withdrawal was acted upon within a reasonable time.
⚖ Erasure / Right to be Forgotten · S.12 · Rule 8
DPDP Rule 8 requires automated erasure of personal data once the purpose for which it was collected is fulfilled, or when the Data Principal requests erasure. The erasure must be cryptographic (not just database delete) to prevent data recovery. You must also instruct all processors to erase their copies. Legal hold exceptions apply where retention is mandated by law (e.g., RBI KYC, SEBI audit trail).
⚖ Right to Access S.11
Section 11 grants every Data Principal the right to receive a summary of their personal data held by you, including what purposes it is being processed for, who it has been shared with, and for how long it will be retained. You must provide this information in a clear, structured format — not raw database output. Failure to respond to an access request is a grievance ground.
⚖ Grievance Redressal requirements · S.13 · S.32
Section 13 requires you to designate a Grievance Redressal Officer (your DPO) and ensure complaints are acknowledged within 24 hours and resolved within 30 days. If unresolved, the Data Principal may approach the Data Protection Board. Board orders are appealable to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Every grievance must be logged with a unique reference number, tracked to closure, and archived for 3 years minimum.
DataShield / Knowledge Hub / Integration Guide
Integration Guide
Get connected in 3 steps · On-premise deployment · Architecture reference · Webhook setup
Get Started — 3 Steps to Connect DataShield
On-Premise Agent · Zero data egress
1. Download Agent Config
Download the DataShield on-premise agent config file. The agent runs as a lightweight sidecar container (Docker / Kubernetes). No personal data leaves your network — only anonymised metadata is synced over mTLS.
docker pull datashield/agent:latest
kubectl apply -f datashield-agent.yaml
2. Map Your Database
Point the agent at your database schemas. It auto-scans table structures and field names using pattern matching + ML to detect and classify PII, Sensitive, and Non-Personal fields. Results appear in the Data Points registry within minutes.
Supported databases
PostgreSQL · MySQL · Oracle · MSSQL · MongoDB · Cassandra
3. Configure Consent Webhook
DataShield fires a signed webhook to your system when a consent is due to expire within 30 days. Your application can then trigger an in-app or SMS consent renewal flow for the customer automatically.
POST https://your-app.com/webhook
X-DataShield-Signature: sha256=...
Pre-Integration Checklist
Docker or Kubernetes environment available
Network egress allowed on port 443 to datashield.in (mTLS)
DB read-only service account credentials ready
Webhook receiver endpoint deployed and reachable
Industry template selected (see Quick Setup)
DPO email configured in Settings → Organisation
🏛
On-Premise First · Zero Data Leaves Your Network
DataShield agent runs entirely within your infra. Only anonymised metadata (field names, classification labels, consent events) is shared over mTLS.
mTLS Encrypted
BFSI On-Premise Deployment Pattern
Your Infrastructure (On-Premise / Private Cloud)
🗄
Core Banking DB
PII · Loan data
🔗
API Gateway
KYC · Bureau · eSign
📋
CRM / Collections
Interactions · Payments
📁
Document Store
Aadhaar · PAN · eSign
🛡
DataShield On-Prem Agent
Sidecar container (Docker/K8s) · Auto-classifies PII · Intercepts consent events · Fires webhooks
🔍
PII Scanner
Pattern + ML classification
📜
Consent Vault Node
Immutable · SHA-256 signed
🔔
Webhook Engine
30d expiry · CustomerID · Purpose
mTLS · Metadata only · Zero PII egress
DataShield Control Plane (Your-Hosted or SaaS)
DPO Dashboard
This UI · 4 modules
🔐
Consent Vault Central
Immutable · 7yr retention
📊
RoPA Engine
Auto-generates DPDP RoPA
🔗
Vendor Risk Monitor
News signals · Re-verify
Consent Renewal Webhook Payload
{
  "event": "CONSENT_EXPIRING",
  "trigger": "30_DAYS_BEFORE_EXPIRY",
  "customerId": "CUST-00472",
  "field": "Bank Statement (6mo)",
  "purpose": "Income & Affordability Check",
  "expiryDate": "2025-04-15",
  "daysRemaining": 29
}
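A receiver-side check for the signed consent webhook and the payload shown above, as an added example that is not DataShield's own code. It assumes the `X-DataShield-Signature` value is `sha256=` followed by the hex HMAC-SHA256 of the raw request body under a shared secret (the page does not state the scheme); `verify_and_parse`, `sign`, `SECRET` and the dedupe set are hypothetical names.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Assumed scheme: "sha256=" + hex HMAC-SHA256 of the raw body under a shared
# secret. The page shows only the header name and prefix, not the algorithm.
SIG_PREFIX = "sha256="
REQUIRED = {"event", "trigger", "customerId", "field", "purpose",
            "expiryDate", "daysRemaining"}
SECRET = b"constructed-demo-secret"  # constructed value, not a real key
# Constructed request body carrying the payload shown on the page.
SAMPLE_BODY = json.dumps({
    "event": "CONSENT_EXPIRING", "trigger": "30_DAYS_BEFORE_EXPIRY",
    "customerId": "CUST-00472", "field": "Bank Statement (6mo)",
    "purpose": "Income & Affordability Check",
    "expiryDate": "2025-04-15", "daysRemaining": 29,
}).encode()


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value under the assumed scheme (also used to build the sample)."""
    return SIG_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_and_parse(secret: bytes, raw_body: bytes,
                     header: Optional[str], seen: set) -> dict:
    """Return the parsed event, or raise ValueError if it must be rejected."""
    if not header or not header.startswith(SIG_PREFIX):
        raise ValueError("missing or malformed signature header")
    # Authenticate the exact bytes received, in constant time, before parsing.
    expected = sign(secret, raw_body).encode()
    if not hmac.compare_digest(expected, header.encode("utf-8", "replace")):
        raise ValueError("signature mismatch")
    event = json.loads(raw_body)  # JSONDecodeError is a ValueError
    if not isinstance(event, dict) or not REQUIRED.issubset(event):
        raise ValueError("payload missing required fields")
    if event["event"] != "CONSENT_EXPIRING":
        raise ValueError("unexpected event type")
    date.fromisoformat(str(event["expiryDate"]))  # ValueError if malformed
    days = event["daysRemaining"]
    # The page says the webhook fires within 30 days of expiry.
    if type(days) is not int or not 0 <= days <= 30:
        raise ValueError("daysRemaining outside the 30-day window")
    # The payload has no timestamp or nonce, so dedupe on its identifying
    # fields to stop a replayed delivery re-triggering the renewal flow.
    key = tuple(str(event[k]) for k in
                ("customerId", "field", "purpose", "expiryDate"))
    if key in seen:
        raise ValueError("duplicate delivery")
    seen.add(key)
    return event


if __name__ == "__main__":
    seen_events: set = set()
    print(verify_and_parse(SECRET, SAMPLE_BODY, sign(SECRET, SAMPLE_BODY),
                           seen_events)["customerId"])
```

Pass the request body to `verify_and_parse` exactly as received; re-serialising parsed JSON before the HMAC check changes the bytes and breaks verification.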
Knowledge Hub / Quick Reference
DPDP Act 2023 — Quick Reference
Key entities · Rules · Financial liability · Compliance roadmap · Solution framework
Key Entities Under DPDP
👤
Data Principal
The individual whose personal data is being processed
Access: Right to access their personal data
Correction: Right to correct inaccurate data
Erasure: Right to request data deletion
Grievance: Resolution within 90 days
Nomination: Nominate someone to exercise rights
🏢
Data Fiduciary
Entity that determines purpose and means of processing
Notice: Clear and plain language notice to data principals
Consent: Freely given, informed, unambiguous consent
Storage Limitation: Data retention only as long as necessary
Reasonable Safeguards: Encryption, access controls, backups
Breach Notifications: 72-hour reporting to Data Protection Board
Contracts with Processors: Binding agreements with data processors
⚖️
Significant Data Fiduciary
Large-scale processors with additional obligations
› Appointing a DPO based in India
› Appointing an Independent Data Auditor
› Conducting DPIA (Data Protection Impact Assessment)
› Regular audits and reporting to Data Protection Board
› Due diligence of algorithmic software
› Restrictions on cross-border data transfer
Key DPDP Rules — At a Glance
Rule 3 — Itemized Consent
Clear & Plain Language · Revocable Consent · Purpose Limitation · Specific & Informed
Rule 6 — Security Safeguards
Encryption & Masking · Access Control · Logging & Auditing · Contractual Flow-Down
Rule 7 — Breach Notification
72-hour reporting to DPB · Notify affected Data Principals
Rule 8 — Data Erasure
Erase when purpose served · Retain logs ≥1 year · Notify Data Principal 48h before
Rule 14 — Principal Rights
Right to Access · Right to Erasure · Right to Correction · Grievance: 90 days
Other Key Rules
Rule 10: Children's Data · Rule 11: Parental Consent · Rule 13: SDF Additional Obligations · Rule 15: Cross-Border Transfer
Financial Liability — Why Act Now
₹250 Crore
Security Breaches (Rule 6)
₹200 Crore
Breach Notification Failure (Rule 7)
₹50 Crore
General Violations (per violation)
₹17.9 Cr
Avg. breach cost in India
Timeline: Rules effective Nov 14, 2025. 62% of customers stop doing business after a data breach. Early compliance = competitive edge for government contracts & enterprise deals.
DPDP Section → DataShield Module Mapping
DPDP Section | Requirement | DataShield Module
Sec 4–7 | Consent Management | ✓ Consent Vault
Sec 5 | Privacy Notice | ✓ Consent Text + RoPA
Sec 8(1),(5) | Purpose Limitation & Minimisation | ✓ Data Points + Purpose Master
Sec 11–13 | Data Principal Rights | ✓ Customers Module
Sec 13 | Grievance Redressal | ⚙ Consent Vault + Support
Sec 8(7) | Security Safeguards | ✓ On-Premise Agent
Sec 8(9) | Breach Notification | ⚙ Dashboard Alerts
Sec 8(8) | Third Party / Processor Risk | ✓ Vendor Data Risk
10-Step DPDP Compliance Roadmap
AI-powered guidance
1. Data Privacy Assessment
Assess current posture against DPDP requirements
✓ AI-powered gap analysis
2. Data Discovery & Mapping
Identify personal data touchpoints and conduct mapping
✓ PII Discovery Agent
3. RoPA & Data Flow Diagram
Document processing activities across systems
✓ Automated documentation
4. Consents & Notices
Prepare consent mechanisms and privacy notices
✓ Policy templates library
5. Privacy Impact Assessment
Identify risks and define mitigation controls
✓ Risk scoring dashboard
6. Third-Party Risk Management
Assess processors and establish contracts
✓ Vendor assessment tools
7. Technical Safeguards
Implement encryption, access controls, backups
✓ Security controls checklist
8. DPO Setup
Establish data protection office and processes
✓ Expert consultation
9. Implementation
Deploy controls and automation tools
✓ Guided implementation
10. Monitoring & Sustenance
Periodic reviews and continuous compliance
✓ Continuous monitoring
The Solution: Data Privacy Vault Architecture
Architectural Pillars
Isolation of PII · Polymorphic Encryption · Advanced Tokenization · Centralized Governance
Operational Benefits
De-risking AI Training · Simplifying DSR Execution · Ensuring Data Residency · Real-time Consent Validation
AI & LLM Privacy
Privacy-Preserving Training · Inference Filtering · Right to be Forgotten in AI · De-identifying PHI/PII
DataShield is trusted by 500+ Indian BFSI companies. NCSS certified. ISO 27001 aligned. On-premise deployment available for Significant Data Fiduciaries.
DPDP Rules 2025 — All 23 Rules Explained
Nov 2025 Gazette
ℹ Click any rule to expand a plain-language explanation. Rules 1, 2, 17-21 are in force now. Rule 4 takes effect Nov 2026. Rules 3, 5-16, 22-23 take effect May 2027.
Knowledge Hub / FAQ
Frequently Asked Questions
Search or browse DPDP compliance questions
Knowledge Hub / Webinars & News
Webinars & DPDP News
Official webinars · Latest regulatory updates · Market intelligence
DPDP Rules 2025: What You Must Do Now
Official Webinar · 45 min
Consent Management Under DPDP — Deep Dive
Official Webinar · 38 min
PII Discovery & RoPA — Practical Guide
Official Webinar · 42 min
BFSI DPDP Readiness: Vendor & Data Processor Obligations
Official Webinar · 51 min
DPDP & Privacy Regulatory News
● Live feed
DataShield / Support
Support & Platform Features
Your account team · Company support · Platform capabilities reference
Your DataShield Account Team
Your Account Manager
Rahul Sharma
Account Manager — BFSI
📞 +91 98765 43210
Technical Account Manager
Priya Krishnaswamy
Technical Account Manager
📞 +91 91234 56789
Company Support Desk
DataShield Support
24×7 Compliance Support Desk
📞 1800-xxx-xxxx (Toll free)
Raise a Support Ticket
DataShield Platform Features
DPDP Act 2023 Ready
🗂
Data Discovery & Classification
Auto-detect PII, Sensitive, and Non-Personal fields across your DB schema. Pattern + ML-based classification. Fill rate and quality monitoring per field.
🔐
Consent Vault
Tamper-proof, SHA-256 signed consent artefacts. Full lifecycle: collect → renew → revoke → purge. DPDP Rule 3 compliant. 7-year immutable audit retention.
📊
Automated RoPA
Auto-generates Record of Processing Activities. Maps data fields to purposes, legal basis, and retention schedules. Exportable for Data Protection Board submission.
🔗
Vendor / Third-Party Risk
Track all data processors. News-based risk signals. Re-verification scheduling. Contract & DPA document store. Purge certificate management.
👤
Data Principal Rights
Customer-level data view with masking. Consent trail per customer. Action tools: map consent, send consent link, flag for purge, mark revoked.
🏗
On-Premise Agent
Docker/K8s sidecar. Zero data egress — only metadata synced over mTLS. Consent renewal webhooks fire 30d before expiry with full field + purpose context.
DataShield / Settings
Settings
Users · Roles · Notifications · Organization · API keys
User Management
Name | Email | Role | Business Unit | Status | Last Login | Actions
Deepak Kumar
Central DPO
dpo@nbfcdemo.in DPO — Admin 🏢 All Units Active Today, 09:14
Smita Iyer
BU Compliance Owner
smita.i@nbfcdemo.in BU Compliance Owner ● Retail Lending Active Yesterday, 16:42
Rajesh Pillai
BU Compliance Owner
r.pillai@nbfcdemo.in BU Compliance Owner ● Collections & Recovery Active Today, 11:02
Rohit Menon
BU Compliance Owner
rohit.m@nbfcdemo.in BU Compliance Owner ● Digital Partnerships Active 18 Apr, 14:30
Arjun Nair
BU Compliance Owner
arjun.n@nbfcdemo.in BU Compliance Owner ● Compliance & Legal Invited Never
Priya Krishnaswamy
Compliance Officer
priya.k@nbfcdemo.in Compliance Officer ● Retail · Digital Active 17 Apr, 09:55
Vikram Shetty
IT / Technical
v.shetty@nbfcdemo.in IT / Technical 🏢 All Units Active Today, 08:30
Organization Settings
Business Units
Business Units scope data points, consents, vendors, and DSRs to their owner. Central DPO always has cross-BU visibility.
Retail Lending
Owner: Smita Iyer · 14 fields · 2 vendors
72%
DPDP Score
Collections & Recovery
Owner: Rajesh Pillai · 6 fields · 1 vendor
58%
DPDP Score
Digital Partnerships
Owner: Rohit Menon · 4 fields · 3 vendors
81%
DPDP Score
Compliance & Legal
Owner: Arjun Nair · 7 fields · 0 vendors
65%
DPDP Score
Notification Preferences
Consent expiry alerts
When consents expire within 30 days
Vendor re-verification due
When vendor verification is overdue
New unmapped fields detected
Agent finds new DB fields
Vendor risk news signals
News-based risk flags for vendors
Weekly DPDP readiness digest
Email summary every Monday
API Keys & Webhook Config
Your on-premise agent uses the Live API Key to push metadata events to the DataShield control plane over mTLS. Never expose this key in client-side code.
Data Retention Policies
Configured per data category · DPDP Rule 8 compliance · Auto-delete scheduling
⚖ Why configure data retention? · Rule 8 · S.8(7)
DPDP Rule 8 mandates automated erasure of personal data as soon as the purpose for which it was collected is satisfied, unless retention is required by law. Section 8(7) prohibits retaining personal data beyond what is "necessary." Without configured retention policies, your organisation faces two risks simultaneously: retaining data too long (DPDP violation), or deleting data required by RBI/SEBI/IRDAI regulations (regulatory violation). Legal hold flags ensure legally mandated data is preserved while consent-based data is automatically purged.
Data Category | Retention Period | Deletion Method | Legal Hold | Status | Actions
Next automated purge run: 05 May 2025, 02:00 IST · 312 records scheduled for deletion