bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,319 +1,319 @@
1
- # DPDPA — Section-by-Section Reference
2
-
3
- Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
4
- 44 Sections across 9 Chapters.
5
-
6
- ---
7
-
8
- ## Chapter I — Preliminary (Sections 1–3)
9
-
10
- ### Section 1 — Short Title, Extent, Commencement and Application
11
- Establishes the short title: "Digital Personal Data Protection Act, 2023."
12
- - Extends to the whole of India
13
- - Commencement by phased notification in the Official Gazette
14
- - Applies to digital personal data processing within India AND processing outside India
15
- related to offering goods or services to individuals located in India
16
-
17
- ### Section 2 — Definitions
18
- 28 defined terms including:
19
-
20
- | Term | Definition |
21
- |------|-----------|
22
- | **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
23
- | **Board** | Data Protection Board of India |
24
- | **Child** | Individual who has not completed **18 years of age** |
25
- | **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
26
- | **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
27
- | **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
28
- | **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
29
- | **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
30
- | **Digital personal data** | Personal data in digital form |
31
- | **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
32
- | **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
33
- | **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
34
- | **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
35
- | **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
36
-
37
- ### Section 3 — Application (Territorial Scope)
38
- The Act applies to:
39
- - Processing of digital personal data **within India**, and
40
- - Processing **outside India** if it relates to offering goods or services to individuals
41
- located in India at the time the personal data is collected
42
-
43
- Partial exemption: Processing under contracts with foreign entities of data of
44
- Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
45
-
46
- ---
47
-
48
- ## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
49
-
50
- ### Section 4 — Grounds for Processing Personal Data
51
- Two and only two lawful bases:
52
- - **(a) Consent** as specified in Section 6
53
- - **(b) Certain legitimate uses** as enumerated in Section 7
54
-
55
- No other lawful basis exists. Processing outside these two grounds is unlawful.
56
-
57
- ### Section 5 — Notice to Data Principal
58
- Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
59
- - In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
60
- - As a standalone, independent document (not bundled in T&Cs)
61
- - Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
62
-
63
- **Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
64
-
65
- **Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
66
-
67
- ### Section 6 — Consent
68
- Consent must be:
69
- - **Free** — not conditioned on acceptance of services
70
- - **Specific** — for a particular specified purpose
71
- - **Informed** — given after receiving the Section 5 notice
72
- - **Unconditional** — no conditions or coercion
73
- - **Unambiguous** — expressed by clear affirmative action
74
-
75
- **Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
76
-
77
- **Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
78
-
79
- **Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
80
-
81
- **Section 6(6):** Consent obtained in violation of these requirements is void.
82
-
83
- ### Section 7 — Certain Legitimate Uses (Closed List)
84
- Eight enumerated legitimate uses where consent is NOT required:
85
-
86
- 1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
87
- 2. State benefits, subsidies, services, certificates, licenses, or permits
88
- 3. State functions under Indian law or interests of sovereignty/security/integrity
89
- 4. Legal obligation to disclose to State or its instrumentalities
90
- 5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
91
- 6. Disaster management per the Disaster Management Act, 2005
92
- 7. Medical emergencies and safeguarding individuals during disasters or epidemics
93
- 8. Other prescribed purposes as notified by Central Government
94
-
95
- > **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
96
-
97
- This list is **exhaustive**. No general "legitimate interests" balancing test.
98
-
99
- ### Section 8 — General Obligations of Data Fiduciary
100
- Every Data Fiduciary must:
101
-
102
- 1. **Appoint Data Processors under contract** — valid written contract per Rule 16
103
- 2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
104
- 3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
105
- 4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
106
- 5. **Direct Processors to erase** data upon termination of processing engagement
107
- 6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
108
- 7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
109
-
110
- **Section 8(7) — Retention and Erasure:**
111
- Data Fiduciaries must erase data from their systems and from Processors' systems upon:
112
- - Withdrawal of consent (unless retention required by law)
113
- - Purpose fulfilment
114
- - Section 12(3) erasure request
115
-
116
- ### Section 9 — Processing of Children's Personal Data
117
- **Age threshold:** Under 18 years.
