VISHWAAS.AI®, A Cross Identity product: Turning Consent Into Proof
VISHWAAS.AI®
A Cross Identity product
Turning Consent Into Proof
A plain-language guide to getting ready for India’s new data-protection law - and proving, on any given day, that you follow it.
Aligned to the v2.9 release · June 2026
Written for Data Protection Officers, security and IT leaders, and legal and compliance teams - no technical background assumed.
| In one sentence: Vishwaas.AI® is an India-first privacy and consent platform built specifically for the DPDP Act 2023 and DPDP Rules 2025. It turns every consent into tamper-proof evidence, makes sure each record is matched to the right real person, and instantly tells all your other systems whenever someone says yes, no, or “delete my data.” |
|---|
Contents
Executive Summary
1. The Compliance Clock: Why DPDP Changes the Game
2. Why Foreign Tools and Simple Pop-Ups Both Fall Short
3. The Vishwaas.AI Philosophy
4. How It’s Built: Fifteen Building Blocks, Each Tied to the Law
5. A Closer Look at What It Does
6. Security, Explained Honestly
7. Built for Indian Data Sovereignty
8. Who It Serves
9. Honest by Design
10. Getting Started
Executive Summary
India now has a serious data-protection law, and there are real penalties behind it. Two pieces make it up: the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (the “DPDP Rules”). They have been switched on in stages, starting 14 November 2025.
The date every business should circle is 13–14 May 2027. That is the end of the 18-month settling-in period. After it, the Data Protection Board of India (the regulator, which this paper calls “the Board”) can hand out fines reaching hundreds of crores of rupees - and a single incident can be fined more than once, once for each rule it breaks.
The hard part of DPDP is not understanding the law. It is being able to prove, on any given day, that you actually follow it. In practice, that means being able to show:
-
that every person whose data you hold agreed to a specific notice, in a language they understood;
-
that you know which real person each record belongs to - even when two people share the same phone number;
-
that consent collected on paper in the field is just as solid as consent collected on a web form;
-
that every “withdraw my consent” and “delete my data” request actually reached your other systems; and
-
that you can produce a tamper-proof record of all of it the moment the regulator asks.
Vishwaas.AI is built for exactly this. It is an India-first privacy and consent platform engineered specifically for the DPDP Act and Rules - not a foreign (GDPR) tool relabelled for India, and not a single consent pop-up. It is organised into fifteen building blocks, each tied to a specific legal duty, and it does the actual work: it runs the day-to-day consent, rights, breach, and notification tasks, and produces audit-ready, tamper-proof evidence as a natural by-product.
Three ideas anchor the whole platform:
-
Consent is evidence, not a setting. Every consent is saved as a record you can only add to - never quietly edit or delete - and it is locked to the exact notice and language the person saw, with a trusted timestamp by default.
-
Identity you can trust. When two genuinely different people share a phone or email, the platform never silently merges them into one or splits one into two. Anything unclear goes to a person to review, and logging in always resolves to the correct individual - or safely refuses. It never guesses.
-
Built for Indian reality and Indian sovereignty. Consent can be collected online and offline; data is kept in India (on AWS’s Mumbai region), with an option to run it entirely on your own premises; and it can connect to your internal systems without opening a single inbound hole in your firewall.
This paper explains what Vishwaas.AI does, how each capability maps to the DPDP framework, and - just as deliberately - where it draws careful lines around what it claims. A compliance product that over-promises simply hands its customer a fresh liability. Vishwaas.AI is built to stay credible under scrutiny, which is the only kind of compliance that survives an audit.
1. The Compliance Clock: Why DPDP Changes the Game
For two decades, Indian data handling rested on the Information Technology Act, 2000 - a law written before smartphones, social media, and the cloud existed. The DPDP Act ends that era. For the first time, India has a complete set of rules covering how the personal data of people in India is collected, used, stored, shared, and erased.
The timeline is fixed, and the clock is already running:
-
14 November 2025 - The DPDP Rules were published. The basic machinery took effect: definitions, procedures, and the setting-up of the Board itself.
-
November 2026 - The “Consent Manager” framework goes live, and the Board gains the power to investigate and penalise problems in this area. Gentle, settling-in enforcement starts giving way to active supervision.
