CompliSeal User Guide: How to Use Every Feature

Product Overview

CompliSeal is a compliance management platform built for the Digital Personal Data Protection Act 2023 (DPDP Act) and DPDP Rules 2025. It helps Indian businesses and foreign companies serving Indian users to assess, document, and maintain data protection compliance without requiring a dedicated legal team.

Platform Workflow

CompliSeal is designed to be used in four stages. Each stage has dedicated tools.

Stage 1

Assess

Run the Compliance Scanner to find gaps in your website

→

Stage 2

Document

Generate policies, consent notices, and DPIA reports

→

Stage 3

Operate

Manage DSARs, consent records, breach incidents, and vendor checks

→

Stage 4

Monitor

Track deadlines in the Calendar and review the Audit Log

Feature Summary

Compliance Scanner

Automated check of your website against 13 DPDP requirements. Produces a score and a list of gaps.

Free

Fix-It Checklist

Prioritised, actionable list of changes based on your scan results.

Free

Privacy Policy Generator

Generates a DPDP-compliant privacy policy pre-filled with your organisation details.

Pro

Consent Banner SDK

JavaScript snippet for consent collection with per-purpose toggles and a SHA-256 audit log.

Pro

DSAR Workflow

Public intake form for data rights requests with status tracking and audit trail.

Pro

Breach Response

Incident logging, 72-hour countdown, and pre-drafted Board and principal notifications.

Pro

DPIA

Guided Data Protection Impact Assessment with risk scoring and recommendations.

Pro

Compliance Calendar

Task manager for DPDP deadlines, pre-loaded with recurring compliance obligations.

Free

Vendor Assessments

Send DPDP compliance questionnaires to third-party processors and review their responses.

Pro

RoPA

Record of Processing Activities to document all data collection and sharing arrangements.

Pro

Recommended starting point

Run the Compliance Scanner first. It takes under two minutes and produces a scored gap list. Every other feature on the platform addresses one or more items on that list.

First Steps

Creating Your Account

Go to compliseal.cogenz.in/signup Enter your business email address. CompliSeal requires a business email because your compliance scan is scoped to the domain your email belongs to. Personal email providers (Gmail, Yahoo, Outlook, and similar) are not accepted.
Confirm your email Click the verification link sent to your inbox. The link is valid for 24 hours. Check your spam folder if you do not see it.
Complete your organisation profile Go to Org Settings and enter your organisation name, sector, Grievance Officer name, and Grievance Officer email. This information populates all generated documents. Do this before generating any policies or notices.

Recommended Setup Sequence

For most businesses, the fastest path to baseline DPDP compliance is:

Step 1

Run a Scan

Identify what is missing on your website

→

Step 2

Generate Policy

Publish a DPDP-compliant privacy policy to your site

→

Step 3

Install SDK

Add the consent banner to your website

→

Step 4

Set Up DSAR

Share the public request form link with your users

→

Step 5

Re-scan

Confirm your compliance score improved after changes

Note

The scanner checks your publicly accessible website. If your site is behind a login, in staging, or has geolocation restrictions, results may not be complete. Make sure the URL you scan is your live, public-facing domain.

Free vs Pro

CompliSeal has two plans. The Free plan lets you assess your compliance position and begin addressing the most basic gaps. The Pro plan unlocks the full compliance toolkit including policy generation, consent management, data rights handling, breach response, and governance tools.

Feature	Free No cost	Pro Paid plan
Compliance scans	3 total	✓ Unlimited
Compliance report and score	✓	✓
Fix-It Checklist	✓	✓
Compliance Questionnaire	✓	✓
Compliance Calendar	✓	✓
Consent Analytics	✓	✓
Audit Log	✓	✓
PDF report download	✗	✓
Privacy Policy Generator	✗	✓
Consent Banner SDK	✗	✓
Consent Withdrawals dashboard	✗	✓
DSAR Request Dashboard	✗	✓
Breach Response	✗	✓
DPIA (Impact Assessment)	✗	✓
Record of Processing (RoPA)	✗	✓
Vendor Assessments	✗	✓
Children's Data compliance tools	✗	✓

To upgrade, go to the Dashboard and click Upgrade to Pro, or click the lock icon next to any Pro feature in the sidebar. Payment is processed via Razorpay.

