FieldGovern is built for India's Digital Personal Data Protection Act 2023. Full compliance mapping — purpose limitation, consent, data principal rights, breach reporting.
DPDP 2023 Ready Data Localisation Consent Audit Trail Breach NotificationThe Digital Personal Data Protection Act 2023 (DPDP) governs how organisations collect, process, store, and share personal data of Indian citizens. For field data collection — surveys, enumerations, panel studies — the key obligations are:
Personal data must be collected for a specific, clear purpose. Consent must be free, specific, informed, and unconditional — and must be recorded.
Only data necessary for the stated purpose may be collected. Extra fields that aren't needed = liability.
Respondents have the right to access, correct, and erase their data. Organisations must have a mechanism to honour these requests.
Data breaches must be reported to the Data Protection Board and affected data principals within 72 hours of discovery.
Organisations that decide the purpose and means of processing (data fiduciaries) must appoint a Data Protection Officer if required, and publish a privacy policy.
When engaging a data processor (like FieldGovern), a written DPA is required that specifies the scope, purpose, and security obligations.
Below is a clause-by-clause mapping of the DPDP Act's obligations to FieldGovern's implemented controls.
| DPDP Obligation | FieldGovern Control | Status |
|---|---|---|
| S.6 — Consent Free, specific, informed, unconditional consent before collection |
Consent question type in form builder. Consent timestamp + IP logged per submission. Public-survey link includes consent preamble. | Implemented |
| S.6(6) — Consent withdrawal Data principal can withdraw at any time |
Soft-delete endpoint for submission data. Org admins can action withdrawal requests against respondent ID/phone. | Implemented |
| S.8 — Purpose limitation Data used only for stated purpose |
Form-level "data purpose" field (JSONB). Export API tags all exports with purpose + user ID in audit log. | Implemented |
| S.8(3) — Data accuracy Data must be accurate and complete |
FgCleaner QC engine flags duplicate, incomplete, and implausible submissions before approval. Approval workflow prevents inaccurate data from becoming "official". | Implemented |
| S.8(7) — Storage limitation Data not retained beyond purpose |
Tenant-level retention policy setting (days). Scheduler auto-archives submissions past retention. Configurable per program. | In roadmap |
| S.11 — Right to access Data principal can request their data |
Export by respondent ID/phone exports all submissions for that individual. CSV/PDF output. | Implemented |
| S.12 — Right to correction/erasure Data principal can correct or erase their data |
Org admins can edit or delete individual submission records. Audit log records the action, actor, and timestamp. | Implemented |
| S.13 — Right to grievance redressal Mechanism to raise and address grievances |
Grievance email configurable per-tenant (shown in privacy policy template). Response SLA tracked by org admin. | Manual process |
| S.8(5) — Data breach notification Notify Board + data principals within 72h |
Sentry real-time error alerting. Breach notification template included in DPA (see link below). Manual escalation process. | Template provided |
| S.9 — Children's data Verifiable parental consent for minors |
Form-level "minor respondent" flag triggers guardian-consent question. Age-gate logic configurable. | Implemented |
| S.8(4) — Security safeguards Appropriate technical + organisational measures |
JWT HS256 + bcrypt. Row-level tenant isolation. TLS everywhere. OPFS encrypted offline storage. Sentry + structured audit log. | Implemented |
| Data localisation Personal data of Indian citizens stored in India |
Deployable on Oracle Cloud India (Mumbai/Hyderabad), Hetzner India, or any on-premise server. Data never leaves your chosen region. | Self-hosted option |
| Data Processing Agreement Written DPA with processor required |
Standard DPA template available below. Can be customised for each client engagement. | Template available |
Before deploying a survey program, run through this checklist in FieldGovern:
FieldGovern (operated by Dataworx) is a data processor. Your organisation — the NGO, research institute, or government body running the survey — is the data fiduciary. You determine the purpose and means of processing; we process data on your instructions.
Yes. FieldGovern is fully self-hostable via Docker Compose on any Linux server in India. Your data never leaves your infrastructure. This satisfies both DPDP data localisation requirements and internal IT policies at most government bodies.
We will notify the affected tenant within 6 hours of discovery. Our breach notification template (included in the DPA) guides you through notifying the Data Protection Board and affected data principals within the 72-hour DPDP window. Sentry monitors all backend errors in real time.
Yes — the DPDP Act requires a written agreement between data fiduciary and data processor. We provide a standard DPA template that can be signed digitally. Download it below.
Yes. The audit log export (CSV) includes every consent capture event: submission ID, respondent phone (hashed), form version, timestamp, and GPS coordinates of the device at time of consent.
Our standard Data Processing Agreement is pre-filled with FieldGovern's security commitments and DPDP obligations. Have your legal team review and sign digitally.
View DPA Template Start Free Trial