India’s Data Privacy Law Is Coming

Soumya Verma
The DPDPA compliance ecosystem: 8 key companies, including IDfy, Perfios, and OneTrust, poised to capture India's massive Rs 10,000 Cr privacy tech market by 2027.
Quick Take:
  • The Law: Digital Personal Data Protection Act (DPDPA) 2023 — India’s first comprehensive data privacy law. DPDP Rules 2025 notified by MeitY on November 13, 2025. Three-phase rollout: Data Protection Board (immediate), Consent Managers (November 2026), full compliance (May 13, 2027)
  • The Market: EY India estimates DPDPA will unlock a Rs 10,000 Cr (~$1.2 Bn) compliance-as-a-service market over the next three years — fuelled by urgent investments in privacy automation and data governance
  • The Penalties: Up to Rs 250 Cr per violation — significant enough to force board-level compliance decisions at every major Indian company
  • The 8 Companies (from Inc42 / source image): IDfy ($119 Mn raised, 2011), Perfios (~$450 Mn, 2008), OneTrust (~$1 Bn, 2016, global), NeoKred (~$1.2 Mn, 2019), Redacto (~$1.4 Mn, 2023), Seqrite (2015, part of Quick Heal), Concur Consent Manager ($150K, 2023), CrossIdentity (2017)
  • The Opportunity: India has 1.4 Bn data principals; 100 Mn+ digital consumers; every company processing personal data digitally is a data fiduciary under the Act — no small business exception written into the law

India’s Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 — operationalising the DPDPA 2023 (Digital Personal Data Protection Act), India’s first comprehensive data privacy law. The notification triggered a three-phase compliance countdown for every company that processes digital personal data in India — which, in 2026, is essentially every company with a digital product, a customer database, or an employee system.

The compliance market that DPDPA creates is, by any measure, enormous. EY India estimates a Rs 10,000 Cr (~$1.2 Bn) compliance-as-a-service market over the next three years. The parallel is GDPR in Europe — which generated a multi-billion euro legal, tech, and consulting industry between 2018 and 2022. India’s DPDPA, applied to a market of 1.4 billion people and one of the world’s fastest-growing digital economies, is that opportunity at a different scale.

A new ecosystem of companies is quietly building the technology rails for this compliance wave — from identity verification and KYC infrastructure to AI-led data discovery tools, consent management platforms, and privacy governance suites. The Inc42 infographic mapping the DPDPA compliance ecosystem names eight key players: IDfy, NeoKred, Redacto, Perfios, OneTrust, Seqrite, Concur Consent Manager, and CrossIdentity. Here is every one of them — what they do, why they matter under the DPDPA, and what the law is about to force every Indian company to buy.

StartupFeed Insight

The GDPR parallel for India: When GDPR came into force in Europe in May 2018, it created a compliance industry worth billions of Euros within four years. OneTrust — one of the eight companies in this ecosystem map — was founded in 2016 specifically in anticipation of GDPR. By 2021, it had raised $1 Bn and was valued at $5.3 Bn. The same opportunity is now playing out in India, with two differences: the market is larger (1.4 Bn people vs 450 Mn EU citizens) and the compliance tools are being built by Indian companies, not imported from the US.

What this means for different audiences:

  • For founders building in privacy tech: The DPDPA creates a mandatory procurement category. Every data fiduciary needs: a consent management system, a data discovery and mapping tool, identity verification for consent validity, a breach notification mechanism, and a grievance redressal system. This is a checklist that every Indian company will need to buy, build, or outsource by May 2027 — and most are not ready yet
  • For enterprise buyers: The EY survey showed awareness of the DPDPA is growing but implementation maturity is uneven. The Rs 10,000 Cr market opportunity exists precisely because most Indian companies are unprepared. The companies in this ecosystem map are the vendors you will be evaluating in your procurement pipeline in the next 12-24 months
  • For investors: Privacy tech in India is at the same stage that cybersecurity in India was in 2015 — underfunded relative to the regulatory mandate it is about to receive. The DPDPA creates a hard deadline (May 2027) that converts a discretionary purchase into a mandatory one. Companies that are this ecosystem’s leaders today — IDfy, Perfios DPDP Suite, OneTrust — will compound aggressively into the compliance countdown

Our prediction: TCS’s application for a consent manager permit (reported in April 2026) signals that India’s IT bellwethers are entering the compliance-as-a-service market. When TCS, Infosys, and Wipro begin selling DPDPA compliance services to their enterprise clients, the smaller startups in this map will face a consolidation pressure: get acquired by an IT major, or carve a deep enough vertical niche to survive. Redacto (AI-led data discovery), NeoKred (KYC/KYB infrastructure), and Concur Consent Manager (consent-only specialists) are the most likely acquisition targets over the next 24 months.