Compliance Scanner

The Compliance Scanner is the starting point for all compliance work on CompliSeal. It fetches and analyses your publicly accessible website and checks it against 13 DPDP Act requirements.

How the Scanner Works

Input

You enter a URL

Your domain is pre-filled from your account email

→

Fetch

Page content retrieved

The scanner reads your publicly accessible pages

→

Check

13 checkpoints evaluated

Each check returns Pass, Fail, or Requires Verification

→

Score

Score out of 100

Weighted by the severity of each checkpoint under the Act

The 13 Checkpoints

Verified Automatically

Privacy Policy present: Is a privacy policy page accessible on your site?
Purpose of processing stated: Does the policy explain why data is collected?
Data Principal rights mentioned: Are user rights (access, correction, erasure) described?
Grievance Officer published: Is a named Grievance Officer listed with contact details?
Retention period stated: Does the policy say how long data is kept?
Multilingual consent: Are consent notices available in Indian scheduled languages?
Consent withdrawal mechanism: Is there a clear way for users to withdraw consent?
Preference centre: Can users manage individual consent categories?
Plain language policy: Is the privacy policy written for a general audience, not a legal audience?

Requires Live Browser Verification

Cookie consent banner: Does a banner appear before cookies are set?
Cookie categorisation: Are cookies separated into necessary, analytics, and marketing?
Tracking blocked before consent: Are third-party scripts held until the user accepts?
Consent logging: Is each consent event recorded with a timestamp?

About "Requires Verification" checks

Four checkpoints require a live browser to test correctly because they depend on JavaScript behaviour at page load. These are marked "Unverified" in your report and carry partial credit. Install the Consent Banner SDK to satisfy all four automatically.

Running a Scan

Navigate to Compliance Scanner Your registered domain is pre-filled. You can change it to any URL on your domain.
Select your business sector This tailors recommendations to your industry (for example, health data handling requirements or FinTech consent rules).
Click Scan Now A progress indicator shows which checks are running. The scan typically completes in 30 to 90 seconds depending on your website's response time.
View your results Results appear immediately and are also saved to your Scan History so you can track changes over time.

Scan Limits

Free plan3 scans total (lifetime)

Pro planUnlimited scans

When to re-scan

After making changes to your website, allow 24 to 48 hours before re-scanning. The scanner reads your live public pages; changes to your privacy policy, footer links, or consent banner need time to be fully accessible at the URL being checked.

Scan Report

The Report page shows your compliance score, a plain-language verdict, and a full breakdown of each of the 13 checkpoints. Click any checkpoint to expand it and see the specific finding and evidence the scanner used.

Score Bands

70 to 100Fully compliant. All major checkpoints are met.

40 to 69Mostly compliant. Some gaps need attention before enforcement begins.

0 to 39Needs attention. Material DPDP requirements are missing.

Score Delta

If you have previously scanned the same domain, the report shows how your score changed compared to the last scan. Improvements appear in green; regressions in red. Use this to verify that the changes you made to your website had the expected effect.

PDF Export

Pro users can download a formatted PDF of the report by clicking Download PDF. The PDF is suitable for sharing with your leadership team, auditors, or investors who need to see evidence of compliance activity.

Scan History

All previous scans are saved under Scan History in the sidebar. You can open any past report to see the score and findings at that point in time.

Fix-It Checklist

The Fix-It Checklist translates your scan results into a prioritised list of specific changes you need to make. Each item explains what the scanner found, what needs to change, and why it matters under the DPDP Act.

How to Use It

Open from the Report page Click View Fix-It Checklist after a scan completes.
Work through items in priority order Items are sorted by impact. Critical items (tied to high regulatory penalty exposure) appear first.
Mark items complete Tick each item as you address it. Your progress is saved. If a new scan detects the issue is still present, the item resets.
Re-scan to verify After making changes, run a new scan to confirm the issues have been resolved and your score has improved.

Highest-impact fixes

For most Indian businesses, three changes produce the largest score improvement: publishing a named Grievance Officer with a contact email, adding a consent notice before data collection forms, and updating the privacy policy to include data retention periods. These three items typically increase a score by 20 to 30 points.

