Skip to content
checkDPDP

Trustify · DPDP-Verified

Get your CMP or website DPDP-Verified

checkDPDP independently audits consent management platforms and Indian websites against 40+ DPDP Act 2023 + Rules 2025 checkpoints. Pass and earn the DPDP-Verified badge — publicly verifiable, renewed annually.

An independent badge — not a self-attestation.

Anyone can put “DPDP-compliant” in a footer. The DPDP-Verified badge from checkDPDP is different: it is awarded only after an independent technical and legal audit against 40+ checkpoints across the obligations the DPDP Act 2023 and the DPDP Rules 2025 actually impose. The result is published on a public verification page — anyone can confirm the badge is real, and when it expires.

  • Automated technical audit + human review
  • Public verification page (anti-claim-washing)
  • One-year validity, mandatory re-audit
  • Free Fix-list if you don’t pass first time
Apply for verificationRequest the audit checklist

Sample badge

DPDP-Verified by checkDPDP

94

/ 100

Verified
June 2026
Expires
June 2027
Issued by
checkDPDP

What we audit

Nine dimensions, weighted by enforcement risk

Each dimension maps to a specific obligation under the DPDP Act 2023 or the DPDP Rules 2025. Weights reflect penalty exposure — security and consent UX dominate because the Schedule does.

  1. Section 5 consent notice

    weight 8

    Purposes named, data categories itemised, retention windows stated, rights mechanism described, grievance contact published.

  2. Section 6 consent UX

    weight 8

    Granular categories, equal-prominence Accept and Reject, no pre-ticks, no dark patterns, withdraw as easy as grant.

  3. Section 8 data principal rights

    weight 6

    Access, correction, erasure, nomination and grievance intake; routed to the Grievance Officer with SLA.

  4. Section 8(5) security safeguards

    weight 6

    HTTPS, HSTS, Content-Security-Policy, X-Frame-Options, secure cookies, modern TLS, MFA on admin paths.

  5. Section 8(6) breach workflow

    weight 4

    Documented playbook, named owner, 72-hour Board report path, Data Principal notification template.

  6. Section 8(7)–(8) retention & erasure

    weight 3

    Retention schedule per data category, deletion-on-withdrawal, evidence trail for erasure requests.

  7. Section 9 children

    weight 2

    Age-gate where required, verifiable parental consent flow, no behavioural tracking or targeted ads.

  8. Third-party trackers & vendors

    weight 2

    No firing before consent, vendor DPAs on file, sub-processor list maintained.

  9. Cross-border transfer disclosure

    weight 1

    Recipients disclosed, no transfers to blacklisted jurisdictions, India-residency option documented where applicable.

Total scored checkpoints: 40+. Findings are graded Critical / High / Medium / Low. A Pass requires 85/100 or higher with zero Critical findings.

How it works

From submission to badge in 10 working days

  1. Step 01

    Apply

    Submit your product or site URL, a short questionnaire, and access to staging if your CMP is gated. Free for the first round.

  2. Step 02

    Independent audit

    Our scanner runs the technical checks; our editorial team reviews the legal-text dimensions. Findings are scored and graded.

  3. Step 03

    Verdict + badge

    Pass: badge issued and listed on the public verification page. Fail: itemised Fix-list and a free re-audit once you remediate.

Questions

Frequently asked questions

Who can apply for the DPDP-Verified badge?
Any consent management platform (CMP) or any Indian website operating as a Data Fiduciary. Most applicants are CMPs, SaaS platforms, BFSI portals, healthtech and edtech websites.
How long does the audit take?
We commit to a verdict — Pass, Fail or Fix-list — within 10 working days of receiving a complete submission.
Is the audit pass / fail?
No. We return a score across the 40 checkpoints. A Pass is awarded at 85/100 or higher with no Critical findings. Below that, you get a prioritised fix-list and a free re-audit once remediated.
How long does the badge last?
One year. After 12 months you must re-verify — DPDP rules evolve, and the badge means current compliance, not historical.
Will the verification page be public?
Yes. Every passing applicant gets a public verification page showing the issue date, expiry, score band and the dimensions audited. This is how anyone can confirm the badge is real.

Ready to get verified?

Tell us about your CMP or site. We'll run the audit and come back with a verdict within 10 working days. If you don't pass first time, the Fix-list is free.

Start an applicationSee ranked CMPs

Already a buyer?

If you're evaluating CMPs, the ranked list at /consent-managers surfaces the DPDP-Verified holders first. Always cross-check the verification page before you sign.