DPDP Compliance

Aligned with India's Digital Personal Data Protection Act 2023.

Merdot Technologies and the MIOS Pinaka platform are designed and operated in alignment with India's Digital Personal Data Protection (DPDP) Act 2023. This page explains how we approach our obligations as a Data Fiduciary and how we support the rights of Data Principals.

This page describes our compliance posture. It is not a claim of formal certification by any authority · last reviewed 1 January 2025.

Our obligations

How Merdot approaches the DPDP Act.

Three principles shape how personal data moves through the platform · from what we collect to how long we keep it.

Purpose limitation

Personal data processed by MIOS is used only for the specific intelligence functions described in the applicable Institutional Deployment Agreement. No personal data is used for secondary purposes without explicit authorization.

Data minimization

MIOS collects and retains only the personal data necessary for its stated intelligence function. The Merdot AI analyst operates primarily at the network, narrative and aggregate level · not at an individual-surveillance level.

Storage limitation

Personal data is retained only for as long as required for the stated purpose. Retention periods are configurable per deployment and governed by the applicable agreement and data-classification requirements.

What the DPDP Act is

The Digital Personal Data Protection Act 2023 is India's framework for how personal data is collected, used and protected. It defines the duties of a Data Fiduciary · the party that decides why and how personal data is processed · and the rights of a Data Principal, the individual the data is about. It rests on lawful purpose, consent where required, minimization, and accountable handling.

Our Data Fiduciary status

Merdot Technologies acts as a Data Fiduciary with respect to personal data processed through MIOS on its own infrastructure. Where MIOS is deployed on client-managed infrastructure · sovereign cloud or on-premise · the client institution acts as the Data Fiduciary for data within their environment, and Merdot acts as a Data Processor.

Scope of processing

What personal data MIOS processes.

MIOS is an intelligence monitoring platform that ingests publicly available information from open web sources, social platforms and news networks. The nature of this data means it may include personal data about public figures, authors of public statements and actors in information operations.

MIOS does not collect, store or process sensitive personal-data categories including biometric data, health data or financial data · nor data about private individuals who are not public figures or relevant to an active intelligence function.

This data is processed for:

  • Narrative threat detection and classification
  • Influence network mapping and attribution analysis
  • Coordinated inauthentic behavior detection
  • Intelligence briefing generation for institutional clients

Your rights

Data Principal rights.

Under the DPDP Act 2023, individuals whose data is processed have the following rights, which Merdot supports.

Right to access

Data Principals may request information about the personal data Merdot holds relating to them by writing to our Data Protection Officer.

Right to correction

Requests to correct inaccurate or incomplete personal data are addressed within 30 days of receipt.

Right to erasure

Where applicable under the Act, requests to erase personal data are processed in line with the Act's provisions and our lawful retention obligations.

Grievance redressal

Any grievance about data processing may be raised with our Data Protection Officer. We aim to acknowledge receipt within 72 hours and resolve within 30 days.

Consent & lawful basis

Where the Act requires consent, it is obtained for a specific, lawful purpose and can be withdrawn. For the public-source intelligence functions MIOS performs on behalf of institutions, processing rests on the lawful basis set out in the applicable Deployment Agreement and, where relevant, legitimate legal uses recognised under the Act.

Cross-border data transfers

Merdot does not transfer personal data outside India as part of its default operations. For government and sovereign deployments, all processing occurs within Indian jurisdiction. Where a specific deployment requires cross-border transfer, it is governed by the applicable provisions of the DPDP Act 2023 and any rules notified thereunder.

Security measures

Merdot applies appropriate technical and organizational measures against unauthorized access, disclosure, alteration or destruction · including encryption at rest and in transit, role-based access controls, multi-factor authentication for operator accounts, and audit logging. More detail lives in our Security overview.

Security architecture

Data breach notification

In the event of a personal-data breach, Merdot will notify affected Data Principals and the Data Protection Board of India in accordance with the timelines and requirements specified in the DPDP Act 2023 and applicable rules.

Grievance redressal

Reach our Data Protection Officer.

For any query, request or grievance relating to Merdot's data-processing practices under the DPDP Act 2023 · including questions about your rights as a Data Principal · contact our Data Protection Officer directly.

Contact

Data Protection Officer

Merdot Technologies

Ahmedabad, Gujarat, India
Contact@merdot.com

We aim to acknowledge grievances within 72 hours and resolve them within 30 days.

This page reflects Merdot's current compliance posture under the DPDP Act 2023 and does not constitute legal advice or a claim of certification by any regulator. Specific obligations, retention periods and data-residency commitments for an institutional deployment are set out in the applicable Deployment Agreement.