bmad-plus 0.7.5 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +479 -425
- package/LICENSE +21 -21
- package/README.md +557 -447
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +584 -426
- package/readme-international/README.es.md +601 -518
- package/readme-international/README.fr.md +599 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
- package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/bmad-plus-npx.js +3 -5
- package/tools/cli/commands/autoconfig.js +508 -489
- package/tools/cli/commands/doctor.js +219 -222
- package/tools/cli/commands/install.js +548 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +362 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +116 -174
- package/tools/cli/i18n.js +845 -763
- package/tools/cli/lib/memory-init.js +114 -0
- package/tools/cli/lib/pack-copy.js +84 -0
- package/tools/cli/lib/packs.js +114 -0
|
@@ -1,319 +1,319 @@
|
|
|
1
|
-
# DPDPA — Section-by-Section Reference
|
|
2
|
-
|
|
3
|
-
Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
|
|
4
|
-
44 Sections across 9 Chapters.
|
|
5
|
-
|
|
6
|
-
---
|
|
7
|
-
|
|
8
|
-
## Chapter I — Preliminary (Sections 1–3)
|
|
9
|
-
|
|
10
|
-
### Section 1 — Short Title, Extent, Commencement and Application
|
|
11
|
-
Establishes the short title: "Digital Personal Data Protection Act, 2023."
|
|
12
|
-
- Extends to the whole of India
|
|
13
|
-
- Commencement by phased notification in the Official Gazette
|
|
14
|
-
- Applies to digital personal data processing within India AND processing outside India
|
|
15
|
-
related to offering goods or services to individuals located in India
|
|
16
|
-
|
|
17
|
-
### Section 2 — Definitions
|
|
18
|
-
28 defined terms including:
|
|
19
|
-
|
|
20
|
-
| Term | Definition |
|
|
21
|
-
|------|-----------|
|
|
22
|
-
| **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
|
|
23
|
-
| **Board** | Data Protection Board of India |
|
|
24
|
-
| **Child** | Individual who has not completed **18 years of age** |
|
|
25
|
-
| **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
|
|
26
|
-
| **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
|
|
27
|
-
| **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
|
|
28
|
-
| **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
|
|
29
|
-
| **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
|
|
30
|
-
| **Digital personal data** | Personal data in digital form |
|
|
31
|
-
| **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
|
|
32
|
-
| **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
|
|
33
|
-
| **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
|
|
34
|
-
| **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
|
|
35
|
-
| **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
|
|
36
|
-
|
|
37
|
-
### Section 3 — Application (Territorial Scope)
|
|
38
|
-
The Act applies to:
|
|
39
|
-
- Processing of digital personal data **within India**, and
|
|
40
|
-
- Processing **outside India** if it relates to offering goods or services to individuals
|
|
41
|
-
located in India at the time the personal data is collected
|
|
42
|
-
|
|
43
|
-
Partial exemption: Processing under contracts with foreign entities of data of
|
|
44
|
-
Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
|
|
45
|
-
|
|
46
|
-
---
|
|
47
|
-
|
|
48
|
-
## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
|
|
49
|
-
|
|
50
|
-
### Section 4 — Grounds for Processing Personal Data
|
|
51
|
-
Two and only two lawful bases:
|
|
52
|
-
- **(a) Consent** as specified in Section 6
|
|
53
|
-
- **(b) Certain legitimate uses** as enumerated in Section 7
|
|
54
|
-
|
|
55
|
-
No other lawful basis exists. Processing outside these two grounds is unlawful.
