DPDP Compliance (India)

Learn how to ensure your code meets India's Digital Personal Data Protection Act 2023 (DPDP) requirements with Juro's compliance scanning.

✅ Current Implementation Status

Juro includes 25 comprehensive DPDP rules that are fully implemented and actively scanning your code:

Implemented Rule Categories

Consent & Notice (5 rules) – Consent before processing, purpose-specific consent, withdrawal mechanism, privacy notice, multilingual notice
Data Principal Rights (5 rules) – Access, correction, erasure, grievance redressal, nomination
Data Fiduciary Duties (4 rules) – Data accuracy, retention, security safeguards, breach notification
Significant Data Fiduciary (3 rules) – DPO appointment, DPIA, periodic audits
Cross-Border & Localization (2 rules) – Transfer restrictions, data residency
Sensitive Data (3 rules) – Aadhaar, PAN, mobile number handling
Children's Data (2 rules) – Parental consent, no tracking/targeting
Documentation (1 rule) – Processing records

Coverage Details

Severity Levels: CRITICAL, HIGH, MEDIUM
File Types: TypeScript, JavaScript, TSX, JSX, Python, Java, JSON, YAML, HTML, MD
Pattern Types: Variable detection (Indian identifiers), control checks (rights/consent/security), regex (purpose, retention, transfer)
CLI: node packages/cli/dist/cli.js scan ./src -r DPDP (from juro repo root)

Key DPDP Requirements

Obtain consent before processing personal data
Consent must be specific to the purpose
Provide an easy consent withdrawal mechanism

Notice (Section 5)

Provide clear notice before data collection
Notice in English and scheduled Indian languages where applicable

Data Principal Rights (Sections 8–15)

Right to access personal data
Right to correction
Right to erasure (when consent withdrawn or data no longer necessary)
Right to grievance redressal (designated officer, complaint mechanism)
Right to nominate (for exercising rights after death/incapacity)

Data Fiduciary Duties (Section 8)

Ensure data accuracy
Limit retention to what is necessary
Implement reasonable security safeguards
Report personal data breaches to the Data Protection Board

Significant Data Fiduciary (Sections 10–11)

Appoint a Data Protection Officer (based in India)
Conduct Data Protection Impact Assessments
Conduct periodic audits by an independent data auditor

Cross-Border Transfer (Section 16)

Transfer only to countries/territories notified by the Central Government
Document data localization and residency where required

Sensitive Identifiers

Aadhaar: Encrypt, mask, and strictly control access; follow UIDAI guidelines
PAN: Protect and mask when displayed
Mobile numbers: Treat as personal data; collect only with consent

Children's Data (Section 9)

Verifiable parental/guardian consent for users under 18
No tracking, behavioral monitoring, or targeted advertising directed at children

Common DPDP Violations

Processing Aadhaar, PAN, or mobile without consent
No privacy notice or purpose statement
No consent withdrawal mechanism

Rights & Grievance

No data access, correction, or erasure endpoints
No designated grievance officer or complaint mechanism

Security & Breach

No encryption or security safeguards for personal data
No breach detection or notification procedure

Cross-Border & Children

Transferring data to restricted countries
Processing children's data without parental consent or tracking children

Best Practices

// Good: Explicit consent and notice
const consent = await getExplicitConsent(userId, purpose);
showPrivacyNotice({ purpose, dataCollected, rights, grievanceContact });

// Bad: No consent or notice
const user = { aadhaar, pan, mobile }; // Collected without consent

Data Principal Rights

// Good: Implement access, correction, erasure, grievance
app.get('/api/user/data', ensureAuth, dataAccessHandler);
app.put('/api/user/correct', ensureAuth, dataCorrectionHandler);
app.delete('/api/user/data', ensureAuth, dataErasureHandler);
app.post('/api/grievance', grievanceHandler);

Sensitive Data (Aadhaar, PAN, Mobile)

// Good: Encrypt and mask
const maskedAadhaar = maskAadhaar(encrypt(aadhaar));
// Consent and access controls in place

// Bad: Plain storage, no consent
const user = { aadhaar: 'xxxx-xxxx-1234', pan: 'ABCDE1234F' };

Juro DPDP Scanning

CLI

# DPDP-only scan (from juro repo root)
node packages/cli/dist/cli.js scan ./src -r DPDP -o table

# DPDP + save report
node packages/cli/dist/cli.js scan ./src -r DPDP -o json -f dpdp-report.json

# Scan a live website
node packages/cli/dist/cli.js scan --url https://example.com -r DPDP -o table

# HTML report for verification (open in browser)
node packages/cli/dist/cli.js scan --url https://example.com -r DPDP -o html -f report.html --open

# Filter by severity
node packages/cli/dist/cli.js scan ./src -r DPDP --severity HIGH,CRITICAL

LLM-assisted options (DPDP)

Optional verification and false-positive reduction (require Ollama with mistral-regtech):

Option	Purpose
`--verify`	Run verification layer: classify findings as CONFIRMED_FAIL or INCONCLUSIVE (LLM never gives PASS).
`--verify-max <n>`	Max findings to send to the LLM (default 30).
`--llm-filter-fp`	Remove likely false positives from the report.
`--dpdp-assist`	When scanning a URL, suggest privacy/terms links to fetch and re-scan.

# Verify up to 10 findings
node packages/cli/dist/cli.js scan ./examples -r DPDP --verify --verify-max 10 -o table

# URL scan with HTML report and verification
node packages/cli/dist/cli.js scan --url https://example.com -r DPDP --verify --verify-max 10 -o html -f report.html --open

Rule Summary

36 total rules in Juro (5 GDPR, 6 DORA, 25 DPDP)
List all: node packages/cli/dist/cli.js rules
DPDP rules use IDs such as DPDP-CONSENT-001, DPDP-RIGHTS-001, DPDP-SENSITIVE-001, etc.

Compliance Checklist

Automated Checks (Juro)

Consent & Notice – Scanned
Data Principal Rights – Scanned
Data Fiduciary Duties – Scanned
Sensitive Data (Aadhaar, PAN, mobile) – Scanned
Children's Data – Scanned
Cross-Border Transfer – Scanned

Manual Verification

Consent is free, specific, informed, and unambiguous
Grievance officer designated and contact details published
Breach response and notification process defined
Data retention and erasure procedures documented

Penalties (DPDP Act)

Violation	Penalty (up to)
Data breach / unauthorized transfer	₹250 crore
Non-reporting of breach	₹200 crore
Children's data violations	₹200 crore
Other violations	₹50–150 crore

Resources

Digital Personal Data Protection Act, 2023 (India)
Juro Getting Started – Setup and first scan
Juro Compliance Scanning – How scanning works

✅ Current Implementation Status​

Implemented Rule Categories​

Coverage Details​

Key DPDP Requirements​

Consent (Sections 4–7)​

Notice (Section 5)​

Data Principal Rights (Sections 8–15)​

Data Fiduciary Duties (Section 8)​

Significant Data Fiduciary (Sections 10–11)​

Cross-Border Transfer (Section 16)​

Sensitive Identifiers​

Children's Data (Section 9)​

Common DPDP Violations​

Consent & Notice​

Rights & Grievance​

Security & Breach​

Cross-Border & Children​

Best Practices​

Consent and Notice​

Data Principal Rights​

Sensitive Data (Aadhaar, PAN, Mobile)​

Juro DPDP Scanning​

CLI​

LLM-assisted options (DPDP)​

Rule Summary​

Compliance Checklist​

Automated Checks (Juro)​

Manual Verification​

Penalties (DPDP Act)​

Resources​