Free Tool — No Signup Required

DPDPA Penalty Checker — Know Your Fine Exposure Before the Regulator Does

India's only penalty checker with browser-side forensic log analysis. Built on LEAP v2 — the same engine built during India's Gurugram Cyber Police internship programme.

Takes 5 minutes · No data leaves your device · Powered by LEAP v2
🇮🇳 Built for DPDPA 2023

DPDPA 2023 penalties are not theoretical

₹250 Cr: Security safeguard failures (Sec 8.5) or unauthorised cross-border transfer (Sec 16)
₹200 Cr: Breach notification failure (Sec 8.6) or children's data violation (Sec 9)
₹150 Cr: SDF non-compliance (Sec 10) or data retention violations (Sec 8.7)
₹50 Cr: Consent failures, missing RoPA, rights mechanism absent
Stacked: Multiple violations = multiple penalty instances. No cumulative cap in the Act.

Who faces DPDPA penalty exposure

Fintech

Aadhaar/UPI data in logs, cross-border payment APIs, KYC processors — multiple ₹250 Cr triggers.

Healthtech

Patient records, sensitive personal data, ABDM integration — Sec 8.5 primary risk.

EdTech

Student PII + children's data — Sec 9 adds ₹200 Cr on top of standard exposure.

E-commerce

Purchase history, consent trails, vendor data sharing — cross-border transfer risk if using foreign cloud.

This checker uses forensic analysis, not guesswork

LEAP v2 scans system application logs forensically in the browser, without sending data to any external server. It runs entirely inside a local Web Worker and was built on lessons from the Delhi NCR cybersecurity initiatives.


Built by Kryptasys — India's Sovereign Cyber Institution

DPDP Shield
DPDPA 2023 compliance automation for Indian SMBs. 58-point gap assessment, Consent SDK, Data Principal Rights Portal, and SHA-256 Audit Logs.
From ₹5,999/year
LEAP v2
Browser-side forensic PII detection. Finds unmasked Aadhaar references, UPI data, and potential breach patterns in logs without sending data to any server.
Local Scanning Engine

Frequently asked questions about DPDPA penalties

Got questions about DPDPA penalty structures, voluntary undertakings, or forensic scans? We have answers.

What is the maximum penalty under DPDPA 2023?
Under Schedule 1 of the DPDPA 2023, the maximum penalty for a single breach is ₹250 Crore, specifically for failure to prevent a personal data breach or implement security safeguards (Section 8.5). If multiple independent violations occur, the Board can assess penalties for each instance without any cumulative cap. This makes systemic compliance gaps an existential financial threat.
When does DPDPA enforcement begin?
The DPDPA was enacted in August 2023. The rules were notified in November 2025, setting a clear enforcement deadline for May 13, 2027. The Data Protection Board of India (DPBI) will begin actively auditing and penalizing gaps after this transition period. Startups and enterprise fiduciaries must ensure their consent history and log safeguards are completed before this date.
Who qualifies as a Significant Data Fiduciary?
Under Section 10 of the Act, the Central Government may designate any Data Fiduciary as a Significant Data Fiduciary (SDF) based on factors such as the volume of personal data processed, risk to electoral democracy, public order, or sovereign security. SDFs face additional compliance burdens, including mandatory independent audits and appointing an India-based Data Protection Officer (DPO). Fines for SDF non-compliance reach up to ₹150 Crore.
What triggers the ₹250 Cr cross-border transfer penalty?
Section 16 of the Act restricts the transfer of personal data outside India to countries blacklisted or not notified by the Central Government. Failure to comply with these restrictions or transferring sensitive PII through unapproved transit nodes triggers a maximum penalty of ₹250 Crore under Schedule 1. Entities using global cloud services must audit data residency flows strictly to prevent silent transfers.
What is a voluntary undertaking under Section 32 and can it reduce penalties?
Under Section 32, a Data Fiduciary can submit a voluntary undertaking to the Data Protection Board committing to remedy compliance gaps and notify affected users. The Board has the power to accept this undertaking, which can halt penalty proceedings or significantly reduce the overall fine exposure. This is a critical legal mechanism for mitigating penalties when breaches are self-identified and reported.
Does DPDPA apply to startups and SMBs?
Yes, the DPDPA applies to all entities processing digital personal data within India, regardless of company size. While the government may notify exemptions for certain small startups regarding retention or notice obligations, standard startups and SMBs processing consumer or employee PII are fully subject to the compliance obligations. Failing to protect customer data will result in standard fines starting from ₹50 Crore.
What is a Data Principal Rights Portal and is it mandatory?
Under Sections 12, 13, and 14, Data Principals have rights to access, correct, erase their data, and register grievances. Data Fiduciaries must provide a readily accessible mechanism for these rights, making a dedicated portal a practical necessity to avoid penalty exposure. If a customer cannot register a query or withdraw consent easily, the fiduciary faces fines up to ₹50 Crore under Schedule 1.
How does LEAP v2 detect DPDPA violations in log files?
LEAP v2 is a local forensic analyzer that parses web application log lines. It checks for exposed PII patterns such as unmasked Aadhaar numbers, plain UPI IDs and credentials, as well as abnormal authentication status rates that point to brute forcing, and maps each match to specific DPDPA Section 8.5 risks. Because it runs entirely inside your local browser sandbox, no data is transmitted, which makes it a secure choice for developers and auditors alike.
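
The kind of check described above can be sketched as follows. This is an added example, not LEAP v2's code: it flags Aadhaar-shaped numbers that pass the Verhoeff checksum Aadhaar uses, UPI-style IDs, and repeated failed logins per client. The log line format, the regular expressions, the `/login` path and the threshold of 3 are all assumptions, and the sample log is constructed.

```javascript
// Verhoeff tables: D is the dihedral-group multiplication, P the position permutation.
const D = "0123456789 1234067895 2340178956 3401289567 4012395678 5987604321 6598710432 7659821043 8765932104 9876543210".split(" ");
const P = "0123456789 1576283094 5803796142 8916043527 9453126870 4286573901 2793806415 7046913258".split(" ");

// True when a digit string ends in a correct Verhoeff check digit.
function verhoeffValid(digits) {
  let c = 0;
  [...digits].reverse().forEach((ch, i) => {
    c = Number(D[c][Number(P[i % 8][Number(ch)])]);
  });
  return c === 0;
}

// 12 digits, optionally grouped 4-4-4, first digit 2-9 (assumed Aadhaar shape).
const AADHAAR = /(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)/g;
// handle@psp with no dotted domain after it, so e-mail addresses are skipped.
const UPI = /\b[\w.-]{2,}@[a-zA-Z]{3,}\b(?!\.)/g;

// Assumed line format: "<timestamp> <ip> <method> <path> <status> <details>".
function scanLog(text, failThreshold = 3) {
  const findings = [], fails = new Map();
  text.split("\n").forEach((line, idx) => {
    // Record only line number and type; never copy the matched value.
    for (const m of line.match(AADHAAR) || []) {
      if (verhoeffValid(m.replace(/\D/g, ""))) findings.push({ line: idx + 1, type: "aadhaar" });
    }
    for (const _ of line.match(UPI) || []) findings.push({ line: idx + 1, type: "upi" });
    const [, ip, , path, status] = line.split(" ");
    if (path === "/login" && status === "401") fails.set(ip, (fails.get(ip) || 0) + 1);
  });
  for (const [ip, count] of fails) {
    if (count >= failThreshold) findings.push({ line: null, type: "auth-failures", ip, count });
  }
  return findings;
}

// Constructed sample log; the Aadhaar-shaped value is a dummy that passes the checksum.
const SAMPLE_LOG = [
  "2025-01-10T10:00:01Z 203.0.113.7 POST /login 401 user=alice",
  "2025-01-10T10:00:02Z 203.0.113.7 POST /login 401 user=alice",
  "2025-01-10T10:00:03Z 203.0.113.7 POST /login 401 user=alice",
  "2025-01-10T10:00:09Z 198.51.100.4 POST /kyc 200 aadhaar=9999 9999 9999",
  "2025-01-10T10:00:12Z 198.51.100.4 POST /kyc 200 aadhaar=XXXX XXXX 9999 order=999999999998",
  "2025-01-10T10:00:15Z 198.51.100.4 POST /pay 200 vpa=demo.user@examplepsp email=demo@example.com",
].join("\n");

// Inside a Web Worker, scan whatever text the page posts and reply with the findings.
if (typeof importScripts === "function") self.onmessage = (e) => self.postMessage(scanLog(e.data));
```

The checksum step is what keeps 12-digit order IDs and the masked value on line 5 out of the findings, and the findings carry only line numbers and types so the report itself does not become a second copy of the PII.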