|
|
56
|
-
|
|
57
|
-
### Section 5 — Notice to Data Principal
|
|
58
|
-
Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
|
|
59
|
-
- In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
|
|
60
|
-
- As a standalone, independent document (not bundled in T&Cs)
|
|
61
|
-
- Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
|
|
62
|
-
|
|
63
|
-
**Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
|
|
64
|
-
|
|
65
|
-
**Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
|
|
66
|
-
|
|
67
|
-
### Section 6 — Consent
|
|
68
|
-
Consent must be:
|
|
69
|
-
- **Free** — not conditioned on acceptance of services
|
|
70
|
-
- **Specific** — for a particular specified purpose
|
|
71
|
-
- **Informed** — given after receiving the Section 5 notice
|
|
72
|
-
- **Unconditional** — no conditions or coercion
|
|
73
|
-
- **Unambiguous** — expressed by clear affirmative action
|
|
74
|
-
|
|
75
|
-
**Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
|
|
76
|
-
|
|
77
|
-
**Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
|
|
78
|
-
|
|
79
|
-
**Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
|
|
80
|
-
|
|
81
|
-
**Section 6(6):** Consent obtained in violation of these requirements is void.
|
|
82
|
-
|
|
83
|
-
### Section 7 — Certain Legitimate Uses (Closed List)
|
|
84
|
-
Eight enumerated legitimate uses where consent is NOT required:
|
|
85
|
-
|
|
86
|
-
1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
|
|
87
|
-
2. State benefits, subsidies, services, certificates, licenses, or permits
|
|
88
|
-
3. State functions under Indian law or interests of sovereignty/security/integrity
|
|
89
|
-
4. Legal obligation to disclose to State or its instrumentalities
|
|
90
|
-
5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
|
|
91
|
-
6. Disaster management per the Disaster Management Act, 2005
|
|
92
|
-
7. Medical emergencies and safeguarding individuals during disasters or epidemics
|
|
93
|
-
8. Other prescribed purposes as notified by Central Government
|
|
94
|
-
|
|
95
|
-
> **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
|
|
96
|
-
|
|
97
|
-
This list is **exhaustive**. No general "legitimate interests" balancing test.
|
|
98
|
-
|
|
99
|
-
### Section 8 — General Obligations of Data Fiduciary
|
|
100
|
-
Every Data Fiduciary must:
|
|
101
|
-
|
|
102
|
-
1. **Appoint Data Processors under contract** — valid written contract per Rule 16
|
|
103
|
-
2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
|
|
104
|
-
3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
|
|
105
|
-
4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
|
|
106
|
-
5. **Direct Processors to erase** data upon termination of processing engagement
|
|
107
|
-
6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
|
|
108
|
-
7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
|
|
109
|
-
|
|
110
|
-
**Section 8(7) — Retention and Erasure:**
|
|
111
|
-
Data Fiduciaries must erase data from their systems and from Processors' systems upon:
|
|
112
|
-
- Withdrawal of consent (unless retention required by law)
|
|
113
|
-
- Purpose fulfilment
|
|
114
|
-
- Section 12(3) erasure request
|
|
115
|
-
|
|
116
|
-
### Section 9 — Processing of Children's Personal Data
|
|
117
|
-
**Age threshold:** Under 18 years.
|
|
118
|
-
|
|
119
|
-
**Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
|
|
120
|
-
|
|
121
|
-
**Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
|
|
122
|
-
- Tracking or behavioural monitoring of children
|
|
123
|
-
- Targeted advertising directed at children
|
|
124
|
-
- Any processing likely to cause detrimental effect on child's well-being
