AMLEGALS · Original Intellectual Property · 2025
PRAMAANA™
प्रमाण · Proof. Evidence. Authority.
The Evidence Readiness Framework for DPDPA 2023.
The Board does not ask whether you are compliant.
It asks: can you prove it — today, under oath?
Burden Reversal Doctrine™
Proof Gap Index™
Day Zero Test™
Evidence Void™
Tribunal Readiness Score™
₹250
CRORE
Maximum penalty under §16 per instance
Not per year. Per instance.
72
HOURS
Mandatory DPB breach notification window
Miss it. Separate instance.
D+0
DAY ZERO
Burden reverses the moment inquiry begins
No grace period in law.
What PRAMAANA™ Is
Every privacy framework measures what an organisation says it does.
PRAMAANA™ measures what an organisation can prove it does — with evidence that survives Board scrutiny, judicial inquiry, and cross-examination. Five pillars. One Tribunal Readiness Score™. No ambiguity.
PRAMAANA™ measures what an organisation can prove it does — with evidence that survives Board scrutiny, judicial inquiry, and cross-examination. Five pillars. One Tribunal Readiness Score™. No ambiguity.
38
POINTS
Average Proof Gap in Indian organisations
That gap is what the Board reveals.
91%
OF ORGANISATIONS
Have no defensible consent architecture under §5 and §6
Zero
GRACE DAYS
Evidence you cannot produce on Day 1 does not exist in law
AMLEGALS Original IP · Five Founding DoctrinesThe Intellectual Architecture
The Intellectual Architecture
Behind Every Pillar
Doctrine 01
Burden Reversal Doctrine™
The instant the Board initiates inquiry, the entire burden of proof reverses to the Data Fiduciary. You prove compliance. The Board does not prove violation. Evidence you cannot produce on Day Zero does not exist in law.
Doctrine 02
Proof Gap Index™
The measurable distance between what an organisation claims as compliance and what it can actually produce as admissible evidence under Board scrutiny. The gap is the active exposure — not a theoretical risk.
Doctrine 03
Day Zero Test™
If Board inquiry began at 9:00 AM today, what evidence could you produce within four hours? The Day Zero Test™ is the only compliance test that matters. Everything else is preparation for a meeting that may never come.
Doctrine 04
Evidence Void™
The structural gap between having a privacy programme and having a Board-defensible evidence architecture. Most Indian organisations live in the Evidence Void™ and do not know it. PRAMAANA™ makes it visible.
Doctrine 05
Consent Trap™
The gap between obtaining consent and maintaining its legal validity over time. Consent obtained once and never maintained becomes legally hollow. The Board sees the expiry date — not the original collection event.
“
A policy document is not evidence of compliance. It is evidence that you knew the rules. The Board treats that document as the first exhibit in a penalty proceeding.
Anandaday Misshra · Founder, AMLEGALS · Architect, PRAMAANA™
Five Evidence Pillars · DPDPA 2023 NativeFive Pillars.
Five Pillars.
One Score.
One Board Truth.
PRAMAANA™ was not built from compliance checklists or GDPR playbooks. It was constructed directly from the text of the DPDPA 2023 — section by section, obligation by obligation, by lawyers who spent 27 years inside Indian jurisprudence.
Each pillar owns a dimension of evidence. Each has a Board question. Each carries a penalty exposure. The framework produces a single output: the Tribunal Readiness Score™ — one number, five inputs, weighted by governance materiality.
01
SANCTION
The Consent Pillar · §5, §6, §7
₹50–200 Cr
02
KARTAVYA
The Accountability Pillar · §8, §10
₹50 Cr
03
ADHIKAR
The Rights Pillar · §11–14
₹50 Cr
04
PRASAR
The Transfer Pillar · §16
₹250 Cr
05
SURAKSHA
The Breach Pillar · §8(6), §8(7)
₹50 Cr
01
SANCTION
The Consent Pillar
§5 · §6 · §7 · §9
Max Exposure
₹200 Cr
▼
Consent Trap™ · AMLEGALS IP
The gap between obtaining consent and maintaining its legal validity. Most organisations get consent once, document it, and move on. The original consent becomes legally hollow within months. The Board does not see a consent collection event. It sees an expired, unrenewed, legally indefensible record.