118
-
119
- **Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
120
-
121
- **Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
122
- - Tracking or behavioural monitoring of children
123
- - Targeted advertising directed at children
124
- - Any processing likely to cause detrimental effect on child's well-being
125
-
126
- **Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
127
-
128
- **Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
129
-
130
- ### Section 10 — Additional Obligations of Significant Data Fiduciaries
131
-
132
- **Designation:** Central Government notifies entities as SDFs based on:
133
- - Volume and sensitivity of data processed
134
- - Risk of harm to Data Principals' rights
135
- - Impact on India's sovereignty, integrity, security
136
- - Risk to electoral democracy or public order
137
-
138
- **Additional obligations (beyond Section 8):**
139
- - **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
140
- - **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
141
- - **Annual independent data audit** — by qualified external auditor; report submitted to the Board
142
- - **Data localization** — specified data categories must remain within India (when notified)
143
- - **Comply with any other prescribed measures** as directed by government
144
-
145
- ---
146
-
147
- ## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
148
-
149
- ### Section 11 — Right to Access Information
150
- Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
151
- - Summary of personal data being processed
152
- - Description of the processing activities (purpose, legal basis, duration)
153
- - Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
154
- - Description of personal data shared with each recipient
155
-
156
- ### Section 12 — Right to Correction, Completion, Updating, and Erasure
157
- Data Principals may:
158
- - **(12(1)(a))** Request correction of inaccurate or misleading personal data
159
- - **(12(1)(b))** Request completion of incomplete personal data
160
- - **(12(1)(c))** Request updating of outdated personal data
161
- - **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
162
-
163
- **Limitations on erasure (Section 12(4)):**
164
- Data Fiduciaries may refuse erasure where:
165
- - Retention necessary for the specified purpose
166
- - Retention required by law (statutory record-keeping)
167
- - Retention necessary to enforce/defend legal rights or claims
168
-
169
- ### Section 13 — Right of Grievance Redressal
170
- - Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
171
- - Mechanism must be accessible, responsive, and as prescribed by rules
172
- - Data Fiduciaries must respond within the prescribed timeframe
173
- - **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
174
-
175
- ### Section 14 — Right to Nominate
176
- Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
177
- - Death of the Data Principal, or
178
- - Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
179
-
180
- Nominees exercise rights as if they were the Data Principal.
181
-
182
- ### Section 15 — Duties of Data Principal
183
- Data Principals must:
184
- - Comply with all applicable laws when exercising rights
185
- - Not register false or frivolous complaints with Fiduciaries or the Board
186
- - Not furnish false particulars or suppress material information
187
- - Not impersonate another individual
188
- - Not misuse their rights to harass Data Fiduciaries
189
-
190
- Breach of these duties: penalty up to **₹10,000** (personal liability).
191
-
192
- ---
193
-
194
- ## Chapter IV — Special Provisions (Sections 16–17)
195
-
196
- ### Section 16 — Transfer of Personal Data Outside India
197
- **Mechanism: Blacklist approach**
198
-
199
- Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
200
-
201
- **Current status (April 2026):** No countries have been notified. All transfers currently permitted.
202
-
203
- **Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
204
-
205
- **Operational guidance:**
206
- - Transfers permitted to all countries absent a notification
207
- - Apply contractual safeguards with recipients regardless
208
- - Do not assume permanent unrestricted status; plan for potential future restrictions
209
- - Sensitive data categories: apply enhanced protection even when transfer is technically permitted
210
-
211
- ### Section 17 — Exemptions
212
- Exemptions from Chapters II, III, and Section 16:
213
-
214
- | # | Category | Scope of Exemption |
215
- |---|----------|-------------------|
216
- | (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
217
- | (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
218
- | (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
219
- | (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
220
- | (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
221
- | (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
222
- | (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
223
- | (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
224
- | (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
225
- | (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
226
-
227
- ---
228
-
229
- ## Chapter V — Data Protection Board of India (Sections 18–26)
230
-
231
- ### Section 18 — Establishment
232
- Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
233
-
234
- ### Section 19 — Composition
235
- - **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
236
- - **Members** — Notified number; appointed by Central Government; similar qualification criteria
237
-
238
- ### Section 20–21 — Tenure and Removal
239
- Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
240
-
241
- ### Section 22–23 — Officers, Employees, and Public Servant Status
242
- Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
243
-
244
- ### Section 24 — Chairperson's Powers
245
- Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
246
-
247
- ### Section 25 — Powers and Functions of the Board
248
- - Receive and adjudicate complaints from Data Principals
249
- - Investigate personal data breaches
250
- - Issue financial penalties
251
- - Issue binding compliance directions
252
- - Facilitate alternate dispute resolution
253
- - Accept voluntary undertakings from Data Fiduciaries
254
-
255
- ### Section 26 — Procedure
256
- Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
257
-
258
- ---
259
-
260
- ## Chapter VI — Appeals and ADR (Sections 27–32)
261
-
262
- ### Section 27 — Appeal to TDSAT
263
- Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
264
-
265
- ### Section 28 — TDSAT Orders Executable as Civil Decree
266
- TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
267
-
268
- ### Section 29 — Alternate Dispute Resolution
269
- Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
270
-
271
- ### Section 30 — Voluntary Undertaking
272
- Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
273
-
274
- ### Section 31 — Limitation for Filing Complaint
275
- Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
276
-
277
- ### Section 32 — Protection of Actions Taken in Good Faith
278
- Board members and staff protected from civil/criminal liability for good faith actions.
