DPDP Compliance

Built for India's DPDP Act 2023.

India's Digital Personal Data Protection Act 2023 (DPDP Act) establishes obligations for organisations that process personal data. NeuDocIQ is designed to help you meet those obligations — not add to your compliance burden.

The DPDP Act

What the law requires

The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) is India's primary legislation governing the processing of digital personal data. It came into force in August 2023 and applies to any organisation that processes personal data of individuals in India.

The Act establishes two primary roles: Data Fiduciary (the organisation that determines the purpose and means of processing) and Data Processor (an entity that processes personal data on behalf of a Data Fiduciary).

When you use NeuDocIQ to process documents that contain personal data — for example, insurance claim forms, KYC packets, or citizen applications — your organisation acts as the Data Fiduciary. NeuDayAI acts as your Data Processor, operating under your instructions.

Our role: Data Processor — we process under your instructions
Your role: Data Fiduciary — you determine the purpose
Data residency: India (AWS Mumbai) for all cloud processing
DPA available: Yes — Data Processing Agreement on request
Grievance Officer: privacy@neudayai.com · 30-day SLA
Act reference: DPDP Act 2023 (Act No. 22 of 2023)

How we comply

Designed around DPDP principles

NeuDocIQ is built to support the core obligations of the DPDP Act across every deployment.

Lawful processing

NeuDocIQ processes personal data only when directed by you as the Data Fiduciary, on the basis of a lawful purpose as defined by the DPDP Act. We process data as a Data Processor — not as a Data Fiduciary in relation to your customers.

Purpose limitation

We process Customer Data exclusively to deliver the document intelligence services you have configured. We never use your data for advertising, model training, or any purpose outside of service delivery.

Data minimisation

We retain only what is necessary to provide the Service. Document files are not persisted after processing unless you explicitly enable storage. Logs retain metadata, not document content.

Data accuracy

NeuDocIQ's verification engine flags low-confidence extractions for human review, helping your team maintain accurate records in your systems of record.

Storage limitation

Configurable retention policies let you define how long extracted data is stored on our platform. Documents without storage enabled are deleted within minutes of processing completion.

Security by default

AES-256 encryption at rest, TLS 1.3 in transit, RBAC, SSO/SAML, and immutable audit trails are available on all plans — not reserved for enterprise tiers.

Data Principal rights

Enabling rights fulfilment

The DPDP Act grants Data Principals (individuals) specific rights. NeuDocIQ provides the tools you need to fulfil these rights for your customers.

Right to access

Your customers can request a summary of their personal data you hold. NeuDocIQ's API lets you retrieve and export all extracted data for any individual on demand.

Right to correction

You can correct any stored extracted data through the API or Studio. We provide audit-trail entries for all corrections.

Right to erasure

The delete API allows you to erase all stored data for a specific document or individual. Deletion is irreversible and confirmed within 24 hours.

Right to grievance redressal

NeuDayAI has a designated Grievance Officer reachable at privacy@neudayai.com with a 30-day resolution commitment.

Right to withdraw consent

Where your processing relies on consent, you can configure NeuDocIQ to halt further processing for an individual by flagging their documents in the pipeline.

Data Processing Agreement

Formalise the relationship

A Data Processing Agreement (DPA) between NeuDayAI and your organisation formalises the Data Processor obligations required by the DPDP Act. Our standard DPA covers:

  • Subject matter, duration, and nature of processing
  • Categories of personal data and Data Principals
  • Obligations and rights of the Data Fiduciary
  • Processor obligations including security, audit rights
  • Sub-processor list and change notification
  • Data deletion procedures on contract termination
  • Incident notification timelines (72 hours)

For enterprise customers

Enterprise plans include a standard DPA. Custom DPAs are available for large government and regulated-sector deployments. Contact us to begin the process.

Request a DPA

Grievance mechanism

Our designated Grievance Officer handles all DPDP-related enquiries. We aim to acknowledge within 3 business days and resolve within 30 days.

privacy@neudayai.com