The India DPDP suite operationalizes the Digital Personal Data Protection Act, 2023 for AI systems. Where a one-shot compliance check answers “is this text compliant right now?”, the DPDP suite covers the full lifecycle of a data principal’s journey: detect Indian personal data, gate decisions against the Act’s obligations, record the events that prove compliance, track statutory deadlines, and produce audit-grade evidence on demand. All seven endpoints sit under one base path and return the same envelope, so you can adopt them incrementally — start with scan, add session and emit when you need stateful tracking, and reach for evidence at audit time.
Base path: https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp

Two ways to run DPDP

RAIL ships the same DPDP capability on two paths with opposite data-flow guarantees. This page documents the hosted API.

Hosted (this API)

Your application sends content to api.responsibleailabs.ai. Multi-tenant, org-scoped, billed per call. Everything on this page runs here.

Enterprise self-hosted

The RAIL agent runs inside your own VPC or air-gapped environment; content never leaves your infrastructure. The same seven endpoints are mirrored there for single-tenant, licensed deployments.

The seven endpoints

| Endpoint | Method | Credits | What it does |
|---|---|---|---|
| /scan | POST | 0.5 | Detect Indian PII (Aadhaar with Verhoeff checksum, PAN, UPI, mobile, and 6 more), child signals (S.9), and purpose drift (S.4). Detect, mask, or block. |
| /evaluate | POST | 0.3 | Deterministic allow / block / require_action gate for an action, mapped to DPDP S.4–S.16. |
| /emit | POST | 0.1 | Record 1–50 compliance events (consent, notice, DSR, breach). Auto-starts regulatory timers. |
| /require | POST | 0.3 | List the required actions for a given workflow step. |
| /evidence | POST | 2.0 | Generate an audit-grade evidence packet (DSR response, breach notification, consent audit, SDF annual report). Pro+ plans. |
| /session | POST | 0 | Create or retrieve a stateful compliance session for one data-principal journey. |
| /timers | GET | 0 | List regulatory deadline timers, filtered by status, type, or how soon they are due. |

Billing on every DPDP route is fire-and-forget by design — a billing hiccup never blocks a compliance decision. Use /verify for a pre-flight balance check when you need one. session and timers are always free.

How the pieces fit together

A typical integration threads a single session through the user’s journey. Events you emit mutate the session state and start the statutory timers; scan and evaluate make in-the-moment decisions; evidence reads the accumulated trail when an auditor or regulator asks.

Response envelope

Every endpoint returns the same two-key envelope. result holds the endpoint-specific payload; credits_consumed reports what the call cost.
{
  "result": { "...": "endpoint-specific" },
  "credits_consumed": 0.5
}

Authentication

All routes require a Bearer token — an API key (rail_...) or a JWT. Pass it on every request:
-H "Authorization: Bearer YOUR_RAIL_API_KEY"

A complete walkthrough

The flow below tracks one loan-application journey end to end. It uses curl; the Python SDK mirrors every call as client.dpdp.*.
1. Open a session

A session ties events, scans, and timers to one data-principal journey. config.purpose is required.
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/session \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "create",
    "config": { "purpose": "loan_advisory", "entity_type": "data_fiduciary" }
  }'
The response returns a session_id you reuse on later calls.
2. Record notice and consent

emit writes the events that later prove you met your notice (S.5) and consent (S.6) obligations.
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/emit \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "session_id": "sess_1a2b3c",
    "events": [
      { "type": "notice.shown", "data": { "user_id": "u_42" } },
      { "type": "consent.granted", "data": { "user_id": "u_42", "purpose": "loan_advisory" } }
    ]
  }'
3. Scan content for Indian PII

Before storing or sending model output, scan it. pii_action can detect, mask, or block.
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/scan \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Applicant PAN ABCDE1234F, mobile 9876543210.",
    "config": { "pii_action": "mask", "purpose": "loan_advisory" }
  }'
4. Gate the decision

evaluate returns a deterministic verdict for the action you are about to take.
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/evaluate \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "make_decision",
    "context": { "user_id": "u_42", "purpose": "loan_advisory" },
    "session_id": "sess_1a2b3c"
  }'
A verdict of require_action tells you to call /require for the outstanding obligations.
5. Track deadlines and produce evidence

When a data principal exercises a right or a breach occurs, emit starts the statutory timer; timers lists what is approaching; evidence assembles the audit packet.
# A rights request starts the S.13 response clock
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/emit \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "events": [ { "type": "dsr.received", "data": { "user_id": "u_42", "request_id": "r_9" } } ] }'

# What is due in the next 30 days?
curl "https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/timers?status=active&approaching_days=30" \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY"

Errors

DPDP routes use standard HTTP status codes. Validation problems return 400 with an error message; evidence on a plan below Pro returns 403 with code: TIER_INSUFFICIENT.
{ "error": "Evidence generation requires Pro+ tier.", "code": "TIER_INSUFFICIENT" }
The DPDP suite never logs raw content or detected PII values — only a truncated, non-identifying snippet for analytics. Aadhaar, PAN, and other identifiers are masked or dropped before anything is written.
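
The service-side guarantee above does not cover your own application logs, so content sent to /scan should be masked locally before anything is written on your side. The sketch below is an added example, not RAIL's implementation or SDK code: it shows how a Verhoeff checksum separates a plausible Aadhaar number from an arbitrary 12-digit ID, then masks Aadhaar, PAN, and mobile values. The regex patterns, the `[AADHAAR]`-style tokens, and all function names are assumptions made for illustration.

```python
import re

# Verhoeff tables as digit strings: D = dihedral-group (D5) multiplication,
# P = position-dependent permutation, INV = group inverse.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258"]
INV = "0432156789"

def _fold(digits: str, start: int) -> int:
    c = 0  # accumulator; digits are consumed rightmost first
    for i, ch in enumerate(reversed(digits), start):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c

def verhoeff_valid(number: str) -> bool:
    return number.isdecimal() and _fold(number, 0) == 0

def verhoeff_check_digit(prefix: str) -> str:
    return INV[_fold(prefix, 1)]

# Assumed patterns for this sketch: Aadhaar = 12 digits, first digit 2-9, optional
# space/hyphen grouping; PAN = AAAAA9999A; mobile = 10 digits, first digit 6-9.
AADHAAR = re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)")
PAN = re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")
MOBILE = re.compile(r"(?<!\d)[6-9]\d{9}(?!\d)")

def mask_for_logging(text: str) -> tuple[str, list[str]]:
    """Return (masked text, PII types found), safe to write to a local log."""
    found = []
    def aadhaar(m):
        if not verhoeff_valid(re.sub(r"\D", "", m.group())):
            return m.group()  # 12 digits failing the checksum: not treated as Aadhaar
        found.append("aadhaar")
        return "[AADHAAR]"
    def token(kind):
        def repl(m):
            found.append(kind)
            return f"[{kind.upper()}]"
        return repl

    text = AADHAAR.sub(aadhaar, text)
    text = PAN.sub(token("pan"), text)
    text = MOBILE.sub(token("mobile"), text)
    return text, found

# Constructed sample: a synthetic 11-digit prefix plus its computed check digit.
FAKE_AADHAAR = "23412341234" + verhoeff_check_digit("23412341234")
```

This covers only three of the identifier types the /scan row lists, so it complements the API call rather than replacing it.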

Where to go next

India DPDP guide

The concepts behind the suite: obligations, lifecycle, and which endpoint maps to which section of the Act.

Python SDK: DPDP

Every endpoint as a typed client.dpdp.* method, plus client-side PII scanning and the system audit.

Scan endpoint

Indian PII detection, child signals, and purpose drift in detail.

Evidence endpoint

Audit-grade packets for DSR, breach, consent, and SDF reporting.