279
-
280
- ---
281
-
282
- ## Chapter VII — Penalties (Sections 33–34)
283
-
284
- ### Section 33 — Financial Penalties
285
- **Penalty Schedule:**
286
-
287
- | Violation | Maximum Penalty |
288
- |-----------|----------------|
289
- | Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
290
- | Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
291
- | Violation of children's data obligations (Section 9) | ₹200 crore |
292
- | SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
293
- | Breach of voluntary undertaking (Section 30) | ₹50 crore |
294
- | Other violations | ₹50 crore |
295
- | Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
296
-
297
- **Section 33(2) — Seven factors for penalty determination:**
298
- 1. Nature and gravity of the violation
299
- 2. Scale of impact on Data Principals
300
- 3. Frequency (first-time vs. repeated)
301
- 4. Promptness of remediation and cooperation
302
- 5. Proportionality to violator's financial condition
303
- 6. Intentionality vs. negligence
304
- 7. Other prescribed factors
305
-
306
- ### Section 34 — Crediting of Penalties
307
- All penalty amounts credited to the Consolidated Fund of India.
308
-
309
- ---
310
-
311
- ## Chapter VIII — Miscellaneous (Sections 35–44)
312
-
313
- ### Section 35 — Power to Make Rules
314
- Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
315
-
316
- ### Section 36–44
317
- Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
318
-
319
- **Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.
1
+ # DPDPA — Section-by-Section Reference
2
+
3
+ Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
4
+ 44 Sections across 9 Chapters.
5
+
6
+ ---
7
+
8
+ ## Chapter I — Preliminary (Sections 1–3)
9
+
10
+ ### Section 1 — Short Title, Extent, Commencement and Application
11
+ Establishes the short title: "Digital Personal Data Protection Act, 2023."
12
+ - Extends to the whole of India
13
+ - Commencement by phased notification in the Official Gazette
14
+ - Applies to digital personal data processing within India AND processing outside India
15
+ related to offering goods or services to individuals located in India
16
+
17
+ ### Section 2 — Definitions
18
+ 28 defined terms including:
19
+
20
+ | Term | Definition |
21
+ |------|-----------|
22
+ | **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
23
+ | **Board** | Data Protection Board of India |
24
+ | **Child** | Individual who has not completed **18 years of age** |
25
+ | **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
26
+ | **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
27
+ | **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
28
+ | **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
29
+ | **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
30
+ | **Digital personal data** | Personal data in digital form |
31
+ | **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
32
+ | **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
33
+ | **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
34
+ | **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
35
+ | **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
36
+
37
+ ### Section 3 — Application (Territorial Scope)
38
+ The Act applies to:
39
+ - Processing of digital personal data **within India**, and
40
+ - Processing **outside India** if it relates to offering goods or services to individuals
41
+ located in India at the time the personal data is collected
42
+
43
+ Partial exemption: Processing under contracts with foreign entities of data of
44
+ Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
45
+
46
+ ---
47
+
48
+ ## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
49
+
50
+ ### Section 4 — Grounds for Processing Personal Data
51
+ Two and only two lawful bases:
52
+ - **(a) Consent** as specified in Section 6
53
+ - **(b) Certain legitimate uses** as enumerated in Section 7
54
+
55
+ No other lawful basis exists. Processing outside these two grounds is unlawful.
56
+
57
+ ### Section 5 — Notice to Data Principal
58
+ Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
59
+ - In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
60
+ - As a standalone, independent document (not bundled in T&Cs)
61
+ - Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
62
+
63
+ **Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
64
+
65
+ **Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
66
+
67
+ ### Section 6 — Consent
68
+ Consent must be:
69
+ - **Free** — not conditioned on acceptance of services
70
+ - **Specific** — for a particular specified purpose
71
+ - **Informed** — given after receiving the Section 5 notice
72
+ - **Unconditional** — no conditions or coercion
73
+ - **Unambiguous** — expressed by clear affirmative action
74
+
75
+ **Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
76
+
77
+ **Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
78
+
79
+ **Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
80
+
81
+ **Section 6(6):** Consent obtained in violation of these requirements is void.
