bmad-plus 0.7.5 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294)
  1. package/CHANGELOG.md +450 -425
  2. package/LICENSE +21 -21
  3. package/README.md +555 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -222
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,319 +1,319 @@
1
- # DPDPA — Section-by-Section Reference
2
-
3
- Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
4
- 44 Sections across 9 Chapters.
5
-
6
- ---
7
-
8
- ## Chapter I — Preliminary (Sections 1–3)
9
-
10
- ### Section 1 — Short Title, Extent, Commencement and Application
11
- Establishes the short title: "Digital Personal Data Protection Act, 2023."
12
- - Extends to the whole of India
13
- - Commencement by phased notification in the Official Gazette
14
- - Applies to digital personal data processing within India AND processing outside India
15
- related to offering goods or services to individuals located in India
16
-
17
- ### Section 2 — Definitions
18
- 28 defined terms including:
19
-
20
- | Term | Definition |
21
- |------|-----------|
22
- | **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
23
- | **Board** | Data Protection Board of India |
24
- | **Child** | Individual who has not completed **18 years of age** |
25
- | **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
26
- | **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
27
- | **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
28
- | **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
29
- | **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
30
- | **Digital personal data** | Personal data in digital form |
31
- | **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
32
- | **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
33
- | **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
34
- | **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
35
- | **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
36
-
37
- ### Section 3 — Application (Territorial Scope)
38
- The Act applies to:
39
- - Processing of digital personal data **within India**, and
40
- - Processing **outside India** if it relates to offering goods or services to individuals
41
- located in India at the time the personal data is collected
42
-
43
- Partial exemption: Processing under contracts with foreign entities of data of
44
- Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
45
-
46
- ---
47
-
48
- ## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
49
-
50
- ### Section 4 — Grounds for Processing Personal Data
51
- Two and only two lawful bases:
52
- - **(a) Consent** as specified in Section 6
53
- - **(b) Certain legitimate uses** as enumerated in Section 7
54
-
55
- No other lawful basis exists. Processing outside these two grounds is unlawful.
56
-
57
- ### Section 5 — Notice to Data Principal
58
- Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
59
- - In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
60
- - As a standalone, independent document (not bundled in T&Cs)
61
- - Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
62
-
63
- **Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
64
-
65
- **Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
66
-
67
- ### Section 6 — Consent
68
- Consent must be:
69
- - **Free** — not conditioned on acceptance of services
70
- - **Specific** — for a particular specified purpose
71
- - **Informed** — given after receiving the Section 5 notice
72
- - **Unconditional** — no conditions or coercion
73
- - **Unambiguous** — expressed by clear affirmative action
74
-
75
- **Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
76
-
77
- **Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
78
-
79
- **Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
80
-
81
- **Section 6(6):** Consent obtained in violation of these requirements is void.
82
-
83
- ### Section 7 — Certain Legitimate Uses (Closed List)
84
- Eight enumerated legitimate uses where consent is NOT required:
85
-
86
- 1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
87
- 2. State benefits, subsidies, services, certificates, licenses, or permits
88
- 3. State functions under Indian law or interests of sovereignty/security/integrity
89
- 4. Legal obligation to disclose to State or its instrumentalities
90
- 5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
91
- 6. Disaster management per the Disaster Management Act, 2005
92
- 7. Medical emergencies and safeguarding individuals during disasters or epidemics
93
- 8. Other prescribed purposes as notified by Central Government
94
-
95
- > **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
96
-
97
- This list is **exhaustive**. No general "legitimate interests" balancing test.
98
-
99
- ### Section 8 — General Obligations of Data Fiduciary
100
- Every Data Fiduciary must:
101
-
102
- 1. **Appoint Data Processors under contract** — valid written contract per Rule 16
103
- 2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
104
- 3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
105
- 4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
106
- 5. **Direct Processors to erase** data upon termination of processing engagement
107
- 6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
108
- 7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
109
-
110
- **Section 8(7) — Retention and Erasure:**
111
- Data Fiduciaries must erase data from their systems and from Processors' systems upon:
112
- - Withdrawal of consent (unless retention required by law)
113
- - Purpose fulfilment
114
- - Section 12(3) erasure request
115
-
116
- ### Section 9 — Processing of Children's Personal Data
117
- **Age threshold:** Under 18 years.
118
-
119
- **Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
120
-
121
- **Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
122
- - Tracking or behavioural monitoring of children
123
- - Targeted advertising directed at children
124
- - Any processing likely to cause detrimental effect on child's well-being
125
-
126
- **Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
127
-
128
- **Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
129
-
130
- ### Section 10 — Additional Obligations of Significant Data Fiduciaries
131
-
132
- **Designation:** Central Government notifies entities as SDFs based on:
133
- - Volume and sensitivity of data processed
134
- - Risk of harm to Data Principals' rights
135
- - Impact on India's sovereignty, integrity, security
136
- - Risk to electoral democracy or public order
137
-
138
- **Additional obligations (beyond Section 8):**
139
- - **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
140
- - **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
141
- - **Annual independent data audit** — by qualified external auditor; report submitted to the Board
142
- - **Data localization** — specified data categories must remain within India (when notified)
143
- - **Comply with any other prescribed measures** as directed by government
144
-
145
- ---
146
-
147
- ## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
148
-
149
- ### Section 11 — Right to Access Information
150
- Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
151
- - Summary of personal data being processed
152
- - Description of the processing activities (purpose, legal basis, duration)
153
- - Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
154
- - Description of personal data shared with each recipient
155
-
156
- ### Section 12 — Right to Correction, Completion, Updating, and Erasure
157
- Data Principals may:
158
- - **(12(1)(a))** Request correction of inaccurate or misleading personal data
159
- - **(12(1)(b))** Request completion of incomplete personal data
160
- - **(12(1)(c))** Request updating of outdated personal data
161
- - **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
162
-
163
- **Limitations on erasure (Section 12(4)):**
164
- Data Fiduciaries may refuse erasure where:
165
- - Retention necessary for the specified purpose
166
- - Retention required by law (statutory record-keeping)
167
- - Retention necessary to enforce/defend legal rights or claims
168
-
169
- ### Section 13 — Right of Grievance Redressal
170
- - Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
171
- - Mechanism must be accessible, responsive, and as prescribed by rules
172
- - Data Fiduciaries must respond within the prescribed timeframe
173
- - **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
174
-
175
- ### Section 14 — Right to Nominate
176
- Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
177
- - Death of the Data Principal, or
178
- - Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
179
-
180
- Nominees exercise rights as if they were the Data Principal.
181
-
182
- ### Section 15 — Duties of Data Principal
183
- Data Principals must:
184
- - Comply with all applicable laws when exercising rights
185
- - Not register false or frivolous complaints with Fiduciaries or the Board
186
- - Not furnish false particulars or suppress material information
187
- - Not impersonate another individual
188
- - Not misuse their rights to harass Data Fiduciaries
189
-
190
- Breach of these duties: penalty up to **₹10,000** (personal liability).
191
-
192
- ---
193
-
194
- ## Chapter IV — Special Provisions (Sections 16–17)
195
-
196
- ### Section 16 — Transfer of Personal Data Outside India
197
- **Mechanism: Blacklist approach**
198
-
199
- Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
200
-
201
- **Current status (April 2026):** No countries have been notified. All transfers currently permitted.
202
-
203
- **Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
204
-
205
- **Operational guidance:**
206
- - Transfers permitted to all countries absent a notification
207
- - Apply contractual safeguards with recipients regardless
208
- - Do not assume permanent unrestricted status; plan for potential future restrictions
209
- - Sensitive data categories: apply enhanced protection even when transfer is technically permitted
210
-
211
- ### Section 17 — Exemptions
212
- Exemptions from Chapters II, III, and Section 16:
213
-
214
- | # | Category | Scope of Exemption |
215
- |---|----------|-------------------|
216
- | (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
217
- | (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
218
- | (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
219
- | (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
220
- | (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
221
- | (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
222
- | (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
223
- | (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
224
- | (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
225
- | (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
226
-
227
- ---
228
-
229
- ## Chapter V — Data Protection Board of India (Sections 18–26)
230
-
231
- ### Section 18 — Establishment
232
- Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
233
-
234
- ### Section 19 — Composition
235
- - **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
236
- - **Members** — Notified number; appointed by Central Government; similar qualification criteria
237
-
238
- ### Section 20–21 — Tenure and Removal
239
- Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
240
-
241
- ### Section 22–23 — Officers, Employees, and Public Servant Status
242
- Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
243
-
244
- ### Section 24 — Chairperson's Powers
245
- Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
246
-
247
- ### Section 25 — Powers and Functions of the Board
248
- - Receive and adjudicate complaints from Data Principals
249
- - Investigate personal data breaches
250
- - Issue financial penalties
251
- - Issue binding compliance directions
252
- - Facilitate alternate dispute resolution
253
- - Accept voluntary undertakings from Data Fiduciaries
254
-
255
- ### Section 26 — Procedure
256
- Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
257
-
258
- ---
259
-
260
- ## Chapter VI — Appeals and ADR (Sections 27–32)
261
-
262
- ### Section 27 — Appeal to TDSAT
263
- Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
264
-
265
- ### Section 28 — TDSAT Orders Executable as Civil Decree
266
- TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
267
-
268
- ### Section 29 — Alternate Dispute Resolution
269
- Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
270
-
271
- ### Section 30 — Voluntary Undertaking
272
- Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
273
-
274
- ### Section 31 — Limitation for Filing Complaint
275
- Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
276
-
277
- ### Section 32 — Protection of Actions Taken in Good Faith
278
- Board members and staff protected from civil/criminal liability for good faith actions.
279
-
280
- ---
281
-
282
- ## Chapter VII — Penalties (Sections 33–34)
283
-
284
- ### Section 33 — Financial Penalties
285
- **Penalty Schedule:**
286
-
287
- | Violation | Maximum Penalty |
288
- |-----------|----------------|
289
- | Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
290
- | Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
291
- | Violation of children's data obligations (Section 9) | ₹200 crore |
292
- | SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
293
- | Breach of voluntary undertaking (Section 30) | ₹50 crore |
294
- | Other violations | ₹50 crore |
295
- | Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
296
-
297
- **Section 33(2) — Seven factors for penalty determination:**
298
- 1. Nature and gravity of the violation
299
- 2. Scale of impact on Data Principals
300
- 3. Frequency (first-time vs. repeated)
301
- 4. Promptness of remediation and cooperation
302
- 5. Proportionality to violator's financial condition
303
- 6. Intentionality vs. negligence
304
- 7. Other prescribed factors
305
-
306
- ### Section 34 — Crediting of Penalties
307
- All penalty amounts credited to the Consolidated Fund of India.
308
-
309
- ---
310
-
311
- ## Chapter VIII — Miscellaneous (Sections 35–44)
312
-
313
- ### Section 35 — Power to Make Rules
314
- Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
315
-
316
- ### Section 36–44
317
- Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
318
-
319
- **Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.
1
+ # DPDPA — Section-by-Section Reference
2
+
3
+ Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
4
+ 44 Sections across 9 Chapters.
5
+
6
+ ---
7
+
8
+ ## Chapter I — Preliminary (Sections 1–3)
9
+
10
+ ### Section 1 — Short Title, Extent, Commencement and Application
11
+ Establishes the short title: "Digital Personal Data Protection Act, 2023."
12
+ - Extends to the whole of India
13
+ - Commencement by phased notification in the Official Gazette
14
+ - Applies to digital personal data processing within India AND processing outside India
15
+ related to offering goods or services to individuals located in India
16
+
17
+ ### Section 2 — Definitions
18
+ 28 defined terms including:
19
+
20
+ | Term | Definition |
21
+ |------|-----------|
22
+ | **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
23
+ | **Board** | Data Protection Board of India |
24
+ | **Child** | Individual who has not completed **18 years of age** |
25
+ | **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
26
+ | **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
27
+ | **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
28
+ | **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
29
+ | **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
30
+ | **Digital personal data** | Personal data in digital form |
31
+ | **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
32
+ | **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
33
+ | **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
34
+ | **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
35
+ | **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
36
+
37
+ ### Section 3 — Application (Territorial Scope)
38
+ The Act applies to:
39
+ - Processing of digital personal data **within India**, and
40
+ - Processing **outside India** if it relates to offering goods or services to individuals
41
+ located in India at the time the personal data is collected
42
+
43
+ Partial exemption: Processing under contracts with foreign entities of data of
44
+ Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
45
+
46
+ ---
47
+
48
+ ## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
49
+
50
+ ### Section 4 — Grounds for Processing Personal Data
51
+ Two and only two lawful bases:
52
+ - **(a) Consent** as specified in Section 6
53
+ - **(b) Certain legitimate uses** as enumerated in Section 7
54
+
55
+ No other lawful basis exists. Processing outside these two grounds is unlawful.
56
+
57
+ ### Section 5 — Notice to Data Principal
58
+ Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
59
+ - In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
60
+ - As a standalone, independent document (not bundled in T&Cs)
61
+ - Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
62
+
63
+ **Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
64
+
65
+ **Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
66
+
67
+ ### Section 6 — Consent
68
+ Consent must be:
69
+ - **Free** — not conditioned on acceptance of services
70
+ - **Specific** — for a particular specified purpose
71
+ - **Informed** — given after receiving the Section 5 notice
72
+ - **Unconditional** — no conditions or coercion
73
+ - **Unambiguous** — expressed by clear affirmative action
74
+
75
+ **Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
76
+
77
+ **Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
78
+
79
+ **Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
80
+
81
+ **Section 6(6):** Consent obtained in violation of these requirements is void.
82
+
83
+ ### Section 7 — Certain Legitimate Uses (Closed List)
84
+ Eight enumerated legitimate uses where consent is NOT required:
85
+
86
+ 1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
87
+ 2. State benefits, subsidies, services, certificates, licenses, or permits
88
+ 3. State functions under Indian law or interests of sovereignty/security/integrity
89
+ 4. Legal obligation to disclose to State or its instrumentalities
90
+ 5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
91
+ 6. Disaster management per the Disaster Management Act, 2005
92
+ 7. Medical emergencies and safeguarding individuals during disasters or epidemics
93
+ 8. Other prescribed purposes as notified by Central Government
94
+
95
+ > **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
96
+
97
+ This list is **exhaustive**. No general "legitimate interests" balancing test.
98
+
99
+ ### Section 8 — General Obligations of Data Fiduciary
100
+ Every Data Fiduciary must:
101
+
102
+ 1. **Appoint Data Processors under contract** — valid written contract per Rule 16
103
+ 2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
104
+ 3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
105
+ 4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
106
+ 5. **Direct Processors to erase** data upon termination of processing engagement
107
+ 6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
108
+ 7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
109
+
110
+ **Section 8(7) — Retention and Erasure:**
111
+ Data Fiduciaries must erase data from their systems and from Processors' systems upon:
112
+ - Withdrawal of consent (unless retention required by law)
113
+ - Purpose fulfilment
114
+ - Section 12(3) erasure request
115
+
116
+ ### Section 9 — Processing of Children's Personal Data
117
+ **Age threshold:** Under 18 years.
118
+
119
+ **Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
120
+
121
+ **Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
122
+ - Tracking or behavioural monitoring of children
123
+ - Targeted advertising directed at children
124
+ - Any processing likely to cause detrimental effect on child's well-being
125
+
126
+ **Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
127
+
128
+ **Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
129
+
130
+ ### Section 10 — Additional Obligations of Significant Data Fiduciaries
131
+
132
+ **Designation:** Central Government notifies entities as SDFs based on:
133
+ - Volume and sensitivity of data processed
134
+ - Risk of harm to Data Principals' rights
135
+ - Impact on India's sovereignty, integrity, security
136
+ - Risk to electoral democracy or public order
137
+
138
+ **Additional obligations (beyond Section 8):**
139
+ - **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
140
+ - **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
141
+ - **Annual independent data audit** — by qualified external auditor; report submitted to the Board
142
+ - **Data localization** — specified data categories must remain within India (when notified)
143
+ - **Comply with any other prescribed measures** as directed by government
144
+
145
+ ---
146
+
147
+ ## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
148
+
149
+ ### Section 11 — Right to Access Information
150
+ Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
151
+ - Summary of personal data being processed
152
+ - Description of the processing activities (purpose, legal basis, duration)
153
+ - Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
154
+ - Description of personal data shared with each recipient
155
+
156
+ ### Section 12 — Right to Correction, Completion, Updating, and Erasure
157
+ Data Principals may:
158
+ - **(12(1)(a))** Request correction of inaccurate or misleading personal data
159
+ - **(12(1)(b))** Request completion of incomplete personal data
160
+ - **(12(1)(c))** Request updating of outdated personal data
161
+ - **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
162
+
163
+ **Limitations on erasure (Section 12(4)):**
164
+ Data Fiduciaries may refuse erasure where:
165
+ - Retention necessary for the specified purpose
166
+ - Retention required by law (statutory record-keeping)
167
+ - Retention necessary to enforce/defend legal rights or claims
168
+
169
+ ### Section 13 — Right of Grievance Redressal
170
+ - Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
171
+ - Mechanism must be accessible, responsive, and as prescribed by rules
172
+ - Data Fiduciaries must respond within the prescribed timeframe
173
+ - **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
174
+
175
+ ### Section 14 — Right to Nominate
176
+ Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
177
+ - Death of the Data Principal, or
178
+ - Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
179
+
180
+ Nominees exercise rights as if they were the Data Principal.
181
+
182
+ ### Section 15 — Duties of Data Principal
183
+ Data Principals must:
184
+ - Comply with all applicable laws when exercising rights
185
+ - Not register false or frivolous complaints with Fiduciaries or the Board
186
+ - Not furnish false particulars or suppress material information
187
+ - Not impersonate another individual
188
+ - Not misuse their rights to harass Data Fiduciaries
189
+
190
+ Breach of these duties: penalty up to **₹10,000** (personal liability).
191
+
192
+ ---
193
+
194
+ ## Chapter IV — Special Provisions (Sections 16–17)
195
+
196
+ ### Section 16 — Transfer of Personal Data Outside India
197
+ **Mechanism: Blacklist approach**
198
+
199
+ Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
200
+
201
+ **Current status (April 2026):** No countries have been notified. All transfers currently permitted.
202
+
203
+ **Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
204
+
205
+ **Operational guidance:**
206
+ - Transfers permitted to all countries absent a notification
207
+ - Apply contractual safeguards with recipients regardless
208
+ - Do not assume permanent unrestricted status; plan for potential future restrictions
209
+ - Sensitive data categories: apply enhanced protection even when transfer is technically permitted
210
+
211
+ ### Section 17 — Exemptions
212
+ Exemptions from Chapters II, III, and Section 16:
213
+
214
+ | # | Category | Scope of Exemption |
215
+ |---|----------|-------------------|
216
+ | (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
217
+ | (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
218
+ | (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
219
+ | (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
220
+ | (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
221
+ | (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
222
+ | (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
223
+ | (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
224
+ | (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
225
+ | (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
226
+
227
+ ---
228
+
229
+ ## Chapter V — Data Protection Board of India (Sections 18–26)
230
+
231
+ ### Section 18 — Establishment
232
+ Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
233
+
234
+ ### Section 19 — Composition
235
+ - **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
236
+ - **Members** — Notified number; appointed by Central Government; similar qualification criteria
237
+
238
+ ### Section 20–21 — Tenure and Removal
239
+ Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
240
+
241
+ ### Section 22–23 — Officers, Employees, and Public Servant Status
242
+ Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
243
+
244
+ ### Section 24 — Chairperson's Powers
+ Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
+
+ ### Section 25 — Powers and Functions of the Board
+ - Receive and adjudicate complaints from Data Principals
+ - Investigate personal data breaches
+ - Issue financial penalties
+ - Issue binding compliance directions
+ - Facilitate alternate dispute resolution
+ - Accept voluntary undertakings from Data Fiduciaries
+
+ ### Section 26 — Procedure
+ Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
+
+ ---
+
+ ## Chapter VI — Appeals and ADR (Sections 27–32)
+
+ ### Section 27 — Appeal to TDSAT
+ Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
+
+ ### Section 28 — TDSAT Orders Executable as Civil Decree
+ TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
+
+ ### Section 29 — Alternate Dispute Resolution
+ Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
+
+ ### Section 30 — Voluntary Undertaking
+ Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
+
+ ### Section 31 — Limitation for Filing Complaint
+ Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
+
+ ### Section 32 — Protection of Actions Taken in Good Faith
+ Board members and staff protected from civil/criminal liability for good faith actions.
+
+ ---
+
+ ## Chapter VII — Penalties (Sections 33–34)
+
+ ### Section 33 — Financial Penalties
+ **Penalty Schedule:**
+
+ | Violation | Maximum Penalty |
+ |-----------|----------------|
+ | Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
+ | Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
+ | Violation of children's data obligations (Section 9) | ₹200 crore |
+ | SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
+ | Breach of voluntary undertaking (Section 30) | ₹50 crore |
+ | Other violations | ₹50 crore |
+ | Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
+
+ **Section 33(2) — Seven factors for penalty determination:**
+ 1. Nature and gravity of the violation
+ 2. Scale of impact on Data Principals
+ 3. Frequency (first-time vs. repeated)
+ 4. Promptness of remediation and cooperation
+ 5. Proportionality to violator's financial condition
+ 6. Intentionality vs. negligence
+ 7. Other prescribed factors
+
+ ### Section 34 — Crediting of Penalties
+ All penalty amounts credited to the Consolidated Fund of India.
+
+ ---
+
+ ## Chapter VIII — Miscellaneous (Sections 35–44)
+
+ ### Section 35 — Power to Make Rules
+ Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
+
+ ### Section 36–44
+ Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
+
+ **Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.
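Review bot: the section numbers in this hunk are shifted by two from the Act's own numbering, so every cross-reference from "Section 24" through "Section 35" will point a reader at the wrong provision of the DPDP Act, 2023: the Chairperson's powers are section 26; the Board's powers and procedure are sections 27 and 28 and form the Act's own Chapter VI ("Powers, Functions and Procedure to be followed by Board"); the appeal chapter is sections 29 to 32 (appeal to the Appellate Tribunal 29, orders executable as decree 30, ADR 31, voluntary undertaking 32); penalties are 33 and 34; protection of action taken in good faith is section 35; the rule-making power is section 40; and the consequential amendments to the TRAI Act, the IT Act and the RTI Act all sit in section 44, not "43 and 44". There is no section headed "Limitation for Filing Complaint" in the Act, so that entry should be dropped or re-sourced to the rules. In the penalty table, the security-safeguards row should cite section 8(5), not 8(3) (8(3) is the accuracy and consistency duty), and the Schedule does not fix a flat ₹50 crore for breach of a voluntary undertaking: it caps it at "the extent applicable for the breach in respect of which the proceedings ... were instituted", so that row and the ₹50 crore "other violations" row are not the same ceiling. The "Seven factors" list under 33(2) also does not match the statute; the Act's clauses (a) to (g) are nature, gravity and duration of the breach; type and nature of the personal data affected; repetitive nature; whether gain was realised or loss avoided; action taken to mitigate; proportionality and effectiveness of the penalty; and its likely impact on the person. Finally, the "Notable" line overstates the IT Act change: section 44 omits section 43A of the IT Act, but section 72A is not omitted and remains in force, so "no longer applies to personal data protection" should be narrowed to the 43A compensation regime. Suggest renumbering the headings to the Act, replacing the 33(2) list with the statutory factors, and rewording the last sentence to "Section 44 omits section 43A of the IT Act; section 72A is untouched."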