|
|
125
|
-
|
|
126
|
-
**Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
|
|
127
|
-
|
|
128
|
-
**Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
|
|
129
|
-
|
|
130
|
-
### Section 10 — Additional Obligations of Significant Data Fiduciaries
|
|
131
|
-
|
|
132
|
-
**Designation:** Central Government notifies entities as SDFs based on:
|
|
133
|
-
- Volume and sensitivity of data processed
|
|
134
|
-
- Risk of harm to Data Principals' rights
|
|
135
|
-
- Impact on India's sovereignty, integrity, security
|
|
136
|
-
- Risk to electoral democracy or public order
|
|
137
|
-
|
|
138
|
-
**Additional obligations (beyond Section 8):**
|
|
139
|
-
- **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
|
|
140
|
-
- **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
|
|
141
|
-
- **Annual independent data audit** — by qualified external auditor; report submitted to the Board
|
|
142
|
-
- **Data localization** — specified data categories must remain within India (when notified)
|
|
143
|
-
- **Comply with any other prescribed measures** as directed by government
|
|
144
|
-
|
|
145
|
-
---
|
|
146
|
-
|
|
147
|
-
## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
|
|
148
|
-
|
|
149
|
-
### Section 11 — Right to Access Information
|
|
150
|
-
Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
|
|
151
|
-
- Summary of personal data being processed
|
|
152
|
-
- Description of the processing activities (purpose, legal basis, duration)
|
|
153
|
-
- Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
|
|
154
|
-
- Description of personal data shared with each recipient
|
|
155
|
-
|
|
156
|
-
### Section 12 — Right to Correction, Completion, Updating, and Erasure
|
|
157
|
-
Data Principals may:
|
|
158
|
-
- **(12(1)(a))** Request correction of inaccurate or misleading personal data
|
|
159
|
-
- **(12(1)(b))** Request completion of incomplete personal data
|
|
160
|
-
- **(12(1)(c))** Request updating of outdated personal data
|
|
161
|
-
- **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
|
|
162
|
-
|
|
163
|
-
**Limitations on erasure (Section 12(4)):**
|
|
164
|
-
Data Fiduciaries may refuse erasure where:
|
|
165
|
-
- Retention necessary for the specified purpose
|
|
166
|
-
- Retention required by law (statutory record-keeping)
|
|
167
|
-
- Retention necessary to enforce/defend legal rights or claims
|
|
168
|
-
|
|
169
|
-
### Section 13 — Right of Grievance Redressal
|
|
170
|
-
- Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
|
|
171
|
-
- Mechanism must be accessible, responsive, and as prescribed by rules
|
|
172
|
-
- Data Fiduciaries must respond within the prescribed timeframe
|
|
173
|
-
- **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
|
|
174
|
-
|
|
175
|
-
### Section 14 — Right to Nominate
|
|
176
|
-
Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
|
|
177
|
-
- Death of the Data Principal, or
|
|
178
|
-
- Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
|
|
179
|
-
|
|
180
|
-
Nominees exercise rights as if they were the Data Principal.
|
|
181
|
-
|
|
182
|
-
### Section 15 — Duties of Data Principal
|
|
183
|
-
Data Principals must:
|
|
184
|
-
- Comply with all applicable laws when exercising rights
|
|
185
|
-
- Not register false or frivolous complaints with Fiduciaries or the Board
|
|
186
|
-
- Not furnish false particulars or suppress material information
|
|
187
|
-
- Not impersonate another individual
|
|
188
|
-
- Not misuse their rights to harass Data Fiduciaries
|
|
189
|
-
|
|
190
|
-
Breach of these duties: penalty up to **₹10,000** (personal liability).
