DPDP-compliant HR software for India
SKILWI.ai is built DPDP 2023-native. Employee personal data is encrypted with AES-256, every access is audit-logged, people can be erased on request, and each organisation gets its own grievance officer. A full security audit (VAPT) was completed in May 2026.
India's Digital Personal Data Protection Act, 2023 applies to every Indian employee and candidate record you hold — today, not at some future date. Penalties reach ₹250 crore per instance of non-compliance. For a CHRO, that turns employee data from an HR concern into a board-level one.
Who is responsible — you or your software?
Both, and the split matters. Under the DPDP Act your company is the Data Fiduciary: you decide why employee data is collected and you carry the legal duty. SKILWI is the Data Processor: we process that data on your instruction and provide the technical safeguards. No vendor can make you "automatically compliant" — anyone who claims that is overselling. What good software does is give you controls strong enough that the Fiduciary side becomes straightforward.
How SKILWI maps to DPDP obligations
Each row is a duty the Act places on you, and the control SKILWI ships to support it.
| DPDP 2023 obligation | SKILWI control |
|---|---|
| Security safeguards for personal data | AES-256 encryption of PII at rest, PBKDF2 at 100,000 iterations, TLS in transit |
| Purpose limitation & access control | Role-based access, scoped per organisation; no cross-tenant data access |
| Consent before processing | Consent capture at the point of data entry, recorded per organisation |
| Right to erasure | Erasure flow that hard-deletes a person's PII on request |
| Grievance redressal | A grievance officer configurable per organisation, surfaced in-product |
| Accountability & breach readiness | Audit log of every PII access; tenant isolation enforced |
| Third-party processors | Data Processing Agreements in place with AI and infrastructure vendors |
| Independent verification | Full VAPT across OWASP and API Top 10 completed May 2026 |
What this means in practice
- Encryption is the default, not an upgrade. Personal fields are encrypted the moment they are stored — there is no "plain text" tier.
- One customer can never see another. Data is isolated per organisation, and that boundary was specifically tested in the May 2026 audit.
- Erasure is a feature, not a support ticket. When an employee exercises their right to be forgotten, the data is removed, not flagged.
- You get a named grievance officer. The DPDP Act requires one; SKILWI lets each organisation set theirs inside the product.
Common questions
- Is SKILWI DPDP compliant?
- SKILWI is built DPDP 2023-native and provides the processor-side controls; your organisation, as Data Fiduciary, sets the lawful purpose. A full VAPT was completed in May 2026.
- Where is employee data encrypted?
- All PII is encrypted at rest with AES-256 and PBKDF2 (100,000 iterations), and served only over TLS.
- Can employees delete their data?
- Yes — the erasure flow hard-deletes a person's PII on request, supporting the right to erasure.