Evidence Architecture
Timestamped consent records per processing category, accessible in under 4 hours
Purpose specificity documentation — per activity, not generic
Withdrawal mechanism with confirmation log and timestamp
Quarterly consent maintenance cadence — evidence of renewal
Verifiable parental consent mechanism for children’s data under §9
The Board's Exact Question
“Produce valid and current consent records for every processing activity — free, specific, informed, withdrawable, and dated within the last 12 months.”
DPDPA Section Mapping
§5
Notice — plain language, purpose specific
Critical
§6
Consent — free, informed, unconditional
Critical
§7
Legitimate use — state, employment, emergency
High
§9
Children’s data — verifiable parental consent
Critical
02
KARTAVYA
The Accountability Pillar
§8 · §10
Max Exposure
₹50 Cr
▼
Accountability Void™ · AMLEGALS IP
The structural absence of a traceable decision chain in data processing. Most organisations have a DPO designation on letterhead. Few have a DPO with documented authority, a functioning escalation chain, and a tested breach response mandate. The Board asks who decided. Most organisations cannot name a person.
Evidence Architecture
DPO appointment — board resolution, authority matrix, reporting line
Processing decision audit trail — who authorised, when, under what basis
Breach response chain — named incident commander with documented mandate
Data retention schedule — automated deletion with deletion logs
DPIA conducted for all high-risk processing activities
The Board's Exact Question
“Name the individual accountable for every data processing decision. Produce their documented authority and demonstrate the breach response chain effective today.”
DPDPA Section Mapping
§8
Accuracy, retention, security, breach obligations
Critical
§8(6)
Breach notification — 72 hours to DPB
Critical
§10
SDF — DPO, DPIA, independent audit, localisation
High
03
ADHIKAR
The Rights Pillar
§11 · §12 · §13 · §14
Max Exposure
₹50 Cr
▼
Rights on Paper™ · AMLEGALS IP
The presence of a rights policy without an operational fulfilment mechanism. The policy is evidence that you knew the obligation. The absence of a fulfilment record is evidence that you knew the obligation and chose not to operationalise it. That distinction matters enormously in adjudication.
Evidence Architecture
Rights request register — timestamped intake, response, and closure for every request
Correction and erasure evidence — operational mechanism with audit log
Grievance resolution documentation — named officer, workflow, resolution evidence
Statutory timeline compliance — evidence every request resolved within period
The Board's Exact Question
“For every rights request in the last 12 months, produce the request log, the response with timestamp, and evidence the statutory period was met without exception.”
DPDPA Section Mapping
§11
Right to information about processing
High
§12
Right to correction and erasure
High
§14
Right to nominate — death and incapacity
High
04
PRASAR
The Transfer Pillar · Highest Penalty Exposure
§16
Max Exposure
₹250 Cr
▼
Transfer Blindspot™ · AMLEGALS IP
Most organisations do not know where their data goes. SaaS tools onboarded without review. Cloud processors in unnotified jurisdictions. Third party APIs transferring Indian personal data without a legal basis. The Board’s §16 inquiry carries the highest penalty in the entire DPDPA. And most organisations cannot produce a transfer map within 24 hours of an inquiry notice.
Evidence Architecture
Cross-border transfer map — current within 30 days, covering all vendors and SaaS tools
Notified country verification — every destination verified against Government list
Vendor DPA register — signed DPA with every processor handling Indian personal data
SaaS audit — every tool audited for cross-border data flows
The Board's Exact Question
“Produce today a complete map of every cross-border personal data flow — recipient country, legal basis, vendor DPA, and evidence of Government-notified jurisdiction status.”
DPDPA Section Mapping
§16
Transfer to Government-notified countries only
Critical
§16(2)
Government may impose additional restrictions
Critical
§8(1)
Security standards apply to transferred data
Critical
05
SURAKSHA
The Breach Pillar
§8(6) · §8(7)
Max Exposure
₹50 Cr
▼
72-Hour Fiction™ · AMLEGALS IP
Most organisations have a breach response policy. Very few have tested it. An untested policy is not evidence of readiness — it is evidence of intent to be ready. That is not the same thing under DPDPA. The Board asks for drill evidence. Not policy documents. Drill evidence. Date, scope, simulated scenario, response timeline, gaps identified, remediation completed.
Evidence Architecture
Incident response playbook — board-approved, named incident commander, escalation chain
Playbook drill — documented evidence with date, scenario, timeline, and remediation
DPB notification protocol — named person, tested, included in drill documentation
Breach detection capability — automated alert with documented trigger mechanism
The Board's Exact Question
“Demonstrate your 72-hour notification capability right now — produce the playbook, name the incident commander, show the last drill date and outcomes, evidence the DPB notification protocol.”
