Question 1

When does DPDP enforcement begin?

Accepted Answer

DPDP enforcement is phased. The Data Protection Board was constituted on 13 November 2025. The Consent Manager regime activates 13 November 2026. Substantive duties (security safeguards, data principal rights, breach notification, algorithmic diligence) enforce from 13 May 2027.

Question 2

Am I a Data Fiduciary or Significant Data Fiduciary under DPDP?

Accepted Answer

You're a Data Fiduciary if your business determines the purpose and means of processing personal data of Indian residents, regardless of business location. A Significant Data Fiduciary (SDF) is notified by the Central Government based on data volume, sensitivity, and risk to Data Principals. No SDFs notified yet. Banks, healthcare providers, and major internet platforms are widely expected to be first.

Question 3

What does algorithmic risk assessment for SDFs involve?

Accepted Answer

Rule 13(3) requires SDFs to verify that their AI systems (including algorithmic software) are not likely to threaten Data Principal rights. In practice this means demonstrable safeguards against prompt injection and adversarial attacks, data leakage protection, and proof that access, correction, and erasure rights can still be honoured across the AI surface.

Question 4

Is pasting customer data into ChatGPT a DPDP violation?

Accepted Answer

Almost certainly yes. Any AI processing of personal data is subject to DPDP, whether pasted into a prompt, embedded in a RAG index, or sent to an agent. Section 8(5) requires technical safeguards; Section 8(2) extends them to third-party processors. Unmasked PII to an external LLM bypasses both, and the data leaves your perimeter, raising Section 16 cross-border concerns.

Question 5

Does using a foreign LLM count as cross-border transfer under Section 16?

Accepted Answer

Yes, if the prompt contains personal data. Section 16 permits cross-border transfer except to countries on a government-notified negative list. Even where permitted, sector restrictions apply (RBI for banking data, MeitY for sensitive personal data), with auditing obligations that don't apply in-country.

Question 6

How is Mavs AI different from existing privacy or AI security tools?

Accepted Answer

Existing tools fall into three categories. Privacy GRC platforms document collection on paper. AI gateways filter prompts and responses for unsafe content. Privacy vaults tokenize data at rest. None replaces personal data inside a live prompt at runtime. Mavs AI was built for that.

Question 7

Does Mavs AI fulfill the Section 8(5) and Rule 6 technical safeguards requirement?

Accepted Answer

Yes. Rule 6 enumerates the safeguards: masking or encryption, access control, logging and monitoring with one-year retention, continuity, and a cascade to processors. Mavs AI implements each for AI surfaces: synthetic substitution at the prompt boundary, role-based access, immutable per-prompt audit trails, processor cascade. Each safeguard maps to its Rule 6 provision in the DPA.

Question 8

Where and how does Mavs AI deploy?

Accepted Answer

Mavs deploys inside your perimeter, on-premises or in your VPC. Original data and the substitution mapping never leave your environment, meeting Section 16 cross-border obligations by design. Options: proxy-mode integration (no code changes), SDK for embedded use, browser plugin for employee LLM use, and native enterprise AI platform connectors. Most enterprises go live in two to four weeks.

Question 9

Does Mavs AI sign a DPDP-ready Data Processing Agreement?

Accepted Answer

Yes. A standard DPA is available at procurement. It documents Section 8(2) processor safeguards, Rule 7 breach cooperation, sub-processor controls, and confirms Mavs does not train on customer data.

DPDP requirement	SASE AI guardrails	Independent AI guardrails	Mavs AI
Technical safeguards for personal data protection	Redacts data, loses context in prompts.	Masks or tokenizes data, degrades context in prompts.	Synthetic data substitution in prompts for context-rich output.
Safe enterprise AI usage	Blocks sensitive prompts.	Blocks sensitive prompts.	Synthetic data allows prompts to be processed.
Audit evidence per processing event	Generic enterprise logging.	Retention and granularity vary by provider.	Per-entity log linking each personal data element to its substitution. Built for DPDP retention.
Third-party processor scope	LLM provider remains in scope as a processor of personal data.	LLM provider processes only masked data.	LLM provider processes only synthetic data. Out of scope as a processor of personal data.
Algorithmic due diligence	Denial layer, not a safeguard.	Safeguard layer, but loses context.	Safeguard layer. Personal data stays out of model processing.
DPDP-native DPA	GDPR-derived with DPDP addendum.	DPDP coverage.	Indian entity. DPDP-native from day one.

