Compliance
in India
is broken.
We're fixing it.
DPDP compliance software for Indian enterprises, with a complete Governance, Risk & Compliance core. Purpose-built for the DPDP Act 2023 (DPDPA) and ISO 27001:2022. One platform, both frameworks, every control.
| Risk | L | I | Score | Status |
|---|---|---|---|---|
| Unauthorised data access | 4 | 5 | 20 | Open |
| Third-party data sharing | 3 | 4 | 12 | Mitigating |
| Inadequate encryption | 3 | 5 | 15 | Open |
| Missing consent records | 4 | 4 | 16 | Mitigating |
| Weak access controls | 2 | 3 | 6 | Closed |
The Compliance Reckoning Is Here
The Digital Personal Data Protection Act 2023 is India's most consequential data law in a generation. Penalties up to ₹0 Cr per violation. And the average Indian company manages compliance on spreadsheets and email chains.
| A | B | C | D | |
|---|---|---|---|---|
| 1 | Risk | Owner | Score | Last review |
| 2 | Unauthorised data access | Priya (left in Nov) | #REF! | Nov 2025 ?? |
| 3 | Vendor DPA missing | 16 | 03/2025 (text) | |
| 4 | #REF! | #REF! | #REF! | |
| 5 | Consent records | Rahul | done?? | check w/ legal |
| 6 | TODO: update after audit (copied from v5, verify against Ramesh's copy) | |||
Your risk register, today
The Spreadsheet Trap
Risk registers in Excel are indefensible. When the regulator or an SDF audit asks for your register, there is no version of record, no accountability trail, no defensible due diligence.
The Invisible Audit Trail
DPDP Section 8(5) requires reasonable security safeguards. ISO 27001 Clause 9.1 requires performance evaluation. Both demand evidence of who did what, and when.
The Consultant Dependency
External GRC consultants charge ₹5–20 lakh per engagement, produce a static PDF, and leave. Six months later it's outdated. No institutional memory.
The India-Fit Problem
Most GRC platforms were built for GDPR, SOX, or SOC 2. DPDP Act 2023 has distinct obligations these tools treat as an afterthought. You get a cross-reference PDF bolted onto a foreign framework.
The DPDP Rules are notified and the Data Protection Board provisions are in force. Penalties activate on 13 November 2026. The organisations treating this as a future problem will be the organisations paying penalties and scrambling to rebuild compliance programmes under regulatory scrutiny.
Three Integrated Capabilities
One cohesive compliance programme. Not three disconnected tools.
Continuous Compliance, Not Annual Theatre
Map, score, and track every enterprise risk. Linked to ISO 27001 Annex A controls and DPDP obligations.
- 5×5 likelihood/impact scoring for inherent and residual risk
- Table and heat map views for analysis, board reporting, and treatment workflow
- Hash-stamped change log on every record for a defensible audit trail
| Risk | L | I | Score | Status |
|---|---|---|---|---|
| Unauthorised data access | 4 | 5 | 20 | Open |
| Third-party data sharing | 3 | 4 | 12 | Mitigating |
| Inadequate encryption | 3 | 5 | 15 | Open |
| Missing consent records | 4 | 4 | 16 | Mitigating |
| Weak access controls | 2 | 3 | 6 | Closed |
Evidence-Ready From Day One
Pre-loaded with all 93 ISO 27001:2022 Annex A controls and the DPDP Act's core obligations, pre-mapped. Nothing to configure.
- Attach evidence files directly to each control: PDFs, screenshots, policy documents
- Vratex Steps: step-by-step implementation guidance on every control, with status tracking and overdue indicators
- One-click PDF export formatted for external auditors with evidence index
From Posture to Roadmap in Seconds
AI analyses your entire compliance posture. Gaps are ranked by regulatory exposure, not alphabetical order.
- Surfaces critical gaps and generates a structured, time-bounded remediation roadmap
- Quick wins identified automatically. Close compliance gaps in hours, not months
- Full audit report generation enriched with findings and evidence status
Six AI Capabilities, One Intelligent Platform
Every AI feature runs server-side, streaming results in real time. No spreadsheet can do this.
Gap Analysis
Scans your entire compliance posture and ranks gaps by regulatory exposure, not alphabetically.
Control Guidance
Contextual implementation advice for every ISO 27001 and DPDP control. No more Googling standards.
Evidence Adequacy Check
AI reviews your uploaded evidence and tells you if it's sufficient or what's missing.
Finding Writer
Generates formal audit findings from compliance gaps: title, description, impact, recommendation.
Remediation Roadmap
Three-phase action plan: Quick Wins, Medium Effort, Structural. Each with time estimates.
Audit Report
Full audit report generated from your data, enriched with prior findings and evidence status.
The Gap Vratex™ Fills
Privacy tools can't run your ISO 27001 programme. GRC tools treat the DPDP Act as an afterthought. Vratex is built ground-up for both.
| Capability | Privacy-Ops Tools | GRC Automation Tools | Vratex™ |
|---|---|---|---|
| DPDP Act 2023, native | Core focus | Thin add-on (2025-26) | Built-in |
| ISO 27001:2022 (93 controls) | Not covered | Built-in | Built-in |
| Both frameworks, one risk register | No | No | Built-in |
| AI gap analysis, evidence checks, audit reports | Rare | Varies | 6 AI features |
| Public Trust Center page | No | Common | Included |
| Template marketplace (frameworks & checklists) | No | Limited | Included |
| Data hosted in India | Usually | Varies | Mumbai, always |
| Commercials | Per-consent pricing | USD, US-market pricing | INR, GST invoice |
Six Reasons Compliance Leaders Choose Vratex™
India-First, Not India-Adapted
DPDP Act 2023 controls are native. Pre-seeded, pre-mapped, ready on day one. Not a plugin, not a cross-reference PDF. Built in.
Fraction of the Consultant Cost
A fraction of the cost versus ₹5–20 lakh per engagement. Vratex™ never leaves. It updates as your posture changes, continuously.
Evidence When You Need It
Attach evidence to every control. When an ISO auditor arrives, you produce a complete timestamped evidence pack. No frantic search.
Database-Layer Tenant Isolation
Row-level security at the Postgres engine. A code bug is far less likely to become your compliance breach. No organisation ever sees another's data.
Proof of Diligence, On Demand
Every action logged to a hash-stamped audit table. A regulator asks 'what did you know?' You have the answer.
Priced for the Indian Market
No USD pricing. No opaque enterprise quotes. GST-compliant INR invoicing, designed for how India buys.
Built for the Frameworks That Matter
Every design decision was made with DPDP Section 8(5) in view.
DPDP Act 2023
India's Digital Personal Data Protection Act. Core obligations pre-mapped and pre-seeded, ready from day one.
ISO/IEC 27001:2022
All 0 Annex A controls with step-by-step implementation checklists, evidence tracking, and gap analysis.
Enterprise Architecture
Security built into the database layer. Not bolted on after.
Common Questions About DPDP & ISO 27001 Compliance
Everything Indian enterprises need to know about DPDP Act 2023 and ISO 27001 compliance, answered plainly.