DPDPA Section Mapping
§8(6)
Mandatory DPB breach notification — 72 hours
Critical
§8(7)
Retention — timely erasure on purpose fulfilment
High
§8(1)
Security safeguards — prevent breach at source
Critical
Tribunal Readiness Score™ · ComputationOne Score. Five Inputs.
One Score. Five Inputs.
One Board Truth.
TRS™ Computation Formula · AMLEGALS IP
TRS™ = (SSANCTION × 0.22) + (SKARTAVYA × 0.18)
+ (SADHIKAR × 0.15) + (SPRASAR × 0.28)
+ (SSURAKSHA × 0.17)
+ (SADHIKAR × 0.15) + (SPRASAR × 0.28)
+ (SSURAKSHA × 0.17)
Weights are set by penalty materiality under DPDPA 2023. PRASAR carries the highest weight because §16 carries the highest penalty — ₹250 crore per instance. Every weight reflects what the Board weighs, not what an auditor prefers.
SANCTION
22%
§5–6 combined ₹100Cr exposure. Consent is the Board’s first inquiry.
KARTAVYA
18%
Accountability chain is the governance backbone of every obligation.
ADHIKAR
15%
Rights fulfilment is measurable, auditable, and timestamped.
PRASAR
28%
₹250 Cr single-instance penalty. Highest weight by far. The Board’s most productive inquiry line.
SURAKSHA
17%
72-hour window creates automatic double-penalty risk — once for the breach, once for the notification failure.
TRS™ Scoring Bands · Governance VerdictWhat the Score Means.
What the Score Means.
What the Board Finds.
85 – 100
SATYAM
Evidence architecture is Board-ready. TRS™ is defensible under full inquiry. Maintain quarterly audits.
Quarterly PRAMAANA™ audit. No immediate remediation. Evidence survives Day Zero inquiry.
70 – 84
SIDDHA
Evidence defensible on most pillars. Specific gaps exist. 60-day remediation will move you to SATYAM.
Targeted pillar remediation. 60-day evidence sprint. Prioritise PRASAR if below threshold.
55 – 69
ASIDDHA
Visible evidence gaps. Proof Gap Index™ exceeds 30 points on at least two pillars. Intervention within 90 days.
Immediate PRAMAANA™ engagement. 90-day remediation roadmap. Do not present this to the Board without a plan.
0 – 54
MITHYA
Evidence architecture absent or non-functional. Active Board inquiry exposure. Policy exists on paper only.
Emergency AMLEGALS counsel required. This score indicates active exposure. Any inquiry results in penalty proceedings.
Proof Gap Index™ · AMLEGALS IPWhat Organisations Claim.
What Organisations Claim.
What They Can Prove.
The Proof Gap Index™ measures the distance between an organisation's claimed compliance position and the evidence it can actually produce under Board scrutiny. This gap — not a theoretical risk — is the active exposure.
The average Indian organisation's Proof Gap is 38 points. That is not a risk assessment number. That is the gap the Board reveals through inquiry. It is the number that appears in the penalty order.
“Compliance is not what you claim. It is what you can prove on Day 1 of Board inquiry.”
— Anandaday Misshra
Claimed
Provable
Consent
−34
Accountability
−31
Rights
−16
Transfer
−39
Breach
−24
Average Indian organisation Proof Gap: −38 points. That gap is not a risk. That gap is what the Board finds during inquiry — and what the penalty order reflects.
Burden Reversal Doctrine™ · AMLEGALS IPFrom the Moment Inquiry Begins,
From the Moment Inquiry Begins,
The Clock Runs Against You.
Evidence you cannot produce on Day Zero does not exist in law. Not in your filing cabinet. Not in your cloud. Not in law.
D0
Day Zero · Inquiry Initiated
Data Protection Board issues notice. Inquiry commences immediately.
Burden reverses entirely to you. You prove compliance. They do not prove violation.
D0
Day Zero · First Evidence Request
Board requests consent records for all processing categories — by processing activity.
Production window: 4 hours. No extension on first inquiry. No manual assembly.
4H
4 Hours
Transfer map and vendor DPA register requested. Every cross-border flow, every destination.
Each unmapped vendor transfer = ₹250 crore per instance. The Board needs no intent.
