Updating your privacy policy does not make you DPDP-compliant. DPDP requires that your operational workflows are redesigned, documented, and evidenced. Manatoko DPDP is an autonomous workflow program that does this work — AI agents execute, wallets eliminate unnecessary data custody, and your team governs the decisions.
Enforcement begins May 2027. DPDP Rules notified November 2025.
The DPDP Act 2023 applies to any organisation that processes digital personal data of Indian residents. The Rules were notified 13 November 2025. Core obligations become enforceable May 2027 — with no grace period on penalties from Day 1.
The Act is consent-led. Consent must be free, specific, informed, and unambiguous — as easy to withdraw as to give. Organisations must have operational processes for data principal rights: access, correction, erasure, nomination.
Section 8(1) imposes absolute fiduciary liability for processor failures — no contractual escape. Penalty ceilings: up to ₹250 crore for security failures, ₹200 crore for breach non-notification or children's data violations, ₹50 crore for other violations.
Conventional DPDP readiness — whether it is a Big Four advisory engagement, a privacy SaaS platform, or an in-house compliance team — starts from the same assumption: your organisation is and will remain a custodian of large quantities of personal data. The task is to manage that data better: inventory it, protect it, obtain consent for it, govern the vendors who touch it, and respond when it is breached.
Manatoko DPDP starts from a different premise. For qualifying workflows, your organisation should not hold that data at all. The data you do not collect is the easiest data to protect. The data nobody holds centrally is the hardest data to breach. And the 72-hour breach response obligation under DPDP becomes simpler when your breach surface is structurally smaller.
When a customer or employee needs to verify their identity, the Manatoko VC component processes their personal data transiently (in memory, for milliseconds) and immediately deletes it. Nothing is retained. Your organisation never holds the raw data.
A verifiable credential is issued to the individual’s own self-custodied wallet: ‘KYC verified,’ ‘training complete,’ ‘role authorised.’ Your organisation holds no copy. The individual holds their own proof.
When your organisation needs to confirm something about that individual in future, it requests a credential presentation from their wallet. It receives a verification result — not the underlying personal data. For this workflow, you have left the data custody chain entirely.
Not every workflow qualifies for data custody elimination. Banks face mandatory KYC retention requirements under RBI that cannot be sidestepped. Employee records, transaction logs, and regulated banking records remain in enterprise custody. The Manatoko DPDP assessment identifies which of your workflows qualify for full elimination, which require partial redesign, and which must remain conventional — with appropriate controls.
The Ingestion Agent processes all submitted documents — policies, vendor contracts, consent notices, SOPs, system inventory. It classifies, indexes, and prepares them for assessment.
The Assessment Agent maps every operational workflow that touches personal data, identifies gaps against DPDP requirements, flags processor risk, and produces a readiness score with regulatory conflict analysis.
The Governance Redesign Agent designs target-state workflows: new consent flows, processor governance structures, role accountability maps, and a remediation roadmap. Every redesign is presented for your team's approval before implementation begins.
The Implementation Orchestration Agent executes the remediation work. Where redesign calls for data custody elimination, the Credential Agent deploys Manatoko VC, issuing verifiable credentials to individual wallets and registering validation events on-chain. No personal data is retained. Output: completed workstreams, evidence artefacts, audit log.
The Evidence and Dossier Agent assembles the executive readiness dossier, evidence pack, readiness scorecard, and self-attestation package. Every output is traceable to source documents with full audit chains.
Complete assessment of every workflow that touches personal data, with gap register and risk mapping.
Visual map of where personal data sits across your organisation — collection, storage, retention, sharing risk by workflow.
Target-state workflows for every high-risk process — consent flows, processor governance, rights handling, breach response.
Regulator-ready documentation: consent records, processor DPAs, remediation evidence, audit trails — all navigable and traceable.
Board-level summary with readiness scorecard, domain assessments, and residual risk register for leadership sign-off.
Defensible, evidence-backed statement of baseline readiness — with referral to DPDP-qualified law firms for legal review.
You face real DPDP obligations but cannot build a traditional compliance office. Agents replace the staff that does not exist. Delivery through your apex cooperative bank, federation, or virtual DPO firm.
You have policies and a partial data inventory. The gap is in workflow evidence — you cannot demonstrate operationalised compliance. Agents identify the gap between documentation and evidence.
Your team exists but the work exceeds its bandwidth. Agents compress weeks of assessment, redesign, and evidence capture into days. Your team governs the decisions.
Agents do the work. Wallets hold the data. Humans make the decisions.
The section above describes what Manatoko DPDP does. The demo below shows it — including the point in the workflow where Manatoko VC is deployed to eliminate data custody for a specific account opening workflow.
