Trust Center
Our dual role: Processor + Fiduciary
Under the DPDP Act 2023, DPDP Bridge acts in two layered capacities. We are a Data Processor for our customer (the Data Fiduciary) when we handle the consent ledger, erasure requests, breach incidents, or audit log on their behalf. We are a Data Fiduciary for our own users (the customer's tenant administrators) for the contact, login, and billing data they provide.
As your Processor
We process Data Principal information you collect (consent grants, erasure requests, breach impact lists). You instruct us via the API; we do not access your tenant data for any other purpose. See DPA § 2 Processing Instructions.
As Fiduciary
For tenant admin accounts (the human running the dashboard) we are the Data Fiduciary — Section 5 notice + Section 6(1) consent at signup, Section 12 erasure available via account deletion, Section 13 grievance via dpdp@dpdp-bridge.com.
DPDP Act § map → product feature
The full mapping (with statutory citations and evidence links) lives at /dpdp-compliance.html. Highlights:
| DPDP reference | Feature |
|---|---|
| Sec 5 + Rule 3 | Eighth-Schedule itemised notice generator (22 languages) |
| Sec 6(1) + 6(4) | Consent SDK with withdrawal symmetry, audited per-purpose ledger |
| Sec 6(7) | Consent Manager hooks — we are not a Consent Manager (Rule 4) |
| Sec 8(1) | Append-only audit log, 7-year retention |
| Sec 8(5) + 8(6) | Breach console with 72-hour Section 8(6) clock + Rule 7 template |
| Sec 8(7) + Sec 12 + Rule 13 | Erasure workflow with retention-mapped SLA timer |
| Sec 8(9) + Sec 10(2)(a) | DPO console with Indian DPO contact card on every notice |
| Sec 13 + Rule 14 | Grievance routing with 30-day SLA enforcement |
| Sec 16 | Self-host option keeps Data Principal data in India-region infra |
Sub-processors
The current sub-processor list is maintained in our DPA § 5 Sub-processors. Categories cover transactional email (Resend), payments (Stripe), error monitoring (Sentry), and infrastructure (the customer-chosen cloud region). We commit to advance notice + objection rights as set out in the DPA.
Dispute resolution
Customer agreements (MSA + DPA) are governed by Indian law. Disputes are referred to arbitration at the Mumbai Centre for International Arbitration (MCIA), seated in Mumbai, conducted in English, by a sole arbitrator under the MCIA Rules. Either party may approach the Bombay High Court for interim relief.
Security posture
- Production data at rest: AES-256 (managed by the cloud provider).
- Data in transit: TLS 1.2+ enforced, HSTS preload, modern cipher suite.
- Authentication: bcrypt password hashing, 7-day JWT, optional API key per tenant.
- Per-tenant secrets: HMAC dpToken signing (rotation endpoint v2).
- Webhook outbound: HMAC-signed, idempotent dispatch log, 15-minute backlog alerting.
- Audit log: append-only, 7-year retention, never co-mingled across tenants.
Contact the DPO
Under DPDP Section 8(9) + Section 10(2)(a) we publish DPO contact in the open. For Data Principal rights requests (access, correction, erasure, grievance) email dpdp@dpdp-bridge.com. SLA: 30 calendar days under Rule 14.
हमारी दोहरी भूमिका: Processor + Fiduciary
DPDP Act 2023 के तहत DPDP Bridge दो परतों में कार्य करता है। जब हम आपके (Data Fiduciary) के लिए consent ledger, erasure requests, breach incidents या audit log संभालते हैं, तब हम Data Processor हैं। हमारे अपने उपयोगकर्ताओं (तीन्हें ग्राहक के tenant administrators) के लिए हम Data Fiduciary हैं।
आपके Processor के रूप में
हम केवल आपके निर्देश पर ही Data Principal की जानकारी संसाधित करते हैं। विवरण DPA § 2 में।
Fiduciary के रूप में
tenant admin खातों के लिए हम Data Fiduciary हैं — Section 5 सूचना, Section 6(1) सहमति, Section 12 खाता विलोपन, Section 13 शिकायत dpdp@dpdp-bridge.com पर।
DPDP Act धारा → उत्पाद सुविधा
पूरा मानचित्रण /dpdp-compliance.html पर है। मुख्य बिंदु:
- Sec 5 + Rule 3 — आठवीं अनुसूची की 22 भाषाओं में सूचना जनरेटर
- Sec 6(1) + 6(4) — Consent SDK, वापसी सममिति, प्रति-उद्देश्य audit ledger
- Sec 6(7) — Consent Manager hooks (हम Consent Manager नहीं हैं — Rule 4)
- Sec 8(5) + 8(6) — 72-घंटे का breach console, Rule 7 टेम्पलेट
- Sec 12 + Rule 13 — retention-मैप्ड SLA के साथ erasure workflow
- Sec 10(2)(a) — हर सूचना पर भारत-स्थित DPO संपर्क कार्ड
- Sec 13 + Rule 14 — 30-दिन SLA के साथ शिकायत प्रबंधन
उप-प्रोसेसर
वर्तमान उप-प्रोसेसर सूची DPA § 5 में है। श्रेणियाँ: Resend (ईमेल), Stripe (भुगतान), Sentry (त्रुटि निगरानी), क्लाउड प्रदाता।
विवाद निवारण
ग्राहक अनुबंध भारतीय कानून के तहत हैं। विवाद Mumbai Centre for International Arbitration (MCIA) में, अंग्रेजी में, एक एकल मध्यस्थ के समक्ष, MCIA Rules के अनुसार जाते हैं। अंतरिम राहत के लिए Bombay High Court उपलब्ध है।
सुरक्षा
- विश्राम पर डेटा: AES-256।
- पारगमन में डेटा: TLS 1.2+, HSTS।
- प्रमाणीकरण: bcrypt पासवर्ड हैश, 7-दिन JWT।
- Webhook: HMAC-हस्ताक्षरित, idempotent dispatch log।
- Audit log: केवल-जोड़, 7-वर्ष अवधारण।
DPO से संपर्क
Section 8(9) + Section 10(2)(a) के तहत हम DPO संपर्क सार्वजनिक रखते हैं। Data Principal अधिकार अनुरोधों के लिए dpdp@dpdp-bridge.com। SLA: 30 कैलेंडर दिन (Rule 14)।