
DPDP ACT 2023 COMPLIANCE

DPDP Act compliance infrastructure for regulated BFSI in India.

For NBFCs and fintech lenders navigating the direct conflict between DPDP erasure obligations and RBI retention mandates. Consent capture, audit records, and the Compliance Vault. Operational in 30 days.

Aligned with DPDP Rules 2025 (G.S.R. 846(E))
RBI-DPDP conflict resolution: built-in
Consent Manager network interoperable (Jio, TCS)

The Data Protection Board of India is processing complaints under the DPDP Act 2023. In May 2026, the Supreme Court directed the Ministry of Electronics and IT to examine a petition on the recovery of stolen personal data held on foreign servers. Penalty enforcement begins May 2027. Companies that build compliance infrastructure now avoid the cost and disruption of acting under enforcement pressure.

New to India's data protection law? Read the DPDP Act 2023 compliance guide: what it requires, who it applies to, and the enforcement timeline. Or browse all DPDP compliance guides, or compare platforms in the 2026 buyer's guide.


28 DPDP compliance guides published

26 obligations tracked in the free checklist

Sector regulators covered: RBI, IRDAI, SEBI, DPBI

Built for India's most regulated sectors.

Select your sector to see your specific DPDP obligations.

  • KYC Retention Conflict

    The RBI KYC Master Direction mandates KYC record retention for five years after the relationship ends. Section 8(7) of the DPDP Act requires erasure when consent is withdrawn or the specified purpose is no longer served, unless retention is necessary for compliance with a law in force. That carve-out is what makes retention defensible, but only for the records and the period the mandate actually covers, and only if you can show which mandate applies to which record. ConsentOS isolates statutory-hold data from consent-governed records via the Compliance Vault.

  • Credit Bureau Consent (Section 6)

    Sharing credit history with bureaus requires consent that is free, specific, informed and unambiguous under Section 6 of the DPDP Act, given for that purpose. Bundled consent forms that fold bureau sharing into the loan agreement are non-compliant and create penalty exposure under the Schedule to the Act.

  • Data Localisation

    The DPDP Act itself does not mandate localisation: Section 16 permits transfer of personal data outside India except to countries the Central Government restricts by notification. The localisation obligation on payment data comes from RBI's 2018 directive on storage of payment system data, which requires that data to be stored in India. Cross-border transfers for co-lending or co-origination partnerships therefore need a documented lawful basis and transfer safeguards under both regimes, and must not move RBI-localised payment data offshore.

Full NBFC compliance guide
  • UPI / BNPL Consent Flows

    Every payment mandate and lending decision requires a separate, granular consent record. A pre-checked authorisation box is not the clear affirmative action that Section 6(1) of the DPDP Act requires, so consent collected that way is invalid.

  • 72-Hour Breach Notification (Section 8(6))

    Section 8(6) of the DPDP Act requires a Data Fiduciary to intimate both the Data Protection Board and each affected Data Principal of a personal data breach. The DPDP Rules 2025 require that intimation to be made without delay, with the detailed report to the Board due within 72 hours of becoming aware of the breach (or a longer period the Board allows). Incident response plans and communication templates must be pre-drafted and approved, because 72 hours is not enough time to write them.

  • AML Retention vs DPDP Erasure

    PMLA 2002 mandates 5-year transaction record retention. Erasure requests must be evaluated against this statutory obligation before deletion. The evaluation itself must be documented.

Full Fintech compliance guide
  • SEBI KYC vs DPDP Erasure

    SEBI mandates 7-year retention of trading records and client communications. DPDP erasure requests cannot override this statutory obligation, but the rationale for withholding deletion must be documented and communicated to the investor.

  • Purpose Limitation for Research

    Investor profile data collected for trade execution cannot be reused for research recommendations or cross-sell without separate consent under Section 6 of the DPDP Act, given for that new purpose. Co-mingling purposes under one consent breaches the purpose limitation in Section 6(1) and creates penalty exposure under the Schedule to the Act.

  • Trading Data Minimisation

    Only data necessary for trade execution and regulatory compliance may be collected and retained; Section 6(1) limits consent to the personal data necessary for the specified purpose. Collecting excess demographic or behavioural data without a stated purpose creates penalty exposure under the Schedule to the Act.

Full Registered Broker compliance guide
  • Health, Medical & Biometric Data

    The DPDP Act, unlike the GDPR and the withdrawn 2019 Bill, defines no separate "sensitive personal data" class. Health records, medical history and biometric data used in underwriting are personal data under the Act and carry the same consent, purpose-limitation and erasure obligations as any other personal data. Their sensitivity still matters: the volume and sensitivity of data processed is a factor in Significant Data Fiduciary designation under Section 10, and the type and nature of the data affected weighs in the Board's penalty assessment under Section 33.

  • Claims Data Retention

    IRDAI requires claims documentation to be retained for 3 years post-settlement. This creates a statutory retention override that must be logged in the Compliance Vault before honouring erasure requests.

  • Policyholder Marketing Consent

    Consent for marketing communications must be captured separately from service and policy consent. A pre-ticked opt-in box is not the clear affirmative action required by Section 6(1) of the DPDP Act, so consent captured that way is invalid.

Full Insurance compliance guide

The Conflict

RBI mandates 5-year KYC retention. DPDP requires erasure on consent withdrawal unless a law in force requires retention, and it is the Data Fiduciary that must show which law, for which records, for how long. Many fintechs are building consent systems that satisfy neither regulator: they either delete what RBI requires them to keep, or keep everything and call it compliance. They have no audit trail to prove otherwise.

The Resolution

Every consent is captured, timestamped, and attributed at the point of collection. Data held under a statutory mandate stays isolated under a documented Legal Obligation Override. Every other category follows DPDP erasure on request. One audit trail proves both obligations to either regulator.

DPDP Act 2023, Section 8(7), with the DPDP Rules 2025

Erase personal data when the Data Principal withdraws consent or the specified purpose is no longer served, whichever is earlier, unless retention is necessary for compliance with a law in force.

vs

RBI KYC Master Direction, 2016

Retain KYC and customer identification records for five years after the end of the business relationship.

ConsentOS resolves this conflict via the Compliance Vault. Your team does not choose between two regulators.
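To make the resolution above concrete, here is an added example in Python of the erasure adjudication it describes. This is illustration code written for this page, not ConsentOS's own code or API. It assumes hypothetical category labels ("kyc", "transaction", "marketing"), approximates five years as 1825 days, and uses a SHA-256 hash chain as a simple tamper-evidence mechanism for the audit trail; the sample records are constructed.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Statutory retention mandates the page cites, keyed by a hypothetical data
# category label. Five years is approximated as 5 * 365 days; a production
# system would apply the regulator's exact counting rule.
RETENTION_MANDATES = {
    "kyc": ("RBI KYC Master Direction 2016", timedelta(days=5 * 365)),
    "transaction": ("PMLA 2002 s.12", timedelta(days=5 * 365)),
}


@dataclass
class Record:
    record_id: str
    principal_id: str
    category: str                  # "kyc", "transaction", "marketing", ...
    purpose: str                   # the specified purpose consent was given for
    consent_given: date
    relationship_ended: date | None = None   # starts the statutory clock
    consent_withdrawn: date | None = None
    erased: bool = False


@dataclass
class AuditLog:
    """Append-only, hash-chained log: each entry commits to its predecessor."""
    entries: list[dict] = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, default=str).encode()
        ).hexdigest()

    def append(self, event: str, **detail) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "event": event, "prev": prev, **detail}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute every hash and link; any edit or reorder breaks the chain."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def evaluate_erasure(rec: Record, today: date, log: AuditLog) -> dict:
    """Erase, or retain under a documented Legal Obligation Override."""
    mandate = RETENTION_MANDATES.get(rec.category)
    if mandate:
        statute, period = mandate
        # The statutory clock has not started while the relationship is active.
        hold_until = None if rec.relationship_ended is None else rec.relationship_ended + period
        if hold_until is None or today < hold_until:
            decision = {"record_id": rec.record_id, "action": "retain",
                        "basis": "Legal Obligation Override", "statute": statute,
                        "hold_until": hold_until}
            log.append("legal_obligation_override", **decision)
            return decision
    rec.erased = True
    decision = {"record_id": rec.record_id, "action": "erase",
                "basis": "DPDP Act s.8(7): consent withdrawn, no retention mandate in force"}
    log.append("erased", **decision)
    return decision


def withdraw_consent(records: list[Record], principal_id: str, today: date, log: AuditLog) -> list[dict]:
    """Record the withdrawal, then adjudicate every record of that principal."""
    decisions = []
    for rec in records:
        if rec.principal_id != principal_id or rec.consent_withdrawn is not None:
            continue
        rec.consent_withdrawn = today
        log.append("consent_withdrawn", record_id=rec.record_id,
                   principal_id=principal_id, on=today)
        decisions.append(evaluate_erasure(rec, today, log))
    return decisions


def may_process(rec: Record, purpose: str) -> bool:
    """Enforced boundary: a record retained under hold is not a usable record."""
    return not rec.erased and rec.consent_withdrawn is None and rec.purpose == purpose


def demo() -> tuple[list[dict], list[Record], AuditLog]:
    # Constructed sample data for one Data Principal withdrawing on 2026-05-01.
    log = AuditLog()
    records = [
        Record("r1", "p-42", "kyc", "loan onboarding", date(2021, 3, 1),
               relationship_ended=date(2024, 6, 30)),                  # hold still running
        Record("r2", "p-42", "marketing", "product offers", date(2021, 3, 1)),
        Record("r3", "p-42", "transaction", "loan servicing", date(2016, 3, 1),
               relationship_ended=date(2019, 1, 1)),                   # hold expired
        Record("r4", "p-42", "kyc", "credit line onboarding", date(2023, 8, 1)),  # still a customer
    ]
    decisions = withdraw_consent(records, "p-42", date(2026, 5, 1), log)
    return decisions, records, log


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
```

Two design points worth noting. First, the override is recorded with the statute and the hold expiry date, so an auditor for either regulator can read one log and see why a record survived a withdrawal and when it will stop surviving; a record whose statutory clock has already run out is erased like any other. Second, `may_process` returns False for a record held under override: retention for a statutory purpose does not revive consent for the original purpose, which is the "enforced boundary" the page describes.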

Three principles. One operational framework.

Impenetrable Integrity.

Every consent record is logged, timestamped, and attributed at the moment of capture. Withdrawals update the audit trail in real time. The record of what was consented to, and when it changed, persists.

Precision Continuity.

Integrates into existing data flows without requiring product teams to rebuild core features. The compliance layer runs alongside your product, not against it.

Absolute Enforcement.

Automated protocols that halt data flow the moment consent is withdrawn. This is not an error state. It is an enforced boundary, and it is by design.

Not built for everyone.

ConsentOS is purpose-built for India's regulated sectors. If your compliance challenge is different, we will tell you directly.

If you need… | Better fit | ConsentOS is for…
Global compliance across 50+ countries | OneTrust (~₹84L/year minimum) | India-regulated fintech with RBI + DPDP dual obligations
Just a cookie consent banner for your website | CookieYes ($25/month) | Full compliance infrastructure: consent, vault, audit, breach
A human compliance advisor or part-time DPO | Tsaaro or a Big 4 firm | Automated compliance workflows that run without your team's ongoing intervention
ABDM-aligned patient consent without a second compliance system | A hospital-specific IT vendor | Hospitals where ABDM consent and DPDP data rights are the same patient record

We are built specifically for NBFCs, fintech lenders, registered brokers, insurance companies, and hospitals navigating India's dual-regime compliance challenge. Where DPDP obligations and sector-specific mandates are in direct conflict. If that is not your situation, one of the options above will serve you better.

Operational compliance in three stages.

From your first assessment to an ongoing audit trail, ConsentOS handles each stage.

Step 1: Understand your position.

Complete the free Compliance Vault Assessment. Ten questions across five compliance areas. Takes less than ten minutes. You receive a personalised PDF report with your compliance score and the exact gaps you need to close.

Step 2: Embed the framework.

ConsentOS integrates into your existing consent flows. Your engineering team makes targeted changes. Nothing is rebuilt from scratch. Your consent framework is operational within 30 days.

Step 3: Run continuously.

Every consent record is timestamped, stored, and withdrawal-ready from the moment of capture. The system handles ongoing compliance. Your team moves on to other work.

Frequently asked questions.

What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. It requires businesses to process personal data only with valid consent or for a legitimate use listed in Section 7, to honour Data Principal rights, and to intimate the Data Protection Board and affected Data Principals of personal data breaches, with the detailed report to the Board due within 72 hours under the DPDP Rules 2025. Penalties reach up to ₹250 crore.

What does ConsentOS do?

ConsentOS handles DPDP Act compliance for regulated BFSI entities: consent capture, Compliance Vault for RBI and PMLA retention conflicts, audit records, and withdrawal processing. Built for NBFCs, fintech lenders, insurance companies, and registered brokers operating under dual regulatory obligations.

How long does DPDP compliance take with ConsentOS?

Operational compliance in 30 days: consent capture, audit records, and the Compliance Vault configured against your sector's retention mandates. Ongoing obligations run under the monthly retainer.

What is a Consent Manager under the DPDP Act?

A Consent Manager is an entity registered with the Data Protection Board that lets Data Principals give, manage, review, and withdraw consent through a single platform. Registration requires meeting the conditions in the DPDP Rules 2025, including a ₹2 crore minimum net worth, and the registration window is expected to open in November 2026. ConsentOS operates as consent management infrastructure today and integrates with registered Consent Managers.

How much does ConsentOS cost?

Plans start at ₹2,999 per month with a one-time implementation fee. Four tiers cover NBFCs, fintech lenders, brokers, insurance companies, and Significant Data Fiduciaries. Compare plans on the pricing page.

Which sectors is ConsentOS built for?

ConsentOS is built for India's regulated sectors: NBFCs, fintech lenders, registered brokers, insurance companies, and hospitals managing ABDM consent alongside DPDP obligations. Each carries dual obligations where a sector regulator and the DPDP Act govern the same records.

Understand your DPDP compliance position in under ten minutes.

The free Compliance Vault Assessment covers five compliance areas under the DPDP Act 2023. You receive a scored PDF report with a prioritised action list. No sales call required to access it.


No commitment. Delivered within minutes.

Or explore the platform: read the Technical Brief.