checkDPDP

Ranking methodology

How we rank — and on which points.

Two numbers, four sets of criteria. That's it. Here's exactly what each one measures.

The scores

Every CMP has two scores

Protection score

How well the product is built for DPDP

Our review of the product itself — does it cover DPDP properly, is it secure, is it easy to deploy. DPDP fit matters most, security next, ease of use last.

Live scan score

How the vendor's own website behaves

The same DPDP audit that runs at /scan, applied to the vendor's public homepage. If a CMP's own site isn't DPDP-clean, that tells you something.

The criteria

The points we check

DPDP fit

Weighted most

How directly the product maps to the DPDP Act 2023 + Rules 2025.

What we look for

  • Section 5 itemised consent notice
  • Section 6 — withdraw as easy as grant
  • Section 8 audit log + breach reporting
  • Section 9 verifiable parental consent
  • 22 official Indian languages supported
  • India-resident DPO option for SDFs

Security

Weighted heavily

Published certifications, hosting posture, breach history.

What we look for

  • SOC 2 Type II
  • ISO 27001 / 27701
  • India-resident hosting option
  • TLS, HSTS, CSP on the marketing site
  • Public breach-disclosure history
  • Documented penetration-test cadence

Ease

Weighted lightly

How fast a typical Indian site can get a working banner live.

What we look for

  • Free tier or transparent SMB pricing
  • Self-serve signup (no demo gate)
  • WordPress / Shopify / GTM integrations
  • Pre-built DPDP templates
  • One-line embed documented
  • Time-to-banner under 1 day

Live scan

The 10 DPDP markers we check on the vendor's site

  1. Cookie consent banner

    Granular, prior consent with reject as easy as accept.

  2. Privacy / consent notice

    Plain-language Section 5 notice with purpose, categories, rights.

  3. Consent withdrawal

    Obvious mechanism — Section 6 symmetry.

  4. Data-collection transparency

    Forms, trackers, integrations all disclosed.

  5. Third-party trackers

    No analytics / ad pixels firing before consent.

  6. Grievance officer

    Published Section 8(10) Grievance Officer + SLA.

  7. Data Principal rights

    Access / correction / erasure / nomination reachable.

  8. Cross-border transfer disclosure

    Where data leaves India and why.

  9. Children & age-gate

    Verifiable parental consent for under-18s.

  10. Security signals

    HTTPS, HSTS, CSP, X-Content-Type-Options, no leakage.