DPDP §8 Compliance Statement

DCS processes personal data only with the consent of the Data Principal (you), or under a legitimate use specified in §7 of the Act. Consent is captured at account signup (free Memory tier) and at each material change of processing purpose. Withdrawal of consent is processed within 30 days; see Privacy Policy §7.

DCS engages a defined list of Data Processors (Cloudflare, Render, Supabase, OpenAI, Resend), each operating under a written Data Processing Agreement. The full list is at Privacy Policy §4. DCS remains accountable for processor compliance and audits each annually.

Personal data is processed only for the specific, defined purposes listed in Privacy Policy §3. We do not repurpose data without renewed consent. AI model training on user data is explicitly excluded.

DCS makes reasonable efforts to maintain data accuracy:

• User-controlled correction: Users may correct profile data at any time via the API or by emailing [email protected].
• Memory immutability with audit trail: R+2 cryptographic receipts cannot be modified in place (by design — that's their security property). However, a logical delete marker is supported, and the underlying content is not used in any downstream decision-making after the marker is set.
• Source-of-truth designation: When two systems hold conflicting data, our identity layer (the on-chain Agent SBT) is the canonical source.

DCS implements technical, organizational, and cryptographic safeguards substantially above DPDP's minimum:

• Encryption at rest: AES-256 for all persistent storage (Postgres + pgvector).
• Encryption in transit: TLS 1.3 minimum across all service-to-service and user-to-service links.
• Cryptographic auditability: Every data operation generates an Ed25519-signed R+2 receipt. Any access or modification is independently verifiable by a Data Principal, regulator, or auditor without trusting our internal logs.
• Access controls: Role-based access controls (RBAC) on all production systems. All access is logged with timestamp, identity, and operation.
• Air-gap option: For Sovereign-tier customers (govt + defence), the entire stack runs in air-gapped mode with no outbound connectivity.
• Vulnerability response: Coordinated disclosure policy at dcslabs.ai/security; we honor 90-day disclosure windows (negotiable for safety-critical issues).

In the event of a personal data breach affecting Data Principals located in India:

• DCS will notify the Data Protection Board of India within 72 hours of becoming aware, per §8(6) and the upcoming DPDP Rules.
• DCS will notify affected Data Principals directly within 72 hours via the contact email on file.
• Notification will include: nature of the breach, categories of data affected, expected consequences, mitigation steps, and contact for further information.
• A post-incident report will be published at dcsai.ai/blog within 14 days (with sensitive operational details redacted).

Personal data is deleted within 30 days of any of the following:

• The Data Principal withdraws consent.
• The Data Principal is reasonably likely to have ceased to use the services and is no longer required for legal compliance.
• The purpose for which the data was collected has been served and retention is no longer required.

Cryptographic R+2 receipts in the audit chain remain available for legal-compliance purposes (per RTI Act §4(1)(b)(xvi) requirements when applicable). The underlying personal content referenced by those receipts is deleted; only the cryptographic hash and metadata remain, which cannot be reversed to recover the personal data.