Skip to main content
Active on every WordPress site
IndiaIndia · DPDPA 2023

WordPress hosting with DPDPA plugin built into the platform.

Consent manager, privacy portal, Data Principal request workflow, and signed DPA — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. It's how every Yovale site ships, on every plan.

Effective: August 11, 2023Penalty: up to ₹250 croreJurisdiction: India
yoursite.in
Privacy preferencesIndia detected

We use cookies and process personal data to run this site. You can consent to all, choose specific purposes, or only allow what's strictly necessary.

handled by Yovale · no plugin installed
what DPDPA requires

Six duties you have to honor.

The Digital Personal Data Protection Act, 2023 — enacted in India on August 11, 2023 — gives Data Principals enforceable rights over their personal data and imposes strict duties on Data Fiduciaries. Running a WordPress site that processes data of Indian residents means honoring these. The Data Protection Board of India can issue penalties up to ₹250 crore per breach class.

  • 01

    Explicit consent

    Data Principals must opt in BEFORE you process their personal data — analytics, marketing pixels, account signups. Consent must be free, specific, informed, and unconditional. Bundled consent and 'by using this site you agree' notices fail the test.

  • 02

    Data Principal rights

    Anyone can request access to, correction of, or erasure of their personal data. You also honor the right to nominate (post-death) and the right to withdraw consent at any time, as easily as it was given.

  • 03

    Grievance redressal

    Every Data Fiduciary must publish a contactable grievance officer and respond within the statutory window. Unresolved grievances escalate to the Data Protection Board of India.

  • 04

    Consent Manager interface

    Consent must be manageable through a transparent, auditable interface. Data Principals can review, modify, or withdraw consent for each processing purpose — not a blanket toggle.

  • 05

    Audit log

    Maintain a tamper-proof record of every consent given, modified, or withdrawn, and every Data Principal request and how it was resolved. Produce it for the Data Protection Board on request.

  • 06

    Breach notification

    Notify the Data Protection Board of India and affected Data Principals of personal data breaches within the statutory window (currently 72 hours under the draft rules). Signed DPA required with every processor.

how Yovale handles it

Built into the platform. Not a plugin you install.

Yovale ships DPDPA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.

Consent Manager UI

Geo-aware. India visitors see a per-purpose consent interface before any non-essential script fires. Each purpose (analytics, marketing, personalization) has its own toggle. Records are stored as auditable Data Principal events, not as wp_options.

Privacy portal

/.well-known/privacy on every Yovale site. Data Principals view, export, correct, or delete their data without filing a ticket. They can nominate another individual and withdraw consent. You see every request in the Compliance dashboard tab.

Audit log

Every consent event and every Data Principal request is logged at the Cloudflare edge worker layer. Tamper-proof, queryable, retained for the statutory period. Exportable in JSON or CSV for the Data Protection Board.

Signed DPA

Pre-signed Data Processing Agreement available in your dashboard. Lists Yovale as Data Processor, you as Data Fiduciary, every sub-processor (Cloudflare, Anexia, R2), data flows, security measures, and breach notification SLAs. PDF download for your records.

plugin vs platform

Why infrastructure beats a plugin.

Typical WordPress DPDPA plugin

  • Adds 200-500ms to every page load (banner JS, cookie scan, DB writes)
  • Stores consent records in wp_options — slow, untyped, breaks with object caching
  • Updates through wp-admin — you maintain it, you break it, you debug conflicts
  • Costs ₹4,000-10,000/year per site for a real Consent Manager
  • Breaks when you migrate hosts; Data Principal consent history is lost

Yovale's built-in approach

  • 0ms latency — consent state computed at the edge worker, cached in the CDN
  • Audit log in a dedicated database, queryable, never blocks page render
  • Updates ship through the platform — you don't see them, you don't break them
  • Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
  • Travels with your site forever — Data Principal records are yours to export
Your dashboard

14 regulations. One toggle each. All automatic.

Regulations14
OPT-IN
DPDPA
Digital Personal Data Protection Act
GDPR
General Data Protection Regulation
CCPA
California Consumer Privacy Act
LGPD
Lei Geral de Proteção de Dados
PIPEDA
Personal Information Protection and Electronic Documents Act
+ 9 more regulations · all opt-in
DPDPA
Digital Personal Data Protection Act
OPT-IN
Effective
August 11, 2023
Consent mode
Opt-in
Authority
DPB
Max penalty
₹250 cr
Key requirements
  • Explicit consent per purpose
  • Data Principal access and erasure rights
  • Grievance redressal officer
  • Breach notification to DPB
common questions

DPDPA + Yovale, answered.

Do I need to install a DPDPA plugin on top of Yovale?

No. The compliance MU-plugin is part of the hosting, not something you add. Installing a separate DPDPA or cookie-consent plugin (Complianz, CookieBot, CookieYes) on top of Yovale would create duplicate consent banners and confuse Data Principals. The platform handles it.

Does this work for non-India sites?

Yes. The compliance system is geo-aware. India visitors see DPDPA consent flows with per-purpose toggles. EU visitors see GDPR opt-in. US visitors see CCPA opt-out. The same hosting handles every regulation automatically — no extra config per region.

What if I get a Data Principal request?

Data Principals handle most requests themselves through the privacy portal at /.well-known/privacy on your domain — access, correction, erasure, withdraw consent, nominate. For requests that require human review, you see them in your dashboard Compliance tab with the statutory SLA timer.

Is the DPA legally binding under DPDPA?

Yes. It's a pre-signed agreement that names Yovale as Data Processor and you as Data Fiduciary, aligned with the DPDPA's processor-fiduciary contract requirements. Available as a PDF download in the dashboard. Lists every sub-processor (Cloudflare, Anexia, R2) and the security measures applied.

Who is the grievance officer?

You — the site owner — are the grievance officer for Data Principal complaints about content and services on your site. Yovale acts as Data Processor and handles infrastructure-level grievances about hosting, storage, and security. Your dashboard surfaces both queues so nothing falls through.

What about plugin conflicts?

Since Yovale's DPDPA system is a must-use plugin (mu-plugin), it loads before any other plugin and can't be deactivated. It can't conflict with WP Rocket, your cache plugin, or anything else — the platform owns it.

Ship a DPDPA-compliant WordPress site in 60 seconds.

Every Yovale site is DPDPA-ready from the moment you deploy. No plugin to install. No DPA to chase. No Consent Manager to configure. Start the free Growth trial and see your first compliance dashboard.

Start free trialfree Growth trial · no credit card · DPDPA active from minute one