DPDP Act 2023 Infrastructure
The consent management platform built for India
A consent management platform governs how a business obtains, records, and acts on personal data consent. ConsentOS is built for the DPDP Act 2023 alone, by an India-incorporated company, and carries the retention controls a regulated Indian business needs. Consent records, data principal rights, and breach notification. Each governed to statute.
What the DPDP Act requires of the platform
A consent management platform is judged on the obligations it discharges, not the features it lists. ConsentOS maps each capability to the section of the DPDP Act 2023 that governs it.
Section 6, Section 5
Consent capture and records
Granular, purpose-bound consent with a notice in English and the Eighth Schedule languages. Every grant, withdrawal, and notice version filed and retrievable as a record.
Sections 11 to 14
Data principal rights
Access, correction, and erasure requests received, tracked to a deadline, and resolved. A denial register for requests a statute requires you to refuse.
Section 8(6), Rule 7
Breach notification workflow
A breach record, a Board notification path, and an affected-principal notification path. The 72-hour window tracked from detection, not from convenience.
Section 6(7), Rule 4
Consent Manager registration path
An India-incorporated entity built to seek registration with the Data Protection Board of India when the window opens, expected around November 2026.
Section 8(7)
Retention and erasure control
Field-level resolution of statutory retention against the erasure right. When RBI or PMLA requires you to keep data a customer asks you to delete, the platform records the refusal and the mandate behind it.
Section 8(2)
Audit and inspection readiness
A consent record, a decision log, and a notice archive an inspector accepts. Evidence of compliance, not a description of it.
The India-incorporation requirement
The DPDP Act 2023 creates a Consent Manager registration regime. A registered Consent Manager must be an India-incorporated entity registered with the Data Protection Board of India, with the registration window expected around November 2026. CivicLayer Technologies Private Limited is India-incorporated and is building ConsentOS to seek that registration. A global suite operating a DPDP module on a GDPR-first engine carries no India-incorporated entity for this regime. See the full DPDP platform comparison for how the field divides on this line.
Buying software, or buying the obligation met
If you are evaluating the category by feature list, read the DPDP compliance software buyer's guide, which covers what to demand from any vendor. This page covers the platform itself. The distinction that matters for a regulated business is whether the platform produces evidence an inspector accepts when a statutory retention mandate collides with the erasure right. ConsentOS resolves that conflict at field level.
Built for regulated Indian sectors
Consent under the DPDP Act 2023 collides with sector retention mandates. ConsentOS maps those mandates at field level for the sectors that carry the sharpest conflict.
Measure your position first
Three free tools, no account required. Each returns a result you can act on.
Consent management platform, answered.
What is a consent management platform under the DPDP Act 2023?
A consent management platform is the infrastructure a business uses to obtain, record, and act on personal data consent under the DPDP Act 2023. It captures purpose-bound consent against a compliant notice, files every grant and withdrawal as a retrievable record, handles data principal access and erasure requests against statutory deadlines, and runs the breach notification workflow. ConsentOS provides this for Indian businesses, with the retention and erasure controls a regulated sector requires.
Does a consent management platform have to be India-incorporated?
The platform itself does not, but the DPDP Act 2023 creates a separate Consent Manager registration regime, and a registered Consent Manager must be an India-incorporated entity registered with the Data Protection Board of India. The registration window is expected to open around November 2026. ConsentOS is built by CivicLayer Technologies Private Limited, an India-incorporated company, and is built to seek that registration. A GDPR-first global suite with no India-incorporated entity cannot.
What should a consent management platform do for a regulated business in India?
For a regulated lender, insurer, or broker, the binding requirement is resolving the conflict between statutory retention and the DPDP erasure right. When a customer demands erasure of data the RBI or PMLA requires you to retain, the platform must record a refusal that cites the mandate, retain only the mandated fields, and log the decision in a denial register the Data Protection Board accepts. ConsentOS resolves this at field level. A generic consent tool does not model the conflict.
Is a consent management platform the same as a cookie consent tool?
No. A cookie consent banner governs tracking technologies on a website. A consent management platform governs the full personal data obligation set under the DPDP Act 2023: consent records, data principal rights, breach notification, retention control, and audit evidence. A cookie banner is one narrow input. ConsentOS covers the obligation set a data fiduciary carries.
How long does ConsentOS take to deploy?
ConsentOS installs operational DPDP Act 2023 compliance infrastructure in 30 days at a fixed scope. The Gap Assessment scores your current position across the obligation set first, so the deployment starts from a measured baseline rather than a blank one. Current tiers are on the ConsentOS pricing page.
Score your DPDP position. Free.
The Gap Assessment scores your position across the DPDP obligation set and returns a PDF report in minutes. No account required.
Run the Gap AssessmentComparing platforms? See the DPDP platform comparison.