The DPDPA — What the Law Actually Requires

The Digital Personal Data Protection Act 2023 is India’s answer to GDPR — a comprehensive framework governing how digital personal data is collected, processed, stored, and transferred. The DPDP Rules 2025, notified on November 13, 2025, provide the operational detail. The compliance rollout is phased:

| Phase | Timeline | What Becomes Mandatory |
|---|---|---|
| Phase I — Immediate (Nov 13, 2025) | Effective immediately on notification | Data Protection Board of India (DPB) established; appellate authority designated (Telecom Disputes Settlement and Appellate Tribunal) |
| Phase II — Consent Managers (Nov 13, 2026) | 12 months from notification | Registration of Consent Managers with the Data Protection Board; consent manager obligations begin; entities requiring consent management infrastructure must be ready |
| Phase III — Full Compliance (May 13, 2027) | 18 months from notification | All substantive provisions: notice and consent, grounds for processing, security safeguards, breach reporting, data principal rights (access, correction, erasure, grievance), children’s data protections, and Significant Data Fiduciary obligations (DPO appointment, DPIA, audits) |

Key DPDPA concepts every company must understand: 

  • Data Fiduciary: Any person (company, startup, individual) who determines the purpose and means of processing personal data. This is GDPR’s ‘Data Controller.’ Under DPDPA, ALL companies processing digital personal data in India are Data Fiduciaries — there is no small business exception written into the core law (though exemptions may be granted by notification)
  • Significant Data Fiduciary (SDF): Companies classified by the Central Government based on volume and sensitivity of data processed; risk to rights of Data Principals. SDFs face additional obligations — mandatory DPO (Indian resident), DPIA (Data Protection Impact Assessments), independent audits, algorithmic risk verification. SDF classifications expected in 2026
  • Consent Manager: A new registered intermediary that sits between Data Principals (users) and Data Fiduciaries (companies) — allowing users to grant, manage, and withdraw consent via a standardised interface. Consent manager registration opens November 2026. This creates an entirely new category of licensed financial/tech intermediary in India
  • Data Principal: The individual to whom personal data relates — what GDPR calls ‘Data Subject.’ Rights under DPDPA: access, correction, erasure, consent withdrawal, grievance redressal, nominating a representative
  • Penalties: Up to Rs 250 Cr per violation — calibrated by gravity, repetitive nature, and intent. For large enterprises, a single non-compliance event could trigger board-level financial consequences

The 8 Companies — Complete Ecosystem Map

| Company | Founded | Funding | What It Does | DPDPA Relevance |
|---|---|---|---|---|
| IDfy (Customer Focus) | 2011 | $119 Mn (Blume Ventures, IndiaMART, Elev8 Venture Partners) | Identity Verification, Fraud Detection, Privacy Infrastructure — three pillars: onboarding, risk, and privacy. Recently launched dedicated privacy suite for DPDPA compliance | DPDPA requires identity verification for consent validity (children’s data, parental consent); data fiduciaries must verify the identity of the Data Principal; IDfy’s privacy pillar directly addresses data minimisation, purpose limitation, and consent audit trails. Won competition (March 2026) related to DPDPA compliance |
| NeoKred | 2019 | ~$1.2 Mn | KYC/KYB, Partner Ecosystem Infrastructure — provides KYC (Know Your Customer) and KYB (Know Your Business) infrastructure for fintech, lenders, and enterprise partners | DPDPA mandates verifiable consent — which requires identity verification of the consenting individual. KYB (for businesses acting as data processors) also needs to demonstrate DPDPA compliance to their data fiduciary partners; NeoKred’s infrastructure enables this verification layer |
| Redacto | 2023 | ~$1.4 Mn | Data Discovery and AI-led Privacy Tools — automated discovery of where personal data lives within an organisation; AI-driven tools to redact, classify, and manage personal data | DPDPA requires data fiduciaries to know exactly what personal data they hold, where it is stored, and for what purpose (data mapping obligation). Data erasure rights (right to be forgotten) require companies to find and delete specific user data on request — impossible without a data discovery tool. Redacto addresses this foundational compliance requirement |
| Perfios | 2008 | ~$450 Mn | Financial Data Aggregation, Analytics, Credit Decisioning, Underwriting APIs — India’s financial data infrastructure layer | DPDPA’s impact on financial data is profound: all financial personal data is subject to consent requirements. Perfios launched Perfios DPDP Suite in March 2026 — a unified platform to operationalise consent and comply with DPDPA for its banking and NBFC customers |
| OneTrust | 2016 | ~$1 Bn (global company) | Privacy, Security, Governance — global privacy management platform; founded in anticipation of GDPR; serves Fortune 500 companies worldwide | Offers full-stack DPDPA compliance tools: consent management, data subject request automation, privacy notice management, data mapping, third-party risk management. One of the most experienced GDPR-to-DPDPA translation players in the market |
| Seqrite (Quick Heal Technologies) | 2015 | Not separately disclosed (part of Quick Heal Technologies, listed) | Privacy, Security, Governance — enterprise cybersecurity and data privacy solutions from India’s leading cybersecurity company | Data security is a core DPDPA obligation — breach notification is mandatory, and reasonable security safeguards are required. Seqrite’s data privacy solution addresses the security requirement that sits at the foundation of DPDPA compliance; cybersecurity and privacy are now inseparable regulatory obligations |
| Concur Consent Manager | 2023 | $150K | Data Privacy and Consent Management Solutions — purpose-built consent manager platform | Directly addresses the Phase II requirement (November 2026): entities must be registered as Consent Managers or partner with one. Concur offers consent manager infrastructure — a highly specialised, regulation-specific product category created entirely by DPDPA |
| CrossIdentity | 2017 | Not Disclosed | Identity Security Solutions — identity and access management (IAM) for enterprises | DPDPA requires access controls and identity management to ensure only authorised personnel handle personal data; CrossIdentity recently launched Vishwaas AI — a privacy and consent management portal — specifically for DPDPA compliance; IAM is foundational to data security and access audit trails required under the Act |

