From ind-dpdpa
India DPDPA — applicability, role assignment, SDF trigger walkthrough, sectoral overlay
How this command is triggered — by the user, by Claude, or both
Slash command
/ind-dpdpa:scopeThe summary Claude sees in its command listing — used to decide when to auto-load this command
# India DPDPA Scope Determines whether DPDPA applies, what role the entity holds, whether Significant Data Fiduciary (SDF) thresholds are at risk, and which sectoral regulators overlay obligations on top of DPDPA. Run this **before** `/ind-dpdpa:assess`. The assessment behaves differently depending on the role and SDF status. ## Usage If `--section` is omitted, the command walks the full decision tree. ## 1. Territorial and material applicability (Section 3) Answer in order. The first **No** to a hard requirement breaks scope. ### 1.1 Is processing of digital personal data involved...
Determines whether DPDPA applies, what role the entity holds, whether Significant Data Fiduciary (SDF) thresholds are at risk, and which sectoral regulators overlay obligations on top of DPDPA.
Run this before /ind-dpdpa:assess. The assessment behaves differently depending on the role and SDF status.
/ind-dpdpa:scope [--section=applicability|role|sdf|cross-border|sectoral|exemptions]
If --section is omitted, the command walks the full decision tree.
Answer in order. The first No to a hard requirement breaks scope.
DPDPA covers personal data in digital form, or in non-digital form digitised subsequently. Purely paper-based processing that is never digitised is out of scope.
If neither is true → out of scope. Stop here.
If neither is true → out of scope. Stop here.
The extra-territorial trigger is broader than it appears. Indicators that the trigger is engaged for an entity outside India:
The monitoring of behaviour trigger that GDPR has is not a standalone DPDPA trigger — DPDPA hooks on offering goods or services. However, monitoring as a service offered to Indian users (e.g. an analytics product whose buyers monitor Indian-resident users) is in scope via the offering-of-services route.
If a full exemption applies, scope ends. Most commercial processing does not qualify for any of these exemptions, and the burden is on the Fiduciary to demonstrate it does.
Output of step 1: APPLICABLE / NOT APPLICABLE / PARTIALLY EXEMPT (with the exempt subset clearly identified).
Determine the entity's primary role. Note that an organisation can hold multiple roles for different processing activities.
The entity is a Data Fiduciary if it decides the purpose and means of processing — what data, what it's used for, how, with whom shared.
Indicators:
The entity is a Data Processor if it processes personal data on behalf of a Fiduciary under contract, acting on the Fiduciary's instructions.
Indicators:
A Processor that decides to use the data for its own purpose (analytics on aggregated trends, model training, monetisation) becomes a Fiduciary for that processing — irrespective of contract wording.
A registrable entity that manages consents on behalf of Data Principals. Consent Managers register with the Data Protection Board under the DPDP Rules 2025 conditions and are accountable to the Principal, not the Fiduciary.
Most organisations are not Consent Managers — this role is specific.
Common pattern: an organisation is a Fiduciary for its own customers, a Processor for a partner's data flowing through its systems, and engages many Processors. Each role-relationship is governed independently.
Output of step 2: per processing activity, the entity is Fiduciary / Processor / Consent Manager / Joint.
The Central Government may notify a Fiduciary as an SDF based on these factors. Even before designation, prudent organisations assess proximity to the triggers and prepare proportionally.
Organisations in this typical zone start SDF preparation now, not after notification:
If proximate to SDF triggers, plan for:
Output of step 3: SDF status notified / likely candidate / not proximate / unclear — re-assess.
DPDPA's default is permissive — transfer outside India is allowed unless the Central Government has notified the destination as restricted.
For each destination, record the destination country and the data category transferred.
The list is published by the Central Government and updated by gazette notification. Query the latest gazette / MeitY notification at posture-determination time. The plugin does not vendor the list.
Even when DPDPA permits the transfer, sectoral rules may require domestic storage:
The strictest binding rule wins.