|
|
191
|
-
|
|
192
|
-
---
|
|
193
|
-
|
|
194
|
-
## Chapter IV — Special Provisions (Sections 16–17)
|
|
195
|
-
|
|
196
|
-
### Section 16 — Transfer of Personal Data Outside India
|
|
197
|
-
**Mechanism: Blacklist approach**
|
|
198
|
-
|
|
199
|
-
Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
|
|
200
|
-
|
|
201
|
-
**Current status (April 2026):** No countries have been notified. All transfers currently permitted.
|
|
202
|
-
|
|
203
|
-
**Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
|
|
204
|
-
|
|
205
|
-
**Operational guidance:**
|
|
206
|
-
- Transfers permitted to all countries absent a notification
|
|
207
|
-
- Apply contractual safeguards with recipients regardless
|
|
208
|
-
- Do not assume permanent unrestricted status; plan for potential future restrictions
|
|
209
|
-
- Sensitive data categories: apply enhanced protection even when transfer is technically permitted
|
|
210
|
-
|
|
211
|
-
### Section 17 — Exemptions
|
|
212
|
-
Exemptions from Chapters II, III, and Section 16:
|
|
213
|
-
|
|
214
|
-
| # | Category | Scope of Exemption |
|
|
215
|
-
|---|----------|-------------------|
|
|
216
|
-
| (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
|
|
217
|
-
| (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
|
|
218
|
-
| (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
|
|
219
|
-
| (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
|
|
220
|
-
| (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
|
|
221
|
-
| (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
|
|
222
|
-
| (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
|
|
223
|
-
| (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
|
|
224
|
-
| (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
|
|
225
|
-
| (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
|
|
226
|
-
|
|
227
|
-
---
|
|
228
|
-
|
|
229
|
-
## Chapter V — Data Protection Board of India (Sections 18–26)
|
|
230
|
-
|
|
231
|
-
### Section 18 — Establishment
|
|
232
|
-
Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
|
|
233
|
-
|
|
234
|
-
### Section 19 — Composition
|
|
235
|
-
- **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
|
|
236
|
-
- **Members** — Notified number; appointed by Central Government; similar qualification criteria
|
|
237
|
-
|
|
238
|
-
### Section 20–21 — Tenure and Removal
|
|
239
|
-
Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
|
|
240
|
-
|
|
241
|
-
### Section 22–23 — Officers, Employees, and Public Servant Status
|
|
242
|
-
Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
|
|
243
|
-
|
|
244
|
-
### Section 24 — Chairperson's Powers
|
|
245
|
-
Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
|
|
246
|
-
|
|
247
|
-
### Section 25 — Powers and Functions of the Board
|
|
248
|
-
- Receive and adjudicate complaints from Data Principals
|
|
249
|
-
- Investigate personal data breaches
|
|
250
|
-
- Issue financial penalties
|
|
251
|
-
- Issue binding compliance directions
|
|
252
|
-
- Facilitate alternate dispute resolution
|
|
253
|
-
- Accept voluntary undertakings from Data Fiduciaries
|
|
254
|
-
|
|
255
|
-
### Section 26 — Procedure
|
|
256
|
-
Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
|
|
257
|
-
|
|
258
|
-
---
|
|
259
|
-
|
|
260
|
-
## Chapter VI — Appeals and ADR (Sections 27–32)
|
|
261
|
-
|
|
262
|
-
### Section 27 — Appeal to TDSAT
|
|
263
|
-
Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
|
|
264
|
-
|
|
265
|
-
### Section 28 — TDSAT Orders Executable as Civil Decree
|
|
266
|
-
TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
|
|
267
|
-
|
|
268
|
-
### Section 29 — Alternate Dispute Resolution
|
|
269
|
-
Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
|
|
270
|
-
|
|
271
|
-
### Section 30 — Voluntary Undertaking
|
|
272
|
-
Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
|
|
273
|
-
|
|
274
|
-
### Section 31 — Limitation for Filing Complaint
|
|
275
|
-
Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
|
|
276
|
-
|
|
277
|
-
### Section 32 — Protection of Actions Taken in Good Faith
|
|
278
|
-
Board members and staff protected from civil/criminal liability for good faith actions.
|
|
279
|
-
|
|
280
|
-
---
|
|
281
|
-
|
|
282
|
-
## Chapter VII — Penalties (Sections 33–34)
|
|
283
|
-
|
|
284
|
-
### Section 33 — Financial Penalties
|
|
285
|
-
**Penalty Schedule:**
|
|
286
|
-
|
|
287
|
-
| Violation | Maximum Penalty |
|
|
288
|
-
|-----------|----------------|
|
|
289
|
-
| Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
|
|
290
|
-
| Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
|
|
291
|
-
| Violation of children's data obligations (Section 9) | ₹200 crore |
|
|
292
|
-
| SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
|
|
293
|
-
| Breach of voluntary undertaking (Section 30) | ₹50 crore |
|
|
294
|
-
| Other violations | ₹50 crore |
|
|
295
|
-
| Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
|
|
296
|
-
|
|
297
|
-
**Section 33(2) — Seven factors for penalty determination:**
|
|
298
|
-
1. Nature and gravity of the violation
|
|
299
|
-
2. Scale of impact on Data Principals
|
|
300
|
-
3. Frequency (first-time vs. repeated)
|
|
301
|
-
4. Promptness of remediation and cooperation
|
|
302
|
-
5. Proportionality to violator's financial condition
|
|
303
|
-
6. Intentionality vs. negligence
|
|
304
|
-
7. Other prescribed factors
|
|
305
|
-
|
|
306
|
-
### Section 34 — Crediting of Penalties
|
|
307
|
-
All penalty amounts credited to the Consolidated Fund of India.
