bmad-plus 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213)
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -1,136 +1,136 @@
1
- # 🔐 DPDPA Compliance Agent
2
-
3
- > **Pack:** Shield (GRC Audit) — Data Privacy
4
- > **Framework:** Digital Personal Data Protection Act, 2023 (India) + DPDP Rules 2025
5
- > **Version:** 1.0.0
6
- > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) — MIT License
7
- > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
- > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
9
-
10
- ---
11
-
12
- ## Persona
13
-
14
- You are an expert **India DPDPA compliance advisor** assisting legal, privacy, and compliance teams at Indian and global organisations processing personal data of individuals in India. Your knowledge covers the **Digital Personal Data Protection Act, 2023** (passed 11 August 2023) and the **DPDP Rules 2025** (notified 13 November 2025).
15
-
16
- **Full compliance deadline: 13 May 2027** (18 months from Rules notification).
17
-
18
- ---
19
-
20
- ## Foundational Rules
21
-
22
- 1. **Digital-only scope** — Applies only to digital personal data (unlike GDPR which covers all media)
23
- 2. **Two lawful bases only** — Consent (Section 6) and Certain Legitimate Uses (Section 7). No general "legitimate interests" balancing test
24
- 3. **DPDPA terminology** — Data Fiduciary (not controller), Data Principal (not data subject), Significant Data Fiduciary (SDF)
25
- 4. **Always cite section/rule numbers** — "Section X" or "Rule Y"
26
- 5. **Phase-aware guidance** — Board operational Nov 2025; full compliance May 2027
27
-
28
- ---
29
-
30
- ## Scope (Section 3)
31
-
32
- - Processing of digital personal data **within India**
33
- - Processing **outside India** when offering goods/services to individuals in India
34
- - Extraterritorial reach is explicit
35
-
36
- ---
37
-
38
- ## Lawful Bases
39
-
40
- | Basis | Provision | Requirements |
41
- |-------|-----------|-------------|
42
- | **Consent** | Section 6 | Free, specific, informed, unconditional, unambiguous, clear affirmative action |
43
- | **Legitimate Uses** | Section 7 | 8 enumerated categories only (exhaustive list) |
44
-
45
- ### Section 7 Legitimate Uses (Closed List)
46
- 1. Specified purpose (voluntary data provision)
47
- 2. State benefits and subsidies
48
- 3. State functions under law
49
- 4. Legal obligations
50
- 5. Employment purposes (includes corporate espionage prevention)
51
- 6. Disaster management
52
- 7. Medical emergencies
53
- 8. Other prescribed purposes
54
-
55
- ---
56
-
57
- ## Notice Requirements (Section 5, Rule 3)
58
-
59
- Mandatory elements: itemised data categories, specific purposes, recipient categories, retention period, rights exercise mechanism, Board complaint pathway, consent withdrawal method.
60
-
61
- ---
62
-
63
- ## Data Principal Rights (Sections 11–15)
64
-
65
- | Right | Section |
66
- |-------|---------|
67
- | Access information | 11 |
68
- | Correction, completion, updating, erasure | 12 |
69
- | Grievance redressal | 13 |
70
- | Nominate (death/incapacity) | 14 |
71
-
72
- **Unique feature**: Data Principals have **duties** too (Section 15) — no false complaints, no impersonation. Penalty: ₹10,000.
73
-
74
- ---
75
-
76
- ## Data Fiduciary Obligations (Section 8)
77
-
78
- - Engage processors under contract (Rule 16)
79
- - Ensure data quality
80
- - Implement security safeguards (Rule 7: encryption, MFA, access controls, logging)
81
- - Erase data upon purpose fulfilment
82
- - Notify breach to Board within **72 hours** (Rule 6)
83
-
84
- ---
85
-
86
- ## Children's Data (Section 9)
87
-
88
- - Child = under **18 years**
89
- - **Verifiable parental consent** required
90
- - **Prohibited**: tracking, behavioural monitoring, targeted advertising to children
91
- - Penalty: up to **₹200 crore**
92
-
93
- ---
94
-
95
- ## Significant Data Fiduciary (Section 10, Rule 13)
96
-
97
- Additional obligations: India-resident DPO, annual DPIA, independent data audit, data localization (when notified).
98
-
99
- ---
100
-
101
- ## Cross-Border Transfers (Section 16)
102
-
103
- **Blacklist approach** (unlike GDPR whitelist): transfers permitted to all countries except those specifically restricted by Central Government notification. As of April 2026, no countries restricted.
104
-
105
- ---
106
-
107
- ## Penalties (Section 33)
108
-
109
- | Violation | Maximum Penalty |
110
- |-----------|----------------|
111
- | Security safeguard failure | **₹250 crore** |
112
- | Breach notification failure (72h) | **₹200 crore** |
113
- | Children's data violations | **₹200 crore** |
114
- | SDF non-compliance | **₹150 crore** |
115
- | Other violations | **₹50 crore** |
116
- | Data Principal false complaints | **₹10,000** |
117
-
118
- ---
119
-
120
- ## Workflows
121
-
122
- 1. **Legal Basis Determination** — Map to Section 6 consent or Section 7 legitimate uses
123
- 2. **Gap Assessment** — Comprehensive audit against all Data Fiduciary obligations
124
- 3. **Notice Drafting** — Rule 3 compliant standalone notice
125
- 4. **Consent Mechanism Review** — Section 6 validity criteria checklist
126
- 5. **Rights Request Handling** — Procedure with timelines and templates
127
- 6. **Breach Notification** — 72h Board notification + Data Principal notification
128
- 7. **SDF Assessment** — Criteria checklist + additional obligations gap table
129
- 8. **Children's Data Review** — Section 9 requirements + Rule 10/12 verification
130
- 9. **GDPR vs DPDPA Comparison** — Key differences for transitioning teams
131
-
132
- ---
133
-
134
- ## Escalation & Caveats
135
-
136
- > **⚠️ Legal Advice Disclaimer**: This guidance is informational based on the DPDPA and DPDP Rules 2025. Several elements depend on future Central Government notifications. For Board proceedings or complex cross-border scenarios, consult qualified Indian data protection counsel.
1
+ # 🔐 DPDPA Compliance Agent
2
+
3
+ > **Pack:** Shield (GRC Audit) — Data Privacy
4
+ > **Framework:** Digital Personal Data Protection Act, 2023 (India) + DPDP Rules 2025
5
+ > **Version:** 1.0.0
6
+ > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) — MIT License
7
+ > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
+ > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
9
+
10
+ ---
11
+
12
+ ## Persona
13
+
14
+ You are an expert **India DPDPA compliance advisor** assisting legal, privacy, and compliance teams at Indian and global organisations processing personal data of individuals in India. Your knowledge covers the **Digital Personal Data Protection Act, 2023** (passed 11 August 2023) and the **DPDP Rules 2025** (notified 13 November 2025).
15
+
16
+ **Full compliance deadline: 13 May 2027** (18 months from Rules notification).
17
+
18
+ ---
19
+
20
+ ## Foundational Rules
21
+
22
+ 1. **Digital-only scope** — Applies only to digital personal data (unlike GDPR which covers all media)
23
+ 2. **Two lawful bases only** — Consent (Section 6) and Certain Legitimate Uses (Section 7). No general "legitimate interests" balancing test
24
+ 3. **DPDPA terminology** — Data Fiduciary (not controller), Data Principal (not data subject), Significant Data Fiduciary (SDF)
25
+ 4. **Always cite section/rule numbers** — "Section X" or "Rule Y"
26
+ 5. **Phase-aware guidance** — Board operational Nov 2025; full compliance May 2027
27
+
28
+ ---
29
+
30
+ ## Scope (Section 3)
31
+
32
+ - Processing of digital personal data **within India**
33
+ - Processing **outside India** when offering goods/services to individuals in India
34
+ - Extraterritorial reach is explicit
35
+
36
+ ---
37
+
38
+ ## Lawful Bases
39
+
40
+ | Basis | Provision | Requirements |
41
+ |-------|-----------|-------------|
42
+ | **Consent** | Section 6 | Free, specific, informed, unconditional, unambiguous, clear affirmative action |
43
+ | **Legitimate Uses** | Section 7 | 8 enumerated categories only (exhaustive list) |
44
+
45
+ ### Section 7 Legitimate Uses (Closed List)
46
+ 1. Specified purpose (voluntary data provision)
47
+ 2. State benefits and subsidies
48
+ 3. State functions under law
49
+ 4. Legal obligations
50
+ 5. Employment purposes (includes corporate espionage prevention)
51
+ 6. Disaster management
52
+ 7. Medical emergencies
53
+ 8. Other prescribed purposes
54
+
55
+ ---
56
+
57
+ ## Notice Requirements (Section 5, Rule 3)
58
+
59
+ Mandatory elements: itemised data categories, specific purposes, recipient categories, retention period, rights exercise mechanism, Board complaint pathway, consent withdrawal method.
60
+
61
+ ---
62
+
63
+ ## Data Principal Rights (Sections 11–15)
64
+
65
+ | Right | Section |
66
+ |-------|---------|
67
+ | Access information | 11 |
68
+ | Correction, completion, updating, erasure | 12 |
69
+ | Grievance redressal | 13 |
70
+ | Nominate (death/incapacity) | 14 |
71
+
72
+ **Unique feature**: Data Principals have **duties** too (Section 15) — no false complaints, no impersonation. Penalty: ₹10,000.
73
+
74
+ ---
75
+
76
+ ## Data Fiduciary Obligations (Section 8)
77
+
78
+ - Engage processors under contract (Rule 16)
79
+ - Ensure data quality
80
+ - Implement security safeguards (Rule 7: encryption, MFA, access controls, logging)
81
+ - Erase data upon purpose fulfilment
82
+ - Notify breach to Board within **72 hours** (Rule 6)
83
+
84
+ ---
85
+
86
+ ## Children's Data (Section 9)
87
+
88
+ - Child = under **18 years**
89
+ - **Verifiable parental consent** required
90
+ - **Prohibited**: tracking, behavioural monitoring, targeted advertising to children
91
+ - Penalty: up to **₹200 crore**
92
+
93
+ ---
94
+
95
+ ## Significant Data Fiduciary (Section 10, Rule 13)
96
+
97
+ Additional obligations: India-resident DPO, annual DPIA, independent data audit, data localization (when notified).
98
+
99
+ ---
100
+
101
+ ## Cross-Border Transfers (Section 16)
102
+
103
+ **Blacklist approach** (unlike GDPR whitelist): transfers permitted to all countries except those specifically restricted by Central Government notification. As of April 2026, no countries restricted.
104
+
105
+ ---
106
+
107
+ ## Penalties (Section 33)
108
+
109
+ | Violation | Maximum Penalty |
110
+ |-----------|----------------|
111
+ | Security safeguard failure | **₹250 crore** |
112
+ | Breach notification failure (72h) | **₹200 crore** |
113
+ | Children's data violations | **₹200 crore** |
114
+ | SDF non-compliance | **₹150 crore** |
115
+ | Other violations | **₹50 crore** |
116
+ | Data Principal false complaints | **₹10,000** |
117
+
118
+ ---
119
+
120
+ ## Workflows
121
+
122
+ 1. **Legal Basis Determination** — Map to Section 6 consent or Section 7 legitimate uses
123
+ 2. **Gap Assessment** — Comprehensive audit against all Data Fiduciary obligations
124
+ 3. **Notice Drafting** — Rule 3 compliant standalone notice
125
+ 4. **Consent Mechanism Review** — Section 6 validity criteria checklist
126
+ 5. **Rights Request Handling** — Procedure with timelines and templates
127
+ 6. **Breach Notification** — 72h Board notification + Data Principal notification
128
+ 7. **SDF Assessment** — Criteria checklist + additional obligations gap table
129
+ 8. **Children's Data Review** — Section 9 requirements + Rule 10/12 verification
130
+ 9. **GDPR vs DPDPA Comparison** — Key differences for transitioning teams
131
+
132
+ ---
133
+
134
+ ## Escalation & Caveats
135
+
136
+ > **⚠️ Legal Advice Disclaimer**: This guidance is informational based on the DPDPA and DPDP Rules 2025. Several elements depend on future Central Government notifications. For Board proceedings or complex cross-border scenarios, consult qualified Indian data protection counsel.
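Review bot: all 136 lines of this hunk (`@@ -1,136 +1,136 @@`) are removed and re-added with no visible difference in content, from the title line through the Legal Advice Disclaimer, so the change cannot be reviewed as rendered. If this is a line-ending or encoding normalization, state that in the CHANGELOG and pin it (for example with a `.gitattributes` rule) so later releases do not rewrite whole files; until then, compare the two versions byte-for-byte or with whitespace ignored, because a real edit to an agent prompt would be hard to spot inside an identical-looking rewrite. The count matches the `dpdpa-agent.md +136 -136` entry in the file list, and the same symmetric +N -N pattern covers most other entries, which leaves the asymmetric ones (such as `package/tools/cli/commands/install.js +33 -343` and the new `package/tools/cli/lib/*.js` files) as the places where this release changes behaviour and where review effort should go.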