Dalgo is now DPDP-Compliant. What does it mean for you?

Jul 2026

TL;DR

Dalgo is now DPDP-compliant as a Data Processor. Here’s what that means.

What this means for you

✅ Dalgo has undergone an independent DPDP legal audit by Pacta.

✅ Your data remains yours. Dalgo only processes it to provide the service you’ve signed up for.

✅ Our contracts, privacy terms, security safeguards and breach notification processes have been updated to align with DPDP requirements.

✅ Using a DPDP-compliant processor removes one major compliance risk from your data stack.

What it doesn’t mean

❌ Your organisation is not automatically DPDP compliant.

❌ As the Data Fiduciary, you’re still responsible for consent, data mapping, retention, beneficiary rights, and vendor governance.


There’s a date every organisation working with data in India should have circled: 13 May 2027.

That’s when the Digital Personal Data Protection (DPDP) Act, 2023 becomes fully enforceable. The implementing Rules were notified in November 2025, which started an 18-month countdown. There is no signal of a grace period, and the penalties are not symbolic – failure to maintain reasonable security safeguards can attract fines of up to ₹250 crore, and penalties can stack across categories.

It would be easy to assume this is a “big company” problem. It isn’t. The law applies to any organisation that processes the digital personal data of people in India, regardless of size or sector. And here’s the uncomfortable truth for our sector: NGOs often hold the most sensitive data of the most vulnerable people – health records, caste and income details, information about children, financial and biometric identifiers. DPDP was written precisely for data like this.

The good news is that one meaningful part of that burden just got lighter. Dalgo has completed a formal DPDP audit with Pacta, a specialist data-protection legal practice, and is now compliant as a data processor. This post explains what that actually means for you, what it doesn’t mean, and how to use the runway you have left.


First, the part most people get wrong

DPDP assigns roles, and the roles matter enormously.

  • You – the NGO – are the Data Fiduciary. You decide why beneficiary data is collected and how it’s used. Under the law, accountability sits with you even when you hand the actual processing to a vendor.
  • Dalgo is your Data Processor. We process data on your behalf, strictly to run the service you’ve asked us to run.
  • Your beneficiaries are the Data Principals. The law exists to give them control and protection.

Read that first point again, because it’s the one that trips people up: outsourcing the work does not outsource the responsibility. If a tool in your data chain mishandles a beneficiary’s information, the obligation to have prevented it – and to answer for it – is yours.

Which leads to the question every fiduciary eventually has to answer: Can I actually vouch for every system that touches my data?


Why a compliant processor is worth more than it sounds

One of the hardest, least glamorous parts of DPDP readiness is vendor assurance. The Rules explicitly require appropriate security provisions in the contract between a Data Fiduciary and its processors. In plain terms: you can’t just trust your tools – you have to be able to demonstrate they’re safe, contractually and technically.

For most NGOs, the data chain is longer than it looks: a collection app, a spreadsheet, a warehouse, a dashboard, and a handful of consultants. Every one of those is a link. A single weak link is a compliance gap – and, potentially, a liability.

When your analytics platform has already been audited and brought into line, that’s one link you no longer have to worry about. It’s an item you can move from your “open risk” column to your “handled” column, with a paper trail to back it up.


What “Dalgo is DPDP-compliant” concretely means for you

We want to be precise here, because vague assurances are exactly what the law is designed to end. Following the Pacta audit, here is what you can rely on:

You own your data. We don’t. Your data lives in your warehouse. Dalgo never takes ownership of it. Our right to use your data is contractually limited to two things only: providing the service you’ve signed up for, and improving the product. Nothing else. That limitation is now written explicitly into our agreements.

Your contracts and our privacy policy are aligned to the law. Pacta who is a social sector exclusive law firm and experts on DPDP laws, reviewed our SaaS agreement, consulting contracts, and data-use terms against DPDP – and, where relevant, GDPR – so that the paperwork holding your engagement together reflects real obligations.

Personal data is protected with reasonable security safeguards, including encryption. Where personally identifiable information moves through Dalgo – for instance, when data is fetched from your warehouse to render a dashboard – it can be encrypted in transit. In Dalgo, this is a setting available in your warehouse settings which you can enable if needed.

There’s a clear breach-notification path. If a personal-data breach involving your data occurs, our obligation is to inform you promptly, so that you – as the fiduciary – can meet your own duties to notify the Data Protection Board and the affected individuals without undue delay. You are never left to discover a problem on your own.

International engagements are covered too. For organisations governed by GDPR or based outside India, cross-border data flows need contractual safeguards such as Standard Contractual Clauses. Our agreements are built to accommodate that, so a partner in the EU, US, or Australia isn’t a compliance dead-end.


What this does not mean (and why we’re telling you)

We could stop at the good news. We won’t, because half a promise is worse than none.

Dalgo’s compliance does not make you compliant. It closes one gap – an important one – but you remain the Data Fiduciary, and the bulk of the obligations are yours to meet. A trustworthy processor makes your job easier and smaller; it does not make it disappear.

So here is the honest checklist of what still sits with you before May 2027:

  • Map your data. Know what personal data you hold, why, where it lives, who it’s shared with, and how long you keep it.
  • Fix your notices and consent. DPDP expects a clear, standalone consent notice – separate from your terms – explaining exactly what you collect and why, with an easy way to withdraw consent.
  • Be ready to honour beneficiary rights. People can ask what data you hold, ask you to correct it, and ask you to erase it. Erasure requests generally must be handled within 90 days – and that includes data held by your processors.
  • Set retention and deletion rules. Data shouldn’t outlive its purpose. Decide your retention periods and be able to act on them.
  • Have a breach-response plan. Detection, escalation, notification. Know who does what before you need to.
  • Vet all your vendors – not just us. Every tool in your chain needs the same scrutiny Dalgo has now been through.
  • Take special care with children’s data. If you work with minors – as many NGOs do – the Act treats anyone under 18 as a child and generally requires verifiable parental consent, with tracking and behavioural targeting prohibited. This is one of the highest-risk areas for our sector.

Why we did this, and why now

Dalgo exists to help NGOs make better decisions with their data. That mission only works if the people whose data it is – the families, students, patients, and communities our customers serve – are protected in the process. Compliance is a direct expression of the trust our customers place in us, and the trust their beneficiaries place in them.

A recent survey found that only about 16% of Indian consumers actually understand the DPDP law. In the social sector, where awareness has often trailed adoption, that gap is a risk – but it’s also an opportunity. Organisations that get ahead of this won’t just avoid penalties; they’ll earn something more durable. The ability to look a funder, a partner, or a beneficiary in the eye and say we handle your data with care, and we can prove it is becoming a genuine differentiator.

We’ve taken one hard thing off your plate. We’d like to help with the rest.

If you’re a Dalgo customer and want to walk through what your DPDP readiness looks like – where you stand, what’s covered by your use of Dalgo, and what still needs attention – reach out to us at support@dalgo.org. And if you’re earlier in the journey and just want to understand what DPDP means for an NGO like yours, we’re building resources and running sessions to help the whole sector get ready together.

Project Tech4Dev has also created an easy-to-use, DPDP self-assessment which you can take to assess where your organisation stands with respect to DPDP readiness – https://dpdp.projecttech4dev.org/ 

May 2027 is closer than it looks. Let’s not scramble. Let’s get ready.

You may also like

The Eval Layer Is the Product

AI Cohort Program 3.0: Empowering NGOs to Scale Impact with AI

TAF Capacity Building Grant | Progress Update