|
|
308
|
-
|
|
309
|
-
---
|
|
310
|
-
|
|
311
|
-
## Chapter VIII — Miscellaneous (Sections 35–44)
|
|
312
|
-
|
|
313
|
-
### Section 35 — Power to Make Rules
|
|
314
|
-
Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
|
|
315
|
-
|
|
316
|
-
### Section 36–44
|
|
317
|
-
Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
|
|
318
|
-
|
|
319
|
-
**Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.
|
|
1
|
+
# DPDPA — Section-by-Section Reference
|
|
2
|
+
|
|
3
|
+
Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
|
|
4
|
+
44 Sections across 9 Chapters.
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Chapter I — Preliminary (Sections 1–3)
|
|
9
|
+
|
|
10
|
+
### Section 1 — Short Title, Extent, Commencement and Application
|
|
11
|
+
Establishes the short title: "Digital Personal Data Protection Act, 2023."
|
|
12
|
+
- Extends to the whole of India
|
|
13
|
+
- Commencement by phased notification in the Official Gazette
|
|
14
|
+
- Applies to digital personal data processing within India AND processing outside India
|
|
15
|
+
related to offering goods or services to individuals located in India
|
|
16
|
+
|
|
17
|
+
### Section 2 — Definitions
|
|
18
|
+
28 defined terms including:
|
|
19
|
+
|
|
20
|
+
| Term | Definition |
|
|
21
|
+
|------|-----------|
|
|
22
|
+
| **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
|
|
23
|
+
| **Board** | Data Protection Board of India |
|
|
24
|
+
| **Child** | Individual who has not completed **18 years of age** |
|
|
25
|
+
| **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
|
|
26
|
+
| **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
|
|
27
|
+
| **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
|
|
28
|
+
| **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
|
|
29
|
+
| **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
|
|
30
|
+
| **Digital personal data** | Personal data in digital form |
|
|
31
|
+
| **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
|
|
32
|
+
| **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
|
|
33
|
+
| **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
|
|
34
|
+
| **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
|
|
35
|
+
| **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
|
|
36
|
+
|
|
37
|
+
### Section 3 — Application (Territorial Scope)
|
|
38
|
+
The Act applies to:
|
|
39
|
+
- Processing of digital personal data **within India**, and
|
|
40
|
+
- Processing **outside India** if it relates to offering goods or services to individuals
|
|
41
|
+
located in India at the time the personal data is collected
|
|
42
|
+
|
|
43
|
+
Partial exemption: Processing under contracts with foreign entities of data of
|
|
44
|
+
Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
|
|
45
|
+
|
|
46
|
+
---
|
|
47
|
+
|
|
48
|
+
## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
|
|
49
|
+
|
|
50
|
+
### Section 4 — Grounds for Processing Personal Data
|
|
51
|
+
Two and only two lawful bases:
|
|
52
|
+
- **(a) Consent** as specified in Section 6
|
|
53
|
+
- **(b) Certain legitimate uses** as enumerated in Section 7
|
|
54
|
+
|
|
55
|
+
No other lawful basis exists. Processing outside these two grounds is unlawful.
|
|
56
|
+
|
|
57
|
+
### Section 5 — Notice to Data Principal
|
|
58
|
+
Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
|
|
59
|
+
- In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
|
|
60
|
+
- As a standalone, independent document (not bundled in T&Cs)
|
|
61
|
+
- Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
|
|
62
|
+
|
|
63
|
+
**Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
|
|
64
|
+
|
|
65
|
+
**Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
|
|
66
|
+
|
|
67
|
+
### Section 6 — Consent
|
|
68
|
+
Consent must be:
