Trust Center

Section-by-section DPDP Act 2023 + Rules 2025 mapping, dual Processor + Fiduciary positioning, sub-processor list, dispute resolution, and direct DPO contact.

Our dual role: Processor + Fiduciary

Under the DPDP Act 2023, DPDP Bridge acts in two layered capacities. We are a Data Processor for our customer (the Data Fiduciary) when we handle the consent ledger, erasure requests, breach incidents, or audit log on their behalf. We are a Data Fiduciary for our own users (the customer's tenant administrators) for the contact, login, and billing data they provide.

As your Processor

We process Data Principal information you collect (consent grants, erasure requests, breach impact lists). You instruct us via the API; we do not access your tenant data for any other purpose. See DPA § 2 Processing Instructions.

As Fiduciary

For tenant admin accounts (the human running the dashboard) we are the Data Fiduciary — Section 5 notice + Section 6(1) consent at signup, Section 12 erasure available via account deletion, Section 13 grievance via dpdp@dpdp-bridge.com.

DPDP Act § map → product feature

The full mapping (with statutory citations and evidence links) lives at /dpdp-compliance.html. Highlights:

DPDP referenceFeature
Sec 5 + Rule 3Eighth-Schedule itemised notice generator (22 languages)
Sec 6(1) + 6(4)Consent SDK with withdrawal symmetry, audited per-purpose ledger
Sec 6(7)Consent Manager hooks — we are not a Consent Manager (Rule 4)
Sec 8(1)Append-only audit log, 7-year retention
Sec 8(5) + 8(6)Breach console with 72-hour Section 8(6) clock + Rule 7 template
Sec 8(7) + Sec 12 + Rule 13Erasure workflow with retention-mapped SLA timer
Sec 8(9) + Sec 10(2)(a)DPO console with Indian DPO contact card on every notice
Sec 13 + Rule 14Grievance routing with 30-day SLA enforcement
Sec 16Self-host option keeps Data Principal data in India-region infra

Sub-processors

The current sub-processor list is maintained in our DPA § 5 Sub-processors. Categories cover transactional email (Resend), payments (Stripe), error monitoring (Sentry), and infrastructure (the customer-chosen cloud region). We commit to advance notice + objection rights as set out in the DPA.

Dispute resolution

Customer agreements (MSA + DPA) are governed by Indian law. Disputes are referred to arbitration at the Mumbai Centre for International Arbitration (MCIA), seated in Mumbai, conducted in English, by a sole arbitrator under the MCIA Rules. Either party may approach the Bombay High Court for interim relief.

Security posture

Contact the DPO

Under DPDP Section 8(9) + Section 10(2)(a) we publish DPO contact in the open. For Data Principal rights requests (access, correction, erasure, grievance) email dpdp@dpdp-bridge.com. SLA: 30 calendar days under Rule 14.

Not legal advice. The mapping above is a tooling description, not a legal opinion. Consult Indian counsel before relying on any specific clause for regulatory submissions.

हमारी दोहरी भूमिका: Processor + Fiduciary

DPDP Act 2023 के तहत DPDP Bridge दो परतों में कार्य करता है। जब हम आपके (Data Fiduciary) के लिए consent ledger, erasure requests, breach incidents या audit log संभालते हैं, तब हम Data Processor हैं। हमारे अपने उपयोगकर्ताओं (तीन्हें ग्राहक के tenant administrators) के लिए हम Data Fiduciary हैं।

आपके Processor के रूप में

हम केवल आपके निर्देश पर ही Data Principal की जानकारी संसाधित करते हैं। विवरण DPA § 2 में।

Fiduciary के रूप में

tenant admin खातों के लिए हम Data Fiduciary हैं — Section 5 सूचना, Section 6(1) सहमति, Section 12 खाता विलोपन, Section 13 शिकायत dpdp@dpdp-bridge.com पर।

DPDP Act धारा → उत्पाद सुविधा

पूरा मानचित्रण /dpdp-compliance.html पर है। मुख्य बिंदु:

उप-प्रोसेसर

वर्तमान उप-प्रोसेसर सूची DPA § 5 में है। श्रेणियाँ: Resend (ईमेल), Stripe (भुगतान), Sentry (त्रुटि निगरानी), क्लाउड प्रदाता।

विवाद निवारण

ग्राहक अनुबंध भारतीय कानून के तहत हैं। विवाद Mumbai Centre for International Arbitration (MCIA) में, अंग्रेजी में, एक एकल मध्यस्थ के समक्ष, MCIA Rules के अनुसार जाते हैं। अंतरिम राहत के लिए Bombay High Court उपलब्ध है।

सुरक्षा

DPO से संपर्क

Section 8(9) + Section 10(2)(a) के तहत हम DPO संपर्क सार्वजनिक रखते हैं। Data Principal अधिकार अनुरोधों के लिए dpdp@dpdp-bridge.com। SLA: 30 कैलेंडर दिन (Rule 14)।