82
+
83
+ ### Section 7 — Certain Legitimate Uses (Closed List)
84
+ Eight enumerated legitimate uses where consent is NOT required:
85
+
86
+ 1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
87
+ 2. State benefits, subsidies, services, certificates, licenses, or permits
88
+ 3. State functions under Indian law or interests of sovereignty/security/integrity
89
+ 4. Legal obligation to disclose to State or its instrumentalities
90
+ 5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
91
+ 6. Disaster management per the Disaster Management Act, 2005
92
+ 7. Medical emergencies and safeguarding individuals during disasters or epidemics
93
+ 8. Other prescribed purposes as notified by Central Government
94
+
95
+ > **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
96
+
97
+ This list is **exhaustive**. No general "legitimate interests" balancing test.
98
+
99
+ ### Section 8 — General Obligations of Data Fiduciary
100
+ Every Data Fiduciary must:
101
+
102
+ 1. **Appoint Data Processors under contract** — valid written contract per Rule 16
103
+ 2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
104
+ 3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
105
+ 4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
106
+ 5. **Direct Processors to erase** data upon termination of processing engagement
107
+ 6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
108
+ 7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
109
+
110
+ **Section 8(7) — Retention and Erasure:**
111
+ Data Fiduciaries must erase data from their systems and from Processors' systems upon:
112
+ - Withdrawal of consent (unless retention required by law)
113
+ - Purpose fulfilment
114
+ - Section 12(3) erasure request
115
+
116
+ ### Section 9 — Processing of Children's Personal Data
117
+ **Age threshold:** Under 18 years.
118
+
119
+ **Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
120
+
121
+ **Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
122
+ - Tracking or behavioural monitoring of children
123
+ - Targeted advertising directed at children
124
+ - Any processing likely to cause detrimental effect on child's well-being
125
+
126
+ **Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
127
+
128
+ **Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
129
+
130
+ ### Section 10 — Additional Obligations of Significant Data Fiduciaries
131
+
132
+ **Designation:** Central Government notifies entities as SDFs based on:
133
+ - Volume and sensitivity of data processed
134
+ - Risk of harm to Data Principals' rights
135
+ - Impact on India's sovereignty, integrity, security
136
+ - Risk to electoral democracy or public order
137
+
138
+ **Additional obligations (beyond Section 8):**
139
+ - **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
140
+ - **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
141
+ - **Annual independent data audit** — by qualified external auditor; report submitted to the Board
142
+ - **Data localization** — specified data categories must remain within India (when notified)
143
+ - **Comply with any other prescribed measures** as directed by government
144
+
145
+ ---
146
+
147
+ ## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
148
+
149
+ ### Section 11 — Right to Access Information
150
+ Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
151
+ - Summary of personal data being processed
152
+ - Description of the processing activities (purpose, legal basis, duration)
153
+ - Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
154
+ - Description of personal data shared with each recipient
155
+
156
+ ### Section 12 — Right to Correction, Completion, Updating, and Erasure
157
+ Data Principals may:
158
+ - **(12(1)(a))** Request correction of inaccurate or misleading personal data
159
+ - **(12(1)(b))** Request completion of incomplete personal data
160
+ - **(12(1)(c))** Request updating of outdated personal data
161
+ - **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
162
+
163
+ **Limitations on erasure (Section 12(4)):**
164
+ Data Fiduciaries may refuse erasure where:
165
+ - Retention necessary for the specified purpose
166
+ - Retention required by law (statutory record-keeping)
167
+ - Retention necessary to enforce/defend legal rights or claims
168
+
169
+ ### Section 13 — Right of Grievance Redressal
170
+ - Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
171
+ - Mechanism must be accessible, responsive, and as prescribed by rules
172
+ - Data Fiduciaries must respond within the prescribed timeframe
173
+ - **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
174
+
175
+ ### Section 14 — Right to Nominate
176
+ Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
177
+ - Death of the Data Principal, or
178
+ - Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
179
+
180
+ Nominees exercise rights as if they were the Data Principal.
181
+
182
+ ### Section 15 — Duties of Data Principal
183
+ Data Principals must:
184
+ - Comply with all applicable laws when exercising rights
185
+ - Not register false or frivolous complaints with Fiduciaries or the Board
186
+ - Not furnish false particulars or suppress material information
187
+ - Not impersonate another individual
188
+ - Not misuse their rights to harass Data Fiduciaries
189
+
190
+ Breach of these duties: penalty up to **₹10,000** (personal liability).