|
|
69
|
+
- **Free** — not conditioned on acceptance of services
|
|
70
|
+
- **Specific** — for a particular specified purpose
|
|
71
|
+
- **Informed** — given after receiving the Section 5 notice
|
|
72
|
+
- **Unconditional** — no conditions or coercion
|
|
73
|
+
- **Unambiguous** — expressed by clear affirmative action
|
|
74
|
+
|
|
75
|
+
**Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
|
|
76
|
+
|
|
77
|
+
**Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
|
|
78
|
+
|
|
79
|
+
**Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
|
|
80
|
+
|
|
81
|
+
**Section 6(6):** Consent obtained in violation of these requirements is void.
|
|
82
|
+
|
|
83
|
+
### Section 7 — Certain Legitimate Uses (Closed List)
|
|
84
|
+
Eight enumerated legitimate uses where consent is NOT required:
|
|
85
|
+
|
|
86
|
+
1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
|
|
87
|
+
2. State benefits, subsidies, services, certificates, licenses, or permits
|
|
88
|
+
3. State functions under Indian law or interests of sovereignty/security/integrity
|
|
89
|
+
4. Legal obligation to disclose to State or its instrumentalities
|
|
90
|
+
5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
|
|
91
|
+
6. Disaster management per the Disaster Management Act, 2005
|
|
92
|
+
7. Medical emergencies and safeguarding individuals during disasters or epidemics
|
|
93
|
+
8. Other prescribed purposes as notified by Central Government
|
|
94
|
+
|
|
95
|
+
> **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
|
|
96
|
+
|
|
97
|
+
This list is **exhaustive**. No general "legitimate interests" balancing test.
|
|
98
|
+
|
|
99
|
+
### Section 8 — General Obligations of Data Fiduciary
|
|
100
|
+
Every Data Fiduciary must:
|
|
101
|
+
|
|
102
|
+
1. **Appoint Data Processors under contract** — valid written contract per Rule 16
|
|
103
|
+
2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
|
|
104
|
+
3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
|
|
105
|
+
4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
|
|
106
|
+
5. **Direct Processors to erase** data upon termination of processing engagement
|
|
107
|
+
6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
|
|
108
|
+
7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
|
|
109
|
+
|
|
110
|
+
**Section 8(7) — Retention and Erasure:**
|
|
111
|
+
Data Fiduciaries must erase data from their systems and from Processors' systems upon:
|
|
112
|
+
- Withdrawal of consent (unless retention required by law)
|
|
113
|
+
- Purpose fulfilment
|
|
114
|
+
- Section 12(3) erasure request
|
|
115
|
+
|
|
116
|
+
### Section 9 — Processing of Children's Personal Data
|
|
117
|
+
**Age threshold:** Under 18 years.
|
|
118
|
+
|
|
119
|
+
**Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
|
|
120
|
+
|
|
121
|
+
**Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
|
|
122
|
+
- Tracking or behavioural monitoring of children
|
|
123
|
+
- Targeted advertising directed at children
|
|
124
|
+
- Any processing likely to cause detrimental effect on child's well-being
|
|
125
|
+
|
|
126
|
+
**Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
|
|
127
|
+
|
|
128
|
+
**Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
|
|
129
|
+
|
|
130
|
+
### Section 10 — Additional Obligations of Significant Data Fiduciaries
|
|
131
|
+
|
|
132
|
+
**Designation:** Central Government notifies entities as SDFs based on:
|
|
133
|
+
- Volume and sensitivity of data processed
|
|
134
|
+
- Risk of harm to Data Principals' rights
|
|
135
|
+
- Impact on India's sovereignty, integrity, security
|
|
136
|
+
- Risk to electoral democracy or public order
|
|
137
|
+
|
|
138
|
+
**Additional obligations (beyond Section 8):**
|
|
139
|
+
- **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
|
|
140
|
+
- **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
|
|
141
|
+
- **Annual independent data audit** — by qualified external auditor; report submitted to the Board
|
|
142
|
+
- **Data localization** — specified data categories must remain within India (when notified)
|
|
143
|
+
- **Comply with any other prescribed measures** as directed by government
|
|
144
|
+
|
|
145
|
+
---
|
|
146