Output of step 4: per data flow, posture compliant / requires sectoral approval / prohibited under sectoral rule / prohibited under DPDPA notification.
Identify which sectoral regulators apply to the entity. Each adds parallel obligations.
| Sector trigger | Regulator | Add to compliance map |
|---|---|---|
| ☐ Operates as a bank, NBFC, payment system operator, account aggregator | RBI | IT Governance MD 2023; Cyber Security Framework; 6-hour incident reporting; payment-system data localisation |
| ☐ Operates as a stock exchange, broker, investment advisor, MII, mutual fund, AIF | SEBI | CSCRF; 6-hour incident reporting; resilience standards |
| ☐ Operates as an insurer, broker, web aggregator | IRDAI | Information and Cyber Security Guidelines 2023; incident reporting per current circulars |
| ☐ Operates a telecom network, ISP, OTT-comms-as-a-service | DoT, TRAI | Indian Telecommunications Act 2023; Telecom Cyber Security Rules 2024; lawful interception; subscriber data |
| ☐ Operates digital health services, ABDM-linked services, hospital information system at scale | NHA, MoH&FW | ABDM data policy; Health Data Management Policy; ABHA consent flows |
| ☐ Operates Critical Information Infrastructure | NCIIPC | CII directions; incident reporting to NCIIPC |
| ☐ Operates VPN, cloud, data centre services at scale | CERT-In, MeitY | Direction 20(3)/2022 — KYC retention 5 years, log retention 180 days India-side, 6-hour incident reporting |
| ☐ Cross-listed or operates in EU / UK / Singapore / California | GDPR / UK GDPR / PDPA / CCPA | Build the multi-jurisdiction stricter-of matrix |
Output of step 5: sectoral matrix listing each regulator that applies and the operating-rule that binds.
If yes to any, Section 9 obligations apply: verifiable parental consent, no behavioural tracking of children, no targeted advertising at children. Penalty exposure up to ₹200 crore.
If the service is "not for children" but in practice reachable by them, design the verifiable-parental-consent flow as a default — not as an edge case.
Produce a structured summary covering:
| Field | Value |
|---|---|
| Entity | |
| Applicability | APPLICABLE / NOT APPLICABLE / PARTIALLY EXEMPT |
| Role(s) per processing activity | Fiduciary / Processor / Consent Manager / Joint |
| SDF status | Notified / likely candidate / not proximate / unclear |
| Children's data exposure | Yes / No (default-assume Yes if reachable) |
| Cross-border destinations | |
| Restricted-territory issues | None / |
| Sectoral regulators in play | None / RBI / SEBI / IRDAI / DoT / NHA / NCIIPC / CERT-In / multi |
| Highest-stakes obligation theme | Security / Children / SDF / Breach / Cross-border / Notice-Consent |
| Recommended next command | /ind-dpdpa:assess --scope=<theme> --role=<role> |
This summary feeds /ind-dpdpa:assess and /ind-dpdpa:evidence-checklist. Re-run scope when:
This is engineering and assessment guidance only. Not legal advice. Confirm scope determinations with qualified counsel before treating any output as definitive.
npx claudepluginhub vantainc/claude-grc-engineering --plugin ind-dpdpa5plugins reuse this command
First indexed Jul 10, 2026
/scopePre-flight scope gate: deterministically verifies assets (hosts, URLs, CIDRs, regexes) against an engagement's scope.md before any active testing. Deny-wins, default-deny.
/scopeEnforces explicit scope boundaries before starting work, prompting the user to define what's in and out of scope to prevent feature creep. Accepts a project or feature name.
/scopeEstimates GitHub issue complexity before development — surfaces affected files, blast radius, dependency risks, and decomposition recommendations.
/scopeExecutes upgrade procedures defined in an upgrade.md file, automating dependency and migration steps.
/scopeAuthors a task-level or phase-level scope contract (alignment.md) through a structured four-field conversation about goals, results, success criteria, and non-goals.
/scopeScopes a vague request into an MVP boundary with must/should/won't categories and a non-empty cut list.