Built for DPDP from Day One

Compliance
in India
is broken.

We're fixing it.

DPDP compliance software for Indian enterprises, with a complete Governance, Risk & Compliance core. Purpose-built for the DPDP Act 2023 (DPDPA) and ISO 27001:2022. One platform, both frameworks, every control.

app.vratex.com
Risk Register
5 risks
RiskLIScoreStatus
Unauthorised data access4520Open
Third-party data sharing3412Mitigating
Inadequate encryption3515Open
Missing consent records4416Mitigating
Weak access controls236Closed
DPDP Act 2023 · Enforcement timeline
13 Nov 2025In force
DPDP Rules notifiedData Protection Board in force
13 Nov 2026Next
Penalties activateUp to ₹250 Cr per violation
13 May 2027Deadline
Full compliance requiredConsent, rights & SDF obligations
The Problem

The Compliance Reckoning Is Here

The Digital Personal Data Protection Act 2023 is India's most consequential data law in a generation. Penalties up to 0 Cr per violation. And the average Indian company manages compliance on spreadsheets and email chains.

risk-register-FINAL-v7 (3).xlsxModified 8 months ago
PROTECTED VIEW: this file originated as an email attachment
fx=VLOOKUP(#REF!, Risks_2024!A:F, 4, FALSE)
ABCD
1RiskOwnerScoreLast review
2Unauthorised data accessPriya (left in Nov)#REF!Nov 2025 ??
3Vendor DPA missing1603/2025 (text)
4#REF!#REF!#REF!
5Consent recordsRahuldone??check w/ legal
6TODO: update after audit (copied from v5, verify against Ramesh's copy)
12 broken referencesSheet 3 of 11

Your risk register, today

The Spreadsheet Trap

Risk registers in Excel are indefensible. When the regulator or an SDF audit asks for your register, there is no version of record, no accountability trail, no defensible due diligence.

The Invisible Audit Trail

DPDP Section 8(5) requires reasonable security safeguards. ISO 27001 Clause 9.1 requires performance evaluation. Both demand evidence of who did what, and when.

The Consultant Dependency

External GRC consultants charge ₹5–20 lakh per engagement, produce a static PDF, and leave. Six months later it's outdated. No institutional memory.

The India-Fit Problem

Most GRC platforms were built for GDPR, SOX, or SOC 2. DPDP Act 2023 has distinct obligations these tools treat as an afterthought. You get a cross-reference PDF bolted onto a foreign framework.

Regulatory Exposure

The DPDP Rules are notified and the Data Protection Board provisions are in force. Penalties activate on 13 November 2026. The organisations treating this as a future problem will be the organisations paying penalties and scrambling to rebuild compliance programmes under regulatory scrutiny.

The Platform

Three Integrated Capabilities

One cohesive compliance programme. Not three disconnected tools.

Risk Register

Continuous Compliance, Not Annual Theatre

Map, score, and track every enterprise risk. Linked to ISO 27001 Annex A controls and DPDP obligations.

  • 5×5 likelihood/impact scoring for inherent and residual risk
  • Table and heat map views for analysis, board reporting, and treatment workflow
  • Hash-stamped change log on every record for a defensible audit trail
app.vratex.com
Risk Register
5 risks
RiskLIScoreStatus
Unauthorised data access4520Open
Third-party data sharing3412Mitigating
Inadequate encryption3515Open
Missing consent records4416Mitigating
Weak access controls236Closed
Audit & Compliance

Evidence-Ready From Day One

Pre-loaded with all 93 ISO 27001:2022 Annex A controls and the DPDP Act's core obligations, pre-mapped. Nothing to configure.

  • Attach evidence files directly to each control: PDFs, screenshots, policy documents
  • Vratex Steps: step-by-step implementation guidance on every control, with status tracking and overdue indicators
  • One-click PDF export formatted for external auditors with evidence index
app.vratex.com
ISO 27001:2022 · Annex A
62%
A.5.1Information security policiesCompliant3 files
A.5.2Information security rolesCompliant2 files
~
A.6.1Screening of personnelIn Progress1 files
~
A.6.2Terms and conditions of employmentIn Progress
A.7.1Physical security perimetersNot Started
A.8.1User endpoint devicesCompliant4 files
AI Gap Analysis

From Posture to Roadmap in Seconds

AI analyses your entire compliance posture. Gaps are ranked by regulatory exposure, not alphabetical order.