-
13–14 May 2027 - Hard enforcement. The core duties become fully enforceable - having a lawful reason to process data, running notice and consent properly, honouring people’s rights, reporting breaches, managing retention, and keeping data secure. There is no sign of a further grace period.
The penalties are designed to make ignoring the law the expensive choice:
| What goes wrong | Maximum fine |
|---|---|
| Not putting basic security protections in place | Up to ₹250 crore |
| Failing to report a data breach | Up to ₹200 crore |
| Mishandling children’s data | Up to ₹200 crore |
| A large, closely-watched organisation failing its extra duties | Up to ₹150 crore |
| General non-compliance | Up to ₹50 crore |
Crucially, these fines are counted per violation and can stack up. One incident that touches several duties at once can trigger several fines at once.
There is also a faster clock that many teams underestimate. When a data breach happens, you must notify the Board and the affected people within 72 hours under DPDP. Separately, India’s national cyber-security agency (CERT-In) requires certain incidents to be reported within just six hours. So a single breach actually runs two clocks at the same time.
| In plain terms 2026 is the year to build and test. 2027 is the year the regulator can write the cheque. The slow, heavy jobs - re-collecting consent from your existing customer base, wiring consent decisions through to all your other systems, and signing contracts with your data processors - take months, not weeks. Starting late is the real risk. |
|---|
2. Why Foreign Tools and Simple Pop-Ups Both Fall Short
Most organisations reach first for something familiar: either a global privacy product they already recognise, or a lightweight cookie-banner widget. Both leave gaps that only grow as enforcement begins.
The “foreign tool” problem. DPDP shares broad ideas with Europe’s GDPR, but it differs in ways that break GDPR-shaped software. For example: DPDP gives a short, fixed list of situations where you can use data without consent, where GDPR uses an open-ended judgement call. DPDP notices have a mandatory checklist of contents that the system must enforce not just free text. DPDP’s language duties cover the 22 official Indian languages. And DPDP’s regulators and official ID numbers (the Board, MeitY, CERT-In, large-organisation status, and verification against GSTIN/PAN/CIN) simply have no European equivalent. A thin “India layer” bolted onto a European core cannot model any of this faithfully.
The “pop-up” problem. A consent banner collects a click. It does not keep a register of how you use data, match one person across five different systems, run a deletion with a cooling-off window, drive a breach clock, or prove which notice the person actually saw. A single-feature tool leaves exactly the gaps the regulator will look into.
Vishwaas.AI takes the opposite approach: the DPDP Act itself is the blueprint. The law’s sections, sub-grounds, and mandatory fields are built in as core parts of the system - so the law is the architecture, not an afterthought.
3. The Vishwaas.AI Philosophy
“Vishwaas” means trust. Four convictions shape every feature.
Consent is evidence. When a regulator or court asks “prove this person agreed,” a line in a database that simply reads “consent = yes” proves nothing. Vishwaas.AI captures what the person actually saw - the exact notice, version, and language - and ties the consent to it so tightly that the record cannot be quietly altered later.
Compliance you cannot accidentally skip. Checklists fail under deadline pressure. Vishwaas.AI replaces them with guardrails - points where the system simply refuses to continue if a DPDP requirement is not met. You cannot publish a non-compliant notice. You cannot approve an empty risk assessment. The system stops you.
Identity you can trust. Before you can honour someone’s request or withdrawal, you first have to know which real person the record belongs to. The platform is built so two different people who share a contact detail are never silently merged or split, and the right person is always identified - at login and everywhere downstream.
It does the work; it isn’t a filing cabinet. Vishwaas.AI does not merely store policies. It actively runs the consent, rights, breach, and notification workflows, and produces audit-ready, tamper-proof evidence as it goes.
4. How It’s Built: Fifteen Building Blocks, Each Tied to the Law
The clearest way to picture Vishwaas.AI is as fifteen building blocks. Each is tied to specific DPDP duties, and together they cover the whole journey - from notice and consent, through people’s rights, breaches, risk assessments, managing your data processors, discovering where data lives, and producing audit evidence.
