DPDP Rules 2025 · Enforcement active
DORA in effect since Jan 2025

Scan your website for DPDP, GDPR & DORA violations in 60 seconds.

Find consent gaps, pre-consent tracking, and missing privacy notices, mapped to specific regulatory provisions. Free, no account required.

Prefer a structured self-assessment?
A 10-minute checklist on your organisation's data practices. Covers DPDP, GDPR, and DORA end-to-end. No URL needed.
Take the self-assessment →
Regulatory sources
₹250 Cr: Max fine per instance under DPDP for consent violations
Personal: Data Fiduciaries are individually liable under DPDP Rules 2025
72 hrs: Your window to notify the Data Protection Board after a breach
DPDP full enforcement deadline
May 13, 2027. Penalties start being imposed.
2,400+ scans completed
3 frameworks covered
60s average scan time
Zero data leaves your perimeter
80%+ of scanned sites had pre-consent trackers
SCAN LOG: example.com
00:00.000 Playwright browser spawned (Chromium headless)
00:00.412 Navigating to https://example.com
00:01.103 google-analytics.com/analytics.js loaded ← PRE-CONSENT
00:01.104 Consent banner detected (OneTrust CMP)
00:01.890 connect.facebook.net/en_US/fbevents.js loaded ← PRE-CONSENT
00:02.340 Consent interaction simulated, checking "Reject All" availability
00:02.341 No equivalent "Reject All" on first layer ← VIOLATION
00:04.812 23 network requests intercepted · 2 pre-consent trackers recorded
00:04.813 Mapping to DPDP Sec. 5, GDPR Art. 6(1)(a), GDPR Art. 7 …
00:04.901 3 violations found. Signed artifact generated.

Over 80% of sites scanned on Juro had at least one pre-consent tracker. Each finding cites the exact provision with no vague recommendations. 85% of websites globally collect data before any user interaction (PreConsent.io, 10,000+ sites, 2026).

Example findings
This is what a real scan produces

WEB-001 · Critical
Analytics scripts fire before user consent is obtained
Google Analytics and Meta Pixel load on page initialisation, before the consent banner is displayed or any user interaction occurs. Data is transmitted to third parties without a lawful basis.
Business impact: Every user whose data was collected without consent can file a complaint with the Data Protection Board. There is no minimum threshold. A single complaint opens a full investigation. Fines reach ₹250 crore per instance under DPDP. Section 8(1) makes the data fiduciary responsible for processing carried out by vendors on its behalf, irrespective of any agreement to the contrary.
Sec. 5 DPDP · Art. 6 GDPR
Fix: Block all analytics and advertising scripts from loading until the user grants explicit, granular consent. Use a consent management platform with tag manager integration.

WEB-002 · High
Consent banner has no equivalent "Reject All" on first layer
The banner offers "Accept All" on the first layer but requires multiple clicks to reject non-essential cookies. Withdrawal must be as easy to exercise as consent.
Business impact: Consent obtained this way is likely invalid under GDPR Art. 7 and DPDP Sec. 6. Any analytics or advertising data collected under it is unlawfully processed. Data Protection Authorities flag this pattern in the first round of any audit.
Sec. 6 DPDP · Art. 7 GDPR
Fix: Add a clearly visible "Reject All" button on the first layer. Do not bury rejection behind a "Manage preferences" flow.

Built for the people who get asked "are we compliant?"

Engineers
See exactly which scripts fire before consent, which forms leak PII, and what to block. No vague recommendations: every finding cites the exact provision.
CISOs & Security Leads
Non-custodial scanning means nothing leaves the customer perimeter. Bring the check to the data, not the data to the check.
Compliance & Legal Teams
Get signed, deterministic findings mapped to DPDP sections, GDPR articles, and DORA provisions. Shareable with auditors and the Data Protection Board.

The difference shows up in evidence quality, not feature lists

OneTrust tells you a cookie exists. Juro tells you it fired 2.3 seconds before consent, violating GDPR Art. 6(1)(a), and backs that with a signed artifact your DPO can hand to a regulator.

|              | Juro                            | Legacy compliance suites          | Free cookie scanners |
|--------------|---------------------------------|-----------------------------------|----------------------|
| Architecture | Non-custodial, agent-based      | Your data uploaded to their cloud | Surface cookies only |
| Frameworks   | DPDP + GDPR + DORA              | One framework at a time           | GDPR only            |
| Evidence     | Signed, deterministic artifacts | Screenshot-based reports          | No evidence output   |
| Surface scan | Free, no account required       | Sales demo required               | Free, email-gated    |
| India / DPDP | Purpose-built from day one      | GDPR module adapted for DPDP      | Not covered          |

Things people ask before trusting a scan tool

How do I know the scan is accurate?

The scanner doesn't guess. It intercepts actual network requests as a real browser loads your page. If a script fires before the consent interaction, the scanner records the URL, the timestamp, and the exact millisecond offset. That's a deterministic fact, not a heuristic. Every finding is bundled into a signed artifact: the same inputs always produce the same SHA-256 hash, so any auditor can independently verify that the output hasn't been altered after the fact.

What is DPDP compliance and when does it start?

DPDP (Digital Personal Data Protection Act 2023) is India's data protection law. The DPDP Rules 2025 were notified on November 13, 2025, and enforcement is phased. Full compliance obligations become enforceable on May 13, 2027. The Act requires websites to obtain explicit user consent before collecting personal data, provide clear privacy notices in plain language, and implement data security measures. Fines reach ₹250 crore per violation. Under Section 8(1), the data fiduciary remains responsible for compliance, including for processing carried out by a data processor on its behalf, irrespective of any agreement to the contrary.

How does the compliance scanner work?

A headless Chromium browser loads your URL, intercepts every network request, and records which scripts fire before the consent interaction. Rules then match the observed behaviour against DPDP sections, GDPR articles, and DORA provisions. The result is a signed artifact: not a screenshot, not a checklist. It maps each violation to the specific provision and includes remediation steps.
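
The timing check and the "same inputs, same SHA-256" property described in the two answers above can be sketched offline as follows. This is an added example, not Juro's code: the tracker host list, the request sample, the consent offset, and the function names are all constructed for illustration.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Assumed tracker hosts for this example (the two named in the sample scan log).
TRACKER_HOSTS = {"google-analytics.com", "connect.facebook.net"}

# Constructed sample: (offset in ms since navigation start, request URL).
REQUESTS = [
    (1103, "https://google-analytics.com/analytics.js"),
    (1890, "https://connect.facebook.net/en_US/fbevents.js"),
    (2100, "https://example.com/static/app.js"),
    (3500, "https://www.google-analytics.com/collect?v=1"),
]
CONSENT_AT_MS = 2340  # constructed: offset of the consent interaction


def is_tracker(url):
    """True if the URL's host is a listed tracker host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS)


def pre_consent_findings(requests, consent_at_ms):
    """Tracker requests seen strictly before consent.

    consent_at_ms=None means no consent was ever given, so every
    tracker request counts as pre-consent.
    """
    findings = []
    for offset_ms, url in requests:
        no_consent_yet = consent_at_ms is None or offset_ms < consent_at_ms
        if no_consent_yet and is_tracker(url):
            lead = None if consent_at_ms is None else consent_at_ms - offset_ms
            findings.append(
                {"url": url, "offset_ms": offset_ms, "ms_before_consent": lead}
            )
    # Sort so that the capture order of requests cannot change the digest.
    return sorted(findings, key=lambda f: (f["offset_ms"], f["url"]))


def artifact_digest(findings):
    """SHA-256 over a canonical JSON encoding (sorted keys, fixed separators)."""
    canonical = json.dumps(findings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
```

A matching digest shows only that the findings equal the ones that were hashed; an auditor still needs the reference digest from a trusted source, which is the job of the signature over it.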

Is the website compliance scanner really free?

Yes. The surface scanner is completely free with no account required. It checks website-layer compliance including consent flows, tracker timing, and privacy notice presence. For deeper infrastructure assessments (backend APIs, PII in logs, unencrypted data columns), contact us for a technical readiness assessment.

What is the difference between GDPR, DORA, and DPDP?

GDPR (General Data Protection Regulation) is the EU's data protection law covering all organisations processing EU residents' data. DORA (Digital Operational Resilience Act) is the EU's financial sector cybersecurity regulation that took effect January 17, 2025, covering ICT risk management, incident reporting, and third-party oversight. DPDP (Digital Personal Data Protection Act) is India's data protection law covering processing of digital personal data of Indian residents. The scanner checks for all three simultaneously.

What does the scanner detect on my website?

The scanner detects analytics and advertising scripts that fire before user consent, consent banners without an equivalent "Reject All" button, missing or incomplete privacy notices, forms that collect personal data without a lawful basis, and third-party trackers that transmit data without consent. Each finding cites the exact regulatory provision it violates.

How is Juro different from OneTrust, Vanta, or cookie scanners?

Juro is non-custodial: your data never leaves your perimeter. Legacy compliance suites like OneTrust and Vanta require you to upload data to their cloud. Free cookie scanners only check surface cookies and do not map findings to regulatory provisions. Juro produces signed, deterministic artifacts that can be independently verified, covering DPDP, GDPR, and DORA in a single scan.

Does Juro store or process my website data?

The scanner runs server-side against your public URL. Your page content, cookies, and user data are never written to disk. Only the analysis output is retained, for 90 days, to power the scan cache. For infrastructure assessments, the agent runs inside your VPC with a read-only IAM role and produces signed findings locally. Nothing is uploaded to our cloud.