The Four Layers of the DPDPA Compliance Stack

The eight companies in this ecosystem map are not all doing the same thing — they address four distinct technical layers of DPDPA compliance:

| Compliance Layer | What It Covers | Companies in This Layer |
|---|---|---|
| Layer 1 — Identity and Verification | Verifying who the Data Principal is; validating consent is from a real, eligible person; age verification for children’s data; KYC/KYB for business partners | IDfy, NeoKred, CrossIdentity |
| Layer 2 — Data Discovery and Governance | Finding where personal data lives within the organisation; mapping data flows; classifying sensitive vs non-sensitive data; enabling erasure and correction requests | Redacto, OneTrust (data mapping module) |
| Layer 3 — Consent Management | Collecting, recording, managing, and enabling withdrawal of user consent; operating as or connecting to a registered Consent Manager; consent audit trails | Concur Consent Manager, OneTrust (consent module), CrossIdentity (Vishwaas AI), Perfios DPDP Suite |
| Layer 4 — Security and Governance | Cybersecurity safeguards for personal data; breach detection and notification; access controls and audit logging; policy management and DPO support | Seqrite, OneTrust (security module), CrossIdentity |

The consolidation thesis, in the words of Sachin Yadav of Deloitte India: “Currently, the legal, SaaS and cybersecurity players address distinct components of the DPDPA stack. However, over time, consolidation is likely expected as customers would prefer integrated, end-to-end solutions.” Companies that can offer the complete four-layer stack — identity + data discovery + consent + security — will command the premium enterprise relationships. This is why OneTrust has grown to $1 Bn in funding globally: it built the all-layers platform.

The Timeline — What Every Company Must Do and By When

| Deadline | Action Required | Who This Affects |
|---|---|---|
| Now (April 2026) | Begin data audit: understand what personal data you collect, where it lives, what it’s used for, and how it flows to third parties | Every company with digital products or customer databases |
| Now – Nov 2026 | Build or procure consent management infrastructure: design consent notices, create consent recording systems, build withdrawal mechanisms | Every company collecting user data digitally |
| November 13, 2026 | Consent Managers must be registered with Data Protection Board; companies using consent managers must be integrated with registered platforms | Companies positioning themselves as Consent Managers (like Concur, TCS); companies planning to use Consent Manager intermediaries |
| May 13, 2027 | Full DPDPA compliance: notice and consent, security safeguards, breach reporting (within 72 hours), data principal rights (access, correction, erasure, grievance), children’s data protection | All data fiduciaries — essentially every company processing digital personal data in India |
| Post-May 2027 (TBD) | Significant Data Fiduciary obligations: DPO appointment, DPIA, independent audits, algorithmic risk verification | Large companies classified as SDFs by Central Government |

The Rs 10,000 Crore Market — Why This Is India’s Biggest Compliance Opportunity

The EY India report estimates the DPDPA will unlock a Rs 10,000 Cr ($1.2 Bn) compliance-as-a-service market over three years — driven by investments in privacy automation, data governance tools, consent management platforms, and legal advisory services. This estimate is probably conservative for three reasons:

  • No GDPR precedent for India: When GDPR hit Europe, most companies had some prior data protection frameworks to build from (Safe Harbor, Directive 95/46/EC). India has no prior comprehensive digital data protection law — companies are starting from scratch, creating higher consulting, tooling, and implementation demand
  • 100 Mn+ digital SMEs: Unlike GDPR, which had a de facto small business soft-landing, the DPDPA applies broadly. India’s 100 Mn+ digital small businesses are data fiduciaries — even if exemptions are granted by notification for some, the awareness and evaluation process itself creates demand for advisory and tooling
  • The consent manager category is entirely new: GDPR did not create a separate registered consent manager category. DPDPA does — November 2026 is the registration deadline. Every company that positions as a consent manager needs a technology platform, a regulatory compliance infrastructure, and a customer acquisition strategy. This is a new market segment created by the law

What do you think? Will Indian privacy tech startups build a world-class compliance ecosystem — or will global players like OneTrust dominate as they did in Europe? Tell us on X @StartupFeed_news

 
