Documentation

Sanad docs

Everything you need to evaluate, integrate, audit, or operate Sanad. Designed to be readable in under 30 minutes by a non-technical compliance officer; deep enough for a CERT-In auditor.

Getting started

5-minute first run

Sign up, verify email, sign in, issue your first consent receipt.

Setup checklist

Five short steps after first login. Live progress tracking.

Sector guides — quickstarts

Schools

DPDP §9 + Rule 10 parental consent. CBSE-aligned retention. Photo / event-comm consent.

MSMEs

Customer KYC. Marketing consent. Vendor / processor data sharing. Income Tax + GST retention.

Clinics & hospitals

Patient registration. Procedure consent. Insurance / TPA data sharing. Pediatric extended retention.

SDFs / SaaS

Significant Data Fiduciary obligations. Automated-decision logging. Cross-border safeguards.

Sector deep playbooks (30-day operational)

School playbook

Day 1 / Day 7 / Day 30 setup. Four consent templates. Retention table. Three incident scenarios. Audit-prep Q&A.

MSME playbook

30-day rollout. Customer / marketing / employee / vendor consent. Cross-border SaaS register. GeM-audit Q&A.

Healthcare playbook

30-day rollout. Six consent templates. Pediatric / maternal retention. Four incident scenarios. NABH / IRDAI / DPB audit-prep.

Auditor / regulator

Offline verifier

Paste any signed Sanad artifact, verify Ed25519 in your browser. No server trust.

Verifier SDK

Open-source JS / Python / Go reference implementations for air-gapped verification.

Artifact types

All 19 typed prefixes (CR-, IN-, RR-, PL-, RS-, …) with regulatory mapping + field reference.

Security policy

Disclosure programme + scope + 2-day acknowledgment SLA + safe-harbour clause.

Developer reference

API reference

Every endpoint — auth, consent, rights, incidents, governance, aggregates.

Webhooks

HMAC-SHA256 outbound delivery. Subscribe to event types. Auto-disable on 10 consecutive failures.

Verify API

Pay-per-call verification API for insurers, banks, audit firms (L4 commercial).

Sector quickstarts

Schools (K-12 / college / coaching)

  1. Sign up at /dpo/signup, pick "School", enter your district + state.
  2. After email verification, your console pre-loads a starter pack: 5 sector policies, retention schedules, 3 consent templates (parental admission / newsletter-photo / photo-usage).
  3. Issue your first parental consent receipt for one student → confirms the signing pipeline works.
  4. Install Sentinel on the school office's Windows endpoint via the .bat installer (5 min).
  5. Add a webhook to push consent / incident events to your school MIS.

MSMEs (manufacturing / services / trade)

  1. Sign up at /dpo/signup, pick the right MSME tier (micro / small / medium based on turnover).
  2. Pre-loaded retention schedules align with Income Tax (8y) + GST norms.
  3. Templates cover the three common consent types: customer KYC, marketing communications, vendor / payment-gateway data sharing.
  4. Issue one customer-onboarding consent → use as proof during a GeM compliance audit.
  5. Add cross-border transfer registrations (DPDP §16) for any non-India SaaS you use.

Clinics & hospitals

  1. Pick "Clinic" or "Hospital" at signup. Hospital tier includes pediatric (25-year retention) + maternal (21-year) records.
  2. Patient-registration template handles ABDM-aligned identifiers + ABHA ID linkage.
  3. Pre-procedure consent + insurance/TPA data-sharing templates ship as drafts — review and approve.
  4. Use the breach response tabletop drill before a real incident — generates CERT-In Form A + DPDP Form B drafts.

SDFs / SaaS / fintech / AI platforms

  1. Take the free DPDP audit first — get a tier recommendation tied to your specific gaps.
  2. Sign up at the recommended tier. SDFs notified by the DPB get the Enterprise tier.
  3. Critical SDF surfaces: automated-decision consent + logging, RoPA, DPIA per high-risk feature, cross-border SCCs.
  4. Webhook every consent + incident event into your SIEM.

Need help we haven't documented? support@cognoshift.in