Privacy · v1.0 · Updated 2026-05-08 · 7 pages

DPDP Act 2023 Control Map

Mapping of WorkSwarm's controls to India's Digital Personal Data Protection Act, 2023 - consent, DSR, breach notification, and data fiduciary obligations.

Prepared by Data Protection Officer, WorkSwarm, Inc.

About This Document

This document maps WorkSwarm's data protection controls to India's Digital Personal Data Protection Act, 2023 (DPDP Act). It demonstrates how WorkSwarm, as a data processor, supports data fiduciaries (customers) in meeting their obligations under the Act. WorkSwarm offers a DPDP Act compliance addendum as part of its standard Data Processing Agreement.

1. Section 4 - Grounds for Processing

The DPDP Act requires lawful grounds for processing digital personal data.
| Requirement | WorkSwarm Implementation |
| --- | --- |
| Consent (Section 6) | WorkSwarm provides consent management tooling: capture, storage, withdrawal, and audit trail of consent. Consent records timestamped and tamper-evident. |
| Legitimate uses (Section 7) | Customer (data fiduciary) determines legitimate use. WorkSwarm processes data strictly per customer instructions under the DPA. |
| Notice (Section 5) | WorkSwarm provides tooling for customers to issue notices to data principals. Multi-language support (Hindi, English, and 8 regional languages). |

2. Section 8 - Rights of Data Principal

The DPDP Act grants data principals specific rights that must be fulfilled within prescribed timelines.
| Right | DPDP Act Requirement | WorkSwarm Implementation |
| --- | --- | --- |
| Right to access (8.1) | Summary of personal data and processing activities | Automated DSR portal. Data principal can request summary via self-service. Response within 48 hours (automated) or 30 days (complex). |
| Right to correction (8.3) | Correction of inaccurate or incomplete data | In-product correction tools. API for programmatic correction. Audit trail of all corrections maintained. |
| Right to erasure (8.4) | Erasure when consent is withdrawn or purpose fulfilled | Automated erasure pipeline: identify all instances, cryptographic deletion, backup purge within 90 days. Erasure certificate provided. |
| Right to grievance redressal (8.6) | Respond to grievances within prescribed period | Dedicated grievance officer contact. Acknowledgment within 48 hours. Resolution within 30 days per prescribed timeline. |
| Right to nominate (8.7) | Nominate another person to exercise rights | Nomination management in DSR portal. Identity verification for nominee. All nominee actions logged. |

3. Section 9 - Obligations of Data Fiduciary

WorkSwarm supports data fiduciaries (customers) in meeting their obligations.
| Obligation | WorkSwarm Support |
| --- | --- |
| Data accuracy (9.3) | Data validation tools, synchronization APIs, rectification workflows. Customers control data accuracy; WorkSwarm provides tooling. |
| Data retention limits (9.6) | Customer-configurable retention periods. Automated deletion at expiry. Retention policy dashboard with compliance monitoring. |
| Reasonable security safeguards (9.4) | AES-256-GCM encryption, MFA, RBAC, audit logging, pen testing, vulnerability management. Full security posture in Security Overview report. |
| Consent withdrawal handling (9.2) | Automated consent withdrawal processing. Data processing halted immediately upon withdrawal. Erasure initiated per customer policy. |
| Grievance officer appointment (9.7) | WorkSwarm's designated grievance officer details available in DPA. Customers can configure their own grievance workflow in-product. |

4. Section 12 - Data Breach Notification

The DPDP Act requires notification to the Data Protection Board and affected data principals.
| Requirement | WorkSwarm Implementation |
| --- | --- |
| Notification to DPB (12.1) | WorkSwarm notifies customer (data fiduciary) within 4 hours of confirming a breach. Customer responsible for DPB notification per prescribed form and timeline. |
| Notification to data principals (12.2) | WorkSwarm assists with data principal notification: provides affected user lists, breach description templates, communication channel support. |
| Breach documentation | Full incident documentation maintained: timeline, scope, root cause, remediation, post-mortem. Available for regulatory examination. |

5. Section 16 - Cross-border Transfer

The DPDP Act permits transfer to countries notified by the Central Government and restricts transfer to others.
| Control | Implementation |
| --- | --- |
| India-first data residency | Default deployment region: Mumbai and Hyderabad. All data pinned to India at write time. |
| Cross-border transfer controls | Transfer to non-notified countries blocked at storage layer. Customer-configurable transfer policies. |
| Government notification tracking | WorkSwarm tracks Central Government notifications on permitted transfer destinations. Automatic policy updates when new countries are notified. |
| Sovereign cloud option | Deployment on MeghRaj / NIC Cloud for government customers requiring sovereign data handling. |

6. Section 10 - Significant Data Fiduciary

For customers designated as Significant Data Fiduciaries (SDF), WorkSwarm provides additional support.
  • Data Protection Impact Assessment (DPIA) support: Technical documentation, risk assessment data, and processing activity records for customer DPIAs.
  • Periodic audit support: Evidence packages for auditor review. Compliance posture letters signed by CISO.
  • India-based DPO support: WorkSwarm's DPO is India-resident per SDF requirements.
  • Algorithmic audit support: AI decision documentation, bias evaluation results, and explainability reports for customer's algorithmic audits.

7. Contact

For DPDP Act-specific inquiries or compliance addendum requests:
  • Data Protection Officer: dpo@workswarm.ai
  • Grievance Officer: grievance@workswarm.ai
  • Trust Center: trust@workswarm.ai

Disclaimer: This document is provided for informational purposes and represents WorkSwarm's current security posture and planned controls. Legal templates are provided as starting points and should be reviewed by your legal counsel before execution. Certification timelines are targets and subject to change based on auditor availability and assessment outcomes.
