DPDP Act Compliance
Last updated: March 2026
1. About the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 ("DPDP Act") is India's comprehensive data protection legislation enacted on 11 August 2023 (Act No. 22 of 2023). It establishes a framework for the processing of digital personal data, defining the rights of Data Principals (individuals whose data is processed), the obligations of Data Fiduciaries (entities that determine the purpose and means of processing), and the enforcement powers of the Data Protection Board of India.
Security Brigade InfoSec Private Limited ("Security Brigade") is fully committed to complying with the DPDP Act and its subordinate rules as they are notified by the Central Government. This page describes how we fulfil our obligations as a Data Fiduciary and, in certain contexts, as a Data Processor acting on behalf of our clients.
This page supplements our comprehensive Privacy Policy and should be read alongside it.
2. Our Role as Data Fiduciary
Under the DPDP Act, Security Brigade acts as a "Data Fiduciary" when we collect and process digital personal data of individuals in India for our own purposes -- for instance, when processing website visitor data, enquiry form submissions, client contact information, employee data, and career applications.
When we perform cybersecurity assessments on our clients' systems and encounter personal data residing in those systems, we act as a "Data Processor" under the instructions of our client (the Data Fiduciary). In this capacity, we process personal data strictly as directed by the client and in accordance with the engagement agreement. We do not determine the purpose or means of processing such data independently.
As a Data Fiduciary, we are committed to processing personal data only for lawful purposes, implementing reasonable security safeguards, and respecting the rights of Data Principals as enumerated in the DPDP Act.
3. Lawful Grounds for Processing (Section 4)
Under the DPDP Act, personal data may only be processed for a lawful purpose for which the Data Principal has given consent, or for certain legitimate uses specified in the Act. We process personal data on the following grounds:
- Consent (Sec. 6): Where we collect personal data directly from you (such as through our website contact forms, newsletter subscriptions, or Lemon platform registration), we obtain your free, specific, informed, unconditional, and unambiguous consent, given through a clear affirmative action. The purpose of processing is communicated to you in clear, plain language at the time of collection, and consent is limited to the personal data necessary for that purpose.
- Voluntary Provision of Data (Sec. 7(a)): Where you voluntarily provide your personal data to us for a specified purpose (such as submitting your CV for a job application or requesting a service proposal), we process it for that specified purpose.
- Disclosure Obligations under Law (Sec. 7(d)): Where processing is necessary to fulfil an obligation under Indian law to disclose information to the State or its instrumentalities, including obligations arising under the Information Technology Act, 2000, the Companies Act, 2013, taxation laws, and regulatory directives from CERT-In, RBI, SEBI, or other competent authorities.
- Compliance with Court Order or Judgment (Sec. 7(e)): Where processing is required to comply with a judgment, decree, or order issued under any law in force in India.
- Employment Purpose (Sec. 7(i)): For processing personal data of our employees for the purposes of employment, and for purposes related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets and intellectual property, or provision of any service or benefit to an employee.
4. Consent Management
In accordance with Section 6 of the DPDP Act, we adhere to the following consent principles:
- Notice Before Consent (Sec. 5): Before or at the time of requesting your consent, we provide a clear and itemised notice describing the personal data to be collected, the purpose of processing, the manner in which you may exercise your rights, including the right to withdraw consent, and the procedure for filing grievances with us and with the Data Protection Board of India.
- Specific and Informed: Consent is sought separately for each distinct purpose of processing. We do not bundle consent for multiple unrelated purposes.
- Plain Language: All consent requests and privacy notices are presented in clear, plain English (and Hindi where applicable) to ensure comprehension.
- Easy Withdrawal: You may withdraw consent at any time by contacting our Grievance Officer at privacy@securitybrigade.com; withdrawing consent is no more difficult than giving it. Upon withdrawal, we will cease processing the relevant personal data within a reasonable time, and cause any Data Processor acting on our behalf to cease processing it, unless continued processing is permitted or required by law. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
- Record Keeping: We maintain auditable records of consent, including the content of the notice provided, the time and manner of consent, and any subsequent modifications or withdrawals.
5. Rights of Data Principals (Sections 11-14)
Under the DPDP Act, you have the following rights as a Data Principal:
- Right to Access Information (Sec. 11): You have the right to obtain a summary of the personal data we process about you, the processing activities undertaken, and the identities of all Data Fiduciaries and Data Processors with whom your data has been shared.
- Right to Correction and Erasure (Sec. 12): You have the right to request correction of inaccurate or misleading personal data, completion of incomplete data, and erasure of personal data that is no longer necessary for the purpose for which it was collected. Upon receiving a valid request, we will correct, complete, or erase the data and notify any Data Processors acting on our behalf.
- Right to Grievance Redressal (Sec. 13): You have the right to register a grievance with our designated Grievance Officer. We will acknowledge your grievance and provide a resolution within the timeframes prescribed by law. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.
- Right to Nominate (Sec. 14): You have the right to nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity. We will honour validly executed nominations.
To exercise any of these rights, please contact our Grievance Officer using the details in Section 8 below. We may need to verify your identity before processing your request. Requests will be processed in accordance with the timeframes prescribed by the DPDP Act and any rules notified thereunder.
6. Our Obligations as Data Fiduciary (Section 8)
As a Data Fiduciary under the DPDP Act, Security Brigade undertakes the following obligations:
- Purpose Limitation: We process personal data only for the specific, lawful purpose for which it was collected and communicated to you. We do not process personal data for purposes beyond what is reasonably necessary and has been consented to.
