India’s Digital Personal Data Protection Act, 2023 (DPDP) governs how organizations process the personal data of individuals in India. For AI systems the Act is not a one-time checkbox — obligations attach across the whole lifecycle of a data principal’s interaction: before you collect data, while you process it, when an individual exercises a right, and if a breach occurs. RAIL turns those obligations into a small set of composable operations. This page explains the concepts; the API overview and Python SDK show the calls.

The vocabulary

  • Data Principal — the individual whose personal data is processed.
  • Data Fiduciary — the organization that decides why and how data is processed (you).
  • Significant Data Fiduciary (SDF) — a fiduciary the government designates as higher-risk, with extra duties (audits, DPO, impact assessments).
  • Personal data — anything that identifies an individual. In India this prominently includes Aadhaar, PAN, UPI IDs, and mobile numbers.

Obligations RAIL helps you meet

| Obligation | DPDP section | How RAIL helps |
| --- | --- | --- |
| Notice before processing | S.5 | emit a notice.shown event; it is retained as evidence. |
| Consent, and easy withdrawal | S.6 | emit consent.granted / consent.withdrawn; evaluate blocks actions that lack a lawful basis. |
| Purpose limitation | S.4 | scan detects purpose drift — content that strays from the declared purpose. |
| Data minimization & accuracy | S.8 | scan surfaces Indian PII so you can mask or drop what you do not need. |
| Children’s data (no tracking, no targeted ads) | S.9 | scan flags child signals; evaluate blocks profiling of minors. |
| Data principal rights (access, correction, erasure) | S.11–S.14 | emit a dsr.received event to start the statutory response clock; timers tracks it. |
| Breach notification | S.8(6) | emit breach.detected to start CERT-In and Data Protection Board timers. |
| SDF additional duties | S.10 | evidence produces the SDF annual report packet. |

The compliance lifecycle

A session is the thread that ties one data principal’s journey together. Events accumulate on it, timers start from those events, and evidence is assembled from the resulting trail.

Which operation do I reach for?

I have model output to publish

Scan it for Indian PII, child signals, and purpose drift — then detect, mask, or block.

I am about to act on personal data

Evaluate the action for a deterministic allow / block / require_action verdict.

Something happened I must record

Emit the event (consent, DSR, breach). Statutory timers start automatically.

An auditor is asking for proof

Generate evidence — a packet built from the session’s recorded trail.
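
To make the "scan, then mask" step concrete, here is an added example that is not RAIL's scanner or SDK code: a local detector for the four Indian identifier types named in the vocabulary above. The function names, regex patterns and `[KIND]` mask tokens are assumptions of this example; Aadhaar candidates are confirmed with the Verhoeff check digit so that arbitrary 12-digit numbers are not masked.

```python
import re

# Verhoeff tables: D is multiplication in the dihedral group D5, P the
# position-dependent digit permutations, INV the group inverses.
D = [[(j + k) % 5 + 5 * (k >= 5) if j < 5 else (j - k) % 5 + 5 * (k < 5)
      for k in range(10)] for j in range(10)]
P = [list(range(10))]
for _ in range(7):
    P.append([[1, 5, 7, 6, 2, 8, 3, 0, 9, 4][n] for n in P[-1]])
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]

def verhoeff_checksum(digits: str) -> int:
    """Return 0 when the last digit is a valid Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c

def verhoeff_check_digit(payload: str) -> str:
    """Check digit for a payload; used here only to build sample data."""
    return str(INV[verhoeff_checksum(payload + "0")])

# Format-level patterns (assumptions of this example, not RAIL's rules).
PATTERNS = {
    "AADHAAR": re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b"),
    "PAN": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "MOBILE": re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)"),
    "UPI_ID": re.compile(r"\b[\w.-]{2,}@[A-Za-z]{2,}\b(?!\.)"),  # skips e-mail
}

def scan_and_mask(text: str):
    """Return (masked_text, findings); findings are (kind, matched_value)."""
    findings = []
    for kind, pattern in PATTERNS.items():
        def repl(m, kind=kind):
            digits = re.sub(r"\D", "", m.group())
            if kind == "AADHAAR" and verhoeff_checksum(digits) != 0:
                return m.group()  # 12 digits, bad check digit: leave as-is
            findings.append((kind, m.group()))
            return f"[{kind}]"
        text = pattern.sub(repl, text)
    return text, findings

if __name__ == "__main__":
    # Constructed sample: the Aadhaar-shaped number is generated, not real.
    payload = "23456789012"
    sample = (f"KYC: Aadhaar {payload}{verhoeff_check_digit(payload)}, "
              "PAN ABCDE1234F, UPI ravi.k@okbank, phone +91 9876543210")
    print(scan_and_mask(sample))
```

The findings list holds the raw matched values, so treat it as personal data too: log only the kinds and counts.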

Hosted vs. enterprise

The same DPDP capability is available two ways. On the hosted API your application sends content to RAIL. In enterprise self-hosted deployments the RAIL agent runs inside your own environment and content never leaves it — appropriate when data residency or air-gapping is required. The endpoint contract is identical, so code written against one runs against the other.

India DPDP API overview

The seven endpoints, credit costs, and a complete walkthrough.

Compliance frameworks

How DPDP sits alongside GDPR, CCPA, HIPAA, and the EU AI Act.