191
+
192
+ ---
193
+
194
+ ## Chapter IV — Special Provisions (Sections 16–17)
195
+
196
+ ### Section 16 — Transfer of Personal Data Outside India
197
+ **Mechanism: Blacklist approach**
198
+
199
+ Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
200
+
201
+ **Current status (April 2026):** No countries have been notified. All transfers currently permitted.
202
+
203
+ **Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
204
+
205
+ **Operational guidance:**
206
+ - Transfers permitted to all countries absent a notification
207
+ - Apply contractual safeguards with recipients regardless
208
+ - Do not assume permanent unrestricted status; plan for potential future restrictions
209
+ - Sensitive data categories: apply enhanced protection even when transfer is technically permitted
210
+
211
+ ### Section 17 — Exemptions
212
+ Exemptions from Chapters II, III, and Section 16:
213
+
214
+ | # | Category | Scope of Exemption |
215
+ |---|----------|-------------------|
216
+ | (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
217
+ | (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
218
+ | (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
219
+ | (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
220
+ | (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
221
+ | (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
222
+ | (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
223
+ | (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
224
+ | (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
225
+ | (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
226
+
227
+ ---
228
+
229
+ ## Chapter V — Data Protection Board of India (Sections 18–26)
230
+
231
+ ### Section 18 — Establishment
232
+ Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
233
+
234
+ ### Section 19 — Composition
235
+ - **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
236
+ - **Members** — Notified number; appointed by Central Government; similar qualification criteria
237
+
238
+ ### Section 20–21 — Tenure and Removal
239
+ Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
240
+
241
+ ### Section 22–23 — Officers, Employees, and Public Servant Status
242
+ Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
243
+
244
+ ### Section 24 — Chairperson's Powers
245
+ Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
246
+
247
+ ### Section 25 — Powers and Functions of the Board
248
+ - Receive and adjudicate complaints from Data Principals
249
+ - Investigate personal data breaches
250
+ - Issue financial penalties
251
+ - Issue binding compliance directions
252
+ - Facilitate alternate dispute resolution
253
+ - Accept voluntary undertakings from Data Fiduciaries
254
+
255
+ ### Section 26 — Procedure
256
+ Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
257
+
258
+ ---
259
+
260
+ ## Chapter VI — Appeals and ADR (Sections 27–32)
261
+
262
+ ### Section 27 — Appeal to TDSAT
263
+ Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
264
+
265
+ ### Section 28 — TDSAT Orders Executable as Civil Decree
266
+ TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
267
+
268
+ ### Section 29 — Alternate Dispute Resolution
269
+ Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
270
+
271
+ ### Section 30 — Voluntary Undertaking
272
+ Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
273
+
274
+ ### Section 31 — Limitation for Filing Complaint
275
+ Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
276
+
277
+ ### Section 32 — Protection of Actions Taken in Good Faith
278
+ Board members and staff protected from civil/criminal liability for good faith actions.
279
+
280
+ ---
281
+
282
+ ## Chapter VII — Penalties (Sections 33–34)
283
+
284
+ ### Section 33 — Financial Penalties
285
+ **Penalty Schedule:**
286
+
287
+ | Violation | Maximum Penalty |
288
+ |-----------|----------------|
289
+ | Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
290
+ | Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
291
+ | Violation of children's data obligations (Section 9) | ₹200 crore |
292
+ | SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
293
+ | Breach of voluntary undertaking (Section 30) | ₹50 crore |
294
+ | Other violations | ₹50 crore |
295
+ | Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
296
+
297
+ **Section 33(2) — Seven factors for penalty determination:**
298
+ 1. Nature and gravity of the violation
299
+ 2. Scale of impact on Data Principals
300
+ 3. Frequency (first-time vs. repeated)
301
+ 4. Promptness of remediation and cooperation
302
+ 5. Proportionality to violator's financial condition
303
+ 6. Intentionality vs. negligence
304
+ 7. Other prescribed factors
305
+
306
+ ### Section 34 — Crediting of Penalties
307
+ All penalty amounts credited to the Consolidated Fund of India.
308
+
309
+ ---
310
+
311
+ ## Chapter VIII — Miscellaneous (Sections 35–44)
312
+
313
+ ### Section 35 — Power to Make Rules
314
+ Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
315
+
316
+ ### Section 36–44
317
+ Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
318
+
319
+ **Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.