GUIDE · January 2026 · 22 min read

How Pinaakini maps to DPDP 2023 section by section

A compliance officer or DPO evaluating Pinaakini Enterprise needs to know exactly which control satisfies which obligation. This document maps every relevant DPDP 2023 section to the specific Pinaakini architecture component that addresses it.

Methodology

This mapping covers Sections 8 through 13 of the DPDP Act 2023 — the provisions that impose direct obligations on Data Fiduciaries. For each relevant sub-section, we identify the obligation, the Pinaakini component that addresses it, and the evidence artefact that demonstrates compliance to the Data Protection Board.

This document is intended to be used alongside your organisation's existing compliance programme, not as a replacement for legal advice. The DPDP Act is new — Board guidance and case law will continue to develop.

Section 8 — Obligations of Data Fiduciaries

Section 8(1) — Lawful processing

Obligation: Personal data may only be processed for the purpose for which consent was obtained, or for a legitimate use as specified in the Act.

Pinaakini control: The gateway can be configured with a purpose registry — a list of approved AI processing purposes mapped to the consent categories in your consent management system. Prompts that appear to contain data being processed outside an approved purpose trigger an alert and are blocked.

Evidence artefact: Purpose registry configuration file; alert log showing blocked out-of-purpose processing attempts; audit log entries with purpose code attached to each interaction.

Section 8(3) — Data minimisation

Obligation: Only personal data necessary for the specified purpose may be processed. Excess personal data must not be collected or processed.

Pinaakini control: This is the core function of the redaction layer. Every identifier beyond what is necessary for the AI task is stripped before the prompt is transmitted. The gateway does not allow the AI system to receive more personal data than the task requires — because it removes it.

Evidence artefact: Per-interaction redaction log showing which data types were removed from each prompt; monthly summary showing PII interception rates by data type and department.

Section 8(4) — Accuracy

Obligation: The Data Fiduciary must ensure that personal data is accurate and complete where it is likely to be used to make a decision affecting the data principal.

Pinaakini control: Pinaakini does not validate the accuracy of data — that is upstream of the gateway. However, the gateway prevents inaccurate personal data from being transmitted to AI systems for decisions, by replacing it with typed tokens that cannot be mistaken for real data values. This prevents the AI from making decisions based on data that the organisation has not validated.

Evidence artefact: Architecture diagram showing the redaction-before-transmission flow; confirmation that AI outputs use tokenised references, not raw PII values.

Section 8(7) — Storage limitation

Obligation: Personal data must not be retained beyond the period necessary for the purpose for which it was processed.

Pinaakini control: The gateway does not store personal data. The audit log records the data type (e.g., "Aadhaar Number", "PAN") but not the value. The original data remains in the organisation's own systems, subject to their existing retention policies. The gateway adds no new personal data stores.

Evidence artefact: Gateway architecture documentation confirming zero personal data retention; audit log schema showing data type but not data value in log entries.

Section 8(8) — Reasonable security safeguards

Obligation: Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches.

Pinaakini control: The gateway is the primary technical safeguard addressing the AI-specific breach surface. It prevents personal data from reaching external AI systems, which is the most common source of AI-related data exposure. Deployed in the organisation's VPC, it inherits the organisation's existing network security posture and adds the redaction layer on top.

Evidence artefact: Security architecture review; penetration test results; deployment documentation showing VPC isolation; NER accuracy metrics (99.7% detection rate on Indian PII formats).

Section 9 — Processing of children's data

Obligation: Personal data of persons under 18 may only be processed with verifiable parental consent. Certain processing harmful to children is prohibited regardless of consent.

Pinaakini control: The gateway flags prompts that contain data associated with minors (based on age indicators in context, or explicit age fields). These are routed to a separate review queue rather than processed automatically. This does not satisfy Section 9 independently — parental consent verification must happen upstream — but the gateway prevents accidental AI processing of children's data without human review.

Evidence artefact: Review queue log for child-data-flagged prompts; configuration showing the flagging rules.

Section 11 — Personal data breach

Obligation: The Data Fiduciary must notify the Board and affected data principals of a personal data breach in the prescribed manner and timeline.

Pinaakini control: The gateway's audit log is the primary evidence asset in a breach investigation. Because the log records every AI interaction — including the data type that was redacted — it enables the organisation to rapidly determine whether any personal data reached an external system, and if so, which data type, whose interaction, and to which AI system.

In the event that personal data does reach an external system (a gap in the redaction, a misconfiguration), the audit log provides the forensic trail required by the Board's breach notification guidance: who, when, what type of data, what system received it.

Evidence artefact: Audit log query demonstrating the ability to reconstruct per-interaction data flows; incident response runbook referencing the audit log as the primary forensic source.

Section 13 — Grievance redressal

Obligation: Data Fiduciaries must establish a grievance redressal mechanism and respond to data principal complaints within a prescribed period.

Pinaakini control: The audit log enables the organisation to respond to data principal requests with specificity — "Your data was processed by our AI system on [date]. The following data types were present in the interaction and were redacted before transmission: [list]. No personal data was transmitted to any external AI system." This is a materially better response than most organisations can currently provide.

Evidence artefact: Sample grievance response template using audit log data; demonstration of audit log query for a specific user's interactions.

Evidence pack for the Board

For organisations required to submit compliance declarations to the DPBI, or responding to a Board examination, the following evidence pack is generated from Pinaakini Enterprise's audit system:

  • Architecture diagram — showing the gateway position in the data flow, with data residency boundaries marked.
  • Redaction log summary — monthly count of PII interceptions by data type, department, and AI model destination.
  • Purpose registry — configuration showing approved AI processing purposes and their mapping to consent categories.
  • Security assessment — penetration test results and NER accuracy benchmarks.
  • Data retention confirmation — attestation that the gateway retains no personal data values.

Gaps Pinaakini does not cover

This mapping would be incomplete without acknowledging what Pinaakini does not cover. The following DPDP obligations require action outside the gateway:

  • Section 6 — Consent management: Pinaakini enforces processing against a consent registry, but the consent itself must be obtained and managed by the organisation's consent management system.
  • Section 9 — Parental consent verification: The gateway flags child-data scenarios, but verifiable parental consent must be obtained upstream.
  • Section 14 — Significant Data Fiduciary obligations: DPIAs, Data Protection Officer appointment, and periodic audits are organisational obligations that the gateway supports (by providing audit data) but cannot perform.
  • Section 16 — Cross-border data transfers: The gateway prevents personal data from reaching external AI systems, which is the most common cross-border transfer scenario in enterprise AI. However, it does not address cross-border transfers in other systems.
Download the full compliance mapping

The complete DPDP-to-Pinaakini control mapping — in the format required by the Data Protection Board's examination questionnaire — is available to enterprise customers and POC participants. Request it from our compliance team.

Continue reading
GUIDE

A complete DPDP 2023 compliance guide for enterprise AI usage

 NEWS

RBI advisory on AI in banking — customer data protection now a supervisory priority

 BLOG

PII in the enterprise AI era — the Indian data type taxonomy

 BLOG

Sovereign AI vs Cloud AI — why India's critical sectors cannot afford to be agnostic