ShieldMind processes Personal Data of Indian Data Principals as a Data Processor on behalf of Customer, who is the Data Fiduciary. This attestation describes our DPDPA-aligned practices. For an executed binding addendum to your MSA referencing this attestation, email bd@dtrasglobal.com.
'DPDPA' means the Digital Personal Data Protection Act 2023 of India.
'Data Principal', 'Data Fiduciary', 'Data Processor', 'Personal Data', 'Personal Data Breach', and 'Consent Manager' have the meanings ascribed to them under the DPDPA.
'Customer' is the Data Fiduciary; 'ShieldMind' acts as a Data Processor under Section 8(2) of the DPDPA, processing Personal Data only on Customer's documented instructions.
ShieldMind processes Personal Data of Indian Data Principals strictly on Customer's documented instructions for the purposes set out in the Master Services Agreement: endpoint security telemetry, DLP enforcement, shadow-IT discovery, AI-usage governance, and threat detection.
Customer represents and warrants that it has established a lawful basis under DPDPA Section 4 (consent or legitimate use) for each Processing activity it instructs ShieldMind to perform, and that the corresponding Notice under Section 5 has been provided to the Data Principal.
ShieldMind does not determine the purposes or means of Processing and therefore does not act as a Data Fiduciary with respect to Customer's Personal Data flows.
ShieldMind implements reasonable security safeguards as required by DPDPA Section 8(5) and the forthcoming Rules thereunder. These include, without limitation:
Encryption at rest using AES-256-GCM with per-row data encryption keys wrapped by a KEK held in AWS KMS or Azure Key Vault (Customer-controllable on request).
Encryption in transit using TLS 1.3 with modern cipher suites only; HSTS with includeSubDomains and preload set.
Multi-tenant logical isolation enforced at the application, database row-level-security, and per-tenant encryption layers; validated by a continuous tenant-isolation test suite.
Tamper-evident HMAC-chained audit logging covering all administrative access and data export events.
Quarterly disaster-recovery drills with documented RTO < 4 hours and RPO < 5 minutes (drill script at deploy/drill_restore.sh).
Annual third-party penetration testing and a continuously-running bug-bounty program (/legal/vulnerability-disclosure).
Personnel with production access undergo background checks and DPDPA + GDPR + HIPAA awareness training annually; access is revoked within 4 business hours of termination.
ShieldMind will notify Customer of any Personal Data Breach without undue delay and in no event later than 48 hours after becoming aware. The notification will include, to the extent then known: nature and categories of Personal Data affected; approximate number of Data Principals; likely consequences; measures taken; and contact for further information.
Customer remains responsible for notifying the Data Protection Board of India and affected Data Principals as required by Section 8(6) and forthcoming Rules. ShieldMind will provide reasonable assistance and information necessary for Customer to comply with those obligations.
ShieldMind provides self-service tooling at /dashboard/governance for Customer Admins to action Data Principal requests within Customer's tenant:
Right to information about Processing (Section 11) — supported via the Subject Access Request flow.
Right to correction and erasure (Section 12) — Customer Admins can edit or delete any Personal Data record; deletions cascade through audit log (with a tombstone retained for tamper-evidence) and replicas within 30 days.
Right to grievance redressal (Section 13) — ShieldMind's Grievance Officer (see Section 9) accepts grievances escalated through Customer.
Right to nominate (Section 14) — out of scope for ShieldMind as Data Processor; Customer handles in its own consent management.
Where a request is received directly by ShieldMind rather than Customer, ShieldMind will redirect the Data Principal to Customer's grievance channel and notify Customer within 48 hours.
Personal Data of Indian Data Principals is currently processed within India (Supabase Singapore region with Mumbai-region replicas planned) and at AWS us-east-1 and eu-west-1 for backup and disaster-recovery purposes.
Per DPDPA Section 16 and the forthcoming Notification by the Central Government, ShieldMind does not transfer Personal Data of Indian Data Principals to any country or territory restricted by such Notification. ShieldMind will update transfer mechanisms within 90 days of any Notification.
Customer may opt into India-residency-only deployment (no replication outside India) on the Enterprise plan; contact bd@dtrasglobal.com.
ShieldMind engages Sub-processors only with Customer's general written authorization, provided through Customer's acceptance of this attestation. The current Sub-processor list is published at /legal/sub-processors.
ShieldMind imposes data-protection obligations on its Sub-processors that are no less protective than those in this attestation. Customer may subscribe at /legal/subprocessor-notifications for 30-day prior notice of additions or replacements.
ShieldMind retains Personal Data only for the duration necessary to provide the contracted services or as required by applicable law. Default retention windows are configurable per Customer at /dashboard/governance/policy.
Upon termination of services, Customer may export all Personal Data via the dashboard; ShieldMind will delete all Personal Data and provide a Certificate of Destruction within 30 days, except where retention is required by law (e.g. records of consent under Section 7(5)).
ShieldMind's designated Grievance Officer for purposes of receiving complaints from Data Principals routed through Customer:
Name: Hariom Dhage
Email: bd@dtrasglobal.com
Address: DTRAS-G Solutions Private Limited, Manipal, Udupi, Karnataka 576104, India.
Acknowledgment of receipt within 3 business days; substantive response within the period prescribed by DPDPA Rules (currently anticipated as 7 business days from the time the Rules come into force).
ShieldMind does not knowingly process Personal Data of children (individuals under 18) as defined by DPDPA Section 9. Customer represents that the workforce population on which it deploys ShieldMind is composed of adults. If Customer instructs ShieldMind to process children's data (e.g. for an EdTech employee deployment that includes student devices), Customer must first obtain verifiable parental consent in accordance with Section 9 and must so notify ShieldMind.
This attestation is effective on 5 June 2026 and will be updated as the DPDPA Rules and Notifications are issued by the Central Government and Data Protection Board. Material changes will be announced via /legal/subprocessor-notifications and updated to this URL with a new 'Last updated' date.
Questions about this document? Email bd@dtrasglobal.com — we reply within 2 business days.