DPDP & Privacy Operations
Breach deadlines, DPIAs, SDF classification, and audit packs — built for Data Fiduciaries.
What this replaces
The DPDP Act gives you 72 hours to notify the Data Protection Board and CERT-In expects 6 — deadlines that spreadsheet-based privacy programs discover mid-incident. Most global GRC tools treat Indian regulation as an afterthought.
What Offload does
A Data Fiduciary's control panel for the DPDP Act, 2023 and CERT-In Directions 2022: breach notification with statutory deadlines, DPIA lifecycle, SDF classification, vendor due diligence, and audit-ready evidence packs.
What you get
- Breach lifecycle per Rule 7: detect → declare → assess → report → close, with 72-hour DPB and 6-hour CERT-In deadline tracking and watchdog alarms
- Rule 7(2) nine-section report validation; CERT-In Annexure I across 18 incident categories
- DPIA lifecycle (draft → review → approve/expire) satisfying Section 13 obligations
- Significant Data Fiduciary classification with Section 10 obligations surfaced
- 18-question vendor/processor due-diligence assessments
- SCF-mapped readiness scoring with Section 8(6) penalty-exposure estimate
- Immutable audit-event log and generated audit packs; transfer impact analysis
How it works
The module is a pure domain core — state machines, validators, scoring — wrapped by services that persist state, emit audit events, and integrate the risk register. Every statutory workflow is deterministic and testable.
Every material action lands in an immutable audit log from which regulator- and board-ready packs are generated.
One platform, one risk view
DPDP readiness and breach posture feed the risk register and compliance dashboards; breach workflows raise central alerts; evidence joins the same reporting layer as the rest of the platform.