Compliance pillar

DPDP Act, 2023 — India's GDPR.

The Digital Personal Data Protection Act, 2023 reframes how Indian platforms handle personal data. Captable was built with the DPDP obligations baked in — not bolted on after notification.

Data residency in India

Captable's production data lives in Indian regions — currently AWS ap-south-1 (Mumbai) with a hot-standby in ap-south-2 (Hyderabad). The DPDP Act's eventual notification of cross-border restrictions is a configuration change for us, not a re-architecture.

Encryption + access controls

All personal data is encrypted at rest with managed AWS KMS keys and in transit with TLS 1.2+. Application-level access is gated by SSO-backed roles; stakeholder views are scoped to their own grants only. Sensitive PII (PAN, Aadhaar) is field-level encrypted with a separate key.

Consent management

Section 6 of the DPDP Act requires explicit consent before processing personal data for any purpose other than the stated one. Captable's consent ledger captures every purpose, the consent timestamp, and the withdrawal history — exportable to the data principal on request under Section 11.

Breach notification

Section 8(6) of the DPDP Act requires data fiduciaries to notify both the Data Protection Board and the affected data principals of a personal-data breach. Captable runs a 72-hour incident-response playbook with templated notification + a forensic ledger export.

Rights of the data principal — operational, not aspirational.

  • Right to access (§11). Every stakeholder can pull a JSON export of all data Captable holds about them.
  • Right to correction + erasure (§12). In-app workflow for correction; erasure honored against retention periods set by company law.
  • Right to grievance redressal (§13). Single grievance officer endpoint, SLA-backed, escalable to the Data Protection Board.
  • Right to nominate (§14). Stakeholders can nominate a successor for their account in the event of incapacity or death.

Privacy by design, not by retrofit.

Captable's data model was reviewed against the DPDP Act before first commit. The compliance posture isn't a checkbox — it's how the database is shaped.