Consent your users can verify.
Compliance you can prove.
Sammati is India’s only DPDPA-native consent platform with a cryptographically verifiable, hash-chained ledger. Every consent is an immutable receipt — your auditor’s best friend.
Anchored to ISO/IEC TS 27560 + Kantara model · आपकी सम्मति, आपके नियंत्रण में।
Consent Receipt
ISO/IEC TS 27560 — model
Data Principal
data-principal@example.in
Data Fiduciary
Acme Fintech Pvt. Ltd.
Purpose
Marketing communications — product updates and offers
Language
English (en-IN)
Timestamp
2026-06-30T09:41:17.382Z
SHA-256 receipt hash
3a7bd2e8f14c905a1b6d0f8c2e4517a93b2d6f1e8c4a7b0e5d3f9c2a1b4e7d8f
A real receipt is stored in an immutable, hash-chained ledger. Any modification breaks the chain — permanently.
Receipt intact — hash verified
₹250 Cr
Max penalty — security failures
72 hrs
Board breach notification window
22 languages
Supported for multilingual notices
~14 May 2027
Most DPDPA obligations enforced
India-first. Not GDPR-retrofitted.
Built for DPDPA from the ground up — not bolted on.
Global platforms like OneTrust and Sprinto treat DPDPA as one jurisdiction among many. Sammati treats it as the only one that matters for your company. India-native defaults: right-to-nominate workflows, DPDP Rules 2025 notice templates, Board complaint pathways, and multilingual consent in the languages your users actually speak — out of the box.
What is a Data Fiduciary?›
Under the DPDPA, a Data Fiduciary is any company that decides why and how personal data is processed — your customers. If you collect, use, or store personal data of people in India, you are a Data Fiduciary and the law applies to you.
Dead simple
Three steps to audit-ready
Generate a notice
Sammati produces a standalone, itemised notice in the language of the user's choice — bound to a specific purpose, versioned, and stored with the receipt.
Capture consent
Your users opt in (or out) via the embeddable SDK banner or the Sammati-hosted preference center. No pre-ticked boxes. Withdrawal is as easy as grant.
Mint a verifiable receipt
Every grant or withdrawal creates an immutable, hash-chained receipt. Your auditor can verify any receipt in seconds — no spreadsheet, no trust required.
The gap we fill
Why Sammati — and why now
The field splits into SOC-2 platforms bolting on DPDPA, consulting firms charging by the project, and GDPR-first global suites. None of them started in India.
Native consent management
“Most GRC platforms have no CMP — you bolt on a cookie banner and hope.”
Sammati is the consent management layer: notice generation, SDK banner, preference center, withdrawal propagation, and a verifiable ledger — all in one, all DPDPA-native.
Multilingual out of the box
“Global tools default to English. Translating 22 Indian languages is your problem.”
Notices and consent flows in English and Hindi today; the framework is built for all 22 scheduled languages. The consent receipt records exactly which language the user saw.
Cryptographically verifiable ledger
“A spreadsheet of consent timestamps is not a burden-of-proof record. A screenshot is not evidence.”
Every grant and withdrawal is SHA-256 hash-chained. Any modification to the record breaks the chain — permanently. Your auditor can verify any receipt in seconds.
Transparent INR pricing
“USD-anchored, quote-only pricing. Enterprise contracts that take months to close.”
Public, lakh-denominated tiers. Self-serve signup. No sales call required for Starter or Growth. You know the number before you talk to us.
The artefact
A receipt your auditor can verify — without calling you.
Every consent interaction produces a machine-readable receipt anchored to the exact notice text the user saw, in the language they saw it. Any receipt can be verified at /verify with no login — paste the receipt ID and the hash checks itself.
The ledger is append-only, DB-enforced (Postgres triggers), and tamper-evident. Withdrawals are recorded alongside grants — the chain is the proof that the right to withdraw was honoured. Erasure is crypto-shred, never a row delete.
Consent Receipt
VerifiedReceipt ID
cr_01JD2XKF8MRVBWNQ4SGKZ7PTAE
Data Principal
priya.sharma@example.in
Data Fiduciary
Acme Fintech Pvt. Ltd.
Purpose
Marketing communications
Notice version
v3 (en-IN, 2026-04-01)
Language seen
English (en-IN)
Timestamp (UTC)
2026-06-30T09:41:17.382Z
Status
GRANTED
SHA-256 hash
3a7bd2e8…d3f9c2a1b4e7d8f
ISO/IEC TS 27560 model · Kantara Consent Receipt specification · DRAFT — review by your legal team
Transparent pricing
INR pricing. No surprises.
Annual billing. All tiers include a 14-day free trial (no card required). +18% GST applicable.
Starter
₹49,000/ year
Up to 10,000 data principals
- ✓Consent capture + preference center
- ✓Multilingual notices (EN + HI)
- ✓Hash-chained consent ledger
- ✓DSR portal (1 active right type)
- ✓Verifiable receipt at /verify
- ✓Email support
Growth
₹2,00,000/ year
Up to 1,00,000 data principals
- ✓Everything in Starter
- ✓All DSR right types (correction, erasure, nomination)
- ✓Signed withdrawal webhooks to connectors
- ✓Compliance health score + evidence export
- ✓Auditor portal read-access
- ✓Priority support + onboarding call
Professional
₹7,00,000/ year
Up to 10,00,000 data principals
- ✓Everything in Growth
- ✓Custom notice templates (lawyer-reviewed add-on)
- ✓DPIA workflow moduleComing
- ✓SDF readiness checklist + DPO report packComing
- ✓SSO / SAML
- ✓Dedicated CSM + SLA
Scale
₹15,00,000+/ year
Unlimited data principals
- ✓Everything in Professional
- ✓On-premise / VPC deploy option
- ✓Consent-Manager-readiness (DPB path)Coming
- ✓Sectoral DPDPA addendums
- ✓Auditor rev-share programme
- ✓Custom SLA + dedicated infra
Prices are in Indian Rupees (INR) and exclusive of GST (18%). Pricing is indicative and subject to change. Contact us for multi-year or volume discounts.
Trust center
Security and residency — no fine print
India data residency
All consent data stored in AWS Mumbai (ap-south-1). No cross-border transfer unless you configure connectors to do so.
Encrypted at rest + in transit
TLS 1.3 in transit. AES-256 at rest. Database-level encryption. Credentials via HashiCorp Vault — no hardcoded secrets.
Append-only ledger
The consent ledger is append-only, DB-enforced via Postgres triggers — tamper-evident by design. Records are never updated or deleted; every state change is a new hash-linked entry. Erasure is crypto-shred, never a row delete.
Honest scope
Sammati helps you produce, record, and track the artefacts DPDPA requires. It supports your DPDPA obligations — your legal team owns the compliance determination. Generated output is watermarked DRAFT.
Free · No signup required
Where does your DPDPA exposure sit today?
Answer 8 questions about your data collection, consent workflows, and DSR readiness. We’ll surface your top 3 risks and where Sammati closes them — in 5 minutes, with no account required.