- Data Minimisation: We collect only such personal data as is necessary for the stated purpose. Our data collection forms are designed to request only essential information.
- Accuracy: We make reasonable efforts to ensure that the personal data we process is complete, accurate, and not misleading. We provide mechanisms for Data Principals to update their information.
- Storage Limitation: Personal data is retained only for the period necessary to fulfil the purpose of processing. Upon expiry of the retention period, data is securely deleted. Where data is retained for legal compliance purposes, it is retained for the minimum period required by law.
- Reasonable Security Safeguards (Sec. 8(5)): We implement appropriate technical and organisational measures to protect personal data against unauthorised access, use, modification, disclosure, or destruction, including personal data processed on our behalf by a Data Processor. As a CERT-In empanelled cybersecurity firm, we apply enterprise-grade security controls including encryption (AES-256 at rest, TLS 1.2+ in transit), role-based access control, multi-factor authentication, and comprehensive audit logging. For details, refer to our Security Policy.
- Breach Notification (Sec. 8(6)): In the event of a personal data breach, we will notify the Data Protection Board of India and each affected Data Principal in such form and manner as prescribed. We will also comply with CERT-In's mandatory incident reporting requirements (6-hour notification window under the April 2022 directive).
- Erasure Upon Purpose Fulfilment (Sec. 8(7)): When you withdraw consent, or as soon as it is reasonable to assume that the purpose for which personal data was collected is no longer being served, whichever is earlier, we erase the personal data and cause any Data Processor to whom we made it available to erase it, unless retention is required by law.
7. Cross-Border Transfer of Personal Data (Section 16)
The DPDP Act permits the transfer of personal data outside India to any country that has not been specifically restricted by the Central Government through notification. Security Brigade operates offices in India, the United Kingdom, the United States, and Singapore.
As of the date of this page, no specific country restrictions have been notified by the Central Government. We monitor government notifications and will update our practices immediately upon any notification restricting transfers to jurisdictions where we operate.
Although the DPDP Act's framework for cross-border transfers is permissive, we apply the same security safeguards to personal data wherever it is processed. Where our EU/UK clients' data is involved, we additionally comply with GDPR cross-border transfer requirements. See our GDPR Compliance page for details.
8. Grievance Officer
In compliance with Section 13 of the DPDP Act and Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we have designated the following Grievance Officer:
Grievance Officer
Security Brigade InfoSec Private Limited
Registered Office: Mumbai, Maharashtra, India
Email: privacy@securitybrigade.com
Response time: Acknowledgement within 48 hours; resolution within the period prescribed by law
If you are not satisfied with our response to your grievance, you may escalate your complaint to the Data Protection Board of India, once constituted and operationalised under the DPDP Act.
9. Handling of Vulnerability Data and Client Systems Data
A significant portion of Security Brigade's work involves penetration testing, vulnerability assessments, and security audits of our clients' systems. During the course of these assessments, our testing teams may incidentally encounter personal data residing in the client's databases, applications, or network infrastructure.
In such cases:
- We act as a Data Processor under the instructions of the client (the Data Fiduciary).
- We do not extract, copy, or retain personal data encountered in client systems beyond what is strictly necessary to evidence a vulnerability finding.
- Where personal data must be referenced in a finding (e.g., to demonstrate a data exposure vulnerability), we redact or mask the data to the maximum extent possible while still demonstrating the finding.
- All assessment data is stored in encrypted, access-controlled environments and is deleted upon expiry of the engagement retention period.
- Our engagement agreements include specific provisions addressing data processing responsibilities, consistent with the DPDP Act requirements for Data Processors.
10. Duties of Data Principals (Section 15)
The DPDP Act recognises that Data Principals also have certain duties. When providing personal data to Security Brigade, you are expected to:
- Comply with all applicable laws when exercising your rights under the Act.
- Not impersonate another person when providing personal data, and not suppress any material information when providing personal data for any document, unique identifier, proof of identity, or proof of address issued by the State.
- Not register a false or frivolous grievance or complaint with Security Brigade or with the Data Protection Board.
- Furnish only information that is verifiably authentic when exercising your right to correction or erasure.
11. Relationship with Other Laws
This compliance framework operates alongside our obligations under other Indian laws governing data and cybersecurity, including:
- The Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- CERT-In directions dated 28 April 2022 on reporting of cyber security incidents.
- Sector-specific regulations from RBI (cybersecurity framework for banks), SEBI (CSCRF for market intermediaries), IRDAI (information security guidelines for insurers), and TRAI as applicable.
- The Indian Contract Act, 1872, and the Companies Act, 2013, for contractual and corporate governance obligations.
Where our clients are based in the EU/UK, we additionally comply with the GDPR. See our GDPR Compliance page for details.
12. Updates to This Page
The DPDP Act framework is evolving. The Central Government is expected to notify subordinate rules addressing specific operational requirements. We will update this page as new rules, notifications, and guidance are issued. Material updates will be reflected in the "Last updated" date above.
13. Contact
For questions about our DPDP Act compliance or to exercise your rights as a Data Principal:
Grievance Officer
Security Brigade InfoSec Private Limited
Email: privacy@securitybrigade.com
Phone: Available upon request
Registered Office: Mumbai, Maharashtra, India
India Sales: in.sales@securitybrigade.com