
An illustrative example of how Pramaan takes a fast-moving SaaS company from "we know DPDP applies" to an operated, defensible compliance posture — without derailing the roadmap.
Illustrative example. This is a representative scenario, not a real client engagement — it shows how Pramaan typically helps a company of this shape.
A growing B2B SaaS company holds personal data on tens of thousands of user accounts, plus the data their customers' end-users generate inside the product. They knew DPDP applied — they just had no idea where to start, and no one whose job it was to find out.
The specifics were familiar:
- Personal data spread across the product database, a CRM, a help-desk tool, analytics, email marketing and a payment processor — with no single map of what sat where.
- A privacy policy written years ago that nobody had revisited against the Act.
- No process for a user who asks "what do you hold on me?" or "delete my account and data."
- Uncertainty about the lawful basis for each thing they did with data.
- No breach plan, and no clarity on the reporting clock if something went wrong.
Engineering-led and moving fast, they had no appetite to turn compliance into a project that stalled the roadmap.
We treated it as an operating problem, not a paperwork one.
- Mapped the data. A record of what personal data they process, why, and which tools and sub-processors touch it — the data map they'd never had.
- Fixed the lawful basis. For each purpose, the correct basis, documented so they could actually show it.
- Rewrote notice and consent. Plain-language notice and consent flows that meet the standard, not a buried policy.
- Stood up the rights workflow. Access, correction and erasure requests land in a tracked workflow, each with its response clock.
- Built the processor register. Every vendor that processes data on their behalf, documented, with responsibility made explicit.
- Wrote the breach playbook. A guided process with the statutory reporting window built in.
All of it operated on an ongoing basis — the judgment calls stay with people who understand the law, not the engineering team.
What a company like this ends up with:
- A clear, current map of the personal data they hold and why — no more guessing.
- Notices and consent that meet the DPDP standard.
- Every data-principal request tracked against its deadline, with overdue requests surfaced early.
- Sub-processors documented and accountable.
- A breach plan ready before they need it.
- Founders and engineers back on the product — compliance handled, not hovering.
This is an illustrative example of Pramaan's approach, not a specific client result. Your own obligations should be confirmed for your business — book a free compliance review.