Governance & Compliance
Assessments, compliance frameworks, privacy centers, and evidence management
Overview
Neostra's Governance & Compliance module provides a comprehensive toolkit for managing privacy assessments, tracking regulatory compliance, publishing privacy centers, and maintaining tamper-evident audit records. It supports the full lifecycle from readiness assessment through ongoing compliance monitoring.
Assessments
Create, assign, and complete privacy assessments using customizable templates with versioned draft/publish cycles.
Readiness Scanner
Score your organization's compliance readiness against DPDPA, GDPR, and other frameworks with pre-built assessment templates.
Privacy Centers
Publish configurable privacy policy pages with multi-language support and flexible layouts.
Evidence Vault
Maintain tamper-evident audit records with SHA-256 hashing across 114 tracked audit actions.
Assessments
Assessment Lifecycle
Assessments follow a structured lifecycle from creation through completion, with support for multi-user assignment and PDF export.
Create an Assessment
Create a new assessment from a published template. Assessments inherit the template's sections and questions.
curl -X POST https://api.neostra.io/v1/assessments \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "DPDPA Readiness Assessment - Q1 2026",
"templateId": "tmpl_dpdpa_v2",
"brandId": "brand_001"
}'
Assign to Users
Assign the assessment to one or more users who will be responsible for completing their respective sections.
curl -X POST https://api.neostra.io/v1/assessments/{assessmentId}/assign \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"userIds": ["user_101", "user_102", "user_103"]
}'
Complete Questions
Assigned users respond to questions within each section. Answers support text, single-select, multi-select, and file upload types.
curl -X PUT https://api.neostra.io/v1/assessments/{assessmentId}/sections/{sectionId}/questions/{questionId}/answer \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"value": "Yes, data encryption at rest is enforced.",
"evidence": ["evidence_file_001"]
}'
Review and Approve
Reviewers examine submitted answers, request changes if needed, or approve the completed assessment.
Export
Export the completed assessment as a PDF document for offline sharing or regulatory submission.
curl -X GET https://api.neostra.io/v1/assessments/{assessmentId}/export \
-H "Authorization: Bearer <token>" \
-H "Accept: application/pdf"
Template Management
Assessment templates define the structure of assessments including sections, questions, and scoring rules. Templates support a versioned draft/publish/discard workflow.
- Draft: Template is being edited. Not available for assessment creation.
- Published: Template is locked and available for use in new assessments.
- Discard: Removes an unpublished draft version.
curl -X POST https://api.neostra.io/v1/templates \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "DPDPA Readiness Template",
"description": "Assess organizational readiness for India DPDPA compliance"
}'
curl -X POST https://api.neostra.io/v1/templates/{templateId}/sections \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"title": "Data Protection Officer",
"order": 1
}'
curl -X POST https://api.neostra.io/v1/templates/{templateId}/sections/{sectionId}/questions \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"text": "Has your organization appointed a Data Protection Officer?",
"type": "SINGLE_SELECT",
"options": ["Yes", "No", "In Progress"],
"weight": 5
}'
curl -X POST https://api.neostra.io/v1/templates/{templateId}/publish \
-H "Authorization: Bearer <token>"
Templates can be exported as JSON for backup or sharing across tenants, and imported to create new templates from exported files.
# Export template as JSON
curl -X GET https://api.neostra.io/v1/templates/{templateId}/export \
-H "Authorization: Bearer <token>" \
-o template_backup.json
# Import template from JSON
curl -X POST https://api.neostra.io/v1/templates/import \
-H "Authorization: Bearer <token>" \
-F "file=@template_backup.json"
Readiness Scanner
The Readiness Scanner uses pre-built assessment templates to calculate compliance readiness scores across your organization.
| Framework | Template | Sections | Questions |
|---|---|---|---|
| India DPDPA | tmpl_dpdpa_v2 | 8 | 45+ |
| EU GDPR | tmpl_gdpr_v1 | 11 | 60+ |
The AssessmentDashboardController provides aggregated statistics for compliance readiness tracking.