| # | Building block | Legal duty it covers | What it does, in plain terms |
|---|---|---|---|
| 1 | Login & access control | Security (§8) | Sign in by one-time password only; eleven different staff roles with different permissions |
| 2 | Compliance dashboard | §8 | A live control centre for key numbers, risks, and recent activity |
| 3 | Consent management | §6, §7, §9, Rule 4 | Catalogue of purposes, a tamper-proof consent record book, bulk consent campaigns, and a live status check |
| 4 | Privacy notices | §5, Rule 3 | Write notices in many languages, keep versions, and a publish gate that blocks anything incomplete |
| 5 | People’s rights | §11–§14, Rule 8 | A queue for requests, deadline tracking, deletion handling, escalation to the Board, and nominee handling |
| 6 | Breach management | §8(6) + CERT-In (6h) | Log an incident, score its risk, run the legal clocks, and notify affected people |
| 7 | Risk assessments (DPIA) | §10 (large orgs) | Score likelihood × impact, require sign-off before approval, and keep a register for large organisations |
| 8 | Managing data processors | §2(k), §8, §9 | Track contracts, score processor risk, and flag data leaving the country |
| 9 | The individual’s self-service portal | §5, §6, §11–§14 | People manage their own consents, requests, notices, and cookies |
| 10 | Data map & inventory | §8(4) register, Rule 8 | A visual map of where data lives, with risk and retention |
| 11 | Bringing in source data | §8 (accuracy) | Pull in data from CRM, HR systems, or spreadsheets and stage it |
| 12 | Matching people to one identity | §8(1) (accuracy) | Combine exact and smart matching to resolve each person to a single, correct profile |
| 13 | Pushing consent to your systems | Rule 4 | Send every consent decision to your downstream systems and offer a live status check |
| 14 | Reports, analytics & training | §8, §10 | Compliance reporting and tracking of staff DPDP training |
| 15 | Administration & security | §8, multi-customer | Customer setup, strict separation between customers, the audit record, and encryption controls |
The next section walks through the capabilities that matter most - organised around the questions a DPDP buyer should actually be weighing.
5. A Closer Look at What It Does
5.1 Consent and notices built for DPDP
It keeps separate what the law keeps separate. There are two different things, and the platform never mixes them: your internal record of every way you use data (the register the law calls a RoPA, under §8(4)), and the person-facing consent wording they actually read (under §6). The law’s short list of uses that don’t need consent (its “legitimate uses”) are tracked internally for accountability and are never shown in a consent notice - because, by law, they are not consent-based.
All eight “legitimate use” grounds, spelled out. The law allows eight specific situations where you may use data without asking consent - for example, when a person volunteered it, for a government function or subsidy, to meet a legal obligation, under a court order, in a medical emergency, during a disaster, for employment, or in the public interest. The platform models all eight explicitly, so you always know the lawful basis for every piece of data.
Each consent is sealed to the exact notice the person saw. Every consent record carries a unique digital “fingerprint” of the precise notice version and language shown. If even one word of that notice later changes, the fingerprint changes - and any attempt to collect consent against a mismatched notice is rejected. This sealing now applies to paper, verbal, and agent-collected consent too, not just web, app, and email.
The publish gate that simply won’t let you slip. A notice physically cannot be published until 100% of the legally-required fields (under Rule 3) are present: who you are, the grievance contact, the person’s rights and how to withdraw, any special identifiers where relevant, an English version, and - for every activity - its data items, how long you keep them, and the lawful ground. The gate does not warn you; it stops you.
A campaign tool for re-collecting consent at scale. A simple four-step wizard runs bulk consent collection through single-use, time-limited (10-minute) secure links over email, SMS, or in-app. That lets you cleanly re-collect consent from an existing customer base, with each link tied to exactly one person and one notice.
5.2 A consent record that stands up in court
This is the evidential heart of the platform.
A record book you can only add to. The audit record can only be written to and read from - never edited or deleted - and that restriction is enforced by the database itself, not just by the software sitting on top of it. That difference matters: software-only “locks” can be bypassed by anyone with database access, while a database-level lock cannot be bypassed even by the application. Each entry is also mathematically linked to the one before it, so any attempt to alter or remove a past record breaks the chain and shows up immediately.