Privacy Policy Generator Pro

The Policy Generator produces a DPDP Act 2023-compliant privacy policy for your business. It uses your organisation details from Org Settings and your scan findings to pre-fill the policy. The result covers all mandatory disclosures required under the Act.

What the Generated Policy Covers

Categories of personal data collected
Purposes of data processing
Data retention periods
Third-party processors and data sharing arrangements
Data Principal rights: access, correction, erasure, and nomination
Grievance Officer name and contact details
Consent withdrawal mechanism
Breach notification commitment
Children's data handling (if applicable)

Generating a Policy

Go to Policy Generator From the sidebar. If Org Settings are incomplete, you will be prompted to fill them in first.
Review the pre-filled details The form uses your business name, sector, and Grievance Officer details from Org Settings. Update anything that is incorrect before generating.
Click Generate Policy The policy is generated in 15 to 30 seconds and appears in an editable text area below.
Review and edit Read through the policy. Adjust any section that does not accurately reflect your specific data practices, and add any details the generator could not infer.
Publish to your website Paste the policy as a new page, typically at yoursite.com/privacy. Link to it from your footer and all data collection forms.

Important

The generated policy is a template based on the information you provide. Review it carefully before publishing. For complex data processing arrangements, international data transfers, or sensitive data categories (health, financial, or children's data), consult a qualified legal professional to review and supplement the generated text.

Consent Banner SDK Pro

The Consent Banner SDK is a lightweight JavaScript file that adds a DPDP-compliant consent banner to your website. Once installed, it handles consent collection, per-purpose granularity, and audit logging automatically. It also blocks third-party scripts until the user gives consent, which is a direct DPDP requirement.

What the SDK Does

Shows a consent banner on first visit, before any non-essential scripts run
Provides per-purpose toggles: Necessary, Analytics, Marketing, and Preferences
Stores each consent record with a SHA-256 hash for tamper-evident audit purposes
Provides a preference link so users can update or revoke consent at any time
Logs all consent and withdrawal events with timestamps for the audit trail
Works on any website regardless of framework or platform

Installation

Go to Consent SDK in the sidebar Your unique site key and ready-to-use snippet are shown on this page.
Copy your snippet Click Copy Snippet. Each account has a unique data-key that ties consent records to your CompliSeal account.
Paste into your website's <head> The snippet must be the first script tag inside <head>, before any analytics or tracking scripts. If it loads after other scripts, those scripts may fire before consent is checked.
Verify in an incognito window Open your website in a private browser session. The banner should appear immediately. Accept or decline, then reload the page. Your choice should be remembered and the banner should not reappear.

<!-- Paste as the first script inside <head> -->
<script
  src="https://compliseal.cogenz.in/consent-sdk.js"
  data-key="YOUR_SITE_KEY"
  defer
></script>

No dependencies

The SDK is a plain JavaScript file with no external dependencies. It works with React, Next.js, Vue, plain HTML, WordPress, Webflow, and any other technology. Your unique data-key is shown on the Consent SDK page in the app.

Consent Analytics

Consent Analytics shows aggregated statistics about how visitors are interacting with your consent banner. This data comes from events logged by the Consent Banner SDK.

What You Can See

Total consent events (accepts, declines, and partial consents) over a selected time window
Acceptance rate broken down by purpose (Analytics, Marketing, Preferences)
Consent withdrawal count and trend over time
Event breakdown by browser and device type

Exporting Data

Click Export to download a CSV of all consent events. This is useful for providing evidence to auditors, and for responding to requests where you need to produce the consent record for a specific user.

Data requirement

Consent Analytics only shows data if the Consent Banner SDK is installed on your website. The SDK is a Pro feature. The Analytics page is accessible on the Free plan but will show no data until the SDK is active.

Consent Withdrawals Pro

Under the DPDP Act, users must be able to withdraw consent as easily as they gave it. This page shows all withdrawal requests submitted through the preference centre on your consent banner. Each entry shows the user's identifier, the purposes they withdrew consent for, and the timestamp.

