Documentation

How AIRA works

AIRA (AI Risk Advisor) is a DPDPA readiness assessment platform for Indian organizations. It profiles your organization, guides a tailored assessment across five compliance domains, and produces a defensible, board-ready readiness report. This guide explains the framework, the scoring method, and exactly where AI is- and is not- used.

Overview

AIRA turns a structured self-assessment into a clear readiness score, a prioritized set of risks and recommendations, a 30-60-90 day roadmap, and a downloadable PDF report. The assessment is grounded in the obligations of India’s Digital Personal Data Protection Act, 2023 (DPDPA), not a generic checklist.

Two principles drive the product: scoring is fully deterministic (computed in code, never by AI), and AI is used only to explain and guide- never to decide. This keeps your results consistent, repeatable, and explainable to auditors and boards.

Getting started

Start by profiling your organization: industry, employee count, the types of personal data you process, geographic scope, and approximate data volume. This context tailors how results are explained and what examples AIRA gives- it does not change the score.

You then answer 18 questions. Each question maps to a specific DPDPA obligation and includes guidance on what “good” looks like. You can move back and forth and revise answers before you finish.

The framework: five domains

The assessment is organized into five domains, each with a fixed weight that reflects its importance to overall DPDPA readiness. Weights are constants, so the score is a transparent weighted average.

  • Consent & Transparency- 25%: how you obtain, explain, and manage consent, and the notices you provide.
  • Data Principal Rights- 20%: how individuals access, correct, erase, and raise grievances about their data.
  • Security Safeguards- 25%: technical and organizational measures, breach response, and staff training.
  • Governance & Accountability- 15%: data inventory, policy review, and clear ownership of data protection.
  • Third Parties & Data Sharing- 15%: vendor assessment, data-sharing records, and processor contracts.

The 18 controls

Each domain contains three to four controls. The full set is:

  • Consent & Transparency: explicit consent capture, privacy notice, consent withdrawal, consent records.
  • Data Principal Rights: access requests, correction requests, deletion requests, grievance redressal.
  • Security Safeguards: access controls, data-breach response plan, security review cycle, privacy training.
  • Governance & Accountability: personal-data inventory, policy review cycle, privacy ownership.
  • Third Parties & Data Sharing: vendor risk assessment, data-sharing records, vendor data-protection clauses.

The maturity scale

For every control you choose one of four maturity levels, each worth a fixed number of points:

  • Fully Implemented- 100 points: the control is in place and operating across the organization.
  • Partially Implemented- 50 points: some implementation exists, but gaps remain.
  • Not Implemented- 0 points: the control is not in place.
  • Not Sure- 25 points: status is unknown. Uncertainty is itself treated as a risk (a “blind spot”).

How scoring works

A domain’s raw score is the average of its controls’ maturity points (0–100). Each domain’s contribution is its raw score multiplied by its weight, and the final readiness score is the sum of those contributions, rounded to a whole number out of 100.

Worked example: if Consent & Transparency (weight 25%) averages 50, it contributes 12.5 points toward the final 100. Do this for all five domains and add them up. Because the inputs and weights are fixed, the same answers always produce exactly the same score.

Classification bands

  • Excellent- 90 to 100: strong alignment with DPDPA expectations.
  • Good- 75 to 89: most controls exist; improvements recommended.
  • Moderate- 60 to 74: several important gaps exist.
  • High Risk- 40 to 59: significant compliance gaps.
  • Critical- 0 to 39: likely unprepared for DPDPA obligations.

Where AI is used

AI appears in exactly two places. During the assessment, AIRA acts as a senior compliance advisor- it explains DPDPA concepts, clarifies questions, gives industry-specific examples, and suggests what evidence should exist. It never selects an answer for you and never calculates anything.

After you finish, AIRA makes a single AI call to write a 150–200 word executive summary that explains your deterministic results in business language. Every other part of the report- scores, charts, risks, recommendations, roadmap, the assessment evidence, and the PDF- is produced entirely by the deterministic framework.

Your report

  • Overall readiness score, classification, and a domain breakdown (radar and bar charts).
  • An executive summary, key risks, and prioritized recommendations with effort estimates.
  • A 30-60-90 day roadmap that sequences the highest-impact actions first.
  • An Assessment Evidence review of every control- your answer, why it matters, and how to improve.
  • A downloadable, board-ready PDF, with the option to email it to yourself.

Frequently asked questions

Does the AI change my score? No. Scoring is deterministic; AI only explains. Will the same answers give the same result? Always. Is this a certification? No- it is a readiness assessment to help you prioritize and plan. Is it legal advice? No; validate binding decisions with a qualified professional.