DPDP Act 2023 — Our Posture
Section-by-section, how we meet each obligation. Not aspirational — every link goes to a live page or operational process.
The Digital Personal Data Protection Act 2023 is the foundational law governing how organisations in India handle personal data. Below is how Maitro meets each material obligation. If something here is wrong or out of date, email our Grievance Officer and we'll fix it (this page is not for marketing; it's a working spec).
| Section | Topic | Our posture |
|---|---|---|
| §5 | Lawful processing | Every data category has a named lawful basis (see /legal/privacy section 1). |
| §6 | Consent | Consent requirements and withdrawal path are documented at /trust/consent. Wire the live consent ledger before production. |
| §7 | Legitimate use without consent | Listed only when a data category uses legitimate_use or another permitted basis in the venture config. |
| §8(2) | Notice of purpose | The privacy page lists purpose, basis, retention, and sharing for each configured data category. |
| §8(6) | Reasonable security | Security controls are published at /trust/breach from venture config. Do not claim a control until it is live. |
| §9 | Children (under 18) | Verified guardian consent flow — see /trust/under-18. |
| §10 | Significant Data Fiduciary | See /trust/dpo for DPO appointment and DPIA cadence. |
| §11 | Notice / Privacy Policy | Plain-language privacy policy at /legal/privacy. Updates notified 7 days in advance. |
| §13 | Grievance Officer | Named officer with email, SLA, and escalation tree at /legal/grievance. |
| §14 | Data Subject Rights | Rights request form surfaces live at /trust/dsr. The consuming app must implement the API endpoint before production. |
| §17(2) | Cross-border restrictions | India-only by default. Any cross-border transfer requires new consent and must be listed in the privacy policy. |
What we don't do (yet)
- Annual DPIA publication — add only after the venture has a reviewed DPIA publication process
- External audit attestation — add only after a signed audit report or regulator-facing attestation exists
How to challenge our posture
If you believe Maitro is not meeting any obligation listed above, email the Grievance Officer at privacy@maitro.tech with the section number and your evidence. We will respond within 7 days. Reasoned disagreement is welcome.