Vishwaas AI Makes Proof Automatic.
Legal and compliance teams spend weeks preparing evidence for regulatory inquiries. Vishwaas AI makes that evidence available in minutes — cryptographically signed, tamper-evident, and DPBI-ready. Focus on advising the business. Let the platform handle the proof.
The DPDP Act 2023 creates compliance obligations that your existing legal operations tools were not designed to meet.
| What the DPDP Act Requires | What Existing Tools Typically Provide | Vishwaas AI |
|---|---|---|
|
Cryptographic proof of consent §6(3) |
Database timestamp — alterable, legally questionable | SHA-256 + RSA + RFC 3161 TSA token |
|
Notice in 22 Indian languages Rule 3 |
English-only templates with manual translation | All 22 Eighth Schedule languages, built-in |
|
90-day DPR SLA with audit trail Rule 10 |
Email inbox + spreadsheet tracker | Automated SLA countdown with DPBI escalation path |
|
72-hour DPBI breach notification Rule 8 |
Manual process — no countdown, no template | Live 72-hr clock, DPBI notification workflow, auto-alerts |
|
Erasure communicated to all processors §12(3) |
Manual emails to vendors — no confirmation tracking | Consent Propagation webhooks with per-system delivery confirmation |
|
7-year consent artifact retention Rule 4 |
Backup policy — not defensible as a legal artifact | Append-only ledger; every record permanently immutable |
Vishwaas AI closes every one of these gaps — not with workarounds, but with purpose-built legal-grade tooling.
The DPDP Act Standard
DPDP Rules 2025 Rule 4(3) requires a consent artifact to identify: the data principal, the purpose, the notice version, the timestamp, and the channel.
The Harder Question
A consent artifact that merely satisfies Rule 4(3) in form is not necessarily defensible in a DPBI adjudication. The DPBI can ask: "How do we know this record was not created after the complaint was filed?"
Vishwaas AI's answer is a four-layer legal proof chain — each layer independently verifiable by the DPBI, courts, or any third party, with no dependency on Vishwaas AI infrastructure.
Read the Non-Repudiation WhitepaperThe exact multilingual text the data principal was shown at the moment of consent, stored immutably. Not a reference to a notice. The actual words, in the actual language.
SHA-256 hash chain linking every record to every other. Any alteration to any record breaks the chain — and the break is immediately detectable by the DPBI.
Signed with your organisation's private key held in AWS KMS HSM. Binds the consent record to your legal entity — the signature is your organisation's, not Vishwaas AI's.
Issued by DigiCert/GlobalSign. The timestamp cannot be set by your organisation and cannot be backdated. When the DPBI says "prove this consent was obtained on 1 March 2026", you produce the TSA token — verifiable by any party, independently of Vishwaas AI infrastructure.
The legal standard the DPDP Act requiresNotice Workflow
Privacy Manager authors notice
Draft in any language, version controlled
Legal Officer reviews ← Your step
▸Plain language check
▸Mandatory elements completeness
▸Multilingual accuracy flag
▸Standalone format confirmation
DPO approves
Approval recorded with name, timestamp, notice version
Notice publishes
Version locked · Content hash recorded · Immutable from this point
Your legal officer's review decision — approve, reject, or request revision — is recorded in the audit trail with your name, timestamp, and the specific notice version reviewed. When the DPBI asks "did a qualified legal professional review this notice?", the answer is documented and immutable.
The DPDP Act Standard
Rule 3 requires notices to be: in plain language, standalone (not bundled with T&Cs), in English and at least one Eighth Schedule language, and to cover five mandatory elements.
Vishwaas AI includes a mandatory legal review gate built into the notice workflow. No notice can be published without a Legal Officer's recorded decision and DPO approval — in that order.
delivered_at and acknowledged_at per principal
The DPDP Act Standard
§8(7) requires personal data to be erased when consent is withdrawn or when the purpose for which it was collected has been fulfilled.
Define retention periods per consent purpose (in days)
Auto-deletion triggers when purpose is fulfilled or consent is withdrawn
Erasure jobs tracked per data system — the DPR module orchestrates deletion from every system linked via the Identity Unification engine
Erasure communicated to all Data Processors (§12(3)) via Consent Propagation webhooks; delivery confirmed per system
RoPA export in signed PDF format for DPBI inspection
No more erasure obligations that are acknowledged in policy but not tracked in practice.
Data principal withdraws consent → Vishwaas AI fires withdrawal event → Consent Propagation notifies all downstream systems in <5 seconds → erasure jobs created per system → completion tracked and logged.
Each consent purpose carries a retention_days field. When the period expires, automated erasure jobs activate per the data asset map — no manual intervention required.
Every erasure event — trigger, execution, processor confirmation — is logged immutably. The audit trail answers §12(3) questions with a single signed PDF export.
