Active on every WordPress site

India · DPDPA 2023

WordPress hosting with DPDPA plugin built into the platform.

Consent manager, privacy portal, Data Principal request workflow, and signed DPA — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. It's how every Yovale site ships, on every plan.

Effective: August 11, 2023Penalty: up to ₹250 croreJurisdiction: India

Start free trial See pricing

yoursite.in

Privacy preferencesIndia detected

We use cookies and process personal data to run this site. You can consent to all, choose specific purposes, or only allow what's strictly necessary.

handled by Yovale · no plugin installed

what DPDPA requires

Six duties you have to honor.

The Digital Personal Data Protection Act, 2023 — enacted in India on August 11, 2023 — gives Data Principals enforceable rights over their personal data and imposes strict duties on Data Fiduciaries. Running a WordPress site that processes data of Indian residents means honoring these. The Data Protection Board of India can issue penalties up to ₹250 crore per breach class.

01
Explicit consent
Data Principals must opt in BEFORE you process their personal data — analytics, marketing pixels, account signups. Consent must be free, specific, informed, and unconditional. Bundled consent and 'by using this site you agree' notices fail the test.
02
Data Principal rights
Anyone can request access to, correction of, or erasure of their personal data. You also honor the right to nominate (post-death) and the right to withdraw consent at any time, as easily as it was given.
03
Grievance redressal
Every Data Fiduciary must publish a contactable grievance officer and respond within the statutory window. Unresolved grievances escalate to the Data Protection Board of India.
04
Consent Manager interface
Consent must be manageable through a transparent, auditable interface. Data Principals can review, modify, or withdraw consent for each processing purpose — not a blanket toggle.
05
Audit log
Maintain a tamper-proof record of every consent given, modified, or withdrawn, and every Data Principal request and how it was resolved. Produce it for the Data Protection Board on request.
06
Breach notification
Notify the Data Protection Board of India and affected Data Principals of personal data breaches within the statutory window (currently 72 hours under the draft rules). Signed DPA required with every processor.

how Yovale handles it

Built into the platform. Not a plugin you install.

Yovale ships DPDPA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.

Consent Manager UI

Geo-aware. India visitors see a per-purpose consent interface before any non-essential script fires. Each purpose (analytics, marketing, personalization) has its own toggle. Records are stored as auditable Data Principal events, not as wp_options.

Privacy portal

/.well-known/privacy on every Yovale site. Data Principals view, export, correct, or delete their data without filing a ticket. They can nominate another individual and withdraw consent. You see every request in the Compliance dashboard tab.

Audit log

Every consent event and every Data Principal request is logged at the Cloudflare edge worker layer. Tamper-proof, queryable, retained for the statutory period. Exportable in JSON or CSV for the Data Protection Board.

Signed DPA

Pre-signed Data Processing Agreement available in your dashboard. Lists Yovale as Data Processor, you as Data Fiduciary, every sub-processor (Cloudflare, Anexia, R2), data flows, security measures, and breach notification SLAs. PDF download for your records.

plugin vs platform

Why infrastructure beats a plugin.

Typical WordPress DPDPA plugin

Adds 200-500ms to every page load (banner JS, cookie scan, DB writes)
Stores consent records in wp_options — slow, untyped, breaks with object caching
Updates through wp-admin — you maintain it, you break it, you debug conflicts
Costs ₹4,000-10,000/year per site for a real Consent Manager
Breaks when you migrate hosts; Data Principal consent history is lost

Yovale's built-in approach

0ms latency — consent state computed at the edge worker, cached in the CDN
Audit log in a dedicated database, queryable, never blocks page render
Updates ship through the platform — you don't see them, you don't break them
Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
Travels with your site forever — Data Principal records are yours to export

Your dashboard

14 regulations. One toggle each. All automatic.

Regulations14

OPT-IN

DPDPA

Digital Personal Data Protection Act

OPT-IN

GDPR

General Data Protection Regulation

CCPA

California Consumer Privacy Act

LGPD

Lei Geral de Proteção de Dados

PIPEDA

Personal Information Protection and Electronic Documents Act

+ 9 more regulations · all opt-in

DPDPA

Digital Personal Data Protection Act

OPT-IN

Effective

August 11, 2023

Consent mode

Opt-in

Authority

DPB

Max penalty

₹250 cr

Key requirements

Explicit consent per purpose
Data Principal access and erasure rights
Grievance redressal officer
Breach notification to DPB

common questions

DPDPA + Yovale, answered.

Do I need to install a DPDPA plugin on top of Yovale?

No. The compliance MU-plugin is part of the hosting, not something you add. Installing a separate DPDPA or cookie-consent plugin (Complianz, CookieBot, CookieYes) on top of Yovale would create duplicate consent banners and confuse Data Principals. The platform handles it.

Does this work for non-India sites?

Yes. The compliance system is geo-aware. India visitors see DPDPA consent flows with per-purpose toggles. EU visitors see GDPR opt-in. US visitors see CCPA opt-out. The same hosting handles every regulation automatically — no extra config per region.

What if I get a Data Principal request?

Data Principals handle most requests themselves through the privacy portal at /.well-known/privacy on your domain — access, correction, erasure, withdraw consent, nominate. For requests that require human review, you see them in your dashboard Compliance tab with the statutory SLA timer.

Is the DPA legally binding under DPDPA?

Yes. It's a pre-signed agreement that names Yovale as Data Processor and you as Data Fiduciary, aligned with the DPDPA's processor-fiduciary contract requirements. Available as a PDF download in the dashboard. Lists every sub-processor (Cloudflare, Anexia, R2) and the security measures applied.

Who is the grievance officer?

You — the site owner — are the grievance officer for Data Principal complaints about content and services on your site. Yovale acts as Data Processor and handles infrastructure-level grievances about hosting, storage, and security. Your dashboard surfaces both queues so nothing falls through.

What about plugin conflicts?

Since Yovale's DPDPA system is a must-use plugin (mu-plugin), it loads before any other plugin and can't be deactivated. It can't conflict with WP Rocket, your cache plugin, or anything else — the platform owns it.

Ship a DPDPA-compliant WordPress site in 60 seconds.

Every Yovale site is DPDPA-ready from the moment you deploy. No plugin to install. No DPA to chase. No Consent Manager to configure. Start the free Growth trial and see your first compliance dashboard.

Start free trialfree Growth trial · no credit card · DPDPA active from minute one