Sammati
DPDPA enforcement: ~14 May 2027

Consent your users can verify.
Compliance you can prove.

Sammati is India’s only DPDPA-native consent platform with a cryptographically verifiable, hash-chained ledger. Every consent is an immutable receipt — your auditor’s best friend.

Anchored to ISO/IEC TS 27560 + Kantara model · आपकी सम्मति, आपके नियंत्रण में।

Consent Receipt

ISO/IEC TS 27560 — model

Verified

Data Principal

data-principal@example.in

Data Fiduciary

Acme Fintech Pvt. Ltd.

Purpose

Marketing communications — product updates and offers

Language

English (en-IN)

Timestamp

2026-06-30T09:41:17.382Z

SHA-256 receipt hash

3a7bd2e8f14c905a1b6d0f8c2e4517a93b2d6f1e8c4a7b0e5d3f9c2a1b4e7d8f

A real receipt is stored in an immutable, hash-chained ledger. Any modification breaks the chain — permanently.

Receipt intact — hash verified

₹250 Cr

Max penalty — security failures

72 hrs

Board breach notification window

22 languages

Supported for multilingual notices

~14 May 2027

Most DPDPA obligations enforced

India-first. Not GDPR-retrofitted.

Built for DPDPA from the ground up — not bolted on.

Global platforms like OneTrust and Sprinto treat DPDPA as one jurisdiction among many. Sammati treats it as the only one that matters for your company. India-native defaults: right-to-nominate workflows, DPDP Rules 2025 notice templates, Board complaint pathways, and multilingual consent in the languages your users actually speak — out of the box.

What is a Data Fiduciary?

Under the DPDPA, a Data Fiduciary is any company that decides why and how personal data is processed — your customers. If you collect, use, or store personal data of people in India, you are a Data Fiduciary and the law applies to you.

Dead simple

Three steps to audit-ready

01

Generate a notice

Sammati produces a standalone, itemised notice in the language of the user's choice — bound to a specific purpose, versioned, and stored with the receipt.

02

Capture consent

Your users opt in (or out) via the embeddable SDK banner or the Sammati-hosted preference center. No pre-ticked boxes. Withdrawal is as easy as grant.

03

Mint a verifiable receipt

Every grant or withdrawal creates an immutable, hash-chained receipt. Your auditor can verify any receipt in seconds — no spreadsheet, no trust required.

The gap we fill

Why Sammati — and why now

The field splits into SOC-2 platforms bolting on DPDPA, consulting firms charging by the project, and GDPR-first global suites. None of them started in India.

Native consent management

Most GRC platforms have no CMP — you bolt on a cookie banner and hope.

Sammati is the consent management layer: notice generation, SDK banner, preference center, withdrawal propagation, and a verifiable ledger — all in one, all DPDPA-native.

Multilingual out of the box

Global tools default to English. Translating 22 Indian languages is your problem.

Notices and consent flows in English and Hindi today; the framework is built for all 22 scheduled languages. The consent receipt records exactly which language the user saw.

Cryptographically verifiable ledger

A spreadsheet of consent timestamps is not a burden-of-proof record. A screenshot is not evidence.

Every grant and withdrawal is SHA-256 hash-chained. Any modification to the record breaks the chain — permanently. Your auditor can verify any receipt in seconds.

Transparent INR pricing

USD-anchored, quote-only pricing. Enterprise contracts that take months to close.

Public, lakh-denominated tiers. Self-serve signup. No sales call required for Starter or Growth. You know the number before you talk to us.

The artefact

A receipt your auditor can verify — without calling you.

Every consent interaction produces a machine-readable receipt anchored to the exact notice text the user saw, in the language they saw it. Any receipt can be verified at /verify with no login — paste the receipt ID and the hash checks itself.

The ledger is append-only, DB-enforced (Postgres triggers), and tamper-evident. Withdrawals are recorded alongside grants — the chain is the proof that the right to withdraw was honoured. Erasure is crypto-shred, never a row delete.

Consent Receipt

Verified

Receipt ID

cr_01JD2XKF8MRVBWNQ4SGKZ7PTAE

Data Principal

priya.sharma@example.in

Data Fiduciary

Acme Fintech Pvt. Ltd.

Purpose

Marketing communications

Notice version

v3 (en-IN, 2026-04-01)

Language seen

English (en-IN)

Timestamp (UTC)

2026-06-30T09:41:17.382Z

Status

GRANTED

SHA-256 hash

3a7bd2e8…d3f9c2a1b4e7d8f

ISO/IEC TS 27560 model · Kantara Consent Receipt specification · DRAFT — review by your legal team

Transparent pricing

INR pricing. No surprises.

Annual billing. All tiers include a 14-day free trial (no card required). +18% GST applicable.

Starter

₹49,000/ year

Up to 10,000 data principals

  • Consent capture + preference center
  • Multilingual notices (EN + HI)
  • Hash-chained consent ledger
  • DSR portal (1 active right type)
  • Verifiable receipt at /verify
  • Email support
Start free trial
Most popular

Growth

₹2,00,000/ year

Up to 1,00,000 data principals

  • Everything in Starter
  • All DSR right types (correction, erasure, nomination)
  • Signed withdrawal webhooks to connectors
  • Compliance health score + evidence export
  • Auditor portal read-access
  • Priority support + onboarding call
Start free trial

Professional

₹7,00,000/ year

Up to 10,00,000 data principals

  • Everything in Growth
  • Custom notice templates (lawyer-reviewed add-on)
  • DPIA workflow moduleComing
  • SDF readiness checklist + DPO report packComing
  • SSO / SAML
  • Dedicated CSM + SLA
Talk to us

Scale

₹15,00,000+/ year

Unlimited data principals

  • Everything in Professional
  • On-premise / VPC deploy option
  • Consent-Manager-readiness (DPB path)Coming
  • Sectoral DPDPA addendums
  • Auditor rev-share programme
  • Custom SLA + dedicated infra
Contact us

Prices are in Indian Rupees (INR) and exclusive of GST (18%). Pricing is indicative and subject to change. Contact us for multi-year or volume discounts.

Trust center

Security and residency — no fine print

India data residency

All consent data stored in AWS Mumbai (ap-south-1). No cross-border transfer unless you configure connectors to do so.

Encrypted at rest + in transit

TLS 1.3 in transit. AES-256 at rest. Database-level encryption. Credentials via HashiCorp Vault — no hardcoded secrets.

Append-only ledger

The consent ledger is append-only, DB-enforced via Postgres triggers — tamper-evident by design. Records are never updated or deleted; every state change is a new hash-linked entry. Erasure is crypto-shred, never a row delete.

Honest scope

Sammati helps you produce, record, and track the artefacts DPDPA requires. It supports your DPDPA obligations — your legal team owns the compliance determination. Generated output is watermarked DRAFT.

Free · No signup required

Where does your DPDPA exposure sit today?

Answer 8 questions about your data collection, consent workflows, and DSR readiness. We’ll surface your top 3 risks and where Sammati closes them — in 5 minutes, with no account required.