If your organisation processes digital personal data of Indian residents, the DPDP Act 2023 applies — regardless of your size or where you are located. This covers banks, NBFCs, cooperative banks, schools, colleges, EdTech platforms, and quick-commerce companies. There is no minimum size threshold.
The DPDP Rules were notified on 13 November 2025. Core compliance obligations become enforceable in mid-May 2027. There is no grace period on penalty powers from Day 1 of enforcement.
Up to ₹250 crore for failure to maintain reasonable security safeguards. Up to ₹200 crore for breach non-notification or children's data violations. Up to ₹50 crore for other violations. Section 8(1) adds absolute fiduciary liability for any processor failure — no contractual escape.
No. A privacy policy is a disclosure document. DPDP compliance requires that your operational workflows are redesigned to meet the Act's requirements — and that you can produce evidence of this to a regulator. A regulator will ask for records of consent obtained, records of rights request handling, and evidence of processor governance. These are workflow outputs, not policy documents.
Manatoko DPDP is a 90-day baseline readiness program for DPDP compliance, executed through autonomous AI agents with human oversight at decision points. Agents assess your current state, redesign your highest-risk workflows, orchestrate implementation, and assemble the evidence your board and regulators will ask for.
It is not a SaaS tool your team operates. It is not a consulting engagement. Agents execute the program. Your team governs the decisions.
Every operational workflow that touches personal data: which workflows collect data and on what legal basis, where data is stored and for how long, which vendors hold personal data and whether they are DPDP-ready, where consent is obtained and whether it meets the Act's standard, and whether processes exist for rights requests and breach notification.
For banks and NBFCs, the assessment specifically identifies where RBI's mandatory KYC retention requirements intersect with DPDP's erasure rights.
The current-state assessment with gap register, the PII custody heatmap, target-state workflow designs approved by your team, documentation of consent flows and their legal basis, processor governance artefacts for each vendor, records of completed remediation, and a residual-risk register.
This is what a regulator or auditor would inspect — designed to be navigable by someone who was not part of the program.
An organisation-issued statement of baseline readiness, supported by the evidence pack. Not a government certification. Not a legal guarantee. A defensible, evidence-backed representation of what your organisation has assessed, redesigned, and implemented. Manatoko DPDP will refer you to DPDP-qualified Indian privacy law firms who can review the self-attestation language before it is used externally.
Weeks 1–4: Agents ingest and classify all submitted documents, map every workflow that touches personal data, audit processor relationships, and produce the readiness score. Your team approves findings before redesign begins.
Weeks 5–11: Agents design target-state workflows, present them for your approval, then orchestrate the remediation work — sequencing tasks, tracking progress, capturing evidence.
Week 12: Agents assemble the executive dossier, evidence pack, readiness scorecard, and self-attestation package. Your leadership reviews and signs off. A Phase 2 planning handoff is produced.
The 90-day program delivers baseline readiness. It is not a promise of full compliance in 90 days. Full compliance by May 2027 requires ongoing Phase 2 and Phase 3 work. The program covers Phase 1 of that journey. Manatoko supports Phase 2 and Phase 3 through renewal engagements, and a Phase 2 planning handoff is produced at Day 90.
Submit documents at the start — policies, vendor contracts, consent notices, SOPs, system inventory. Review and approve assessment findings. Review and approve redesign proposals. Make legal conclusions and risk acceptance decisions. Sign off on the final dossier.
Concentrated human attention is required primarily in weeks 4, 6, and 12. The agents handle everything between those decision points.
Five specialised agents execute the program. Ingestion Agent processes submitted documents. Assessment Agent maps workflows and identifies gaps. Governance Redesign Agent designs target-state workflows. Implementation Orchestration Agent sequences and tracks remediation. Evidence and Dossier Agent assembles final outputs.
Every output is traceable to a source document. Agents log reasoning chains for auditability. Agents do not make legal conclusions — they flag legal questions for your team.
A decision gate is a structured pause where the agent presents its outputs for your team's review. Primary gates: after assessment (your team approves the gap register before redesign begins) and after redesign (your team approves target-state designs before implementation begins).
At each gate your team can approve, request changes, or reject the output. The agent does not proceed without explicit approval.
Manatoko DPDP can be delivered through a channel partner — a virtual DPO firm, an apex cooperative bank, or a compliance federation — that provides the human governance layer. The agents execute the program; the partner provides oversight your institution cannot maintain internally.
For a qualifying workflow — say, account opening KYC — your bank currently collects a customer’s Aadhaar number and PAN, stores them, shares them with a verification processor, and retains the result alongside the raw data. Your organisation is a PII custodian at every step.