Processing a Withdrawal

Review the withdrawal Check which consent purposes were withdrawn. A full withdrawal means all non-essential processing must stop. A partial withdrawal (for example, marketing only) requires you to remove the user from those specific processing activities.
Stop processing for withdrawn purposes Remove the user from relevant marketing lists, analytics audiences, or personalisation pipelines. This must happen promptly.
Notify downstream processors if required If you have shared this user's data with third-party processors and your Data Processing Agreements require it, inform those processors of the withdrawal.

Withdrawal vs Erasure

Withdrawing consent stops future processing but does not automatically delete existing data. If the user also wants their data deleted, they must submit a separate erasure request through the DSAR form. These are two distinct rights under the DPDP Act.

DSAR Requests Pro

The DPDP Act gives Indian residents the right to access, correct, erase, or nominate a successor for their personal data. CompliSeal provides a public intake form for these requests and a dashboard to manage and track them through to resolution.

Request Types

Access: The user wants a summary of what personal data you hold about them
Correction: The user wants inaccurate data updated
Erasure: The user wants their data deleted
Nomination: The user wants to designate a successor to exercise their rights after death

Setting Up Your Public Form

Go to DSAR Requests Your unique public form URL is shown at the top of the page. It looks like: compliseal.cogenz.in/dsar?for=YOUR_USER_ID
Add the link to your website Place this link in your Privacy Policy, your Contact or Support page, and your cookie banner's preference centre. Users click this link to submit requests to you.
Test the form Open the link in an incognito browser window and submit a test request to confirm it is working and appears correctly in your dashboard.

Request Handling Workflow

Day 0 — Request received

New request appears in dashboard

The request is timestamped and a default 7-day resolution deadline is set. You receive a notification.

Within 48 hours — Acknowledge

Set status to "In Review"

Update the request status and add an acknowledgement note. This records that you have received the request and are acting on it.

Days 1 to 7 — Fulfil the request

Complete the required action

Retrieve, correct, or delete data as required. For Access requests, prepare a summary of data held. For Erasure, delete from all systems including processors.

Day 7 — Resolution deadline

Mark as Fulfilled or Rejected

Set the final status. For rejections, enter the reason. Every status change is permanently recorded in the request's audit trail.

Penalty exposure

Failure to respond to a data rights request is subject to penalties under the DPDP Act. Monitor the dashboard regularly and do not allow requests to pass the 7-day default deadline without a status update.

Breach Response Pro

Under the DPDP Act and DPDP Rules 2025, you must notify the Data Protection Board and affected Data Principals promptly following a significant personal data breach. CompliSeal helps you document the incident, draft required notifications, and track the notification deadlines.

What Counts as a Breach

Any incident resulting in unauthorised access to, accidental disclosure of, alteration of, or loss of personal data that is likely to cause harm to the affected individuals. This includes ransomware attacks, accidental data exposures, insider threats, and system compromises involving personal data.

Breach Response Timeline

Hour 0 — Discovery

Log the incident in CompliSeal immediately

Go to Breach Response and click Report Incident. Enter the incident name, breach type, severity, date and time discovered, data categories affected, and estimated number of principals affected. The 72-hour countdown begins from the discovery date and time you enter.

Hours 0 to 72 — Board notification

Notify the Data Protection Board

Click Draft Board Notification. A pre-drafted notification is generated using your incident details, covering the nature of the breach, data affected, number of principals, and remedial steps taken. Edit it, then submit through the official DPB portal. Once sent, click Mark as Sent to Board and optionally record the Board's reference number. This action is timestamped in the audit trail.

After 72 hours — Overdue

Board notification deadline passed

The incident is flagged as overdue in the dashboard. Notify the Board immediately and document the delay in your incident record.

After Board notification — Principal notification

Notify affected Data Principals

Click Draft Principal Notification. A plain-language notification is generated for the affected users explaining what happened. Select your delivery method (email, SMS, in-app, or postal) and mark as sent.

Penalty exposure estimate

When you log an incident, CompliSeal shows an estimated regulatory penalty range based on the severity and scale you enter. This figure is drawn from the DPDP Act's penalty schedule and is a reference guide only. The actual penalty is determined by the Data Protection Board based on the specific circumstances.