curl -X GET "https://api.neostra.io/v1/assessments/dashboard/summary?brandId=brand_001" \
-H "Authorization: Bearer <token>"
curl -X GET "https://api.neostra.io/v1/assessments/dashboard/summary?templateId=tmpl_dpdpa_v2" \
-H "Authorization: Bearer <token>"
curl -X GET "https://api.neostra.io/v1/assessments/dashboard/summary?from=2026-01-01&to=2026-03-31" \
-H "Authorization: Bearer <token>"
Compliance Frameworks
Neostra ships with pre-seeded regulation data managed through database migrations. The RegulationController provides access to framework details.
# List all regulations
curl -X GET https://api.neostra.io/v1/regulations \
-H "Authorization: Bearer <token>"
# Get regulation details
curl -X GET https://api.neostra.io/v1/regulations/{regulationId} \
-H "Authorization: Bearer <token>"
Compliance frameworks are pre-seeded via the CU010_RegulationsInitializerChangeUnit migration in neostra-migrations. New frameworks are added through platform updates.
Privacy Centers
Privacy Centers let you publish configurable privacy policy pages for your end users with multi-language support and flexible layouts.
Create a Privacy Center
curl -X POST https://api.neostra.io/v1/privacy-centers \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "Customer Privacy Portal",
"brandId": "brand_001",
"subdomain": "privacy"
}'
Configure Layout
Choose from supported layout types and customize the appearance.
curl -X PUT https://api.neostra.io/v1/privacy-centers/{centerId}/config \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"layout": "LEFT_MENU",
"theme": {
"primaryColor": "#1a73e8",
"logo": "https://cdn.example.com/logo.png"
},
"languages": ["en", "hi", "ta"]
}'
Publish
Publish the privacy center to make it accessible to your end users.
curl -X POST https://api.neostra.io/v1/privacy-centers/{centerId}/publish \
-H "Authorization: Bearer <token>"
Layout Options
Left Menu
Sidebar navigation with content sections listed vertically. Ideal for comprehensive privacy policies with many sections.
Tabs
Horizontal tab navigation across the top. Suitable for concise policies with a few key sections.
Tiles
Card-based grid layout. Best for landing pages that link to detailed sub-pages.
Evidence Vault
The Evidence Vault provides tamper-evident audit logging across the entire Neostra platform. An AuditLoggingAspect automatically captures actions and generates SHA-256 hashes for integrity verification.
# Query audit log
curl -X GET "https://api.neostra.io/v1/audit-logs?action=ASSESSMENT_COMPLETED&from=2026-01-01" \
-H "Authorization: Bearer <token>"
Permissions
Access to governance features is controlled by granular permissions.
| Resource | Permissions |
|---|---|
| Assessments | assessments:create, assessments:view, assessments:list, assessments:edit |
| Templates | templates:create, templates:view, templates:list, templates:edit, templates:delete, templates:export |
| Privacy Centers | privacy-centers:create, privacy-centers:view, privacy-centers:edit |
Tenant provisioning, subscription management, and user/role administration are handled by the astra-core service. Contact your platform administrator to manage tenant-level access.
Controller Reference
| Controller | Path Prefix | Purpose |
|---|---|---|
AssessmentController | /assessments | Assessment CRUD and lifecycle |
TemplateController | /templates | Template management and versioning |
SectionController | /templates/{id}/sections | Template section management |
QuestionController | /templates/{id}/.../questions | Question management within sections |
AnswerController | /assessments/{id}/.../answer | Answer submission and retrieval |
AssessmentDashboardController | /assessments/dashboard | Aggregated compliance statistics |
RegulationController | /regulations | Compliance framework reference data |
PrivacyCenterController | /privacy-centers | Privacy center CRUD and publishing |
PrivacyCenterConfigController | /privacy-centers/{id}/config | Layout and theme configuration |
Governance Setup
The Governance Setup module establishes the foundational governance layer required for DPDP compliance. It ensures organizations have clear ownership and accountability, a formal documented governance charter, and defined internal privacy workflows and escalation pathways.