Vendor / Processor Register
DPA Status OverviewAWS (Data Processor)
Storage, compute, KMS
SendGrid (Email)
DPR notice dispatch
Salesforce CRM
Customer data source
Analytics Vendor
Cross-border (SG)
When the DPBI asks "show us your processor agreements and their current status" —
30-second export →The DPDP Act Standard
§8(4) requires Data Fiduciaries to ensure Data Processors provide sufficient guarantees. §8(5) prohibits engaging a processor without a valid contract.
Vendor register with DPA status tracking (active, expiring, expired, not signed)
DPA upload and version management per vendor
Cross-border transfer tracking — flags data transfers outside India; documents legal basis per transfer
Annual vendor assessment workflow — schedule, track, and record completion
Risk scoring per vendor (data categories × processing jurisdiction × DPA status)
Vendor Risk Report — signed PDF, DPBI-ready summary of all processor arrangements
The DPDP Act Standard
§§11–14 and Rule 10 establish rights with statutory timelines that carry DPBI escalation consequences if missed.
| Right | SLA | Miss Consequence |
|---|---|---|
| Access | 90 days | DPBI complaint; potential penalty |
| Correction | 90 days | DPBI complaint |
| Erasure | 90 days | DPBI complaint |
| Nomination | 90 days | DPBI complaint |
| Grievance | 30 days | DPBI complaint |
Vishwaas AI enforces these SLAs operationally — not as a policy document, but as live countdown clocks that escalate before deadlines pass.
Reference numbers for every DPR request, for use in all correspondence with data principals and the DPBI.
Overdue requests are flagged red before the deadline passes. Escalation alerts sent to DPO and Legal Officer.
Email OTP, DigiLocker, or Aadhaar — documented and evidenced per request before any data is disclosed.
Compliant escalation process with timestamp and DPO notification — when a data principal escalates to the Board, the record is already prepared.
Required by Rule 9(3) for grievance rejections. Dispatched via email with delivery confirmation — logged in the audit trail.
Signed PDF with SLA compliance metrics per period. One click — DPBI-ready.
When your organisation receives a DPBI notice, Vishwaas AI produces the requested evidence immediately. All exports are RFC 3161-timestamped at the time of generation — the export itself is a legally defensible artifact.
| DPBI Request | Vishwaas AI Response | Time to Produce |
|---|---|---|
| All consent records for data principal X | Unified Profile → Consent Timeline (signed PDF) | < 1 min |
| Proof that notice was delivered before consent | Notice delivery log: delivered_at + acknowledged_at per principal |
< 1 min |
| Full audit log for investigation period | Audit Log Export (CSV) + chain verification result | < 5 min |
| Breach notification record | Breach Register Export (signed PDF): discovery timestamp vs. DPBI notification timestamp | < 1 min |
| All DPR requests and their resolution status | DPR Performance Report (signed PDF) | < 1 min |
| DPIA register | DPIA Register Export (signed PDF) with DPO approval certificates | < 1 min |
| Vendor processor register and DPA status | Vendor Risk Report (signed PDF) | < 1 min |
All exports are RFC 3161-timestamped at the time of generation. The export itself is a legally defensible artifact — it carries a third-party timestamp from DigiCert/GlobalSign, not a server timestamp set by Vishwaas AI.
Common questions from privacy counsel, compliance heads, and general counsel evaluating Vishwaas AI.
RFC 3161-compliant timestamps are recognised as admissible electronic records under the Information Technology Act, 2000, when issued by a Certifying Authority. RSA digital signatures provide authentication under the same framework. The combination of hash chain + RSA signature + RFC 3161 TSA token satisfies the evidentiary standard for DPBI adjudication and civil court proceedings.
Engage your legal counsel for advice specific to your evidentiary context.
Purposes with lawful_basis: legal_obligation or lawful_basis: legitimate_interests are processed without consent records. Every processing event is still logged in the audit trail with the lawful basis documented. This provides the evidentiary record for DPDP Act §7 legitimate use defences.
Yes. Enterprise plan customers receive a standard Data Processing Agreement template for use with their downstream vendors and processors. Vishwaas AI also signs a DPA as a Data Processor for Enterprise plan customers.
Template reviewed by qualified Indian privacy counsel.
Each consent purpose carries a retention_days field. When a consent purpose's retention period expires, Vishwaas AI triggers automated erasure jobs per the data asset map. For data in external source systems, the erasure job creates an orchestrated deletion task tracked to completion. The erasure event is logged immutably in the audit trail.
Vishwaas AI supports 11 admin role patterns including a dedicated Legal Officer role. Legal Officers have scoped access to notice review and approval, audit log exports, DPR reports, and DPIA registers — without access to operational configuration settings. Role-based access ensures separation of duties and prevents accidental changes to live compliance workflows.
See Vishwaas AI produce a DPBI evidence package live — for a data principal, a consent record, a breach incident, or a DPR request — in under a minute.