Incident Audit Timeline

Every action on an incident record (creation, Board notification, principal notification, status changes) is stored in the Audit Timeline on the incident detail page. This provides a complete, timestamped record of your response that you can present as evidence to the Data Protection Board if required.

Data Protection Impact Assessment (DPIA) Pro

A DPIA is a structured assessment of the privacy risks associated with a specific data processing activity. Significant Data Fiduciaries are required to conduct DPIAs periodically under the DPDP Act. For other businesses, a DPIA is good practice before launching any high-risk processing activity, such as large-scale profiling, processing sensitive personal data, or new data sharing arrangements with third parties.

DPIA Workflow

1

Create

Name the assessment and describe the processing activity

→

2

Answer

Complete all sections covering data scope, consent basis, security, and governance

→

3

Score

Risk score (0 to 100) and recommendations are generated on completion

→

4

Export

Download as a formatted PDF for your DPO, board, or regulators

Assessment Sections

The DPIA covers seven sections:

Data scope and sensitivity
Consent and lawful basis for processing
Data minimisation and proportionality
Security controls in place
Data sharing and international transfers
Data Principal rights mechanisms
Organisational governance and oversight

Each section contains questions answered on a Yes/No or 1 to 5 scale. You can save a partial draft at any time and return to it later from the DPIA list page.

Risk Levels

Low (0 to 25)Minimal privacy risk. Proceed with standard controls.

Medium (26 to 50)Moderate risk. Address the listed recommendations before proceeding.

High (51 to 75)Significant risk. Implement all recommendations. Consider DPO review.

Critical (76 to 100)High risk. Do not proceed without addressing every critical recommendation.

Compliance Calendar

The Compliance Calendar is a task management tool for DPDP compliance deadlines and recurring obligations. It comes pre-loaded with common annual and quarterly compliance tasks and allows you to add your own.

Pre-loaded Tasks

Quarterly privacy policy review
Annual DPIA review for existing high-risk processing activities
Vendor Data Processing Agreement renewal reminders
Consent banner copy review (required when your stated processing purposes change)
Grievance Officer disclosure update check

Adding a Task

Click Add Task Enter the task title, description, due date, and priority level: Low, Medium, High, or Critical.
Assign a compliance category Categories map to DPDP compliance areas: Consent, Data Rights, Security, Documentation, Vendor, or Training.
Mark complete Click the checkbox next to a task when it is done. The calendar tracks your completion rate across each category, giving you a quick view of which areas are falling behind.

Record of Processing Activities (RoPA) Pro

A Record of Processing Activities documents every type of personal data your organisation collects: what it is, why you collect it, how long you keep it, who you share it with, and what safeguards are in place. Maintaining a RoPA is required for Significant Data Fiduciaries and is considered good practice for all businesses.

Adding a Processing Activity

Go to RoPA and click Add Activity
Fill in the record Required fields: activity name, data categories, data subjects, purpose of processing, legal basis, data processors and third parties, retention period, and whether data is transferred internationally (and to which countries).
Save All records are listed on the RoPA page. You can edit or delete any entry. Use the search and filter to find specific activities.

A complete RoPA serves as the foundation for your privacy policy, DPIA assessments, and Data Processing Agreements with vendors.

Vendor Assessments Pro

Under the DPDP Act, you are responsible for how your Data Processors handle the personal data you share with them. Vendor Assessments let you send a structured DPDP compliance questionnaire to a vendor and review their responses in one place.

Assessment Workflow

1

Create

Enter vendor name, contact name, and email

→

2

Send

Vendor receives an email with a unique questionnaire link

→

3

Wait

Assessment shows as Pending until the vendor submits their answers

→

4

Review

A risk score and recommendations are generated from the vendor's responses

What the Questionnaire Covers

Data handling and processing practices
Security controls and certifications
Sub-processor arrangements
Breach detection and notification procedures
Data deletion and return policies on contract end

Where to start

Prioritise your highest-risk processors first: your analytics provider, CRM, email marketing platform, payment gateway, and any cloud storage provider where personal data is held. These are the most common sources of third-party data liability.