  • Surfaces critical gaps and generates a structured, time-bounded remediation roadmap
  • Quick wins identified automatically. Close compliance gaps in hours, not months
  • Full audit report generation enriched with findings and evidence status
app.vratex.com
AI Gap Analysis
AI-Powered
Critical Gaps Found
1.Data Processing Agreement templates missing for 3 vendor relationships (DPDP S.8 non-compliance risk)
2.No documented consent withdrawal mechanism as required under DPDP S.6(4)
3.Incident response plan not tested in 12 months (ISO 27001 A.5.24 gap)
Quick Wins
Publish data retention schedule: 2 hours, closes DPDP S.8(7)
Enable MFA on admin accounts: 30 minutes, closes A.8.5
Generating remediation roadmap...
AI-Powered

Six AI Capabilities, One Intelligent Platform

Every AI feature runs server-side, streaming results in real time. No spreadsheet can do this.

Gap Analysis

Scans your entire compliance posture and ranks gaps by regulatory exposure, not alphabetically.

Control Guidance

Contextual implementation advice for every ISO 27001 and DPDP control. No more Googling standards.

Evidence Adequacy Check

AI reviews your uploaded evidence and tells you if it's sufficient or what's missing.

Finding Writer

Generates formal audit findings from compliance gaps: title, description, impact, recommendation.

Remediation Roadmap

Three-phase action plan: Quick Wins, Medium Effort, Structural. Each with time estimates.

Audit Report

Full audit report generated from your data, enriched with prior findings and evidence status.

AI-Powered. Built for Indian compliance.
Competitive Position

The Gap Vratex™ Fills

Privacy tools can't run your ISO 27001 programme. GRC tools treat the DPDP Act as an afterthought. Vratex is built ground-up for both.

CapabilityPrivacy-Ops ToolsGRC Automation ToolsVratex™
DPDP Act 2023, nativeCore focusThin add-on (2025-26)Built-in
ISO 27001:2022 (93 controls)Not coveredBuilt-inBuilt-in
Both frameworks, one risk registerNoNoBuilt-in
AI gap analysis, evidence checks, audit reportsRareVaries6 AI features
Public Trust Center pageNoCommonIncluded
Template marketplace (frameworks & checklists)NoLimitedIncluded
Data hosted in IndiaUsuallyVariesMumbai, always
CommercialsPer-consent pricingUSD, US-market pricingINR, GST invoice
Why Vratex™

Six Reasons Compliance Leaders Choose Vratex™

India-First, Not India-Adapted

DPDP Act 2023 controls are native. Pre-seeded, pre-mapped, ready on day one. Not a plugin, not a cross-reference PDF. Built in.

Fraction of the Consultant Cost

A fraction of the cost versus ₹5–20 lakh per engagement. Vratex™ never leaves. It updates as your posture changes, continuously.

Evidence When You Need It

Attach evidence to every control. When an ISO auditor arrives, you produce a complete timestamped evidence pack. No frantic search.

Database-Layer Tenant Isolation

Row-level security at the Postgres engine. A code bug is far less likely to become your compliance breach. No organisation ever sees another's data.

Proof of Diligence, On Demand

Every action logged to a hash-stamped audit table. A regulator asks 'what did you know?' You have the answer.

Priced for the Indian Market

No USD pricing. No opaque enterprise quotes. GST-compliant INR invoicing, designed for how India buys.

Standards & Security

Built for the Frameworks That Matter

Every design decision was made with DPDP Section 8(5) in view.

DPDP

DPDP Act 2023

India's Digital Personal Data Protection Act. Core obligations pre-mapped and pre-seeded, ready from day one.

ISO

ISO/IEC 27001:2022

All 0 Annex A controls with step-by-step implementation checklists, evidence tracking, and gap analysis.

Enterprise Architecture

Security built into the database layer. Not bolted on after.

Row-Level SecurityDPDP S.8(5)
Mumbai Data ResidencyIndia-hosted data
Hash-Stamped Audit LogTamper-evident records
TOTP MFA AvailableAccount security
Erasure-Ready ArchitectureDPDP S.12
FAQ

Common Questions About DPDP & ISO 27001 Compliance

Everything Indian enterprises need to know about DPDP Act 2023 and ISO 27001 compliance, answered plainly.