What is India's DPDP Act 2023?

The Digital Personal Data Protection Act 2023 (DPDP Act) is India's comprehensive data protection law. It establishes rights for data principals (individuals), obligations for data fiduciaries (organizations processing data), and requirements for consent, purpose limitation, and data processing transparency. For AI agents, DPDP creates specific obligations around how agents collect, process, and use personal data on behalf of users.

Does the DPDP Act apply to AI agents?

Yes. AI agents that process digital personal data of Indian residents fall under the DPDP Act. The Act applies to any automated processing of personal data, which includes AI agents accessing emails, calendar entries, files, contacts, or any data that identifies an individual. The agent's developer is the data fiduciary and must ensure compliance.

How does Grantex help with DPDP Act compliance?

Grantex provides a structured DPDPConsentRecord that maps directly to DPDP Act sections. It enforces purpose limitation through scoped grant tokens, implements right to withdrawal via instant revocation, maintains audit-ready logs for regulatory inspection, and provides data principal portals for individuals to manage their consent. The compliance module generates export packages formatted for DPDP audit requirements.

What is the EU AI Act and when does it take effect?

The EU AI Act is the world's first comprehensive AI regulation. Key provisions become binding in August 2026. Articles 9, 13, 14, 17, and 26 create specific obligations for AI agent deployments including risk management, transparency, human oversight, quality management, and deployer responsibilities. Organizations deploying AI agents that serve EU users must comply.

Can Grantex handle both DPDP and GDPR compliance simultaneously?

Yes. Grantex's consent records support multiple regulatory frameworks simultaneously. A single DPDPConsentRecord can include DPDP Act section mappings, GDPR Article 6 legal bases, and EU AI Act article references. The export system generates framework-specific reports from the same underlying data.

Grantex DPDP — AI Agent Compliance for India's DPDP Act 2023

Regulatory Coverage

Three frameworks. One integration.

Grantex maps your AI agent authorization infrastructure directly to regulatory requirements. No separate compliance layer needed.

🇮🇳

DPDP Act 2023

India's Digital Personal Data Protection Act creates specific obligations for AI agents that process personal data of Indian residents.

S.6 Consent for personal data processing

S.4 Purpose limitation and lawful processing

S.6(6) Right to withdraw consent

S.11 Data principal rights

S.8 Data fiduciary obligations

S.13 Grievance redressal

🇪🇺

EU AI Act

The world's first comprehensive AI regulation. Key provisions for AI agent deployments become binding in August 2026.

Art. 9 Risk management systems

Art. 13 Transparency and information

Art. 14 Human oversight

Art. 17 Quality management systems

Art. 26 Deployer obligations

🛡

OWASP Agentic Top 10

The first industry threat taxonomy for AI agents. Published December 2025. Four of ten risks directly addressed by authorization infrastructure.

ASI-01 Agent goal hijacking

ASI-03 Identity and privilege abuse

ASI-05 Privilege escalation

ASI-10 Rogue agents (no revocation)

What Grantex Does

Structured consent records for every grant

Every Grantex authorization creates a DPDPConsentRecord that maps directly to DPDP Act requirements. No bolted-on compliance layer — it is the authorization layer.

create-consent.ts TypeScript

import { DPDPClient } from '@grantex/dpdp';

const dpdp = new DPDPClient({
  apiKey: process.env.GRANTEX_API_KEY,
});

// Create a DPDP-compliant consent record
const consent = await dpdp.createConsentRecord({
  principalId: 'user_rajesh_kumar',
  agentId:     'ag_calendar_assistant',
  purposes: [
    {
      code:        'calendar:read',
      description: 'Read calendar events',
      dpdpSection: 'S.4',
      retention:   '30d',
    },
    {
      code:        'calendar:write',
      description: 'Create and modify events',
      dpdpSection: 'S.4',
      retention:   '30d',
    },
  ],
  consentNotice: {
    language: 'en',
    text: 'This agent will access your calendar to schedule and manage meetings on your behalf.',
  },
  dataCategories: ['schedule', 'contacts'],
  crossBorder:    false,
});

// consent.id          → "cns_01HZ..."
// consent.status      → "active"
// consent.withdrawUrl → consent withdrawal endpoint
// consent.grantId     → linked Grantex grant

S.6 Structured Consent

Each consent record captures the specific data principal, the agent, the purposes, and a plain-language consent notice. The record is immutable and timestamped.

S.4 Purpose Limitation

Every purpose is tagged with its DPDP section reference and a retention period. The agent can only access data for the declared purposes. Enforcement happens at the grant token level — the JWT scopes match the declared purposes.

S.6(6) Right to Withdraw

Every consent record includes a withdrawal URL. Withdrawal triggers instant revocation of the underlying Grantex grant, cascading to all delegated sub-agents. The withdrawal is as easy as granting consent.

Art. 15 Data Access

The consent record links to all audit entries for that grant. Data principals can export their complete processing history via the portal or API.

Art. 13 Transparency

The consent notice is stored alongside the technical authorization. Auditors can verify that the user saw a clear explanation of what the agent does.