Children's Data Pro

Processing personal data of individuals under 18 requires verifiable parental or guardian consent under the DPDP Act. Behavioural tracking and targeted advertising directed at minors are explicitly prohibited. The Children's Data module generates the documentation required to support compliant processing.

Documents Generated

Children's Privacy Policy: A supplemental policy section covering your obligations when processing data of minors, including age verification method and parental consent mechanism
Parental Consent Notice: A consent notice template for parents or guardians to review and accept before a child's data is processed
Age Verification Statement: A disclosure explaining the age verification mechanism your platform uses

Using the Module

Go to Children's Data The module will first ask whether you process data of individuals under 18 and what age verification method you use.
Select the document type Choose which document to generate based on what you need.
Generate and publish The document is generated using your organisation details from Org Settings. Add the generated content to your privacy policy and any age-gated section of your website.

Compliance Questionnaire

The Compliance Questionnaire is a self-assessment of your organisation's data protection practices. Unlike the website scanner, which checks your public-facing website, the questionnaire assesses your internal processes: how you handle data rights requests, whether staff have been trained, how you manage vendor contracts, and whether your policies are documented and current.

Structure

The questionnaire is divided into five sections:

Data Collection: What data you collect and whether you have a legal basis for it
Consent Management: How consent is obtained, recorded, and withdrawn
Data Rights: Whether you have a process for handling access, correction, and erasure requests
Security and Breach: Controls in place and whether you have a breach response plan
Governance: Whether you have a Grievance Officer, staff training, and documented policies

How to Use It

Answer each question honestly Questions are Yes/No or multiple choice. The results are only useful if the answers reflect your actual current situation, not what you intend to have in place.
Submit Your organisational compliance maturity score and a list of gaps appear immediately.
Use the gap list alongside your Fix-It Checklist The website scan identifies external gaps; the questionnaire identifies internal ones. Together they give a complete picture of what needs to change.

Audit Log

The Audit Log records all significant compliance actions taken within your CompliSeal account. It provides a timestamped history of activity that you can produce as evidence during a Data Protection Board investigation or audit.

What Is Logged

Compliance scans completed (URL, score, date)
PDF reports downloaded
Privacy policies generated
Plan changes
DSARs received and each status change
Breach incidents logged and notifications sent
Org Settings updated
Consent events (via SDK)

Filtering and Exporting

Filter log entries by event type using the category chips at the top of the page. Click Export CSV to download up to 1,000 recent entries. The CSV is formatted for sharing with auditors or legal counsel.

Organisation Settings

Org Settings stores your business profile. This information is used across all generated documents: privacy policies, consent notices, DPIA reports, and breach notifications. Fill this in before generating any documents.

Fields

Organisation nameYour legal business name as it will appear in generated documents

Business sectorUsed to tailor compliance recommendations (FinTech, HealthTech, EdTech, E-commerce, etc.)

Website URLYour primary website domain

Grievance Officer nameFull name of the person appointed as Grievance Officer

Grievance Officer emailThe contact email published for user grievances (e.g. grievance@yourcompany.com)

Registered addressYour India-registered business address, for disclosure in the privacy policy

Contact phoneOptional. Included in documents that require a phone number.

Grievance Officer requirement

Every Data Fiduciary under the DPDP Act must publish a named Grievance Officer with a contact mechanism. If these fields are left blank in Org Settings, generated policies will contain placeholder text that must be filled in manually before publishing. The scanner also checks for a published Grievance Officer as one of its 13 checkpoints.

Account Settings

Account Settings allows you to update the email address associated with your CompliSeal account.

Changing Your Email

Go to Account Settings From the sidebar, or directly at compliseal.cogenz.in/app/settings.
Enter your new business email The new address must be a business email on the domain you want to scan. Personal email providers are not accepted.
Confirm via the email link A verification link is sent to the new address. Click it to complete the change. Your login email updates immediately after confirmation.

Domain change

Changing your email to an address on a different domain changes which domain your scans are scoped to. Existing scan history for your previous domain is retained, but new scans will run against the domain of your new email address.

DPDP Glossary

Data Fiduciary

Any person or entity that determines the purpose and means of processing personal data of Indian residents. As a business collecting and using customer or employee data, you are a Data Fiduciary.

