feat(frameworks): Reference-depth India DPDPA plugin (ind-dpdpa) #72
Review Summary by Qodo: Add reference-depth India DPDPA plugin with breach-process command

Description
- Adds reference-depth India DPDPA plugin with 1,425 lines of substantive content
- Covers DPDPA 2023 + DPDP Rules 2025 with scope, evidence checklist, breach process commands
- Includes parallel sectoral clock matrix (CERT-In, RBI, SEBI, IRDAI, TRAI) for breach response
- Registers plugin in marketplace with SCF crosswalk (41 SCF → 96 framework controls)

Diagram
```mermaid
flowchart LR
    A["DPDPA 2023<br/>+ DPDP Rules 2025"] --> B["Plugin manifest<br/>plugin.json"]
    A --> C["README<br/>roles & commands"]
    A --> D["scope.md<br/>applicability & SDF"]
    A --> E["assess.md<br/>gap assessment"]
    A --> F["evidence-checklist.md<br/>14 obligation themes"]
    A --> G["breach-process.md<br/>72h + parallel clocks"]
    A --> H["SKILL.md<br/>expert knowledge"]
    B --> I["Marketplace registration<br/>marketplace.json"]
    D --> J["Role assignment<br/>Fiduciary/Processor/SDF"]
    G --> K["Parallel clocks<br/>CERT-In 6h, RBI 6h,<br/>SEBI 6h, DPDPA 72h"]
    F --> L["Evidence patterns<br/>by obligation theme"]
```
File Changes
1. .claude-plugin/marketplace.json
@coderabbitai review

✅ Actions performed: Review triggered.
⚠️ Caution: Review failed. The pull request is closed.
ℹ️ Recent review info: Configuration used: defaults | Review profile: CHILL | Plan: Pro Plus
📝 Walkthrough
Adds a new India DPDPA framework plugin.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    autonumber
    participant User as User
    participant Plugin as ind-dpdpa Plugin
    participant GRC as grc-engineer
    participant DPB as Data Protection Body
    participant CERT as CERT-In
    participant Principal as Data Principal
    User->>Plugin: /ind-dpdpa:assess (scope, role, sources)
    Plugin->>GRC: delegate gap-assessment (apac-ind-dpdpa SCF crosswalk)
    GRC-->>Plugin: assessment results (score, control gaps, remediation)
    alt breach detected
        Plugin->>DPB: submit DPDPA 72-hour notification (rules-aligned fields)
        Plugin->>CERT: submit CERT-In / sectoral incident report (parallel clocks)
        Plugin->>Principal: notify affected data principals (channels & wording)
        DPB-->>Plugin: regulatory follow-up
        CERT-->>Plugin: ack / requests
    end
```
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ 5 passed checks (5 passed)
@coderabbitai review

✅ Actions performed: Review triggered.
Actionable comments posted: 3
🧹 Nitpick comments (1)
plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md (1)
22-22: Standardize “inquiry/enquiry” wording across the document. Line 22 uses “enquiry” while lines 329, 336, and 372 use “inquiry.” Pick one variant for consistency in this single document.
Suggested fix (use “inquiry” consistently):
```diff
-- Preparing for a DPB enquiry or compiling penalty-mitigation evidence
+- Preparing for a DPB inquiry or compiling penalty-mitigation evidence
```
Also applies to: 329-329, 336-336, 372-372
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md` at line 22, Replace the British variant "enquiry" with the American variant "inquiry" for consistency in this SKILL.md document by updating the header "Preparing for a DPB enquiry or compiling penalty-mitigation evidence" to "Preparing for a DPB inquiry or compiling penalty-mitigation evidence" (the other instances already use "inquiry"); ensure no other instances of "enquiry" remain in the file.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@plugins/frameworks/ind-dpdpa/commands/breach-process.md`:
- Around line 29-30: The DDoS row in the breaches table contradicts Section 2's
breach definition (which includes availability/loss of access); update the DDoS
entry so it is not categorically "No"—change it to "Depends" or "Potential
breach" and add a short qualifier directing reviewers to assess whether the DDoS
caused a compromise to confidentiality, integrity, or availability (e.g.,
prolonged loss of access or secondary data exposure); ensure the table text and
any footnote reference Section 2's breach criteria so classification follows the
document's defined test.
- Around line 13-15: The fenced code block showing the CLI example
`/ind-dpdpa:breach-process [--phase=detect|classify|notify|investigate|review]
[--sectors=<list>]` is missing a language identifier and triggers markdownlint
MD040; update that fenced block by adding a language tag (e.g., bash) to the
opening backticks so it reads ```bash and keeps the same command content to
satisfy the linter.
In `@plugins/frameworks/ind-dpdpa/commands/evidence-checklist.md`:
- Around line 13-15: The fenced usage block for the command
`/ind-dpdpa:evidence-checklist [--theme=<theme>] [--role=<fiduciary|processor>]
[--sdf]` lacks a language identifier and triggers markdownlint MD040; update the
fenced code block to include a language identifier such as "bash" (i.e., change
the opening ``` to ```bash) so the block is properly recognized and linted.
---
Nitpick comments:
In `@plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md`:
- Line 22: Replace the British variant "enquiry" with the American variant
"inquiry" for consistency in this SKILL.md document by updating the header
"Preparing for a DPB enquiry or compiling penalty-mitigation evidence" to
"Preparing for a DPB inquiry or compiling penalty-mitigation evidence" (the
other instances already use "inquiry"); ensure no other instances of "enquiry"
remain in the file.
ℹ️ Review info
Configuration used: defaults | Review profile: CHILL | Plan: Pro Plus | Run ID: 949e971a-ddfa-4a19-9fea-0d2ece0a48fd
📒 Files selected for processing (8)
- .claude-plugin/marketplace.json
- plugins/frameworks/ind-dpdpa/.claude-plugin/plugin.json
- plugins/frameworks/ind-dpdpa/README.md
- plugins/frameworks/ind-dpdpa/commands/assess.md
- plugins/frameworks/ind-dpdpa/commands/breach-process.md
- plugins/frameworks/ind-dpdpa/commands/evidence-checklist.md
- plugins/frameworks/ind-dpdpa/commands/scope.md
- plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md
CodeRabbit posted 3 actionable comments on GRCEngClub#72:
1. Add `bash` language tag to fenced code blocks (markdownlint MD040). Applied to commands/assess.md (Usage and Delegation blocks), commands/scope.md, commands/evidence-checklist.md, commands/breach-process.md.
2. Reclassify DDoS row in commands/breach-process.md. The row previously said "No" for DPDPA-breach status, which contradicted Section 2's definition (which includes loss-of-access to personal data as a breach of availability). Updated to "Context-dependent — likely Yes if the unavailability blocks Data Principals from accessing their personal data" and added the "document the determination basis" reminder consistent with the rest of the document.
3. (Already covered by item 1.)
Pushed 166da8f addressing the three actionable CodeRabbit comments:
While I was there, I also pre-emptively added
Ready for re-review whenever a maintainer can trigger another bot pass.
Only users with a collaborator, contributor, member, or owner role can interact with CodeRabbit.
Force-pushed 166da8f to 3195f81.
🧹 Nitpick comments (1)
plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md (1)
22-22: Optional: Consider standardizing "enquiry" vs "inquiry" spelling. The document mixes "enquiry" (Line 22) with "inquiry" (lines 329, 336, 372). Both spellings are valid, but consistency within a single document improves polish. In Indian legal/administrative contexts, "enquiry" (UK spelling) is more common. Consider standardizing to one spelling throughout.
This is a minor stylistic refinement and not a functional issue.
Also applies to: Lines 329, 336, 372
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md` at line 22, The document uses both "enquiry" and "inquiry" inconsistently (e.g., the heading "Preparing for a DPB enquiry" and later uses "inquiry"); pick one spelling (recommend "enquiry" for Indian context) and replace all occurrences to match across the SKILL.md file so headings and body copy (including the phrases near "Preparing for a DPB enquiry" and the later instances currently spelled "inquiry") are consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md`:
- Line 22: The document uses both "enquiry" and "inquiry" inconsistently (e.g.,
the heading "Preparing for a DPB enquiry" and later uses "inquiry"); pick one
spelling (recommend "enquiry" for Indian context) and replace all occurrences to
match across the SKILL.md file so headings and body copy (including the phrases
near "Preparing for a DPB enquiry" and the later instances currently spelled
"inquiry") are consistent.
ℹ️ Review info
Configuration used: defaults | Review profile: CHILL | Plan: Pro Plus | Run ID: 0428916b-d794-4c84-9e69-29f914bed9f6
📒 Files selected for processing (8)
- .claude-plugin/marketplace.json
- plugins/frameworks/ind-dpdpa/.claude-plugin/plugin.json
- plugins/frameworks/ind-dpdpa/README.md
- plugins/frameworks/ind-dpdpa/commands/assess.md
- plugins/frameworks/ind-dpdpa/commands/breach-process.md
- plugins/frameworks/ind-dpdpa/commands/evidence-checklist.md
- plugins/frameworks/ind-dpdpa/commands/scope.md
- plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md
✅ Files skipped from review due to trivial changes (4)
- plugins/frameworks/ind-dpdpa/.claude-plugin/plugin.json
- plugins/frameworks/ind-dpdpa/README.md
- plugins/frameworks/ind-dpdpa/commands/scope.md
- plugins/frameworks/ind-dpdpa/commands/assess.md
🚧 Files skipped from review as they are similar to previous changes (1)
- .claude-plugin/marketplace.json
Greptile Summary
Adds a Reference-depth framework plugin for India's DPDPA 2023 and DPDP Rules 2025 — 8 files covering a scope walkthrough, evidence checklist, breach playbook, gap assessment command, and a reference-grade expert skill. Version, metadata, and delegation to
The one P2 finding is a minor inconsistency in the SEBI 6-hour notification chain between
Confidence Score: 5/5
Safe to merge — the only remaining finding is a P2 documentation inconsistency in the SEBI notification chain. All prior P1 concerns (version 0.2.0 skipping 0.1.0, missing
plugins/frameworks/ind-dpdpa/commands/breach-process.md — SEBI notification chain wording should be reconciled with SKILL.md.
Important Files Changed

Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User] -->|scope| B[scope.md - Applicability + SDF + Sectoral]
    B --> C{In scope?}
    C -->|No| D[Out of scope]
    C -->|Yes| E[Role: Fiduciary / Processor / Consent Mgr]
    E -->|assess| F[assess.md]
    F -->|delegates to| G[grc-engineer gap-assessment]
    G --> H[Gap report - 41 SCF to 96 DPDPA controls]
    E -->|evidence-checklist| I[evidence-checklist.md - 14 themes]
    E -->|breach-process| J[breach-process.md - 5 phases]
    J --> K[Clock matrix: DPDPA 72h + CERT-In 6h + RBI 6h + SEBI 6h]
    L[SKILL.md - ind-dpdpa-expert] -.->|invoked on any DPDPA question| A
```
Reviews (3): Last reviewed commit: "fix(ind-dpdpa): version baseline, Sectio..."
Thanks @DevamShah — substantial reference-depth content (parallel sectoral breach clocks for CERT-In/RBI/SEBI/IRDAI/DoT-TRAI is a particularly nice touch) and great proactive coordination with #66. Plugin structure matches Plan
Items to address on rebase
Optional
Looking forward to landing this once #66 is in.

Closing and reopening to trigger new vouch gate workflow.
| "name": "ind-dpdpa", | ||
| "source": "./plugins/frameworks/ind-dpdpa", | ||
| "description": "India - DPDPA (2023) + DPDP Rules (2025) — reference-depth plugin backed by the SCF crosswalk (41 SCF → 96 framework controls). Includes scope, evidence checklist, and breach process with parallel sectoral clocks (RBI / SEBI / IRDAI / TRAI / CERT-In).", | ||
| "version": "0.2.0" |
Direct collision with open PR #66. PR #66 (@AnandSundar) registers a plugin at the exact same path (./plugins/frameworks/ind-dpdpa) and exact same name (ind-dpdpa) at Stub depth, version 0.1.0. That PR was opened first (Apr 24), is currently MERGEABLE, and your PR is now CONFLICTING (mergeStateStatus: DIRTY) against it. Maintainers will need to pick one — the substantive content here is dramatically richer (1,397 lines vs. ~6 small files) so this Reference-depth submission is the better artefact, but the collision needs an explicit resolution before either can land. Suggest coordinating with @AnandSundar (e.g., close #66 in favour of this PR, or rebase this PR atop #66 once that lands and bump to 0.2.0).
| - Up to **₹200 crore** — failure to fulfil obligations relating to children (Section 9) | ||
| - Up to **₹150 crore** — failure to fulfil additional obligations of an SDF (Section 10) | ||
| - Up to **₹50 crore** — failure to inform the Board / affected Principal of a breach (Section 8(6)) | ||
| - Up to **₹50 crore** — failure of a Data Principal to comply with Section 15 duties |
Factual error in penalty band. The DPDPA Schedule sets the penalty for a Data Principal's breach of Section 15 duties at "up to ₹10,000" — not ₹50 crore. The ₹50 crore figure on the line above (line 341) covers Section 8(6) breach-notification failure, which is correct. Suggest changing line 342 to: Up to **₹10,000** — failure of a Data Principal to comply with Section 15 duties. This is the only line in this section with a wrong figure; the other four bands match the Schedule. Also worth adding a band that is in the Schedule but missing here: a residual "up to ₹50 crore" for breach of any other provision of the Act or Rules — that's a meaningful catch-all for posture work.
|
|
||
| ## What is a "personal data breach"? | ||
|
|
||
| Section 2 defines a personal data breach as any unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the **confidentiality, integrity, or availability** of personal data. |
Near-verbatim Act text. This sentence reproduces DPDPA 2023 Section 2(u) almost word-for-word — the actual statutory definition reads "any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data." The repo norm (and CLAUDE.md disclaimer guidance) is to paraphrase statutory text and reference by section, rather than copy-paste. Same near-verbatim issue at SKILL.md line 52. Suggest rewording to e.g.: "Section 2(u) defines a personal data breach broadly — any unauthorised processing, accidental disclosure, loss, alteration, or loss-of-access event affecting the CIA of personal data." Also worth confirming the section reference is 2(u), not just "Section 2".
| { | ||
| "name": "ind-dpdpa", | ||
| "description": "India DPDPA 2023 + DPDP Rules 2025 — Reference-depth plugin: scope, evidence checklist, breach process, and sectoral overlap (RBI / SEBI / IRDAI / TRAI) for Data Fiduciaries operating in India.", | ||
| "version": "0.2.0", |
Version baseline mismatch with repo convention. Every other framework plugin in this marketplace ships with "version": "0.1.0" as the initial version (see singapore-pdpa, cyber-essentials-plus, all 21 framework plugins). The 0.2.0 baseline here looks like it was bumped to signal the depth jump from a prior Stub PR (which fits PR #66's narrative), but as a fresh first-merge of this directory there's no 0.1.0 predecessor on main to bump from. Suggest setting this and the marketplace.json entry to 0.1.0, then bumping to 0.2.0 in a follow-up. (If maintainers decide to land #66 first and then layer this in, 0.2.0 becomes correct — that's a sequencing decision, not a content decision.)
| | **IRDAI Information & Cyber Security Guidelines (2023)** | Cyber incident at insurer / intermediary | Per current direction (typically rapid; check current circular) | IRDAI | | ||
| | **DoT / TRAI Telecom Cyber Security Rules 2024** | Cyber-security incident in a telecom network | Per the Rules' reporting matrix | DoT / TRAI / CERT-In | | ||
| | **NCIIPC** | Incident affecting Critical Information Infrastructure | Immediate | NCIIPC | | ||
| | **DPDPA 8(6) + DPDP Rules 2025 R7** | Personal data breach | **72 hours** from awareness | Data Protection Board of India + each affected Data Principal | |
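Review bot: the IRDAI and DoT/TRAI rows leave the clock column without a number ("Per current direction (typically rapid; check current circular)", "Per the Rules' reporting matrix") while the neighbouring rows give hard windows, so someone working this matrix during an incident gets no deadline to track for those two regulators and may read the cell as "no clock". Suggest either filling the window in from the cited instrument with a dated reference, or marking those cells explicitly as confirm-before-use items and adding a source column so every row (the NCIIPC "Immediate" row included) points at the document its clock comes from.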
Internal inconsistency on Rule numbering. This row (and several others — assess.md, evidence-checklist.md) cites "DPDP Rules 2025 R7" as the breach-notification rule. But SKILL.md line 387 correctly caveats: "Rule numbering for the DPDP Rules 2025 referenced here is illustrative — confirm specific rule numbers against the gazette notification when authoring compliance artefacts." If the rule numbers are illustrative, the command files shouldn't present them as authoritative. Suggest either (a) confirming actual rule numbers against the November 2025 gazette and dropping the caveat, or (b) softening references throughout the commands to e.g. "the breach-notification rule under DPDP Rules 2025 (rule number per current gazette)". The clock content is solid; this is purely about not letting placeholder rule numbers leak into operational guidance.
Thanks for the substantive Reference-depth plugin, @DevamShah — 1,397 lines of real DPDPA expertise is a strong contribution. Detailed line comments above. Four blockers before we can merge:
Optional polish: the "DPDP Rules 2025 R7" citation in the command files asserts authority that the SKILL.md elsewhere caveats as illustrative — pick a stance and align across files. Once these land we'll merge this and close #66 with a thank-you note to @AnandSundar pointing at a different unscaffolded SCF framework.
Adds a Reference-depth plugin for India's Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules, 2025. Built for CISOs, DPOs, GRC engineers, and platform teams operating in India or offering goods or services to Data Principals located in India.

Plugin
- Slug: ind-dpdpa
- SCF framework ID: apac-ind-dpdpa-2023 (41 SCF → 96 framework controls)
- Depth: reference
- Regulator: Data Protection Board of India (DPB) under MeitY
- Region: APAC, country IN

Files (Reference-depth set per docs/FRAMEWORK-PLUGIN-GUIDE.md):
- plugins/frameworks/ind-dpdpa/.claude-plugin/plugin.json
- plugins/frameworks/ind-dpdpa/README.md
- plugins/frameworks/ind-dpdpa/commands/assess.md
- plugins/frameworks/ind-dpdpa/commands/scope.md
- plugins/frameworks/ind-dpdpa/commands/evidence-checklist.md
- plugins/frameworks/ind-dpdpa/commands/breach-process.md
- plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md
- .claude-plugin/marketplace.json (registration)

Coverage
- Act + Rules read together: substantive obligations from the Act, operational timelines and detail from the Rules notified November 2025.
- Roles: Data Fiduciary, Processor, Principal, Consent Manager, SDF.
- Section 3 territorial and material applicability decision tree.
- Section 5–7 notice / consent / legitimate uses (no GDPR-style legitimate-interest framing — Section 7 is exhaustive).
- Section 8 Fiduciary obligations including 8(5) security safeguards and 8(6) breach notification (penalty bands ₹250 cr / ₹50 cr).
- Section 9 children's data (verifiable parental consent, no behavioural tracking, no targeted ads — penalty up to ₹200 cr).
- Section 10 SDF additional obligations (DPO, DPIA, audit; up to ₹150 cr).
- Sections 11–14 Data Principal rights (access, correction, erasure, grievance, nomination).
- Section 16 cross-border (default-permissive with restricted-territory blocklist; sectoral localisation overlays preserved).
- Section 17 exemptions.

Reference-depth differentiators vs scaffolded stub
- Substantive content in every SKILL section (no TODO markers).
- /ind-dpdpa:scope — full applicability + role + SDF-trigger walk.
- /ind-dpdpa:evidence-checklist — 14 obligation themes with collection guidance and "what good looks like" criteria.
- /ind-dpdpa:breach-process — DPDPA 72-hour timeline plus the parallel sectoral clocks (CERT-In 6h, RBI 6h, SEBI 6h, IRDAI per current direction, DoT/TRAI per Telecom Cyber Security Rules 2024). Clock-collision is the most common DPDPA-era breach failure for regulated Fiduciaries; the playbook addresses it.

Sectoral overlay
Plugin flags overlap with RBI (Master Direction on IT Governance, Cyber Security Framework, payment-system data localisation), SEBI (CSCRF), IRDAI (Information & Cyber Security Guidelines), DoT/TRAI (Telecom Cyber Security Rules 2024), NHA (ABDM/Health Data Management Policy), NCIIPC (CII), and CERT-In (Direction 20(3)/2022). The plugin does not enforce sectoral rules — those remain separate plugins or org-internal playbooks.

Constraints honoured
- No verbatim Act or Rules text (paraphrase only; section / rule references by number).
- No PII, no real org context, no credentials.
- No legal-advice phrasing; "engineering and assessment guidance only" disclaimer in every file.
- Cloud-agnostic implementation guidance.
- No hand-maintained crosswalks; defers to SCF for control mapping.
- No vendored copy of the Section 16 restricted-territories list (which is published by the Central Government and updates).

Coordination with PR GRCEngClub#66
PR GRCEngClub#66 (@AnandSundar) proposes a Stub-depth plugin for the same framework. This PR is a Reference-depth contribution. Per docs/FRAMEWORK-PLUGIN-GUIDE.md ("Level-ups are separate PRs"), the intended sequence is: GRCEngClub#66 merges first, then this PR rebases as a Stub→Reference upgrade. Happy to defer or coordinate per maintainer preference.

Validation
- plugin.json passes the Reference manifest schema (PR GRCEngClub#71).
- marketplace.json passes the Reference marketplace schema (PR GRCEngClub#71).
- No matches in audit grep for: verbatim long quotes, real-org context, PII patterns, credentials, "legal advice" framing.
- Disclaimer present in every user-facing file.

Authored personally by Devam Shah.
…ion 2(u)
- plugin.json: version 0.2.0 → 0.1.0 to match repo baseline (every other plugin manifest is at 0.1.0)
- SKILL.md (Penalty exposure): Section 15 Data Principal duty penalty is ₹10,000 per the Schedule, not ₹50 crore. Crore-scale penalties apply to Fiduciary failures; the Principal-side fine is the small one.
- SKILL.md + breach-process.md: paraphrase the Section 2(u) personal-data-breach definition rather than reproducing the Act text verbatim, per ground rule GRCEngClub#2 in docs/CONTRIBUTING.md
- marketplace.json: register the ind-dpdpa plugin alongside the other framework plugins (resolves stale-base conflict against current main)

Validates against tests/validate-plugin-manifests.sh (37 manifests, all valid).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Force-pushed 3195f81 to c066dc4.
Thanks @ethanolivertroy — and especially for taking the maintainer-edit pass yourself rather than bouncing the four blockers back. The Section 15 ₹10,000 vs ₹50 crore catch is the one I most needed an extra set of eyes on; it's an easy mistake when you're shipping crore-scale Fiduciary penalty bands and one Schedule item operates on a different scale entirely. Your paraphrase of the Section 2(u) personal-data-breach definition reads cleaner than my original. The piece I most want practitioners to actually use is the parallel-clock matrix in
Looking forward to picking up the next India / APAC framework from the unscaffolded list.
Both substantive PRs (GRCEngClub#71 validator, GRCEngClub#72 India DPDPA plugin) are merged into upstream main. PR GRCEngClub#70 closed-as-superseded (folded into GRCEngClub#71). README updated to: - Reflect the merged state of all three contributions, with explicit thanks for @ethanolivertroy's maintainer-edit pass that fixed the four blockers on GRCEngClub#72 before merge (version baseline, Section 15 ₹10,000 correction, Section 2(u) paraphrase). - Acknowledge @AnandSundar's original stub PR GRCEngClub#66 that locked in the SCF metadata baseline. - Recommend the upstream Club marketplace as the primary install path now that the work has landed there. - Preserve the upstream README verbatim as UPSTREAM-README.md.
Summary
Adds a Reference-depth framework plugin for India's Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules, 2025, built for CISOs, DPOs, GRC engineers, and platform teams operating in India or offering goods or services to Data Principals located in India.
| Slug | Path | SCF framework ID | Depth |
| --- | --- | --- | --- |
| ind-dpdpa | plugins/frameworks/ind-dpdpa/ | apac-ind-dpdpa-2023 (41 SCF → 96 framework controls) | reference |

Coordination with #66
#66 (@AnandSundar) proposes a Stub-depth plugin for the same framework. Per docs/FRAMEWORK-PLUGIN-GUIDE.md ("Level-ups are separate PRs. Don't try to go Stub → Full in one PR."), the natural sequence is:

Happy to invert that order or coordinate directly with @AnandSundar — whichever the maintainers prefer. The work credits @AnandSundar's stub framing in spirit; this PR builds the Reference content the level-up checklist calls for.
What's in the box
- plugins/frameworks/ind-dpdpa/.claude-plugin/plugin.json
- plugins/frameworks/ind-dpdpa/README.md
- plugins/frameworks/ind-dpdpa/commands/assess.md — /ind-dpdpa:assess — scope / role / sources args; SCF crosswalk delegation
- plugins/frameworks/ind-dpdpa/commands/scope.md
- plugins/frameworks/ind-dpdpa/commands/evidence-checklist.md
- plugins/frameworks/ind-dpdpa/commands/breach-process.md
- plugins/frameworks/ind-dpdpa/skills/ind-dpdpa-expert/SKILL.md — no TODO: markers
- .claude-plugin/marketplace.json

Total: 1,425 lines of authored Markdown + JSON.
Reference-depth differentiators
Per the level-up checklist in docs/FRAMEWORK-PLUGIN-GUIDE.md:
- framework_metadata.depth = "reference"
- commands/scope.md — framework-specific (not generic) applicability + SDF triggers + sectoral overlap detection
- commands/evidence-checklist.md — evidence patterns organised by DPDPA's own obligation themes
- SKILL.md substantive in every section; no TODO: markers in body
- README.md reflects Reference depth and install/usage

Reference-plus: commands/breach-process.md is a substantive bonus command — the clock-collision problem (DPDPA 72h vs CERT-In 6h vs RBI 6h vs SEBI 6h running concurrently) is the most common DPDPA-era breach failure for regulated Indian Fiduciaries, and the Reference checklist alone wouldn't cover it well.

Sectoral overlay
DPDPA stacks on top of sectoral data and security rules — it does not displace them. The plugin flags overlap with:
The plugin does not enforce sectoral rules — those remain for sector-specific plugins or org-internal playbooks. It only flags overlap so engineering teams don't miss parallel clocks.
Constraints honoured
apac-ind-dpdpa-2023).

Validation
- plugin.json passes the Reference manifest schema (the one proposed in #71)
- marketplace.json passes the marketplace schema
- claude plugin install install-time validation: passes (the framework_metadata extension key is permitted)

Test plan
- /plugin install ind-dpdpa@grc-engineering-suite
- /ind-dpdpa:scope walks through applicability + role + SDF + cross-border + sectoral
- /ind-dpdpa:assess SOC2 --sources=github-inspector (or any connector) routes via SCF crosswalk and produces a DPDPA-flavoured gap report
- /ind-dpdpa:evidence-checklist --theme=breach renders the breach-evidence list
- /ind-dpdpa:breach-process --sectors=banking renders the parallel-clock matrix with RBI included

Disclaimer
This plugin is engineering and assessment guidance only. It is not legal advice. DPDPA enforcement and binding interpretation come from the Data Protection Board of India, MeitY notifications, and the courts. Confirm postures with qualified counsel before treating any output as compliant.
🤖 Authored personally by Devam Shah, with Claude Code.
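The clock-collision problem this PR keeps returning to (the DPDPA 72-hour clock running alongside the 6-hour sectoral clocks) is easier to reason about once the matrix is turned into a small planner. The following is an added example, not code from the ind-dpdpa plugin or from this PR: it takes the clock values quoted on this page, applies the Section 2(u) confidentiality/integrity/availability test as paraphrased here to decide whether the DPDPA clock starts at all (the DDoS row question), and lists the concurrent deadlines in due order. The sector-to-regulator mapping, the `cii` sector label and the fixed awareness timestamp are constructed for the example; regulators whose window the page gives only as "per current direction" are carried as unquantified rather than guessed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Clock matrix as quoted in the PR description and the breach-process table:
# instrument -> (hours from awareness, recipient). None = the page gives no
# fixed window ("per current direction"); the planner surfaces it as CONFIRM.
CLOCKS: dict[str, tuple[Optional[int], str]] = {
    "DPDPA 8(6)": (72, "Data Protection Board of India + each affected Data Principal"),
    "CERT-In": (6, "CERT-In"),
    "RBI": (6, "RBI"),
    "SEBI": (6, "SEBI"),
    "IRDAI": (None, "IRDAI"),
    "DoT/TRAI": (None, "DoT / TRAI / CERT-In"),
    "NCIIPC": (0, "NCIIPC"),  # "Immediate" in the matrix
}

# Assumed sector -> sectoral clock mapping for this example (not the plugin's).
SECTOR_CLOCKS: dict[str, list[str]] = {
    "banking": ["RBI"],
    "securities": ["SEBI"],
    "insurance": ["IRDAI"],
    "telecom": ["DoT/TRAI"],
    "cii": ["NCIIPC"],
}

# Constructed awareness time shared by the sample scenarios below.
AWARE_AT = datetime(2025, 11, 20, 9, 30, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Incident:
    aware_at: datetime            # when the Fiduciary became aware (tz-aware)
    personal_data_involved: bool
    confidentiality: bool         # e.g. unauthorised disclosure or acquisition
    integrity: bool               # e.g. unauthorised alteration or destruction
    availability: bool            # e.g. prolonged loss of access to personal data
    sectors: tuple[str, ...] = ()


@dataclass(frozen=True)
class Deadline:
    instrument: str
    recipient: str
    hours: Optional[int]
    due: Optional[datetime]       # None -> window must be confirmed


def is_personal_data_breach(inc: Incident) -> bool:
    """Section 2(u) test as paraphrased on this page: personal data affected and
    at least one of confidentiality, integrity or availability compromised.
    A DDoS therefore starts the DPDPA clock only when it actually blocks
    Data Principals from reaching their personal data (availability=True)."""
    return inc.personal_data_involved and (
        inc.confidentiality or inc.integrity or inc.availability
    )


def plan(inc: Incident) -> list[Deadline]:
    """Every clock the incident starts, shortest first; unquantified windows
    are kept (last) rather than silently dropped."""
    names = ["CERT-In"]  # assumed: the page lists CERT-In's clock in every matrix rendering
    for sector in inc.sectors:
        names.extend(SECTOR_CLOCKS.get(sector, []))
    if is_personal_data_breach(inc):
        names.append("DPDPA 8(6)")
    out = []
    for name in dict.fromkeys(names):  # de-duplicate, keep insertion order
        hours, recipient = CLOCKS[name]
        due = inc.aware_at + timedelta(hours=hours) if hours is not None else None
        out.append(Deadline(name, recipient, hours, due))
    out.sort(key=lambda d: (d.due is None, d.due or inc.aware_at))
    return out


def render(deadlines: list[Deadline]) -> str:
    rows = []
    for d in deadlines:
        when = (d.due.strftime("%Y-%m-%d %H:%M UTC") if d.due
                else "CONFIRM window against current instrument")
        rows.append(f"{d.instrument:<11} {when:<40} -> {d.recipient}")
    return "\n".join(rows)


def scenario(*, personal_data: bool = True, c: bool = False, i: bool = False,
             a: bool = False, sectors: tuple[str, ...] = ("banking",)) -> Incident:
    """Constructed incident at AWARE_AT; the defaults model a DDoS that did not
    affect personal data, so only the cyber-incident clocks run."""
    return Incident(AWARE_AT, personal_data, c, i, a, tuple(sectors))


if __name__ == "__main__":
    # A bank's customer portal is kept offline by a DDoS for most of a day, so
    # Data Principals cannot reach their personal data: availability compromised.
    print(render(plan(scenario(a=True))))
```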