A trusted timestamp, on by default. Consent records carry a trusted, standards-based digital timestamp (the international RFC 3161 standard), switched on by default for new customers, with a tool that checks the timestamp’s signature. In plain terms, this proves a record existed, unchanged, at a specific moment in time.
| A note of precision The built-in timestamping proves tamper-evidence and lets anyone verify a record cryptographically. For independent, third-party-attested timestamps - the strongest evidential position - a live deployment can point at a contracted public authority (for example DigiCert’s public service or eMudhra), and Vishwaas.AI is designed to support that. So we describe the default capability as trusted-timestamped and verifiable, and we reserve stronger “independently attested” language for deployments wired to an outside authority. In a compliance product, that is exactly the line a careful buyer should expect a vendor to draw. |
|---|
5.3 Identity you can trust - safe when people share a phone or email
This is the biggest advance since the last release, and it fixes a problem that quietly breaks naïve customer-data systems. In India, two genuinely different people often share a phone number (a family handset) or an email. A system that silently merges them gives one person access to another’s data. A system that silently splits one person into two cannot honour that person’s rights. Both are accuracy failures under §8(1).
Vishwaas.AI is built so that no identity decision is ever made silently:
-
Smart matching, always reviewed. It combines exact matching (on scrambled identifiers) with smart “fuzzy” matching (catching near-identical names, dates of birth, and cities) across your systems - but a human reviews the result, and it never auto-merges silently.
-
Shared-identifier safety. If a record shares a strong identifier (like a phone number) with an existing person but clashes on name or date of birth, it is sent to review rather than merged - including in cases that older versions used to skip.
-
Three clear review choices. A reviewer can pick: Approve & Merge (same person), Keep Separate (a genuinely different person who happens to share the identifier becomes their own independent profile), or Reject (a reversible “quarantine” with no profile, no access, and no login - fully recorded and re-checked on the next clean sync).
-
One primary identity per profile. Each profile declares a single official identity (phone, email, or a custom key such as an employee ID), stored as a scrambled token, so logins and downstream systems always use one unambiguous identity.
-
Fail-safe login. When two people share a login detail, the portal shows a profile chooser and asks for a second detail (such as date of birth) to confirm who is logging in, then locks the session to that exact person. If anything is unclear, it fails safe - it never guesses, so it cannot show the wrong person’s data.
| What we deliberately do not claim That second-detail check is fail-safe disambiguation, not multi-factor authentication - a piece of knowledge (like a birth date) is weaker than something you physically hold, and its job is correct-person resolution, not strong security. Likewise, when a person is ambiguous, the platform emits an extra distinguishing identifier to your downstream systems so the receiving app can resolve the right person - but that app still has to plug it in through a documented integration. We describe this as what it is: fail-safe resolution plus a documented integration, not magic that works end-to-end with no effort on the receiving side. |
|---|
| In plain terms The platform would rather stop and ask than guess wrong about who someone is - because under DPDP, guessing wrong is itself a violation. |
|---|
5.4 Consent collected anywhere - online and offline
Much of India’s consent is still gathered by an agent with a form, a field officer on a phone call, or a branch executive with a paper declaration. A platform that only understands web forms cannot make that consent defensible.
Offline Consent Collection brings field-collected consent into the same tamper-proof, notice-sealed record book as digital consent:
-
One-at-a-time capture records the collection date, the channel, and the proof type (a scanned physical form, a call-recording reference, a written declaration, a screenshot, or other) with a proof reference - plus a guardian-proof upload where the person is a minor.
-
Bulk capture by spreadsheet (up to 5,000 rows at a time): a no-write check first sorts each row into Ready, Warning (not on file - skipped), or Error (not found - skipped); the operator confirms; then a background job writes each record one by one to preserve the tamper-proof chain, pushes each decision to your systems, and returns a downloadable result report.
-
Offline withdrawals are recorded with the same channel, date, and proof details.
-
Backfilling old consent is supported for consents collected before you came on board.
| In plain terms The paper consent sitting in a branch drawer becomes a sealed, tamper-proof, system-aware record - without forcing you to abandon how consent is really gathered in the field. |
|---|
5.5 Consent that actually reaches your systems
A quiet failure defeats most consent programmes: consent is collected in one place, but the CRM and the marketing tool never get the memo - so a person withdraws, and the emails keep coming. Under DPDP, that gap is a live violation.
Vishwaas.AI closes it with real-time updates. Every grant, withdrawal, and deletion is pushed to your other systems through secure, tamper-proof messages, with automatic retries and a safety net so nothing is ever silently dropped. A live status check (kept fast by an in-memory cache) lets any of your systems ask “is this person still opted in?” and get an answer instantly, at the speed of a normal click.