24H
24 Hours
Breach response playbook and prior incident history reviewed. Drill documentation requested.
An untested policy is not evidence of readiness. The Board distinguishes between the two.
48H
48 Hours
DPO authority and full accountability chain examined. Board resolution requested.
Named DPO without a board-resolution authority matrix = no accountability chain in law.
ADJ
Adjudication
Board adjudicates on the evidence produced. No new evidence admitted post-inquiry.
Evidence not produced on Day Zero does not exist. The penalty order follows.
DPDPA 2023 · Full Obligation TopologyEvery Section of the Act
Every Section of the Act
Mapped to a PRAMAANA™ Pillar.
| Section | Obligation | Priority | PRAMAANA™ Pillar | Maximum Penalty |
|---|---|---|---|---|
| §5 | Notice — plain language, purpose-specific, mandatory at collection | Critical | SANCTION | ₹50 Cr |
| §6 | Consent — free, specific, informed, unconditional, withdrawable | Critical | SANCTION | ₹50 Cr |
| §7 | Legitimate uses — state functions, employment, medical emergencies | High | SANCTION | ₹50 Cr |
| §8 | General obligations — accuracy, retention, security, breach | Critical | KARTAVYA | ₹50 Cr |
| §8(6) | Breach notification — 72-hour mandatory window to DPB | Critical | SURAKSHA | ₹50 Cr |
| §9 | Children’s data — verifiable parental consent, no tracking or profiling | Critical | SANCTION | ₹200 Cr |
| §10 | Significant Data Fiduciaries — DPO, DPIA, independent audit, localisation | High | KARTAVYA | ₹50 Cr |
| §11 | Right to information about processing — mandatory on request | High | ADHIKAR | ₹50 Cr |
| §12 | Right to correction of inaccurate personal data | High | ADHIKAR | ₹50 Cr |
| §13 | Right to erasure once processing purpose is fulfilled | High | ADHIKAR | ₹50 Cr |
| §14 | Right to nominate a person for rights on death or incapacity | High | ADHIKAR | ₹50 Cr |
| §16 | Cross-border transfer — Government-notified countries only, per instance | Critical | PRASAR | ₹250 Cr |
| §20–29 | Data Protection Board — adjudication, inquiry, enforcement, penalties | Critical | ALL PILLARS | ₹250 Cr |
Maximum Aggregate Exposure
Across all five pillars · Per instance basis · DPDPA 2023
₹600 Crores
PRAMAANA™ Assessment MethodologyHow to Measure
How to Measure
Evidence Readiness.
The Tribunal Readiness Score™ is a structured evidence audit across five pillars. Each pillar has defined evidence items, weighted by DPDPA penalty materiality. This is not a survey. It is an evidence standard.
Eight steps. Five pillars. One score. The score a lawyer would compute before walking into a Board adjudication.
01
Organisation Scoping
Map all entities, systems, and processing activities covered by DPDPA. Define Data Fiduciary vs Processor boundaries.
02
Evidence Request — SANCTION & KARTAVYA
Request consent records, purpose documentation, DPO appointment, processing decision audit trails, and breach response chain.
03
Evidence Request — ADHIKAR, PRASAR & SURAKSHA
Request rights register, cross-border transfer map, vendor DPA register, breach playbook, drill documentation, and DPB notification protocol.
04
Evidence Audit — Gap Identification
Each evidence item assessed against the Board’s evidentiary standard. Scored 0–100. Gaps assigned to penalty exposure categories.
05
Proof Gap Index™ Computation
For each pillar: the distance between the organisation’s claimed compliance position and the evidence it can actually produce.
06
TRS™ Calculation
The Tribunal Readiness Score™ computed using the weighted formula. Weights reflect DPDPA 2023 penalty materiality.
07
Day Zero Test™
Simulate a Board inquiry beginning at 9:00 AM. What evidence can be produced within 4 hours — without manual assembly?
08
Remediation Architecture
For each gap: a specific evidence remediation action with a 90-day roadmap prioritised by penalty exposure removed per action.
❝
Privacy compliance done right is not a cost. It is the architecture of trust — and trust is the only asset that compounds without a ceiling.
Anandaday Misshra · Founder, AMLEGALS · Architect, PRAMAANA™
PRAMAANA™ · Five Evidence Pillars · One Tribunal Readiness Score™
© 2025 AMLEGALS · Original Intellectual Property · Anandaday Misshra · All Rights Reserved