The DPDP Bible: Vendor Checklist
A Project By Meridian Bridge Strategy

5 Questions Before You Buy
DPDP Software

Sushant Pasumarty

Founder & CEO, Meridian Bridge Strategy

A founder's guide to vendor scrutiny. The questions DPDP vendors can't answer.

The Problem

The ₹249.75 Crore Gap

Why This Matters

You're about to spend ₹8-15 Lakhs on DPDP compliance software.
The vendor promises: "Complete compliance. One dashboard. Real-time sync."
What they don't tell you: Their liability is capped at ₹25 Lakhs.
Your DPDP penalty exposure? ₹250 Crores.
The ₹249.75 Crore gap = your problem.

Vendor's Maximum Liability

₹25 Lakhs

Capped on page 47 of the contract

Your DPDP Exposure

₹250 Crores

Per violation; the vendor's contractual cap does nothing to limit it

The Checklist

5 Questions Every Founder Must Ask

1. System Failures

"What happens when your system goes down?"

Why it matters:

Scenario: You schedule an SMS campaign for 2:30 PM. A customer opts out at 2:00 PM, but the DPDP tool crashes at 2:15 PM and the opt-out is never synced to the SMS tool.

Result: The customer gets the SMS. Penalty: up to ₹50 Crores. Who pays? You.

What to look for:
  • Do they notify you immediately?
  • Can you see a log of failures?
  • Do they fix it automatically?
  • What's the SLA for uptime, and for replaying opt-outs missed during an outage?
Red flags:
  • "Our system rarely goes down"
  • No failure notifications
  • No visibility into what broke
  • No SLA in the contract
2. Proof of Delivery

"How do I know the opt-out actually reached WhatsApp?"

"We sent it" ≠ "They got it". Under DPDP the burden of proof sits with you, so you need WhatsApp's confirmation that the opt-out was received, not just your tool's log that it was sent. If WhatsApp's server was down, your message never arrived, and your campaign fired anyway, you are liable.

What to look for:
  • Does the vendor show the WhatsApp/email platform's confirmation?
  • Can you export proof for each opt-out?
  • What happens if the destination doesn't respond?
  • Is there an audit trail for the Data Protection Board?
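As an added illustration for questions 1 and 2 (example code written for this page, not a vendor's product and not Meridian Bridge Strategy's own tooling), the Python below shows the two controls a buyer is really asking about: a withdrawal ledger that stores only the receipt a destination platform returns as proof and keeps a visible failure log, and a send-time gate that fails closed when the sending tool's copy of the suppression list is older than an agreed staleness window. The ledger, the tool names, the timestamps and the two push callbacks are constructed assumptions; a real deployment would call the messaging platform's API in place of the callbacks.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Withdrawal:
    subject: str            # identifier the customer used, e.g. a phone number (constructed)
    channel: str            # "sms", "whatsapp" or "email"
    received_at: datetime
    receipts: dict = field(default_factory=dict)  # destination -> receipt id the platform returned


class ConsentLedger:
    """Source of truth for withdrawals. Downstream tools hold copies, and copies go stale."""

    def __init__(self) -> None:
        self.withdrawals: dict[tuple[str, str], Withdrawal] = {}
        self.failures: list[dict] = []  # visible log: what broke, for whom, when and why

    def withdraw(self, subject: str, channel: str, at: datetime) -> None:
        self.withdrawals[(subject, channel)] = Withdrawal(subject, channel, at)

    def propagate(self, subject: str, channel: str, destination: str,
                  push: Callable[[str, str], Optional[str]], at: datetime) -> bool:
        """Push one withdrawal to one destination. 'We sent it' is never stored as proof;
        only the receipt the destination returns is."""
        w = self.withdrawals[(subject, channel)]
        try:
            receipt = push(subject, channel)
            reason = "destination returned no receipt"
        except Exception as exc:  # timeout, HTTP 5xx, crashed sync worker
            receipt, reason = None, f"{type(exc).__name__}: {exc}"
        if receipt:
            w.receipts[destination] = receipt
            return True
        self.failures.append({"subject": subject, "channel": channel, "destination": destination,
                              "at": at.isoformat(), "reason": reason})
        return False

    def unproven(self, destination: str, channel: str) -> list:
        """Withdrawals on this channel the destination never acknowledged: your exposure list."""
        return [w for w in self.withdrawals.values()
                if w.channel == channel and destination not in w.receipts]

    def export_proof(self, subject: str, channel: str) -> dict:
        """Per-opt-out record to hand to an auditor or the Data Protection Board."""
        w = self.withdrawals[(subject, channel)]
        return {"subject": w.subject, "channel": w.channel,
                "received_at": w.received_at.isoformat(), "receipts": dict(w.receipts)}


@dataclass
class SuppressionCopy:
    """The suppression list a sending tool holds locally, and when it last synced."""
    suppressed: set = field(default_factory=set)  # (subject, channel) pairs
    synced_at: Optional[datetime] = None

    def refresh(self, ledger: ConsentLedger, now: datetime) -> None:
        self.suppressed, self.synced_at = set(ledger.withdrawals), now


def send_decision(copy: SuppressionCopy, subject: str, channel: str,
                  now: datetime, max_staleness: timedelta) -> str:
    """Per-recipient check at send time. Fails closed: a copy that is missing or older than
    max_staleness blocks the send, since a withdrawal may have arrived after the last sync."""
    if (subject, channel) in copy.suppressed:
        return "BLOCK: consent withdrawn"
    if copy.synced_at is None or now - copy.synced_at > max_staleness:
        return "BLOCK: suppression copy stale, re-sync before sending"
    return "SEND"


def scenario() -> dict:
    """Constructed replay of the page's timeline: opt-out 2:00 PM, sync crash 2:15 PM,
    campaign 2:30 PM. Timestamps, identifiers and platform callbacks are all made up."""
    def t(h: int, m: int) -> datetime:
        return datetime(2025, 1, 1, h, m)

    def sms_tool_crashed(subject: str, channel: str) -> Optional[str]:
        raise TimeoutError("sync worker crashed")

    def whatsapp_acks(subject: str, channel: str) -> Optional[str]:
        return "wa-receipt-7f3c"

    ledger, sms_copy, phone = ConsentLedger(), SuppressionCopy(), "+919800000001"
    sms_copy.refresh(ledger, t(13, 45))          # last good sync predates the opt-out
    ledger.withdraw(phone, "sms", t(14, 0))
    ledger.withdraw(phone, "whatsapp", t(14, 0))
    ledger.propagate(phone, "sms", "sms-tool", sms_tool_crashed, t(14, 15))
    ledger.propagate(phone, "whatsapp", "whatsapp-api", whatsapp_acks, t(14, 16))
    window = timedelta(minutes=15)
    at_2_30 = send_decision(sms_copy, phone, "sms", t(14, 30), window)
    sms_copy.refresh(ledger, t(14, 31))          # operator re-syncs after seeing the failure log
    return {
        "decision_at_2_30": at_2_30,
        "decision_after_resync": send_decision(sms_copy, phone, "sms", t(14, 32), window),
        "decision_other_customer": send_decision(sms_copy, "+919800000002", "sms", t(14, 32), window),
        "sms_unproven": len(ledger.unproven("sms-tool", "sms")),
        "whatsapp_unproven": len(ledger.unproven("whatsapp-api", "whatsapp")),
        "failures": ledger.failures,
        "whatsapp_proof": ledger.export_proof(phone, "whatsapp"),
    }
```

With a 15-minute staleness window the 2:30 PM send is blocked, because the SMS tool's last good sync predates the opt-out; the SMS tool appears on the unproven list while WhatsApp, which returned a receipt, does not; and the failure log names the destination and the reason. The staleness window is worth writing into the contract: it is the longest an unsynced opt-out can exist before sends stop.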
3. Mismatched Customer Details

"What if my customer has different email/phone across my tools?"

Scenario: Your CRM holds the customer's phone number. Your email tool holds only an email address. The customer opts out via phone. The DPDP tool updates the CRM, but nothing links that phone number to the email address, so the email tool never learns about it. The email campaign fires.

Result: Violation. The consent withdrawal wasn't propagated to every system that holds that person's data.

What to look for:
  • How do they link phone + email for the same person?
  • Do you get an alert when matching fails?
  • Can they handle 3+ identifiers per person?
Red flags:
  • "We match on email only"
  • Failures happen silently
  • No deduplication logic
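Added example for question 3 (written for this page, not taken from any vendor's product): identifiers that ever appear together in one record (a CRM row, a checkout, a support ticket) are linked in a union-find graph, so a withdrawal received via any one of them yields a suppression list for every tool, and a tool for which no linked identifier exists raises an alert instead of being skipped silently. The normalisation rules, the assumption that a bare 10-digit number is an Indian mobile, and all records and tool names are constructed for illustration.

```python
import re


def normalize(kind: str, value: str) -> str:
    """Canonical form per identifier kind, so 'Ravi@Example.com' and 'ravi@example.com',
    or '98000 00001' and '+91-98000-00001', land on the same node."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        if len(digits) == 10:      # assumption: bare 10-digit numbers are Indian mobiles
            digits = "91" + digits
        return "+" + digits
    return value.strip()


class IdentityGraph:
    """Union-find over (kind, value) identifiers. Two identifiers that appear in the same
    record are treated as belonging to one person; links are transitive across records."""

    def __init__(self) -> None:
        self._parent: dict = {}

    def _node(self, kind: str, value: str) -> tuple:
        key = (kind, normalize(kind, value))
        self._parent.setdefault(key, key)
        return key

    def _find(self, key: tuple) -> tuple:
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path compression
            key = self._parent[key]
        return key

    def add_record(self, record: dict) -> None:
        """Feed one row from any tool: {"phone": ..., "email": ..., "customer_id": ...}."""
        keys = [self._node(k, v) for k, v in record.items() if v]
        for other in keys[1:]:
            root_a, root_b = self._find(keys[0]), self._find(other)
            if root_a != root_b:
                self._parent[root_b] = root_a

    def linked(self, kind: str, value: str) -> set:
        """Every identifier known for the same person as (kind, value); empty if unknown.
        Deliberately does not insert unknown identifiers into the graph."""
        key = (kind, normalize(kind, value))
        if key not in self._parent:
            return set()
        root = self._find(key)
        return {k for k in self._parent if self._find(k) == root}


def plan_suppression(graph: IdentityGraph, kind: str, value: str, tools: dict) -> tuple:
    """tools maps a tool name to the identifier kinds it keys on, e.g. {"email-tool": {"email"}}.
    Returns (identifiers to suppress per tool, alerts for tools where nothing matched).
    A tool with no match is always an alert, never a silent skip."""
    person = graph.linked(kind, value)
    if not person:
        return {}, [f"{kind} {value!r} is not known to any system; manual lookup needed"]
    plan, alerts = {}, []
    for tool, kinds in tools.items():
        matches = sorted(v for k, v in person if k in kinds)
        if matches:
            plan[tool] = matches
        else:
            alerts.append(f"{tool}: no linked {'/'.join(sorted(kinds))} for {kind} {value!r}; "
                          "manual lookup needed")
    return plan, alerts


def demo_identity() -> dict:
    """Constructed data: Ravi has a checkout record tying phone, email and customer id together;
    Priya exists in the CRM and the email tool, but no record links her two identifiers."""
    g = IdentityGraph()
    g.add_record({"phone": "98000 00001"})                                  # CRM row, Ravi
    g.add_record({"email": "Ravi@Example.com"})                             # email tool row, Ravi
    g.add_record({"phone": "+91-98000-00001", "email": "ravi@example.com",
                  "customer_id": "C-1001"})                                 # checkout record, Ravi
    g.add_record({"phone": "98000 00002"})                                  # CRM row, Priya
    g.add_record({"email": "priya@example.com"})                            # email tool row, Priya
    tools = {"crm": {"phone"}, "email-tool": {"email"}, "support-desk": {"customer_id"}}
    return {
        "ravi": plan_suppression(g, "phone", "9800000001", tools),
        "priya": plan_suppression(g, "phone", "+919800000002", tools),
        "unknown": plan_suppression(g, "email", "nobody@example.com", tools),
    }
```

Ravi's phone opt-out resolves to all three tools because the checkout record bridges the identifiers. Priya's resolves only to the CRM, and the email tool and support desk come back as alerts, which is the outcome the page's scenario needs: a human is told that the withdrawal could not be applied everywhere rather than discovering it after the campaign fires.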
4. Who Pays the Fine?

"If your tool fails and I get a DPDP fine, will you cover it?"

Prepare for silence. Most contracts cap liability at the software cost (₹25L). The DPDP fine is up to ₹250 Cr. You cover the difference.

This is not a bug. This is standard SaaS contracting. Every vendor does this.

What to do:
  • Read the liability clause. It's usually on page 40+.
  • Ask for unlimited indemnity (they'll say no, but the answer reveals their confidence).
  • Understand: you are buying a tool, not transferring your legal obligation.
  • Consider: does saving ₹2L by choosing a cheaper vendor matter against ₹250Cr exposure?
5. Catching the Slip-Throughs

"How do I catch the 1% that fails?"

Even with 99% success, a 1% failure rate on 100k customers = 1,000 potential violations. At up to ₹50 Cr per violation, the risk is astronomical. The question isn't "does it work?" — it's "what happens when it doesn't?"

What to look for:
  • Daily reconciliation report
  • Shows mismatches across all tools
  • Exportable for compliance audits
  • Alerts for anomalies
Red flags:
  • "Everything is real-time" (ignores failure)
  • "Trust us, it works"
  • No reconciliation dashboard
  • No export capability
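Added example for question 5 (written for this page, not taken from any vendor's product): a reconciliation run compares the source-of-truth withdrawal set for each channel against the suppression list each tool actually holds, records every mismatch in an exportable CSV, and raises alerts both when the share of withdrawals a tool is not suppressing exceeds a threshold and when a tool's suppression list has shrunk sharply since the previous run (a list that was wiped or reset). The thresholds, identifiers, tool names and yesterday's counts are constructed assumptions.

```python
import csv
import io


def reconcile(ledger: dict, tools: dict, yesterday_counts: dict, run_date: str,
              max_missing_ratio: float = 0.005, max_drop_ratio: float = 0.10) -> dict:
    """ledger: {channel: set of identifiers whose consent is withdrawn} (source of truth).
    tools: {tool_name: (channel, set of identifiers the tool currently suppresses)}.
    yesterday_counts: {tool_name: size of that tool's suppression list at the last run}.
    Thresholds are assumptions: 0.5% unsuppressed withdrawals or a 10% shrink raises an alert."""
    rows, alerts, summary = [], [], {}
    for tool, (channel, suppressed) in tools.items():
        expected = ledger.get(channel, set())
        missing = sorted(expected - suppressed)  # withdrawn, yet the tool would still send
        extra = sorted(suppressed - expected)    # suppressed with no withdrawal on record: investigate
        summary[tool] = {"expected": len(expected), "missing": len(missing), "extra": len(extra)}
        for ident in missing:
            rows.append([run_date, tool, channel, ident, "MISSING_IN_TOOL"])
        for ident in extra:
            rows.append([run_date, tool, channel, ident, "NOT_IN_LEDGER"])
        if expected and len(missing) / len(expected) > max_missing_ratio:
            alerts.append(f"{tool}: {len(missing)} of {len(expected)} withdrawals not suppressed "
                          f"({len(missing) / len(expected):.1%} > {max_missing_ratio:.1%})")
        prev = yesterday_counts.get(tool)
        if prev and len(suppressed) < prev * (1 - max_drop_ratio):
            alerts.append(f"{tool}: suppression list shrank from {prev} to {len(suppressed)}; "
                          "possible reset or data loss")
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["run_date", "tool", "channel", "identifier", "status"])
    writer.writerows(rows)
    return {"summary": summary, "alerts": alerts, "csv": buf.getvalue()}


def demo_reconcile() -> dict:
    """Constructed snapshot: 1,000 SMS withdrawals of which the SMS tool lost 10 and holds
    2 strays; 500 email withdrawals in perfect sync; a WhatsApp tool whose list was wiped."""
    sms = {f"+9198000{n:05d}" for n in range(1000)}
    email = {f"user{n}@example.com" for n in range(500)}
    whatsapp = {f"+9197000{n:05d}" for n in range(800)}
    ledger = {"sms": sms, "email": email, "whatsapp": whatsapp}
    lost = {f"+9198000{n:05d}" for n in range(10)}
    strays = {"+919111100001", "+919111100002"}
    tools = {
        "sms-tool": ("sms", (sms - lost) | strays),
        "email-tool": ("email", set(email)),
        "whatsapp-api": ("whatsapp", set()),
    }
    yesterday = {"sms-tool": 992, "email-tool": 500, "whatsapp-api": 800}
    return reconcile(ledger, tools, yesterday, run_date="2025-01-01")
```

The SMS tool trips the missing-ratio alert at 1%, the WhatsApp tool trips both alerts, and the email tool is silent. The CSV has one row per mismatch, which is the artifact to keep for an audit: it shows not only that a check ran but exactly which identifiers were out of sync on which day.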

How to Use This Checklist

Step 1 Schedule Demo
Step 2 Ask These 5 Questions
Step 3 Get Written Answers
Step 4 Read the Contract
Step 5 Decide on Risk

The Bottom Line: DPDP vendors sell tools, not liability insurance.

Before spending ₹8-15 Lakhs, understand what breaks and who pays. Or hire someone to ask these questions for you.

The Truth

Software ≠ Compliance

DPDP compliance has 3 layers. Software only covers one:

1. Technical Layer ← Software helps here

Consent banners, opt-out syncing, data mapping, cookie management

2. Legal Layer ← Software does NOT cover this

Privacy policies, Data Processor Agreements (DPAs), legal basis documentation, breach notification templates

3. Organizational Layer ← Software does NOT cover this

DPO appointment, staff training, breach response protocol, vendor management, deletion workflows

Translation: A ₹12L software subscription covers maybe 30% of your compliance obligation. The other 70% needs human expertise — legal review, process design, and someone accountable when things break.

Sushant Pasumarty

Founder & CEO, Meridian Bridge Strategy

Sushant has built and sold products in identity verification, cybersecurity, and e-commerce at IDfy, CyberArk, and Cyware. Master's from IE Business School, Computer Science from BITS Pilani.

Want Someone to Ask These Questions For You?

We evaluate DPDP vendors on your behalf. We read the contracts. We ask the hard questions. Free 30-minute clarity call.

Book Free Clarity Call
