1 Why "aligned" and not "certified"
The DPDP Act 2023 received presidential assent on 11 August 2023. The operational rules are being notified by the central government in phases. As of May 2026, several substantive provisions are still pending notification.
Crucially, the Act establishes the Data Protection Board of India as the supervisory authority, but the Board is still being constituted. No statutory certification scheme exists yet, and no government-accredited body issues "DPDP certifications."
Any vendor today claiming to be "DPDP-certified" is overclaiming. The correct, defensible position is "DPDP-aligned" — meaning we have implemented the substantive obligations and are operationally ready for full enforcement when all rules are notified.
2 What we have implemented
Ten substantive obligations from the DPDP Act 2023, each with operational implementation in Headx Monitor:
| DPDP obligation | Status | Implementation |
|---|---|---|
| Granular per-purpose consent (Section 6) | Done | Per-capability consent flags; withdrawable in dashboard |
| Notice with purpose and rights (Section 5) | Done | Privacy Notice at /privacy, plain-English |
| Right to access personal data (Section 11) | Done | Request via privacy@headx.in. SLA: 48h ack, 30d fulfil |
| Right to correction (Section 12) | Done | Same workflow as access; in-product self-service available |
| Right to erasure (Section 12) | Done | Within 30d of confirmed request; backups purged within 180d |
| Right to nominate (Section 14) | Done | Written nomination form on file; honoured on death/incapacity |
| Right to withdraw consent (Section 6(4)) | Done | Self-service in dashboard; immediate processing-stop |
| Grievance redressal (Section 13) | Done | Grievance Officer: privacy@headx.in |
| Breach notification (Section 8(6)) | Done | 72-hour notification; concurrent CERT-In reporting |
| Reasonable security safeguards (Section 8(5)) | Done | TLS 1.3, AES-256, MFA, audit logging (full details in the Security Architecture document) |
Additional operational implementations
- Indian data residency — Cloud edition hosted in AWS Mumbai (ap-south-1); no cross-border replication
- Sub-processor register — published with locations and data accessed; updated on changes
- Purpose limitation — contractual restriction in the DPA: data processed only for instructed purposes
- Retention policy — explicit retention windows per data class, customer-configurable
- Data Processing Agreement (DPA) — signed by Headx's authorised signatory; available on request
- Consent + Acceptable Use Policy templates — bundled with the product, reviewed under Indian law
3 Our role: Data Processor, not Data Fiduciary
For employee monitoring data captured by our agent on behalf of a corporate customer, Headx Monitor is the Data Processor. The corporate customer (the employer) is the Data Fiduciary.
This distinction matters because:
- The corporate customer is responsible for obtaining employee consent, designating their own Grievance Officer, and meeting Data Fiduciary obligations
- Headx is responsible for processing on documented instructions, implementing reasonable security, and facilitating data-principal rights requests
- The DPA between Headx and the customer codifies this division of responsibility
For marketing-side data (visitors to headx.in, sales prospects), Headx is the Data Fiduciary. Our Privacy Notice at /privacy covers this role.
4 What we cannot claim
We list these explicitly so security reviewers know we are not glossing over gaps:
- Cannot claim: formal "DPDP-certified" status — no certification scheme exists today
- Cannot claim: Significant Data Fiduciary (SDF) compliance — SDF designation is conferred by the central government
- Pending: cross-border transfer assessment — Section 16 transfer rules not yet notified
- Out of scope: children's data processing — services not intended for under-18s (Privacy Notice §12)
5 Sector overlap (RBI, IRDAI, SEBI)
For BFSI, NBFC, fintech, and insurance customers, the DPDP Act sits on top of existing sector frameworks. The substantive overlap:
| Framework | Overlap with DPDP |
|---|---|
| RBI Cyber Security Framework for Banks (2016) | Reasonable security safeguards; incident reporting |
| RBI Master Direction on IT Outsourcing (2023) | Sub-processor controls; data residency in India |
| IRDAI Information and Cyber Security Guidelines (2017) | Encryption, access controls, breach reporting |
| SEBI Cybersecurity and Cyber Resilience Framework (2022) | Cyber-incident reporting; data classification |
Practical implication: customers regulated by these frameworks meet most DPDP obligations as a side effect of meeting their sector requirements, provided Headx Monitor is configured per our deployment guidance.
6 Available artefacts (under NDA)
The following documents are available to qualified customer evaluators on signed NDA, typically within 24 hours of request:
- Data Processing Agreement (DPA) signed by Headx authorised signatory
- DPDP Act gap-assessment matrix (clause-by-clause)
- Sub-processor register with annual review records
- Privacy impact assessment template (DPIA) — for customer to complete on their side
- Incident response playbook (redacted)
- Penetration test executive summary
- Pre-filled CAIQ / SIG / customer-specific security questionnaires
Request via security@headx.in or legal@headx.in.
7 Contact
- Privacy & Grievance Officer — privacy@headx.in (48h ack, 30d resolution)
- Security questions — security@headx.in
- Legal & DPA — legal@headx.in
- Sales / pre-procurement — sales@headx.in
Related documents
- Security Architecture — full technical security documentation
- ISO 27001 Status — current certification progress
- Privacy Policy — how we handle personal data
- Employee Monitoring Laws in India — legal framework guide
- DPDP Act 2023 Guide for HR and IT Teams — operational checklist
Need detailed audit evidence or a signed DPA?
The full Statement of Applicability, latest penetration-test summary, sub-processor register with annual review records, and pre-filled CAIQ / SIG questionnaires are available under NDA — typically within 24 hours (IST business days).