Scoring Methodology
How we assess DPDP 2023 compliance — fully external, no login required, based on what a regulator or customer would see.
How We Check
Consent Management
We interact with your website across multiple states — pre-consent, post-consent, and post-withdrawal — to evaluate consent banner behavior, cookie firing patterns, granular options, and withdrawal mechanisms as a regulator or customer would observe them.
Privacy Notice
Your published privacy policy is analyzed using AI against DPDP Act requirements — checking for required disclosures on data purposes, DPO contact details, cross-border transfer clauses, children's data provisions, and Data Principal rights.
Security Posture
We inspect HTTP response headers on every page load: HSTS enforcement, Content-Security-Policy presence, X-Content-Type-Options, Referrer-Policy, and transport-layer configuration. Gaps here represent direct regulatory exposure under Section 8(f).
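As an added illustration (not the audit tool's own code), the four header checks named above can be scored from a captured response-header mapping. The one-year HSTS threshold and the set of "safe" Referrer-Policy values are assumptions of this example, not thresholds stated on this page.

```python
"""Score the four HTTP security-header checks on one captured response."""
import re
from typing import Callable, Dict, Mapping, Tuple

# Assumed thresholds for this example; the audit's own cut-offs are not published here.
MIN_HSTS_MAX_AGE = 31536000  # one year
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

def _lower(headers: Mapping[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise once.
    return {k.lower(): v for k, v in headers.items()}

def check_hsts(headers: Mapping[str, str]) -> bool:
    # HSTS only counts as enforced with a sufficiently long max-age.
    m = re.search(r"max-age\s*=\s*(\d+)", _lower(headers).get("strict-transport-security", ""), re.I)
    return bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE

def check_csp(headers: Mapping[str, str]) -> bool:
    # Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
    return bool(_lower(headers).get("content-security-policy", "").strip())

def check_nosniff(headers: Mapping[str, str]) -> bool:
    return _lower(headers).get("x-content-type-options", "").strip().lower() == "nosniff"

def check_referrer_policy(headers: Mapping[str, str]) -> bool:
    # Browsers apply the last policy token they understand, so judge the last one listed.
    tokens = [t.strip().lower() for t in _lower(headers).get("referrer-policy", "").split(",") if t.strip()]
    return bool(tokens) and tokens[-1] in SAFE_REFERRER_POLICIES

CHECKS: Dict[str, Callable[[Mapping[str, str]], bool]] = {
    "hsts": check_hsts, "csp": check_csp,
    "nosniff": check_nosniff, "referrer_policy": check_referrer_policy,
}

def score_security_posture(headers: Mapping[str, str]) -> Tuple[Dict[str, bool], int]:
    """Return per-check results and a 0-100 category score (each check weighted equally)."""
    results = {name: fn(headers) for name, fn in CHECKS.items()}
    return results, round(100 * sum(results.values()) / len(results))

# Constructed sample responses for demonstration; not captured from any real site.
WEAK = {"Content-Type": "text/html", "Referrer-Policy": "unsafe-url"}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, score_security_posture(hdrs))
```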
Data Handling
Cross-border transfers are identified via GeoIP analysis of third-party destinations. PII leakage in URLs and payloads, tracker inventories, SDK injection, and Data Principal rights mechanisms are all evaluated and scored here.
Scoring Formula
The overall score (0–100) is a weighted average of four compliance categories:
Consent Management (12 checks): cookie consent banners, pre-consent tracking behavior, and consent withdrawal mechanisms.
Privacy Notice (9 checks): privacy policy completeness, data processing disclosures, and purpose limitation statements.
Security Posture (4 checks): HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) and transport layer configuration.
Data Handling (17 checks): PII field exposure, cross-border data transfers, data retention disclosures, and data subject rights.
Grade Scale
Coverage
Every check maps to a specific obligation under the Digital Personal Data Protection Act, 2023 and the Draft DPDP Rules, 2025. The assessment is structured to reflect what the Data Protection Board and enterprise procurement teams would scrutinise — not a generic checklist, but a section-by-section evaluation of observable compliance posture.
The four compliance categories cover the full data lifecycle: lawful basis and consent collection (Sections 6-7), notice and disclosure obligations (Section 5), security safeguards (Section 8(f)), and data handling practices including cross-border transfers (Section 16), Data Principal rights (Sections 12-13), and third-party processor accountability (Section 8(2)).
All findings are derived exclusively from publicly observable signals — no credentials, no back-channel access, no self-reported inputs. This makes the Complete DPDP Audit independently reproducible and directly comparable across organizations and industries.
Scores are based on publicly observable behavior and do not constitute legal advice or a formal compliance certification. Methodology may evolve as DPDP Act rules are notified. Companies may dispute scores or submit corrections by contacting hello@dpdpscore.in.