Manatoko

Manatoko DPDP

Your Institution Already Issues Student Credentials.
Now Make Them DPDP-Compliant.

Section 9 requires verifiable parental consent before processing any child’s data. Section 8(1) makes you liable for every EdTech vendor’s failure. Manatoko DPDP is a workflow solution that addresses both — using the same credential architecture that already issues tamper-proof degrees and transcripts. Agents execute the compliance program. Wallets hold the credentials. Your leadership governs the decisions.

✦ Section 9-Compliant Parental Consent ✦ Tamper-Proof Academic Credentials ✦ EdTech Processor Risk Governed ✦ Referrals to DPDP Legal Panel

Section 9 enforcement begins May 2027. DPDP Rules notified November 2025.

What the Digital Personal Data Protection Act Requires of Educational Institutions

The DPDP Act 2023 applies to any institution that processes digital personal data of Indian residents — which includes every school, college, university, and EdTech platform that holds student records. The Rules were notified 13 November 2025. Core obligations become enforceable May 2027.

Section 9 is the most consequential obligation for education: before processing any personal data of a child under 18, the institution must obtain identity-verified, purpose-specific, revocable parental consent. Admission form signatures do not qualify. A checkbox does not qualify.

Section 8(1) imposes absolute fiduciary liability for processor failures — no contractual escape. If your attendance app, LMS, or proctoring software is breached, your institution is liable regardless of the vendor’s privacy policy. Penalty ceiling: ₹200 crore for children’s data violations.

  • Obligation: Section 9 (verifiable parental consent)
  • Penalty: ₹200 Crore (children’s data violation ceiling)
  • Program: 90-Day Readiness (agents execute, leadership governs)
  • Credentials: Degree + Consent (same VC architecture for both)
  • Deadline: May 2027 (DPDP Rules notified Nov 2025)

The Workflow Problem for Education

What most institutions do

  • Add a consent checkbox to the admission form
  • Assume the EdTech vendor’s privacy policy covers liability
  • Issue paper certificates and store scans in a server
  • Run a one-day DPDP awareness session for staff

None of this creates verifiable Section 9 compliance.

What DPDP requires from education

  • Identity-verified, purpose-specific, revocable parental consent
  • Processor governance with DPAs and attestation for every EdTech vendor
  • Tamper-proof credential issuance with audit trail
  • Operational rights request and consent withdrawal processes
  • Evidence pack ready for Data Protection Board inspection

Conventional Compliance Manages Your Student Data.
Manatoko DPDP Redesigns Workflows So You Stop Holding It Unnecessarily.

Conventional DPDP readiness for education — whether it is a privacy consultant, a SaaS compliance tool, or an in-house team — starts from the same assumption: your institution holds large quantities of student personal data, and the task is to manage it better. Inventory it. Protect it. Obtain consent for it. Govern the EdTech vendors who touch it.

Manatoko DPDP starts from a different premise. The same credential architecture that already issues tamper-proof degrees at manatoko.me can also issue Section 9-compliant parental consent credentials — to the parent’s wallet. The institution stops holding the biometric. The student holds their own academic record. The EdTech processor’s attestation credential replaces the contract stack that never resolves Section 8(1) exposure.

1. Agent verifies parental consent — then issues the credential.

Parent Meera verifies her identity via Aadhaar OTP or DigiLocker. A verifiable consent credential is issued to her wallet: purpose-specific, timestamped, revocable. The school holds a confirmation — not the biometric. Section 9 is satisfied without the institution holding sensitive identity data.

2. Degree credential goes to the student’s wallet.

A tamper-proof, blockchain-anchored verifiable credential is issued directly to the student’s self-custodied wallet. Any employer verifies it instantly without calling the registrar. The university leaves the verification chain for those interactions. Already demonstrated at manatoko.me.

3. Enterprise verifies without possessing.

The school verifies parental consent without holding identity documents. Employers verify degrees without university involvement. EdTech processors hold attestation credentials in their wallets — your institution holds the presentation result, not the vendor’s raw compliance records.

What This Means for Education DPDP Compliance

  1. Section 9 consent is verifiable, auditable, and revocable — without the institution holding biometric data.
  2. The student holds their own academic record. The university leaves the verification chain for employer and third-party verification events.
  3. EdTech processor governance: processor attestation credentials mean Section 8(1) exposure is documented and defensible — not managed through contracts alone.
  4. Behavioral tracking is limited by design. Workflows that never collect behavioral data cannot violate the prohibition on it.

Honest Limits

Not every educational workflow qualifies for data custody elimination. Core administrative records — grades, attendance, financial records — remain in institutional custody. The Manatoko DPDP assessment identifies which workflows qualify for full elimination, which require partial redesign, and which must remain conventional. Three legal questions about the VC architecture require a formal opinion before the first pilot — Manatoko DPDP includes referrals to DPDP-qualified Indian privacy law firms for this opinion.

The Workflow — How Manatoko DPDP Works for Education

1. Ingestion Agent: Assessment and Diagnosis

The Ingestion Agent processes all submitted documents — admission policies, EdTech vendor contracts, consent notices, staff SOPs, system inventory. It classifies, indexes, and prepares them for assessment.

2. Assessment Agent: Gap Analysis and Risk Mapping

Maps every workflow that touches student or parental personal data. Specifically identifies Section 9 gaps (where parental consent is missing or not verifiable), Section 8(1) gaps (EdTech processors without adequate DPAs), behavioral tracking risks, and which workflows qualify for data custody elimination via VC.

3. Governance Redesign Agent: Workflow Redesign

Designs target-state workflows — new parental consent flows, EdTech processor governance structures with DPAs, role accountability maps, and a remediation roadmap. Every redesign is presented for your leadership’s approval before implementation begins.

4. Implementation Orchestration + Credential Agent: Implementation and Credential Deployment

Executes the remediation work. The Credential Agent deploys Manatoko VC for qualifying workflows — issuing Section 9-compliant parental consent credentials to parent wallets, academic degree credentials to student wallets, and processor attestation credentials to EdTech vendor wallets. No personal data is retained by Manatoko.

See What Makes It Different for detail on how data custody elimination works for education workflows.

5. Evidence and Dossier Agent: Evidence Assembly and Self-Attestation

Assembles the executive readiness dossier, evidence pack, readiness scorecard, and self-attestation package — structured for NAAC inspection, board presentation, or Data Protection Board inquiry. Every output is traceable to source documents with full audit chains.

The 90-Day Program

Weeks 1–4: Assess

  • Agents ingest and classify all submitted documents
  • Map every workflow touching student, parental, and staff personal data
  • Audit all EdTech processor relationships for Section 8(1) exposure
  • Identify Section 9 gaps and behavioral tracking risks
  • ⚑ Human Gate: Leadership approves gap register before redesign begins

Weeks 5–11: Redesign & Implement

  • Agents design target-state consent and processor governance workflows
  • Present redesigns for leadership approval
  • Deploy parental consent credentials and academic credential infrastructure
  • Issue processor attestation credentials to EdTech vendors
  • ⚑ Human Gate: Leadership approves redesign proposals before implementation

Week 12: Deliver

  • Assemble executive readiness dossier
  • Evidence pack for NAAC inspection, board, or Data Protection Board
  • Readiness scorecard with domain-level assessment
  • Self-attestation package with law firm referral
  • ⚑ Human Gate: Leadership reviews and signs off. Phase 2 handoff produced.

90 days delivers baseline readiness — Phase 1. Full compliance by May 2027 requires ongoing Phase 2 and Phase 3 work. Manatoko supports these through renewal engagements.

What You Get

Current-State Diagnosis

Complete assessment of every workflow touching student and parental personal data, with Section 9 gap register and EdTech processor risk mapping.

PII Custody Heatmap

Visual map of where personal data sits across your institution — admission, attendance, EdTech, examinations, alumni data — by risk and custody.

Redesigned Consent and Processor Workflows

Target-state workflows for parental consent, EdTech processor governance with DPAs, student credential issuance, and consent withdrawal.

Evidence Pack

Regulator-ready documentation: Section 9 consent records, processor attestation credentials, academic credential infrastructure, audit trails — structured for NAAC or Data Protection Board inquiry.

Executive Readiness Dossier

Board-level summary with readiness scorecard, domain assessments, and residual risk register for leadership sign-off and Phase 2 planning.

Self-Attestation Package

Defensible, evidence-backed statement of baseline readiness — with referral to DPDP-qualified Indian privacy law firms for legal review of Section 9 mechanisms and government institution exemptions.

Who It Is For

Schools and Colleges

You face Section 9 parental consent obligations and EdTech processor exposure but have no privacy staff. Agents replace the compliance office that does not exist. Delivery through your school board, educational federation, or virtual DPO partner.

Universities Already Issuing Credentials

You may already issue digital credentials via NAD or DigiLocker. The gap is in the compliance workflow layer: Section 9 parental consent, EdTech processor governance, and the evidence pack. Manatoko DPDP adds that layer to your existing credential infrastructure.

EdTech Platforms

You are a data processor serving schools and colleges. Every client faces Section 8(1) exposure because of you. A processor attestation credential issued through Manatoko DPDP gives your clients defensible evidence of your readiness — and makes you the processor partner they can trust.

Agents do the work. Wallets hold the data. Humans make the decisions.

The section above describes what Manatoko DPDP for Education does. The demo below shows it — including the Section 9 parental consent credential flow, the student degree credential in a self-custodied wallet, and the EdTech processor attestation workflow.

Frequently Asked Questions

Law Firm Referral. Manatoko DPDP includes referrals to DPDP-qualified Indian privacy law firms for a written legal opinion on the questions specific to your institution — including Section 9 consent mechanisms, government institution exemptions, and processor liability scope.

1 / 7 DPDP and Education

Yes. Any institution that processes digital personal data — which includes digitised admission forms, attendance records, academic databases, online fee systems, or EdTech platforms — is a Data Fiduciary. This applies to private schools, government schools, engineering colleges, and EdTech platforms equally.

Because virtually every school processes data of children under 18, Section 9 is the most consequential obligation for the education sector — and also the one most institutions are currently furthest from meeting.

The DPDP Act requires that before processing any personal data of a child under 18, the institution must obtain identity-verified, purpose-specific, revocable parental consent. DPDP Rules 2025 specify three acceptable verification mechanisms: reliable identity details already held, a government-issued virtual token, or DigiLocker.

An admission form signature does not qualify. A checkbox does not qualify. Manatoko DPDP’s Credential Agent issues a verifiable parental consent credential to the parent’s wallet — satisfying all three requirements and creating an immutable audit record.

No. Section 8(1) makes your institution absolutely liable for any processor failure — no contractual escape. If your attendance app, LMS, or proctoring software mishandles student data, your school is liable regardless of what the vendor’s privacy policy says.

Manatoko DPDP’s Assessment Agent maps all your processor relationships, the Governance Redesign Agent produces the necessary DPAs, and the Credential Agent issues processor attestation credentials that give your institution defensible evidence of Section 8(1) due diligence.

DPDP Rules 2025 provide limited exemptions for educational institutions. Core academic functions — attendance tracking, grading, issuing certificates — may be justified on contractual necessity through enrolment rather than explicit consent.

However, exemptions do not cover sharing student data with third-party EdTech platforms for analytics, marketing, or AI model training. Behavioral tracking is prohibited except for educational or safety purposes. The Assessment Agent maps which of your workflows rely on consent, which on contractual necessity, and which are currently unlawful.

2 / 7 What Manatoko DPDP Does for Education

Manatoko DPDP is a 90-day baseline readiness program for DPDP compliance, executed through autonomous AI agents. For education, the program has two dimensions: the DPDP compliance workflow — assessment, governance redesign, implementation, evidence assembly — and selective deployment of Manatoko VC for the workflows where data custody elimination is feasible.

It is not a consulting engagement. Agents execute. Your leadership governs the decisions.

Every digital workflow touching personal data: admission forms and consent mechanisms, attendance and grade systems, EdTech processor relationships, student photo and video usage, alumni data, financial records, and any AI-driven analytics tools.

The Assessment Agent specifically identifies Section 9 gaps (where parental consent is missing or not verifiable), Section 8(1) gaps (processors without adequate DPAs), behavioral tracking risks, and which workflows qualify for data custody elimination via VC.

A current-state diagnosis, PII custody heatmap, redesigned consent and workflow processes, DPAs and processor attestation credentials for EdTech vendors, verifiable parental consent infrastructure, academic credential issuance capability, and an evidence pack for NAAC inspection, board presentation, or Data Protection Board inquiry.

The 90-day program delivers Phase 1 baseline readiness. Ongoing Phase 2 and Phase 3 work is required for full May 2027 compliance. A Phase 2 planning handoff is produced at Day 90.

3 / 7 Academic Credentials and Student Wallets

A student who receives their degree as a Manatoko VC — rather than a paper certificate or a DigiLocker PDF — holds a tamper-proof, blockchain-anchored proof of their qualification in their own self-custodied wallet. Any employer verifies it instantly without calling your registrar. The university leaves the verification chain for those interactions.

This is the capability already demonstrated on manatoko.me. Manatoko DPDP for Education packages it alongside the DPDP compliance workflow as a unified program — because the same VC infrastructure that issues the degree also issues the parental consent credential.

The two are complementary. DigiLocker is a government-managed document repository — documents are fetched from issuing authorities on demand, are not W3C Verifiable Credentials, and do not support attribute-level selective disclosure. Manatoko VC issues credentials to student wallets that can be verified offline without querying any central server.

For institutions using NAD or DigiLocker for records, Manatoko credentials provide a portable, interoperable layer that extends beyond what either government system currently supports.

The Credential Agent processes the student’s personal data transiently — in memory, deleted immediately on completion. The credential is issued to the student’s wallet; Manatoko retains no copy. For credential-enabled workflows, the institution stops being a PII custodian for those verification events.

Your internal student information system remains unchanged. The change is what you share externally, not what you hold internally.

A verifiable claim of the qualification — degree type, programme, institution, issue date — without the student’s raw personal data being held by Manatoko or accessible to any verifier. The employer requests a credential presentation from the student’s wallet. They receive a verification result. The university is not involved.

4 / 7 The Agents

Yes. Agents execute the program — assessment, redesign, implementation, evidence assembly. Your leadership approves at defined decision gates. For schools without capacity to govern the program directly, Manatoko DPDP can be delivered through your school board, educational federation, or a virtual DPO partner.

A structured pause where agents present outputs for your approval. Primary gates: after assessment (approve gap register before redesign begins) and after redesign (approve workflow designs before implementation begins). No agent proceeds without explicit approval from your team.

5 / 7 Data Custody Elimination and Manatoko VC

The Credential Agent sends the parent a consent request specifying the exact purpose: ‘Processing Rahul’s attendance, grades, and health records for academic management.’ The parent verifies their identity via Aadhaar OTP or DigiLocker. A verifiable consent credential is issued to the parent’s wallet: purpose-specific, timestamped, and revocable. The school receives a confirmation — not the parent’s biometric.

If the parent withdraws consent, they revoke the credential. The school’s verification of that credential will return ‘REVOKED’ — modelling the DPDP Section 6 consent withdrawal workflow.
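
The consent lifecycle described above, sketched as an added example (not Manatoko's code or credential format): issuance gated on identity verification, a purpose-bound signed credential, and a verifier that returns only a status. Assumptions: HMAC with a constructed key stands in for the issuer's asymmetric signature, the revocation registry is an in-memory set, and the INVALID and PURPOSE_MISMATCH statuses and all function names are hypothetical.

```python
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo key. HMAC stands in for the issuer's asymmetric signature
# so the example runs on the standard library; a real verifier would hold only
# the issuer's public key.
ISSUER_KEY = b"constructed-demo-issuer-key"
REVOKED_IDS = set()  # hypothetical status registry the school can query

# Purpose text quoted from the page's consent request.
PURPOSE = ("Processing Rahul's attendance, grades, and health records "
           "for academic management.")


def sign(claims):
    """Sign a canonical JSON encoding so any changed field breaks the proof."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue_consent(parent_ref, child_ref, purpose, identity_verified):
    """Issue to the parent's wallet only after the identity check succeeded."""
    if not identity_verified:
        raise PermissionError("parent identity not verified")
    claims = {
        "id": str(uuid.uuid4()),
        # Random school-assigned references, never an Aadhaar number or a
        # value derived from one (a hash of a guessable ID is reversible).
        "parent": parent_ref,
        "child": child_ref,
        "purpose": purpose,
        "issued_at": int(time.time()),
    }
    return {"claims": claims, "proof": sign(claims)}


def revoke(credential):
    """Parent withdraws consent: the credential id enters the registry."""
    REVOKED_IDS.add(credential["claims"]["id"])


def verify_consent(credential, purpose):
    """Return a status string only; the school stores this, not the claims."""
    claims = credential.get("claims", {})
    proof = str(credential.get("proof", ""))
    if not hmac.compare_digest(sign(claims).encode(), proof.encode()):
        return "INVALID"           # altered after issuance, or wrong issuer
    if claims.get("id") in REVOKED_IDS:
        return "REVOKED"           # consent withdrawn
    if claims.get("purpose") != purpose:
        return "PURPOSE_MISMATCH"  # consent does not cover this processing
    return "ACTIVE"


if __name__ == "__main__":
    cred = issue_consent("parent-7f3a", "student-19c2", PURPOSE, True)
    print(verify_consent(cred, PURPOSE))
    revoke(cred)
    print(verify_consent(cred, PURPOSE))
```

The purpose check is what makes the consent purpose-specific: a credential issued for academic management does not verify for any other processing, and editing the purpose field invalidates the proof.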

An EdTech vendor — your LMS, attendance app, or assessment platform — completes a DPDP readiness assessment through Manatoko DPDP. A processor attestation credential is issued to the vendor’s representative wallet, confirming their readiness status and the scope of data they process on your behalf.

Your institution holds the credential presentation as Section 8(1) due diligence evidence. When a regulator asks how you govern your processors, this is the answer.

manatoko.me demonstrates the Manatoko VC capability for universities: credential issuance, digital wallet, instant verification. Manatoko DPDP for Education adds the compliance workflow layer: the agents that assess your institution’s DPDP readiness, redesign your consent and processor governance workflows, and deploy Manatoko VC specifically for the Section 9 parental consent use case — which does not appear in the manatoko.me university demo at all.

The demo on this site shows both: the academic credential flow from manatoko.me plus the new parental consent and processor attestation workflows.

A verification result: ‘Parental consent active — purpose-specific, timestamped, valid’ or ‘REVOKED’. For degree verification: ‘Priya Sharma — B.Tech CS, MIT Pune — Valid.’ No raw personal data. No Aadhaar number. No biometric.

For credential-enabled workflows, the institution is not a PII custodian for those verification events. Section 8(1) exposure for those workflows is structurally eliminated.

6 / 7 Specific Situations

Section 17 of the DPDP Act provides exemptions for government entities for certain purposes. However, Section 9 obligations for children’s data apply broadly — government schools still need verifiable parental consent for non-essential data processing. Manatoko DPDP will refer you to DPDP-qualified Indian privacy law firms for advice on how government institution exemptions apply to your situation.

Accreditation bodies have not yet formally incorporated DPDP compliance into their frameworks. However, the Data Protection Board can investigate any educational institution that breaches DPDP obligations regardless of accreditation status. Institutions that build compliance infrastructure now will have defensible evidence ready for any future regulatory integration.

Yes. The Assessment Agent will identify what you have done, what is still missing, and where your highest remaining risk is. The 90-day program is calibrated to close those gaps — including Section 9 consent mechanisms and EdTech processor governance — rather than repeating work already done.

“DPDP compliance is a workflow problem. Agents solve it.”
“The credential infrastructure that issues degrees also issues consent receipts.”