5.6 People’s rights, handled end to end
DPDP gives individuals concrete rights, and the Rules put them on a clock. Vishwaas.AI handles all of them - Access (§11), Correction and Deletion (§12), Grievance (§13), and Nomination (§14) - with:
-
a secure data download (§11 access): the person’s data delivered as a strongly-encrypted, time-limited package (open for 7 days, three downloads maximum) in their choice of common formats, sent by email and/or SMS short code;
-
a safety check on deletions: the confirmation code for a destructive “delete my data” action is sent on the same channel the person logged in with, and clearly labelled as a deletion code, not a login code;
-
a 48-hour change-your-mind window (Rule 8): before data is erased, the person gets a notice and a secure link to cancel the deletion;
-
a guided close-out that records the outcome (Fulfilled, Partially Fulfilled, or Withdrawn) and captures a reason for any refusal only where the law (§13) requires it; and
-
deadline tracking (90 days by default, 30 days for grievances) with overdue cases escalated toward the Board.
5.7 Corporate groups and one shared front door
For conglomerates and multi-business enterprises, the Enterprise Group feature models a corporate group of legal entities and reconciles a shared, group-level view of each person across the member companies, with a clear disclosure and linking flow. The Unified Privacy Center then gives each individual a single, group-aware front door - with a company switcher, separate sessions per company, and the full set of features (consents, data, notices, requests, cookies, data downloads), plus a language selector and notifications.
5.8 Breaches, risk assessments, and processor oversight
Breach management runs the 72-hour Board clock alongside the CERT-In pathway, scores each incident by likelihood and impact, walks it through an eight-step lifecycle, and notifies affected people. Risk assessments (DPIA) score the risk both before and after safeguards, with sign-off guards that will not let an empty or unaddressed assessment be approved, plus a register for large organisations. Processor oversight tracks your contracts with data processors, verifies their identity against official Government of India numbers (GSTIN, PAN, CIN), scores their risk, and flags any data moving across borders (relevant to §9).
5.9 Twenty-two languages, genuinely end to end
The individual’s portal, the notices, and the consent wording are all available in every one of the 22 official Indian languages, plus English. This is not a nice-to-have; it is a legal advantage. A consent collected in a person’s own language is a stronger consent - and an English-first foreign tool cannot easily match it.
6. Security, Explained Honestly
Security in Vishwaas.AI is designed to be described honestly - strong where it is strong, and clear about its edges.
A separate vault for each customer’s keys. The main identifiers are encrypted using keys kept in a dedicated, locked digital vault, with a separate set of keys for each customer - so the keys are managed and rotated centrally and never sit in the application database. Identifiers are also stored as scrambled, salted hashes, which lets the system match people without ever decrypting them. Other personal data is encrypted at rest with bank-grade encryption, with the keys managed inside India.
Some IDs can never be turned back. Highly sensitive national identifiers such as Aadhaar are stored in a one-way, irreversible form - a clean, defensible privacy stance, rather than keeping the actual number where it could be read back.
Point to data, don’t copy it. A data-minimisation mode runs the identity and membership screens on scrambled values and masked displays, avoiding fresh copies of readable personal data wherever a scrambled value plus a simple “present / not present” flag will do. The plain consequence: if the database were stolen, the attacker gets fingerprints, not phone numbers.
Layered separation between customers. On top of the usual software separation, the database itself enforces that the most sensitive tables - consent records, rights requests, breaches, individuals, and notice deliveries - stay walled off per customer, and the application connects with a restricted account so that wall is genuinely enforced.
| What we deliberately do not claim We describe the main identifiers as encrypted in a dedicated key vault with per-customer keys, and other personal data as field-by-field bank-grade encrypted - not a blanket “zero readable data anywhere,” because some derived and working values, plus a backward-compatibility migration, are still in progress. Precision here is the point: a privacy vendor that over-states its encryption is the last vendor a security chief should trust. |
|---|
One more trust signal worth stating plainly: identity-critical code is independently attacked and reviewed before it is allowed into the product. A platform whose whole promise is not getting identity wrong should be willing to attack its own identity code - and this one is.
7. Built for Indian Data Sovereignty
For banks, government bodies, and healthcare providers, two questions often decide everything: where does the data live, and how do you connect to it? Vishwaas.AI answers both well.
Hosted in India. The cloud version runs on AWS’s Mumbai region - a strong signal for regulated Indian buyers, and aligned with the framework’s direction on keeping data in India, especially for large, closely-watched organisations.