Compliance Dashboard

Real-time compliance visibility

Monitor consent status, purpose adherence, and withdrawal rates across all agents and data principals.

grantex.dev/dashboard/compliance

DPDP Compliance Overview

All Agents Active Withdrawn Expired

847

Active Consents

Agents Deployed

Withdrawals (30d)

100%

Purpose Adherence

Agent	Principal	Purposes	Status	Granted
calendar-assistant	rajesh.kumar@example.com	calendar:read, calendar:write	Active	2026-04-01
email-summarizer	priya.sharma@example.com	email:read	Active	2026-03-28
doc-analyzer	amit.patel@example.com	files:read, files:analyze	Withdrawn	2026-03-15
hr-assistant	deepa.nair@example.com	employee:read, payroll:view	Active	2026-03-10
travel-planner	vikram.singh@example.com	calendar:read, travel:book	Expired	2026-02-20

Data Principal Portal

Your users manage their own consent

DPDP Act Section 11 requires that data principals can access, correct, and withdraw their consent at any time. Grantex provides this out of the box.

✓

View all active consents

Data principals see every agent that has access to their data, what scopes were granted, when consent was given, and retention periods.

✓

One-click withdrawal

Withdrawing consent is as easy as granting it. One click triggers instant revocation of the underlying grant token, cascading to all delegated sub-agents.

✓

Processing history

View the complete audit trail of what each agent did with the granted access. Hash-chained entries ensure the log cannot be tampered with.

✓

Data export

Export consent records, processing history, and agent metadata in machine-readable JSON. Satisfies DPDP Section 11 and GDPR Article 20.

✓

Grievance submission

Integrated grievance form per DPDP Section 13. Data principals can flag consent violations, and the system routes to the designated Data Protection Officer.

My AI Agent Consents

Calendar Assistant Active

calendar:read calendar:write

Granted Apr 1, 2026 · Retention: 30 days · Purpose: Schedule management

View activity Export data Withdraw consent

Email Summarizer Active

email:read

Granted Mar 28, 2026 · Retention: 7 days · Purpose: Email digest

View activity Export data Withdraw consent

Document Analyzer Withdrawn

files:read files:analyze

Granted Mar 15, 2026 · Withdrawn Mar 22, 2026

View activity Export data

Section Mapping

How Grantex maps to DPDP Act sections

Every DPDP obligation that applies to AI agent deployments has a corresponding Grantex feature. No gaps, no manual processes.

DPDP Section	Obligation	Grantex Feature
Section 4	Lawful purpose — personal data shall be processed only for a lawful purpose	Purpose-tagged consent records; JWT scp claim enforces scope at every API call
Section 5	Notice — data fiduciary must give notice before processing	Consent notice stored in DPDPConsentRecord; human-readable consent UI
Section 6	Consent — processing based on free, specific, informed consent	Structured consent flow; purpose-specific scope selection; immutable record
Section 6(6)	Withdrawal — consent withdrawal must be as easy as granting	One-click withdrawal in data principal portal; instant grant revocation
Section 8	Data fiduciary obligations — accuracy, storage limitation, security	Retention periods per purpose; auto-expiry; audit trail; encryption at rest
Section 8(7)	Grievance redressal — data fiduciary must have a grievance mechanism	Integrated grievance form in data principal portal; DPO routing
Section 9	Children's data — additional protections for minors	Age flag on consent records; separate approval flow for minor data principals
Section 11	Data principal rights — access, correction, erasure, portability	Self-service portal; JSON export; processing history; correction requests
Section 13	Grievance mechanism — respond within prescribed period	Grievance tracking with SLA timers; escalation to Data Protection Board
Section 16	Cross-border transfer — restrictions on data transfer outside India	crossBorder flag on consent records; data residency controls in grant tokens
Section 17	Data Protection Board — regulatory oversight and penalties	Audit export packages formatted for Board inspection requirements

Export & Audit

Audit-ready exports for every framework

Generate compliance evidence packages formatted for DPDP, GDPR, and EU AI Act requirements. One API call, framework-specific output.

DPDP Audit Export

Complete consent and processing records formatted for India's Data Protection Board. Includes all mandatory fields from Sections 6, 8, 11, and 13.

✓ Consent records with purpose mapping

✓ Data principal consent notices (original text)

✓ Withdrawal timestamps and cascaded revocations

✓ Grievance log with response SLAs

✓ Data retention compliance status

✓ Cross-border transfer declarations

GDPR Article 15 Export

Subject access request response package. All data processing activities related to a specific data principal, formatted per Article 15 requirements.

✓ Processing purposes and legal basis

✓ Categories of personal data processed

✓ Recipients and third-party access

✓ Retention periods per purpose

✓ Agent delegation chain (all sub-agents)

✓ Automated decision-making disclosure

EU AI Act Conformance Report

Technical documentation per Articles 9, 13, and 17. Maps your Grantex configuration to EU AI Act conformity requirements.

✓ Risk management controls (Art. 9)

✓ Transparency evidence (Art. 13)

✓ Human oversight mechanisms (Art. 14)

✓ Quality management documentation (Art. 17)

✓ Deployer obligation checklist (Art. 26)

✓ Anomaly detection and incident reports

export-audit.ts TypeScript

// Generate a DPDP audit export
const pack = await dpdp.exportAudit({
  framework: 'dpdp',
  dateRange: { from: '2026-01-01', to: '2026-04-01' },
  format:    'json',  // or 'csv', 'pdf'
});

// Also available: 'gdpr', 'eu-ai-act'
const gdprPack = await dpdp.exportAudit({
  framework:   'gdpr',
  principalId: 'user_rajesh_kumar',
  format:      'json',
});

Start building compliant AI agents today

The DPDP Act is active now. The EU AI Act is binding August 2026. Grantex gives you the compliance infrastructure so you can focus on shipping.

npm npm install @grantex/dpdp Copy

pip pip install grantex-dpdp Copy

Read the docs → DPDP Act mapping EU AI Act mapping View on GitHub

AI Agent Compliance. Solved.