Compliant with India's Digital Personal Data Protection Act 2023.
MERDOT Technologies and the MIOS platform are designed and operated in alignment with India's Digital Personal Data Protection (DPDP) Act 2023. This page explains how we fulfill our obligations as a Data Fiduciary.
Last reviewed: 1 January 2025
How MERDOT fulfills DPDP Act requirements.
Purpose Limitation
Personal data processed by MIOS is used only for the specific intelligence functions described in the applicable Institutional Deployment Agreement. No personal data is used for secondary purposes without explicit authorization.
Data Minimization
MIOS collects and retains only the personal data necessary for its stated intelligence function. OSIRIS analytics operate primarily at the network, narrative, and aggregate level, not at the level of individual surveillance.
Storage Limitation
Personal data is retained only for as long as required for the stated purpose. Retention periods are configurable per deployment and governed by the applicable agreement and data classification requirements.
Data Fiduciary Status
MERDOT Technologies acts as a Data Fiduciary under the DPDP Act 2023 with respect to personal data processed through the MIOS platform on its own infrastructure. Where MIOS is deployed on client-managed infrastructure (sovereign cloud or on-premise), the client institution acts as the Data Fiduciary for data within their environment, and MERDOT acts as a Data Processor.
What Personal Data MIOS Processes
MIOS is an intelligence monitoring platform that ingests publicly available information from open web sources, social platforms, and news networks. The nature of this data means it may include personal data about public figures, authors of public statements, and actors in information operations. MIOS processes this data for:
- Narrative threat detection and classification
- Influence network mapping and attribution analysis
- Coordinated inauthentic behavior detection
- Intelligence briefing generation for institutional clients
MIOS does not collect, store, or process sensitive personal data categories including biometric data, health data, financial data, or data about private individuals who are not public figures or relevant to an active intelligence function.
Data Principal Rights
Under the DPDP Act 2023, Data Principals (individuals whose data is processed) have the following rights, which MERDOT supports:
- Right to Access: Data Principals may request information about personal data held by MERDOT relating to them by contacting us at contact@merdot.com.
- Right to Correction: Requests to correct inaccurate personal data will be addressed within 30 days of receipt.
- Right to Erasure: Where applicable under the Act, requests for erasure of personal data will be processed in accordance with the Act's provisions and our retention obligations.
- Right to Grievance Redressal: Any grievance relating to data processing may be submitted to our Data Protection Officer at contact@merdot.com. We will acknowledge receipt within 72 hours and resolve the grievance within 30 days.
Cross-Border Data Transfers
MERDOT does not transfer personal data outside India as part of its default operations. For government and sovereign deployments, all data processing occurs within Indian jurisdiction on infrastructure specified in the applicable agreement. For managed private cloud deployments, data residency is specified in the Deployment Agreement and defaults to India.
Where cross-border transfer is required for a specific deployment (e.g., international institutional clients), such transfers are governed by the applicable provisions of the DPDP Act 2023 and any rules notified thereunder.
Security Measures
MERDOT implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. Key measures include AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, multi-factor authentication for all operator accounts, and immutable audit logging. Details are available in our Security Architecture documentation.
Data Breach Notification
In the event of a personal data breach, MERDOT will notify affected Data Principals and the Data Protection Board of India in accordance with the timelines and requirements specified in the DPDP Act 2023 and applicable rules.
Contact and Grievance Redressal
For any queries, requests, or grievances relating to MERDOT's data processing practices under the DPDP Act 2023, please contact:
Data Protection Officer
MERDOT Technologies
Ahmedabad, Gujarat, India
contact@merdot.com
Questions about DPDP compliance?
If you have questions about how MIOS handles personal data, your rights as a Data Principal, or compliance requirements for your institutional deployment, contact our Data Protection Officer directly.