checkDPDP

Trust & security

How we handle your data — and our own.

A scanner that grades other people's compliance has no business cutting corners on its own. Here's everything you'd want to know before pasting a URL in.

How the scanner works

When you submit a URL, we fetch the page using a server-side scanner with a clearly identified user agent (Mozilla/5.0 (compatible; checkDPDPbot/1.0; +https://checkdpdp.in/security)). We render the page, observe which scripts run, look for a consent banner, check for a privacy notice and grievance contact, and inspect the HTTPS configuration and security headers.

What we touch and what we keep

  • What we fetch: the page you submit, plus its referenced assets (scripts, stylesheets, images) — exactly what a regular browser would fetch.
  • What we keep: the URL, the score, a per-category summary, and the IP address that initiated the scan (kept for 7 days for abuse prevention). We do not archive the page contents or its assets.
  • What we don't do: bypass logins, attempt authenticated areas, brute-force directories, or scan anything not publicly accessible.

Our own DPDP posture

We're a Data Fiduciary too — these are the same controls we recommend on the checklist:

  • HTTPS enforced site-wide (HSTS, preload).
  • Modern headers: Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options.
  • A DPDP-style notice (see Privacy Policy) and a published Grievance Officer.
  • Cookie consent on our own site: granular, no pre-ticks, reject as easy as accept, withdraw from the footer.
  • Role-based access to scan records; access logs reviewed.
  • Backups encrypted; restore is tested.
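As an added illustration, not checkDPDP's own scanner code, here is a small Python audit of the header checks named above (HSTS with includeSubDomains and preload, plus the five response headers on the list); the header values in SAMPLE are constructed, and the one-year HSTS threshold is the preload-list minimum.

```python
import re

# The five headers from the posture list; HSTS is checked separately.
REQUIRED = ["Content-Security-Policy", "X-Content-Type-Options",
            "Referrer-Policy", "Permissions-Policy", "X-Frame-Options"]

# Constructed sample response headers (not from any real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "NOSNIFF",
    "X-Frame-Options": "ALLOWALL",
}

def check_hsts(value):
    """Return (ok, reason) for a Strict-Transport-Security header value."""
    if value is None:
        return False, "HSTS header missing"
    directives = {d.strip().lower() for d in value.split(";")}
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return False, "HSTS has no max-age"
    problems = []
    if int(m.group(1)) < 31536000:  # one year: minimum for the preload list
        problems.append("max-age below one year")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return (not problems), ("; ".join(problems) or "ok")

def audit_headers(headers):
    """Grade response headers (names case-insensitive); returns (passed, total, findings)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {"Strict-Transport-Security": check_hsts(h.get("strict-transport-security"))[1]}
    for name in REQUIRED:
        value = h.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif name == "X-Content-Type-Options" and value.strip().lower() != "nosniff":
            findings[name] = f"unexpected value {value!r}"
        elif name == "X-Frame-Options" and value.strip().upper() not in ("DENY", "SAMEORIGIN"):
            findings[name] = f"unexpected value {value!r}"
        else:
            findings[name] = "ok"
    passed = sum(1 for v in findings.values() if v == "ok")
    return passed, len(findings), findings

if __name__ == "__main__":
    passed, total, findings = audit_headers(SAMPLE)
    print(f"{passed}/{total} header checks passed")
    for name, result in findings.items():
        print(f"  {name}: {result}")
```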

Reporting a vulnerability

If you find a security issue in checkDPDP, please email security@checkdpdp.in. We aim to acknowledge within 2 business days and to ship a fix or mitigation as quickly as the severity warrants. We don't (yet) run a paid bug bounty — but we'll publicly credit researchers who help us.

Please don't test against other users' URLs. Limit testing to checkdpdp.in itself, or to a domain you own.

Sub-processors

We try to keep this list short. Current sub-processors:

  • Vercel (US/India regions) — application hosting.
  • Cloudflare — CDN and DDoS mitigation.
  • Resend — transactional email.
  • PostHog (EU region) — first-party product analytics, behind consent.

We update this page whenever the list changes. For DPDP-related queries, contact grievance@checkdpdp.in.