Data Principal

The individual whose personal data is being processed. Your customers, users, and employees are Data Principals.

Data Processor

An entity that processes personal data on behalf of a Data Fiduciary under a contract. Your CRM, analytics tool, cloud storage provider, and payment gateway are typical Data Processors. You are responsible for their compliance through Data Processing Agreements.

Consent Notice

A clear, itemised notice presented to a user before their personal data is collected. Must specify what data is collected, why it is collected, how long it will be kept, who it will be shared with, and how consent can be withdrawn.

Data Protection Board (DPB)

The adjudicatory body established under the DPDP Act to investigate complaints from Data Principals, impose penalties on Data Fiduciaries, and issue guidance. The Board was being constituted in 2025.

Significant Data Fiduciary (SDF)

A Data Fiduciary designated by the Central Government based on the volume or sensitivity of data processed, or the risk to rights of Data Principals. SDFs face additional obligations including a resident Data Protection Officer, periodic DPIAs, and data audits. Most SMBs and early-stage businesses are not SDFs.

DSAR (Data Rights Request)

A formal request from a Data Principal to exercise their rights. Under the DPDP Act, this covers the right to access data held about them, correct inaccurate data, have data erased, and nominate a successor. CompliSeal uses the term DSAR (Data Subject Access Request) as the industry-standard abbreviation.

Grievance Officer

A named individual whose contact details are published on the business's website. Responsible for receiving and resolving complaints from Data Principals about data handling. Required for all Data Fiduciaries. No specific professional qualification is required by the Act.

Data Protection Officer (DPO)

A specialist compliance role required only for Significant Data Fiduciaries. Must be based in India and have knowledge of data protection law. This is a different and additional role to the Grievance Officer.

DPIA (Data Protection Impact Assessment)

A formal assessment of the privacy risks of a specific data processing activity, covering the necessity of the processing, risks to individuals, and controls in place to mitigate those risks. Mandatory for Significant Data Fiduciaries; recommended for any organisation before launching high-risk processing.

RoPA (Record of Processing Activities)

A documented inventory of all personal data processing activities within an organisation. Records what data is collected, the legal basis, how long it is kept, who it is shared with, and any international transfers.

Personal Data Breach

Any incident resulting in unauthorised access to, disclosure of, alteration of, or loss of personal data. Must be reported to the Data Protection Board promptly if it is likely to cause harm to affected Data Principals. DPDP Rules 2025 prescribe notification within 72 hours of the breach being discovered.

Support

Contact

Emailinfo@cogenz.in

Response timeWithin 1 business day for Pro users; 2 to 3 business days for Free users

Company websitecogenz.in

Common Issues

My scan score is lower than expected

The scanner only checks publicly accessible pages. If your privacy policy, consent banner, or Grievance Officer details are on pages behind a login, or only visible after accepting cookies, the scanner may not find them. Make sure all required disclosures are visible to an anonymous visitor before running a scan.

I cannot scan my domain

The scanner is scoped to the domain of your registered email address. If you need to scan a different domain (a subsidiary or a client), contact support. Domains behind Cloudflare's bot protection or with aggressive rate limiting may not scan correctly.

My DSAR form is not receiving submissions

Verify the form URL includes your correct user ID: compliseal.cogenz.in/dsar?for=YOUR_USER_ID. Copy the correct URL from the DSAR Requests page in the app. Also check your spam folder for submission notification emails.

I upgraded to Pro but features are still locked

Sign out and sign back in. If features remain locked after signing back in, contact support with your account email address and your Razorpay payment confirmation reference number.

The consent banner is not appearing on my website

Check that the SDK snippet is placed inside <head> and is the first script tag in the document. Open your browser's developer console (F12) and look for any errors on the network tab showing the SDK file not loading. Confirm that your data-key matches the value shown on the Consent SDK page in the app.

Legal disclaimer

CompliSeal is a compliance tool, not a legal service. The documents and assessments generated by CompliSeal are templates and structured guides based on the DPDP Act 2023 and DPDP Rules 2025. They do not constitute legal advice. For complex compliance situations, sensitive data categories, or matters involving regulatory proceedings, consult a qualified legal professional.