After Manatoko VC is deployed for that workflow, the customer’s identity is verified transiently by Manatoko’s Credential Agent — processed in memory, deleted on completion. A verifiable credential is issued to the customer’s own wallet confirming the verification. Your organisation receives a verification result — not the Aadhaar number, not the PAN, not any raw data. For that workflow, you have left the data custody chain entirely.
Manatoko VC is Manatoko’s identity product — separate from Manatoko DPDP. It enables verifiable credentials to be issued to individual self-custodied wallets, with validation events registered on-chain. No personal data is stored by Manatoko. No personal data is stored by the enterprise for credential-enabled workflows.
Within Manatoko DPDP, the Credential Agent deploys Manatoko VC selectively — for the specific workflows the assessment identifies as qualifying for data custody elimination. It is the architectural mechanism that makes the elimination possible.
A verifiable credential containing verified claims — ‘identity verified,’ ‘KYC complete,’ ‘training completed,’ ‘role authorised,’ ‘processor attestation’ — without the underlying raw data. The credential is tamper-proof and can be presented to any organisation that accepts it. The individual controls it. The enterprise requests a presentation; it does not hold a copy.
This is what the manatoko.me demo shows for the university segment: the same architecture applied to academic credentials. Manatoko DPDP applies the same architecture to compliance workflows: KYC re-use, training completion, processor attestation, consent receipts, and role authorisation.
A verification result — ‘KYC verified,’ ‘training complete,’ ‘attestation valid’ — with a timestamp and the credential ID. Not the customer’s Aadhaar number. Not the employee’s personal details. Not the vendor’s raw compliance records.
The on-chain validation record confirms the verification occurred without containing the personal data. For the enterprise, this means no inventory obligation, no retention obligation, no processor governance exposure, and no erasure risk — for that workflow.
The Assessment Agent identifies qualifying workflows during the 90-day program. High-fit categories: customer KYC re-use, employee training completion, role and authority credentials, processor and vendor attestation, notice acknowledgement, consent receipt proofs, and milestone completion proofs.
Workflows that do not qualify: mandatory retention under RBI, CKYC, or AML rules. Core KYC records, transaction logs, and sanctioned-person screening records must remain in enterprise custody under banking regulations. The assessment maps both categories clearly. Hybrid models apply where full elimination is not possible.
DigiLocker is a government-managed document repository — documents are fetched from issuing authorities on demand. The organisation remains in the verification chain. Documents are PDFs or signed XML files, not W3C Verifiable Credentials in the full technical sense. Selective disclosure at the attribute level is not supported.
Manatoko VC issues W3C-compatible verifiable credentials to individual wallets. Verification is cryptographic and can be performed offline without querying any central server. The organisation receives a verified outcome, not a document. The two are complementary — Manatoko DPDP can work alongside DigiLocker for document workflows while deploying VC for identity and compliance workflows.
Yes. Manatoko DPDP is designed for institutions that face real DPDP obligations but cannot build a traditional compliance office. Agents replace the staff that does not exist. Preferred delivery is channel-led: through your apex cooperative bank, federation, or virtual DPO firm.
The Assessment Agent specifically identifies RBI-DPDP conflicts in your workflow map — where mandatory KYC retention intersects with DPDP's erasure rights. The Governance Redesign Agent then designs a workflow-level response that separates legally mandated retention from DPDP-regulated processing, containing the conflict to the narrowest possible surface. This is a structural redesign, not a policy workaround.
Yes. The Assessment Agent will identify what you have done, what is still missing, and where your highest remaining risk is. The 90-day program is calibrated to close those gaps rather than repeating work already done.
No. There is no private certification scheme under the DPDP Act. Manatoko DPDP produces a defensible, evidence-backed baseline readiness position — your organisation's own statement supported by evidence. Not a third-party certification.
First: the 90-day program delivers baseline readiness, not full compliance. Ongoing work is required.
Second: not every workflow can be redesigned away from enterprise data custody. RBI, CKYC, and AML retention requirements constrain certain workflows.
Third: the self-attestation package is only as defensible as the evidence it rests on. Your team's genuine engagement at decision gates determines its legal value.
No. If your organisation is designated a Significant Data Fiduciary, you will be required to appoint a DPO. Manatoko DPDP does not satisfy that requirement. For non-SDF organisations, agents execute the work a DPO team would perform — but they do not hold the legal accountability a DPO would hold.
See the five workflow layers in action — including the point where Manatoko VC is deployed to eliminate data custody for a bank’s account opening workflow. Assessment outputs, governance redesign, credential deployment, evidence pack, self-attestation — step by step.
“DPDP compliance is a workflow problem. Agents solve it.”