Trust
Compliance & Methodology
AIRA is built to be defensible and auditable. This page explains how our assessment maps to the Digital Personal Data Protection Act, 2023 (DPDPA), how results are produced deterministically, and the strict boundaries we place on AI.
Our approach
We translate the DPDPA’s core obligations into a structured, weighted framework of 18 controls across five domains. Every result is computed in code from your answers, so it is consistent, repeatable, and explainable- the qualities an auditor, a board, or a regulator expects.
How the framework maps to the DPDPA
- Consent & Transparency → consent that is free, specific, informed, unconditional, and unambiguous; clear notice to the Data Principal; and demonstrable consent records.
- Data Principal Rights → the rights to access a summary of personal data, to correction and completion, to erasure, and to grievance redressal.
- Security Safeguards → reasonable security safeguards, breach detection and intimation, ongoing review, and staff awareness.
- Governance & Accountability → knowing your data (inventory), maintaining policies, and assigning clear ownership for data protection.
- Third Parties & Data Sharing → the Data Fiduciary remaining accountable for its Processors, recording disclosures, and binding vendors by contract.
Deterministic, auditable scoring
Each control is rated on a fixed maturity scale (Fully 100, Partially 50, Not Implemented 0, Not Sure 25). A domain score is the average of its controls; the final score is the weighted sum of domain scores (Consent 25%, Rights 20%, Security 25%, Governance 15%, Third Parties 15%).
There is no randomness and no AI anywhere in the scoring path. The same inputs always produce exactly the same score and classification, so your result can be reproduced and defended at any time.
How we bound AI
- AI is used in only two places: a live advisor during the assessment, and a single executive summary after it.
- AI explains and interprets results in plain business language; it never computes, changes, or determines any score, classification, maturity value, risk, or recommendation.
- All report content- charts, the assessment evidence, risks, recommendations, the roadmap, and the PDF- is generated entirely by the deterministic framework.
- Industry and data-type context affects how results are explained, never the numbers themselves.
Data security
AI and email credentials are kept strictly server-side and are never exposed to the browser. We transmit only the minimum context required to generate advisory text, use encrypted connections, and limit access to data on a need-to-know basis. See our Privacy Policy for the full detail.
Auditability & evidence
Every report includes an Assessment Evidence section that records, control by control, what you answered, its maturity, the DPDPA obligation it maps to, a deterministic interpretation, and the recommended improvement. This gives you a clear, reviewable trail of how the score was reached.
What this is- and is not
AIRA is a readiness assessment that helps you understand, prioritize, and plan your DPDPA program. It is not a certification, an audit opinion, or legal advice. Penalties for non-compliance under the DPDPA can be significant, so use AIRA to focus your effort and validate binding decisions with a qualified professional.
Contact
Questions about our methodology, security, or DPDPA alignment? Contact us at hello@bughunters.io.