|
+
|
|
147
|
+
## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
|
|
148
|
+
|
|
149
|
+
### Section 11 — Right to Access Information
|
|
150
|
+
Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
|
|
151
|
+
- Summary of personal data being processed
|
|
152
|
+
- Description of the processing activities (purpose, legal basis, duration)
|
|
153
|
+
- Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
|
|
154
|
+
- Description of personal data shared with each recipient
|
|
155
|
+
|
|
156
|
+
### Section 12 — Right to Correction, Completion, Updating, and Erasure
|
|
157
|
+
Data Principals may:
|
|
158
|
+
- **(12(1)(a))** Request correction of inaccurate or misleading personal data
|
|
159
|
+
- **(12(1)(b))** Request completion of incomplete personal data
|
|
160
|
+
- **(12(1)(c))** Request updating of outdated personal data
|
|
161
|
+
- **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
|
|
162
|
+
|
|
163
|
+
**Limitations on erasure (Section 12(4)):**
|
|
164
|
+
Data Fiduciaries may refuse erasure where:
|
|
165
|
+
- Retention necessary for the specified purpose
|
|
166
|
+
- Retention required by law (statutory record-keeping)
|
|
167
|
+
- Retention necessary to enforce/defend legal rights or claims
|
|
168
|
+
|
|
169
|
+
### Section 13 — Right of Grievance Redressal
|
|
170
|
+
- Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
|
|
171
|
+
- Mechanism must be accessible, responsive, and as prescribed by rules
|
|
172
|
+
- Data Fiduciaries must respond within the prescribed timeframe
|
|
173
|
+
- **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
|
|
174
|
+
|
|
175
|
+
### Section 14 — Right to Nominate
|
|
176
|
+
Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
|
|
177
|
+
- Death of the Data Principal, or
|
|
178
|
+
- Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
|
|
179
|
+
|
|
180
|
+
Nominees exercise rights as if they were the Data Principal.
|
|
181
|
+
|
|
182
|
+
### Section 15 — Duties of Data Principal
|
|
183
|
+
Data Principals must:
|
|
184
|
+
- Comply with all applicable laws when exercising rights
|
|
185
|
+
- Not register false or frivolous complaints with Fiduciaries or the Board
|
|
186
|
+
- Not furnish false particulars or suppress material information
|
|
187
|
+
- Not impersonate another individual
|
|
188
|
+
- Not misuse their rights to harass Data Fiduciaries
|
|
189
|
+
|
|
190
|
+
Breach of these duties: penalty up to **₹10,000** (personal liability).
|
|
191
|
+
|
|
192
|
+
---
|
|
193
|
+
|
|
194
|
+
## Chapter IV — Special Provisions (Sections 16–17)
|
|
195
|
+
|
|
196
|
+
### Section 16 — Transfer of Personal Data Outside India
|
|
197
|
+
**Mechanism: Blacklist approach**
|
|
198
|
+
|
|
199
|
+
Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
|
|
200
|
+
|
|
201
|
+
**Current status (April 2026):** No countries have been notified. All transfers currently permitted.
|
|
202
|
+
|
|
203
|
+
**Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
|
|
204
|
+
|
|
205
|
+
**Operational guidance:**
|
|
206
|
+
- Transfers permitted to all countries absent a notification
|
|
207
|
+
- Apply contractual safeguards with recipients regardless
|
|
208
|
+
- Do not assume permanent unrestricted status; plan for potential future restrictions
|
|
209
|
+
- Sensitive data categories: apply enhanced protection even when transfer is technically permitted
|
|
210
|
+
|
|
211
|
+
### Section 17 — Exemptions
|
|
212
|
+
Exemptions from Chapters II, III, and Section 16:
|
|
213
|
+
|
|
214
|
+
| # | Category | Scope of Exemption |
|
|
215
|
+
|---|----------|-------------------|
|
|
216
|
+
| (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
|
|
217
|
+
| (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
|
|
218
|
+
| (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
|
|
219
|
+
| (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
|
|
220
|
+
| (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
|
|
221
|
+
| (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
|
|
222
|
+
| (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
|
|
223
|
+
| (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
|
|
224
|
+
| (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
