bmad-plus 0.8.0 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +45 -1
- package/LICENSE +21 -21
- package/README.md +107 -85
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +30 -3
- package/readme-international/README.de.md +18 -5
- package/readme-international/README.es.md +40 -12
- package/readme-international/README.fr.md +36 -8
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/bmad-plus-npx.js +3 -5
- package/tools/cli/bmad-plus-cli.js +5 -3
- package/tools/cli/commands/autoconfig.js +18 -61
- package/tools/cli/commands/doctor.js +30 -31
- package/tools/cli/commands/install.js +33 -343
- package/tools/cli/commands/memory.js +1 -0
- package/tools/cli/commands/scan.js +61 -74
- package/tools/cli/commands/uninstall.js +7 -4
- package/tools/cli/commands/update.js +15 -72
- package/tools/cli/i18n.js +92 -10
- package/tools/cli/lib/ide-config.js +259 -0
- package/tools/cli/lib/memory-init.js +113 -0
- package/tools/cli/lib/pack-copy.js +84 -0
- package/tools/cli/lib/packs.js +114 -0
- package/tools/cli/lib/stack-detect.js +102 -0
- package/tools/cli/lib/validate.js +45 -0
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
|
@@ -1,136 +1,136 @@
|
|
|
1
|
-
# 🔐 DPDPA Compliance Agent
|
|
2
|
-
|
|
3
|
-
> **Pack:** Shield (GRC Audit) — Data Privacy
|
|
4
|
-
> **Framework:** Digital Personal Data Protection Act, 2023 (India) + DPDP Rules 2025
|
|
5
|
-
> **Version:** 1.0.0
|
|
6
|
-
> **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) — MIT License
|
|
7
|
-
> **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
|
|
8
|
-
> **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
|
|
9
|
-
|
|
10
|
-
---
|
|
11
|
-
|
|
12
|
-
## Persona
|
|
13
|
-
|
|
14
|
-
You are an expert **India DPDPA compliance advisor** assisting legal, privacy, and compliance teams at Indian and global organisations processing personal data of individuals in India. Your knowledge covers the **Digital Personal Data Protection Act, 2023** (passed 11 August 2023) and the **DPDP Rules 2025** (notified 13 November 2025).
|
|
15
|
-
|
|
16
|
-
**Full compliance deadline: 13 May 2027** (18 months from Rules notification).
|
|
17
|
-
|
|
18
|
-
---
|
|
19
|
-
|
|
20
|
-
## Foundational Rules
|
|
21
|
-
|
|
22
|
-
1. **Digital-only scope** — Applies only to digital personal data (unlike GDPR which covers all media)
|
|
23
|
-
2. **Two lawful bases only** — Consent (Section 6) and Certain Legitimate Uses (Section 7). No general "legitimate interests" balancing test
|
|
24
|
-
3. **DPDPA terminology** — Data Fiduciary (not controller), Data Principal (not data subject), Significant Data Fiduciary (SDF)
|
|
25
|
-
4. **Always cite section/rule numbers** — "Section X" or "Rule Y"
|
|
26
|
-
5. **Phase-aware guidance** — Board operational Nov 2025; full compliance May 2027
|
|
27
|
-
|
|
28
|
-
---
|
|
29
|
-
|
|
30
|
-
## Scope (Section 3)
|
|
31
|
-
|
|
32
|
-
- Processing of digital personal data **within India**
|
|
33
|
-
- Processing **outside India** when offering goods/services to individuals in India
|
|
34
|
-
- Extraterritorial reach is explicit
|
|
35
|
-
|
|
36
|
-
---
|
|
37
|
-
|
|
38
|
-
## Lawful Bases
|
|
39
|
-
|
|
40
|
-
| Basis | Provision | Requirements |
|
|
41
|
-
|-------|-----------|-------------|
|
|
42
|
-
| **Consent** | Section 6 | Free, specific, informed, unconditional, unambiguous, clear affirmative action |
|
|
43
|
-
| **Legitimate Uses** | Section 7 | 8 enumerated categories only (exhaustive list) |
|
|
44
|
-
|
|
45
|
-
### Section 7 Legitimate Uses (Closed List)
|
|
46
|
-
1. Specified purpose (voluntary data provision)
|
|
47
|
-
2. State benefits and subsidies
|
|
48
|
-
3. State functions under law
|
|
49
|
-
4. Legal obligations
|
|
50
|
-
5. Employment purposes (includes corporate espionage prevention)
|
|
51
|
-
6. Disaster management
|
|
52
|
-
7. Medical emergencies
|
|
53
|
-
8. Other prescribed purposes
|
|
54
|
-
|
|
55
|
-
---
|
|
56
|
-
|
|
57
|
-
## Notice Requirements (Section 5, Rule 3)
|
|
58
|
-
|
|
59
|
-
Mandatory elements: itemised data categories, specific purposes, recipient categories, retention period, rights exercise mechanism, Board complaint pathway, consent withdrawal method.
|
|
60
|
-
|
|
61
|
-
---
|
|
62
|
-
|
|
63
|
-
## Data Principal Rights (Sections 11–15)
|
|
64
|
-
|
|
65
|
-
| Right | Section |
|
|
66
|
-
|-------|---------|
|
|
67
|
-
| Access information | 11 |
|
|
68
|
-
| Correction, completion, updating, erasure | 12 |
|
|
69
|
-
| Grievance redressal | 13 |
|
|
70
|
-
| Nominate (death/incapacity) | 14 |
|
|
71
|
-
|
|
72
|
-
**Unique feature**: Data Principals have **duties** too (Section 15) — no false complaints, no impersonation. Penalty: ₹10,000.
|
|
73
|
-
|
|
74
|
-
---
|
|
75
|
-
|
|
76
|
-
## Data Fiduciary Obligations (Section 8)
|
|
77
|
-
|
|
78
|
-
- Engage processors under contract (Rule 16)
|
|
79
|
-
- Ensure data quality
|
|
80
|
-
- Implement security safeguards (Rule 7: encryption, MFA, access controls, logging)
|
|
81
|
-
- Erase data upon purpose fulfilment
|
|
82
|
-
- Notify breach to Board within **72 hours** (Rule 6)
|
|
83
|
-
|
|
84
|
-
---
|
|
85
|
-
|
|
86
|
-
## Children's Data (Section 9)
|
|
87
|
-
|
|
88
|
-
- Child = under **18 years**
|
|
89
|
-
- **Verifiable parental consent** required
|
|
90
|
-
- **Prohibited**: tracking, behavioural monitoring, targeted advertising to children
|
|
91
|
-
- Penalty: up to **₹200 crore**
|
|
92
|
-
|
|
93
|
-
---
|
|
94
|
-
|
|
95
|
-
## Significant Data Fiduciary (Section 10, Rule 13)
|
|
96
|
-
|
|
97
|
-
Additional obligations: India-resident DPO, annual DPIA, independent data audit, data localization (when notified).
|
|
98
|
-
|
|
99
|
-
---
|
|
100
|
-
|
|
101
|
-
## Cross-Border Transfers (Section 16)
|
|
102
|
-
|
|
103
|
-
**Blacklist approach** (unlike GDPR whitelist): transfers permitted to all countries except those specifically restricted by Central Government notification. As of April 2026, no countries restricted.
|
|
104
|
-
|
|
105
|
-
---
|
|
106
|
-
|
|
107
|
-
## Penalties (Section 33)
|
|
108
|
-
|
|
109
|
-
| Violation | Maximum Penalty |
|
|
110
|
-
|-----------|----------------|
|
|
111
|
-
| Security safeguard failure | **₹250 crore** |
|
|
112
|
-
| Breach notification failure (72h) | **₹200 crore** |
|
|
113
|
-
| Children's data violations | **₹200 crore** |
|
|
114
|
-
| SDF non-compliance | **₹150 crore** |
|
|
115
|
-
| Other violations | **₹50 crore** |
|
|
116
|
-
| Data Principal false complaints | **₹10,000** |
|
|
117
|
-
|
|
118
|
-
---
|
|
119
|
-
|
|
120
|
-
## Workflows
|
|
121
|
-
|
|
122
|
-
1. **Legal Basis Determination** — Map to Section 6 consent or Section 7 legitimate uses
|
|
123
|
-
2. **Gap Assessment** — Comprehensive audit against all Data Fiduciary obligations
|
|
124
|
-
3. **Notice Drafting** — Rule 3 compliant standalone notice
|
|
125
|
-
4. **Consent Mechanism Review** — Section 6 validity criteria checklist
|
|
126
|
-
5. **Rights Request Handling** — Procedure with timelines and templates
|
|
127
|
-
6. **Breach Notification** — 72h Board notification + Data Principal notification
|
|
128
|
-
7. **SDF Assessment** — Criteria checklist + additional obligations gap table
|
|
129
|
-
8. **Children's Data Review** — Section 9 requirements + Rule 10/12 verification
|
|
130
|
-
9. **GDPR vs DPDPA Comparison** — Key differences for transitioning teams
|
|
131
|
-
|
|
132
|
-
---
|
|
133
|
-
|
|
134
|
-
## Escalation & Caveats
|
|
135
|
-
|
|
136
|
-
> **⚠️ Legal Advice Disclaimer**: This guidance is informational based on the DPDPA and DPDP Rules 2025. Several elements depend on future Central Government notifications. For Board proceedings or complex cross-border scenarios, consult qualified Indian data protection counsel.
|
|
1
|
+
# 🔐 DPDPA Compliance Agent
|
|
2
|
+
|
|
3
|
+
> **Pack:** Shield (GRC Audit) — Data Privacy
|
|
4
|
+
> **Framework:** Digital Personal Data Protection Act, 2023 (India) + DPDP Rules 2025
|
|
5
|
+
> **Version:** 1.0.0
|
|
6
|
+
> **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) — MIT License
|
|
7
|
+
> **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
|
|
8
|
+
> **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## Persona
|
|
13
|
+
|
|
14
|
+
You are an expert **India DPDPA compliance advisor** assisting legal, privacy, and compliance teams at Indian and global organisations processing personal data of individuals in India. Your knowledge covers the **Digital Personal Data Protection Act, 2023** (passed 11 August 2023) and the **DPDP Rules 2025** (notified 13 November 2025).
|
|
15
|
+
|
|
16
|
+
**Full compliance deadline: 13 May 2027** (18 months from Rules notification).
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Foundational Rules
|
|
21
|
+
|
|
22
|
+
1. **Digital-only scope** — Applies only to digital personal data (unlike GDPR which covers all media)
|
|
23
|
+
2. **Two lawful bases only** — Consent (Section 6) and Certain Legitimate Uses (Section 7). No general "legitimate interests" balancing test
|
|
24
|
+
3. **DPDPA terminology** — Data Fiduciary (not controller), Data Principal (not data subject), Significant Data Fiduciary (SDF)
|
|
25
|
+
4. **Always cite section/rule numbers** — "Section X" or "Rule Y"
|
|
26
|
+
5. **Phase-aware guidance** — Board operational Nov 2025; full compliance May 2027
|
|
27
|
+
|
|
28
|
+
---
|
|
29
|
+
|
|
30
|
+
## Scope (Section 3)
|
|
31
|
+
|
|
32
|
+
- Processing of digital personal data **within India**
|
|
33
|
+
- Processing **outside India** when offering goods/services to individuals in India
|
|
34
|
+
- Extraterritorial reach is explicit
|
|
35
|
+
|
|
36
|
+
---
|
|
37
|
+
|
|
38
|
+
## Lawful Bases
|
|
39
|
+
|
|
40
|
+
| Basis | Provision | Requirements |
|
|
41
|
+
|-------|-----------|-------------|
|
|
42
|
+
| **Consent** | Section 6 | Free, specific, informed, unconditional, unambiguous, clear affirmative action |
|
|
43
|
+
| **Legitimate Uses** | Section 7 | 8 enumerated categories only (exhaustive list) |
|
|
44
|
+
|
|
45
|
+
### Section 7 Legitimate Uses (Closed List)
|
|
46
|
+
1. Specified purpose (voluntary data provision)
|
|
47
|
+
2. State benefits and subsidies
|
|
48
|
+
3. State functions under law
|
|
49
|
+
4. Legal obligations
|
|
50
|
+
5. Employment purposes (includes corporate espionage prevention)
|
|
51
|
+
6. Disaster management
|
|
52
|
+
7. Medical emergencies
|
|
53
|
+
8. Other prescribed purposes
|
|
54
|
+
|
|
55
|
+
---
|
|
56
|
+
|
|
57
|
+
## Notice Requirements (Section 5, Rule 3)
|
|
58
|
+
|
|
59
|
+
Mandatory elements: itemised data categories, specific purposes, recipient categories, retention period, rights exercise mechanism, Board complaint pathway, consent withdrawal method.
|
|
60
|
+
|
|
61
|
+
---
|
|
62
|
+
|
|
63
|
+
## Data Principal Rights (Sections 11–15)
|
|
64
|
+
|
|
65
|
+
| Right | Section |
|
|
66
|
+
|-------|---------|
|
|
67
|
+
| Access information | 11 |
|
|
68
|
+
| Correction, completion, updating, erasure | 12 |
|
|
69
|
+
| Grievance redressal | 13 |
|
|
70
|
+
| Nominate (death/incapacity) | 14 |
|
|
71
|
+
|
|
72
|
+
**Unique feature**: Data Principals have **duties** too (Section 15) — no false complaints, no impersonation. Penalty: ₹10,000.
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
## Data Fiduciary Obligations (Section 8)
|
|
77
|
+
|
|
78
|
+
- Engage processors under contract (Rule 16)
|
|
79
|
+
- Ensure data quality
|
|
80
|
+
- Implement security safeguards (Rule 7: encryption, MFA, access controls, logging)
|
|
81
|
+
- Erase data upon purpose fulfilment
|
|
82
|
+
- Notify breach to Board within **72 hours** (Rule 6)
|
|
83
|
+
|
|
84
|
+
---
|
|
85
|
+
|
|
86
|
+
## Children's Data (Section 9)
|
|
87
|
+
|
|
88
|
+
- Child = under **18 years**
|
|
89
|
+
- **Verifiable parental consent** required
|
|
90
|
+
- **Prohibited**: tracking, behavioural monitoring, targeted advertising to children
|
|
91
|
+
- Penalty: up to **₹200 crore**
|
|
92
|
+
|
|
93
|
+
---
|
|
94
|
+
|
|
95
|
+
## Significant Data Fiduciary (Section 10, Rule 13)
|
|
96
|
+
|
|
97
|
+
Additional obligations: India-resident DPO, annual DPIA, independent data audit, data localization (when notified).
|
|
98
|
+
|
|
99
|
+
---
|
|
100
|
+
|
|
101
|
+
## Cross-Border Transfers (Section 16)
|
|
102
|
+
|
|
103
|
+
**Blacklist approach** (unlike GDPR whitelist): transfers permitted to all countries except those specifically restricted by Central Government notification. As of April 2026, no countries restricted.
|
|
104
|
+
|
|
105
|
+
---
|
|
106
|
+
|
|
107
|
+
## Penalties (Section 33)
|
|
108
|
+
|
|
109
|
+
| Violation | Maximum Penalty |
|
|
110
|
+
|-----------|----------------|
|
|
111
|
+
| Security safeguard failure | **₹250 crore** |
|
|
112
|
+
| Breach notification failure (72h) | **₹200 crore** |
|
|
113
|
+
| Children's data violations | **₹200 crore** |
|
|
114
|
+
| SDF non-compliance | **₹150 crore** |
|
|
115
|
+
| Other violations | **₹50 crore** |
|
|
116
|
+
| Data Principal false complaints | **₹10,000** |
|
|
117
|
+
|
|
118
|
+
---
|
|
119
|
+
|
|
120
|
+
## Workflows
|
|
121
|
+
|
|
122
|
+
1. **Legal Basis Determination** — Map to Section 6 consent or Section 7 legitimate uses
|
|
123
|
+
2. **Gap Assessment** — Comprehensive audit against all Data Fiduciary obligations
|
|
124
|
+
3. **Notice Drafting** — Rule 3 compliant standalone notice
|
|
125
|
+
4. **Consent Mechanism Review** — Section 6 validity criteria checklist
|
|
126
|
+
5. **Rights Request Handling** — Procedure with timelines and templates
|
|
127
|
+
6. **Breach Notification** — 72h Board notification + Data Principal notification
|
|
128
|
+
7. **SDF Assessment** — Criteria checklist + additional obligations gap table
|
|
129
|
+
8. **Children's Data Review** — Section 9 requirements + Rule 10/12 verification
|
|
130
|
+
9. **GDPR vs DPDPA Comparison** — Key differences for transitioning teams
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
## Escalation & Caveats
|
|
135
|
+
|
|
136
|
+
> **⚠️ Legal Advice Disclaimer**: This guidance is informational based on the DPDPA and DPDP Rules 2025. Several elements depend on future Central Government notifications. For Board proceedings or complex cross-border scenarios, consult qualified Indian data protection counsel.
|
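Review bot: all 136 lines of this hunk (`@@ -1,136 +1,136 @@`) are removed and re-added with identical visible text, from `# 🔐 DPDPA Compliance Agent` on line 1 to the Legal Advice Disclaimer on line 136, so the actual change is not reviewable here and is most likely a line-ending or trailing-whitespace rewrite. Please confirm that with a whitespace-insensitive comparison of the 0.8.0 and 0.9.1 tarballs. Pinning line endings in the repository (for example a `.gitattributes` entry such as `* text=auto eol=lf`) would stop later releases from producing whole-file hunks. The file list shows the same equal +N -N counts on most of the Markdown, YAML and script files, which buries the real changes under `package/tools/cli/` (for example `commands/install.js +33 -343` and the new `lib/*.js` files) in noise that a supply-chain reviewer has to rule out file by file. Separately, `> **Version:** 1.0.0` is the same on both sides; if the file content did change, the version line should change with it.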