CortexData

DPDP Compliance

Last updated: 9 May 2026.

The Digital Personal Data Protection Act, 2023 (DPDP) imposes structured obligations on organisations that process personal data of individuals in India. CortexData is built to make DPDP compliance demonstrable for the lending institutions that deploy our platform.

Our role

For data submitted through this website, CortexData is a Data Fiduciary. For personal data processed through the CortexData platform when deployed at a bank or NBFC, CortexData is a Data Processor acting on behalf of the institution (which is the Data Fiduciary).

Platform features supporting DPDP compliance

  • Consent capture and ledger — every customer consent (KYC, bureau pull, communication preferences, data sharing for co-lending) is captured with a timestamp and the version of the consent text, and is stored in the audit chain.
  • Purpose limitation — data flows are scoped to the consented purpose; cross-purpose use requires re-consent.
  • Data Principal rights — built-in workflows for access, correction, and erasure requests with SLA tracking.
  • Withdrawal of consent — first-class workflow; downstream effects (data flow halt, retention reduction to the legal minimum) propagate automatically.
  • Data retention — retention periods are configurable per data category, with automated purge after the retention horizon.
  • Breach notification — incident-response runbook with notification timelines aligned to DPDP Section 8.
  • Children’s data — special-handling workflow for accounts identified as belonging to minors.
  • Significant Data Fiduciary obligations — DPO appointment workflow, periodic audit, data-protection impact assessment templates.

Grievance redressal

For DPDP-related queries on data processed via this website, contact privacy@cortexdata.ai. For data processed by an institution using CortexData as a platform, please contact the institution directly.