|
|
225
|
+
| (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
|
|
226
|
+
|
|
227
|
+
---
|
|
228
|
+
|
|
229
|
+
## Chapter V — Data Protection Board of India (Sections 18–26)
|
|
230
|
+
|
|
231
|
+
### Section 18 — Establishment
|
|
232
|
+
Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
|
|
233
|
+
|
|
234
|
+
### Section 19 — Composition
|
|
235
|
+
- **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
|
|
236
|
+
- **Members** — Notified number; appointed by Central Government; similar qualification criteria
|
|
237
|
+
|
|
238
|
+
### Section 20–21 — Tenure and Removal
|
|
239
|
+
Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
|
|
240
|
+
|
|
241
|
+
### Section 22–23 — Officers, Employees, and Public Servant Status
|
|
242
|
+
Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
|
|
243
|
+
|
|
244
|
+
### Section 24 — Chairperson's Powers
|
|
245
|
+
Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
|
|
246
|
+
|
|
247
|
+
### Section 25 — Powers and Functions of the Board
|
|
248
|
+
- Receive and adjudicate complaints from Data Principals
|
|
249
|
+
- Investigate personal data breaches
|
|
250
|
+
- Issue financial penalties
|
|
251
|
+
- Issue binding compliance directions
|
|
252
|
+
- Facilitate alternate dispute resolution
|
|
253
|
+
- Accept voluntary undertakings from Data Fiduciaries
|
|
254
|
+
|
|
255
|
+
### Section 26 — Procedure
|
|
256
|
+
Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
|
|
257
|
+
|
|
258
|
+
---
|
|
259
|
+
|
|
260
|
+
## Chapter VI — Appeals and ADR (Sections 27–32)
|
|
261
|
+
|
|
262
|
+
### Section 27 — Appeal to TDSAT
|
|
263
|
+
Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
|
|
264
|
+
|
|
265
|
+
### Section 28 — TDSAT Orders Executable as Civil Decree
|
|
266
|
+
TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
|
|
267
|
+
|
|
268
|
+
### Section 29 — Alternate Dispute Resolution
|
|
269
|
+
Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
|
|
270
|
+
|
|
271
|
+
### Section 30 — Voluntary Undertaking
|
|
272
|
+
Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
|
|
273
|
+
|
|
274
|
+
### Section 31 — Limitation for Filing Complaint
|
|
275
|
+
Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
|
|
276
|
+
|
|
277
|
+
### Section 32 — Protection of Actions Taken in Good Faith
|
|
278
|
+
Board members and staff protected from civil/criminal liability for good faith actions.
|
|
279
|
+
|
|
280
|
+
---
|
|
281
|
+
|
|
282
|
+
## Chapter VII — Penalties (Sections 33–34)
|
|
283
|
+
|
|
284
|
+
### Section 33 — Financial Penalties
|
|
285
|
+
**Penalty Schedule:**
|
|
286
|
+
|
|
287
|
+
| Violation | Maximum Penalty |
|
|
288
|
+
|-----------|----------------|
|
|
289
|
+
| Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
|
|
290
|
+
| Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
|
|
291
|
+
| Violation of children's data obligations (Section 9) | ₹200 crore |
|
|
292
|
+
| SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
|
|
293
|
+
| Breach of voluntary undertaking (Section 30) | ₹50 crore |
|
|
294
|
+
| Other violations | ₹50 crore |
|
|
295
|
+
| Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
|
|
296
|
+
|
|
297
|
+
**Section 33(2) — Seven factors for penalty determination:**
|
|
298
|
+
1. Nature and gravity of the violation
|
|
299
|
+
2. Scale of impact on Data Principals
|
|
300
|
+
3. Frequency (first-time vs. repeated)
|
|
301
|
+
4. Promptness of remediation and cooperation
|
|
302
|
+
5. Proportionality to violator's financial condition
|
|
303
|
+
6. Intentionality vs. negligence
|
|
304
|
+
7. Other prescribed factors
|
|
305
|
+
|
|
306
|
+
### Section 34 — Crediting of Penalties
|
|
307
|
+
All penalty amounts credited to the Consolidated Fund of India.
|
|
308
|
+
|
|
309
|
+
---
|
|
310
|
+
|
|
311
|
+
## Chapter VIII — Miscellaneous (Sections 35–44)
|
|
312
|
+
|
|
313
|
+
### Section 35 — Power to Make Rules
|
|
314
|
+
Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
|
|
315
|
+
|
|
316
|
+
### Section 36–44
|
|
317
|
+
Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
|
|
318
|
+
|
|
319
|
+
**Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.
|