DPDP requirement	Mavs AI	SASE AI guardrails	Independent AI guardrails
Technical safeguards for personal data protection	Synthetic data substitution in prompts for context-rich output.	Redacts data, loses context in prompts.	Masks or tokenizes data, degrades context in prompts.
Safe enterprise AI usage	Synthetic data allows prompts to be processed.	Blocks sensitive prompts.	Blocks sensitive prompts.
Audit evidence per processing event	Per-entity log linking each personal data element to its substitution. Built for DPDP retention.	Generic enterprise logging.	Retention and granularity vary by provider.
Third-party processor scope	LLM provider processes only synthetic data. Out of scope as a processor of personal data.	LLM provider remains in scope as a processor of personal data.	LLM provider processes only masked data.
Algorithmic due diligence	Safeguard layer. Personal data stays out of model processing.	Denial layer, not a safeguard.	Safeguard layer, but loses context.
DPDP-native DPA	Indian entity. DPDP-native from day one.	GDPR-derived with DPDP addendum.	DPDP coverage.

Make Enterprise AI DPDP-Compliant
At the Infrastructure Layer

DPDP doesn't tell you to stop using AI. It tells you to prove you're using it safely. Mavs AI is how you prove it, across every prompt, app,and agent.

DPDP Gives You Five Duties
AI Puts Every One of Them at Risk

01 — Document what you collect and why.

02 — Demonstrate technical safeguards on personal data.

03 — Honour data principal rights.

04 — Respond to breaches inside the clock.

05 — Prove your algorithmic processing is safe.

Traditional Security Tools
Can't See AI-Based Violations

Scenario 1: An employee types into a chat app.

Scenario 2: An agent assembles a prompt from tools.

Three Pillars of the Mavs AI Control Layer for DPDP Compliance

DATA PROTECTION
AT THE PROMPT BOUNDARY

CENTRALISED
ACCESS CONTROL
AND VISIBILITY

PER-PROMPT
AUDIT TRAIL
RETAINED FOR ONE YEAR

DPDP Is About Being Able to Prove Safety

Mavs AI enables you to do that without compromising on AI Quality

Built-In Compliance
for Every AI Surface in Your Enterprise

For Employees

For Agents & Apps

For Governance

Frequently Asked Questions

When does DPDP enforcement begin?

Am I a Data Fiduciary or Significant Data Fiduciary under DPDP?

What does algorithmic risk assessment for SDFs involve?

Is pasting customer data into ChatGPT a DPDP violation?

Does using a foreign LLM count as cross-border transfer under Section 16?

How is Mavs AI different from existing privacy or AI security tools?

Does Mavs AI fulfill the Section 8(5) and Rule 6 technical safeguards requirement?

Where and how does Mavs AI deploy?

Does Mavs AI sign a DPDP-ready Data Processing Agreement?

RIDE WITH US!

Make Enterprise AI DPDP-CompliantAt the Infrastructure Layer

DPDP doesn't tell you to stop using AI. It tells you to prove you're using it safely. Mavs AI is how you prove it, across every prompt, app,and agent.

DPDP Gives You Five DutiesAI Puts Every One of Them at Risk

01 — Document what you collect and why.₹50 cr max penalty

01 — Document what you collect and why.

02 — Demonstrate technical safeguards on personal data.₹250 cr max penalty

02 — Demonstrate technical safeguards on personal data.

03 — Honour data principal rights.₹50 cr max penalty

03 — Honour data principal rights.

04 — Respond to breaches inside the clock.₹200 cr max penalty

04 — Respond to breaches inside the clock.

05 — Prove your algorithmic processing is safe.₹150 cr max penalty

05 — Prove your algorithmic processing is safe.

Traditional Security ToolsCan't See AI-Based Violations

Scenario 1: An employee types into a chat app.

Scenario 2: An agent assembles a prompt from tools.

Three Pillars of the Mavs AI Control Layer for DPDP Compliance

DATA PROTECTIONAT THE PROMPT BOUNDARY

CENTRALISEDACCESS CONTROLAND VISIBILITY

PER-PROMPTAUDIT TRAILRETAINED FOR ONE YEAR

DPDP Is About Being Able to Prove Safety

Mavs AI enables you to do that without compromising on AI Quality

Built-In Compliancefor Every AI Surface in Your Enterprise

For Employees

For Agents & Apps

For Governance

Frequently Asked Questions

When does DPDP enforcement begin?

Am I a Data Fiduciary or Significant Data Fiduciary under DPDP?

What does algorithmic risk assessment for SDFs involve?

Is pasting customer data into ChatGPT a DPDP violation?

Does using a foreign LLM count as cross-border transfer under Section 16?

How is Mavs AI different from existing privacy or AI security tools?

Does Mavs AI fulfill the Section 8(5) and Rule 6 technical safeguards requirement?

Where and how does Mavs AI deploy?

Does Mavs AI sign a DPDP-ready Data Processing Agreement?

RIDE WITH US!

Make Enterprise AI DPDP-Compliant
At the Infrastructure Layer

DPDP Gives You Five Duties
AI Puts Every One of Them at Risk

Traditional Security Tools
Can't See AI-Based Violations

DATA PROTECTION
AT THE PROMPT BOUNDARY

CENTRALISED
ACCESS CONTROL
AND VISIBILITY

PER-PROMPT
AUDIT TRAIL
RETAINED FOR ONE YEAR

Built-In Compliance
for Every AI Surface in Your Enterprise