Terms of Service
1. Acceptance and capacity
By creating a tenant or using the SDK you agree to these terms. If you accept on behalf of a company you represent that you are at least 18 years old and have authority to bind that company. The acceptance forms a binding contract under Section 10 of the Indian Contract Act, 1872 (lawful consideration, free consent, lawful object).
2. Service description
DPDP Bridge is a Data-Fiduciary-side compliance middleware for the Indian DPDP Act 2023 and the DPDP Rules 2025. The service consists of (a) a notice and consent SDK that emits Eighth-Schedule itemised notices and captures Section 6 consent; (b) an erasure workflow with a configurable SLA timer; (c) a 72-hour breach notification module; (d) a DPO console with grievance routing; (e) compliance reports in JSON, Markdown and PDF; (f) a tamper-evident audit ledger retained for 7 years.
The service is not a registered Consent Manager under Section 6(7) of the Act and Rule 4 of the Rules. We expose Section 6(7) hooks for tenants who wish to plug a registered Consent Manager.
3. Subscription and billing
Plans are Starter at USD 199 / month and Pro at USD 499 / month, billed in advance via Stripe. Indian customers may opt for INR pricing at our published exchange rate (subject to GST as applicable). Both plans include a 14-day free trial. Cancellation takes effect at the end of the current billing period; you remain responsible for fees accrued up to that date.
We may revise pricing on 30 days' written notice for the next billing period. Mid-cycle increases will not apply to the running term.
4. Acceptable use
You agree that you will not, and will not permit any third party to:
- Use the service to circumvent the DPDP Act or Rules. The platform is built to support compliance. Using it to manufacture sham consent, fabricate audit entries, or evade Section 8(6) breach reporting is a material breach and may be reported to the Data Protection Board.
- Reverse-engineer, decompile or disassemble the service except to the extent expressly permitted by applicable law.
- Evade the rate limits, attempt to access another tenant's data, or probe the infrastructure for vulnerabilities outside our coordinated disclosure programme.
- Use the service to host malware or to facilitate unlawful processing.
- Process the personal data of children in violation of Section 9 (use the children-specific configuration of the SDK if your product is in scope).
- Resell, sublicense or white-label the service without a separate written agreement.
We may suspend the service on notice for material breach, and on no notice for ongoing breaches that risk regulator action against other customers.
5. Customer responsibilities
- You are the Data Fiduciary for personal data routed through our APIs and SDK; you set the lawful basis under Section 4 and the retention period under Rule 13.
- You must keep API keys secret and rotate them on suspected compromise via
POST /tenant/api-key. - You must publish a Section 5 itemised notice and a grievance officer contact (Section 8(9)) on your own product surface; the SDK helps draft these but does not publish them on your behalf.
- If designated a Significant Data Fiduciary under Section 10 you must appoint an India-based DPO and complete a DPIA — the Pro plan includes the DPIA template.
6. Compliance disclaimer
DPDP Bridge is a compliance tooling platform, not legal advice. Use of the product does not by itself guarantee compliance with the DPDP Act, Rules, or any Data Protection Board interpretation. Statutory references in the product or this document are provided for convenience; you must engage Indian legal counsel for binding interpretations and before relying on any DPDP Bridge output for regulatory submissions or in response to a Board inquiry.
7. Service level
We target 99.5% monthly uptime. SLA credits on request for verified outages exceeding the threshold, capped at one month of fees per quarter. The DPO and breach modules are designed so that customer-initiated 72-hour clocks continue to run during platform outages; you remain responsible for completing notification.
8. Limitation of liability
To the maximum extent permitted by law, our aggregate liability under these terms is capped at the fees you paid in the 12 months preceding the claim. We are not liable for indirect, incidental, consequential, special or punitive damages, including regulatory penalties imposed on you by the Data Protection Board of India or any other authority, lost profits, or loss of business goodwill, even if we were advised of the possibility of such damages.
Nothing in this clause excludes liability for fraud, gross negligence, wilful misconduct, or any liability that cannot be excluded under applicable law.
9. Indemnity
You agree to indemnify, defend and hold us harmless from any third-party claim arising from (a) your use of the service in violation of these terms or applicable law; (b) the lawful basis for your processing of personal data; (c) your failure to publish a compliant Section 5 notice or to honour a Section 12 erasure request; (d) any breach of Section 9 in respect of children's data.
10. Termination
Either party may terminate for material uncured breach with 30 days' written notice. On termination we will, on request submitted within 30 days, export your tenant data in JSON, after which we will delete it subject to legal hold and the 7-year compliance-record retention period in our Privacy Notice.
11. Governing law
These terms are governed by the laws of the Republic of India, including the Indian Contract Act, 1872, the Information Technology Act, 2000, the DPDP Act 2023, and the DPDP Rules 2025. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
12. Dispute resolution
Any dispute arising out of or in connection with these terms, including any question regarding their existence, validity or termination, will be referred to and finally resolved by arbitration administered by the Mumbai Centre for International Arbitration (MCIA) under the MCIA Rules in force at the time of reference. The seat of arbitration is Mumbai, India; the language is English; the tribunal will consist of one arbitrator unless the dispute exceeds USD 1,000,000 in which case three arbitrators will be appointed under the MCIA Rules.
Subject to the arbitration clause above, the courts at Mumbai have exclusive jurisdiction for interim relief, anti-suit injunctions, and the enforcement of any arbitral award.
13. Notices
Notices to us must be sent to hi@dpdp-bridge.com with a copy to the postal address printed on each invoice. Notices to you may be sent to the email address on your account or via in-product banner.
14. Miscellaneous
These terms (together with the DPA at /dpa.html and the Privacy Notice at /privacy.html) constitute the entire agreement between the parties and supersede prior negotiations. If any provision is held unenforceable the remainder will continue in effect. We may assign these terms to an affiliate or in connection with a merger or sale; you may not assign without our prior written consent.