DPDP-Mandated Roles
| Role | Required | Responsibilities |
|---|---|---|
| Data Protection Lead / DPO | Yes (DPO if SDF) | Oversight of DPDP program, point of contact for regulator, approve privacy notices, ensure DPIAs are completed |
| Grievance Officer | Yes | Receive and resolve data subject grievances, maintain grievance log, escalate to DP Lead |
| Executive Sponsor (CXO) | Yes | Final authority for high-risk decisions, regulatory escalation, board-level accountability |
| Security Lead | Recommended | Technical security controls, incident response support, security posture evidence |
| Legal Lead | Recommended | Legal basis advice, processor contracts, breach reporting, regulatory communication |
| Engineering Lead | Recommended | Privacy-by-design enforcement, retention and erasure mechanisms |
For organizations designated as Significant Data Fiduciaries (SDF), the DP Lead role MUST be populated with an independent DPO as required by DPDPA.
Governance Charter Generator
The Governance Charter Generator automatically creates a Data Protection Governance Charter based on the organization's configured governance roles. The charter is the foundational governance document reviewed by regulators, auditors, and internal stakeholders.
Configure Governance Roles
Add DPDP-required roles (DP Lead, Grievance Officer, Executive Sponsor) and recommended roles (Security, Legal, Engineering leads). The system validates that all mandatory roles are assigned before proceeding.
Auto-Generate Charter
The system generates a 14-section governance charter populated with role data, organization details, and DPDP-aligned content. Sections include: Purpose, Scope, DPDP Compliance Commitment, Roles & Responsibilities, Governance Structure, Escalation Matrix, Review Cadence, Change Management, Incident Linkage, Vendor Oversight, Grievance Mechanism, Glossary, Approvals, and Annexes.
Customize and Edit
Edit any section using a rich-text editor. Add company-specific context, custom sections, or modify auto-generated content. All edits are auto-saved with version tracking.
Publish and Export
Publish the charter (creating a locked, versioned record) and export as PDF or DOCX. Published charters include metadata: version number, generation timestamp, and Neostra branding. Published versions are automatically stored in the Evidence Vault.
Privacy Contact Generator
DPDP requires every Data Fiduciary to provide a publicly accessible grievance redressal mechanism. The Privacy Contact Generator automates the creation, hosting, and maintenance of this contact page.
Hosted Page
Auto-generated privacy contact page at https://{org-subdomain}.neostra.in/privacy-contact with Grievance Officer details, DP Lead escalation contact, and SLA timelines.
Embeddable
Provides HTML embed snippet, iFrame embed code, direct URL, and QR code for use in website footers, mobile apps, email signatures, and support portals.
The privacy contact page displays:
- Grievance Officer name, title, email, and phone (optional)
- Data Protection Lead / DPO details as escalation contact
- Grievance SLA (default: acknowledgement in 3 days, resolution in 7 days, editable per org)
- Submission method (direct email link or "Submit grievance" button linking to grievance form)
- A required DPDP legal disclaimer
The privacy contact page auto-updates whenever governance roles change. No manual intervention is required to keep the public-facing information current.
Escalation Matrix
| Issue Type | First Response | Escalation (if unresolved within SLA) | Final Authority |
|---|---|---|---|
| Data subject grievance | Grievance Officer | DP Lead (after 7 days) | Legal Lead |
| Security incident (medium/high) | Security Lead | DP Lead (immediately); Executive Sponsor if high severity | Executive Sponsor |
| Third-party contract risk | Engineering / Procurement | Legal Lead | DP Lead / Executive Sponsor |
| Regulatory communication | DP Lead | Legal Lead | Executive Sponsor |
SLA Defaults
- Initial acknowledgement to data principal: 3 business days
- Internal escalation to DP Lead for medium/high incidents: 48 hours
- Grievance response: 7 days
- Vendor contract review: 14 days
- Annual governance charter review with reminders at 30/15/7 days
Last updated 1 week ago
Built with Documentation.AI