Run it on your own premises. The entire system can also run inside your own walls with no public-cloud dependency, keeping personal data and the audit record on infrastructure you control. (This on-premises option is available and offered at the proposal stage - positioned as available, rather than as a packaged, priced product line.)
Connect without opening your firewall. Connecting a privacy platform to a bank’s internal systems usually means opening inbound holes in the firewall - a hard “no” for most security teams. Vishwaas.AI removes that need entirely. A small agent inside your network makes a single outbound connection (the same way your browser does), and the platform sends its commands back down that existing connection. The platform never reaches in. The channel is locked down with the same kind of secure connection used for online banking, with certificates on both ends, signed commands, encrypted secrets, replay protection, and approved-address lists - plus a 72-hour offline queue so commands aren’t lost if the link briefly drops.
| In plain terms Your security team never has to punch a hole in the perimeter for a compliance tool - which is often the difference between a project that ships and one that stalls in security review. |
|---|
8. Who It Serves
| Who they are | The pain they feel | What Vishwaas.AI leads with |
|---|---|---|
| Data Protection / Compliance / Legal | Personally on the hook; racing the 2027 clock; answerable for accuracy. | The publish gate, the defensible consent record, shared-identifier review with no silent merge or split, automatic deadline tracking, an offline-consent proof trail, and a clean register. |
| Security / IT leaders | Customer separation, audit integrity, key management, integration sprawl, the breach clock. | Database-level append-only audit, vaulted per-customer keys, strict per-customer separation, real-time updates, firewall-friendly connectivity, and breach tooling. |
| Field & operations leaders (banking, agriculture, insurance) | Agents collect consent on paper and by phone; data is messy; people share handsets. | Offline consent capture with proof, identity matching, and shared-identifier safety. |
| Small & mid-size founders | “I just need to be compliant, fast, and affordably.” | Fast time-to-compliance, a self-serve cookie scanner, and a multilingual portal out of the box. |
| Large enterprises & groups (banking, health, telecom) | Risk assessments, large-organisation duties, cross-border flows, multi-company structure, brand control. | Enterprise Group and the Unified Privacy Center, large-org tooling, rigorous risk-assessment guards, processor risk, white-label setup, and multi-source identity matching. |
9. Honest by Design
The last and most important characteristic of Vishwaas.AI is a discipline, not a feature. A privacy platform that over-claims hands its customer a new liability, because every marketing promise becomes something the customer is then held to.
So the platform - and this paper - are deliberately precise about their edges:
-
Consent records are trusted-timestamped and verifiable, with “independently attested” reserved for deployments wired to an outside timestamping authority.
-
Customer separation is layered, including database-level walls on the most sensitive data.
-
Encryption is described as per-customer vaulted main identifiers plus field-by-field bank-grade encryption - not “zero readable data everywhere.”
-
Shared-identifier handling is fail-safe resolution, not multi-factor authentication.
-
And anything still on the roadmap is not marketed as already shipped.
For a buyer whose own neck is on the line under the law and the penalty schedule, that restraint is not a weakness. It is the most reliable signal that the vendor understands the law it claims to serve.
10. Getting Started
The runway to May 2027 is shorter than it looks. A practical path with Vishwaas.AI:
-
Map your data systems and the ways you use data into the data map and register, tagging each one to its consent basis or its lawful “legitimate use” ground.
-
Write and gate your notices through the publish gate, in the languages your people actually speak.
-
Resolve identities across your systems, letting shared-identifier review stop “two people, one phone” collisions from becoming accuracy failures.
-
Re-collect consent from your existing base - online through the campaign wizard, and offline through bulk spreadsheet upload with proof - into one tamper-proof, notice-sealed record.
-
Push every consent decision out to your live systems, and offer the live status check to the services that act on data.
-
Stand up breach, risk-assessment, and processor oversight - and let the guardrails keep them honest.
The result is not a binder of policies. It is a running system that produces, on demand, tamper-proof evidence of lawful consent - the very thing the regulator will actually ask you for.
Vishwaas.AI - built specifically for the DPDP Act 2023 and DPDP Rules 2025. A Cross Identity product. vishwaas.ai
This document describes capabilities aligned to the v2.9 release (June 2026). It is informational pre-sales material and is not legal advice; organisations should confirm their specific obligations with qualified counsel.

