Aligned with India's Digital Personal Data Protection Act 2023.
Merdot Technologies and the MIOS Pinaka platform are designed and operated in alignment with India's Digital Personal Data Protection (DPDP) Act 2023. This page explains how we approach our obligations as a Data Fiduciary and how we support the rights of Data Principals.
This page describes our compliance posture. It is not a claim of formal certification by any authority · last reviewed 1 January 2025.
Our obligations
How Merdot approaches the DPDP Act.
Three principles shape how personal data moves through the platform · from what we collect to how long we keep it.
Purpose limitation
Personal data processed by MIOS is used only for the specific intelligence functions described in the applicable Institutional Deployment Agreement. No personal data is used for secondary purposes without explicit authorization.
Data minimization
MIOS collects and retains only the personal data necessary for its stated intelligence function. The Merdot AI analyst operates primarily at the network, narrative and aggregate level · not at an individual-surveillance level.
Storage limitation
Personal data is retained only for as long as required for the stated purpose. Retention periods are configurable per deployment and governed by the applicable agreement and data-classification requirements.
What the DPDP Act is
The Digital Personal Data Protection Act 2023 is India's framework for how personal data is collected, used and protected. It defines the duties of a Data Fiduciary · the party that decides why and how personal data is processed · and the rights of a Data Principal, the individual the data is about. It rests on lawful purpose, consent where required, minimization, and accountable handling.
Our Data Fiduciary status
Merdot Technologies acts as a Data Fiduciary with respect to personal data processed through MIOS on its own infrastructure. Where MIOS is deployed on client-managed infrastructure · sovereign cloud or on-premise · the client institution acts as the Data Fiduciary for data within their environment, and Merdot acts as a Data Processor.
Scope of processing
What personal data MIOS processes.
MIOS is an intelligence monitoring platform that ingests publicly available information from open web sources, social platforms and news networks. The nature of this data means it may include personal data about public figures, authors of public statements and actors in information operations.
MIOS does not collect, store or process sensitive personal-data categories including biometric data, health data or financial data · nor data about private individuals who are not public figures or relevant to an active intelligence function.
This data is processed for:
- Narrative threat detection and classification
- Influence network mapping and attribution analysis
- Coordinated inauthentic behavior detection
- Intelligence briefing generation for institutional clients
Your rights
Data Principal rights.
Under the DPDP Act 2023, individuals whose data is processed have the following rights, which Merdot supports.
Right to access
Data Principals may request information about the personal data Merdot holds relating to them by writing to our Data Protection Officer.
Right to correction
Requests to correct inaccurate or incomplete personal data are addressed within 30 days of receipt.
Right to erasure
Where applicable under the Act, requests to erase personal data are processed in line with the Act's provisions and our lawful retention obligations.
Grievance redressal
Any grievance about data processing may be raised with our Data Protection Officer. We aim to acknowledge receipt within 72 hours and resolve within 30 days.
Consent & lawful basis
Where the Act requires consent, it is obtained for a specific, lawful purpose and can be withdrawn. For the public-source intelligence functions MIOS performs on behalf of institutions, processing rests on the lawful basis set out in the applicable Deployment Agreement and, where relevant, legitimate legal uses recognised under the Act.
Cross-border data transfers
Merdot does not transfer personal data outside India as part of its default operations. For government and sovereign deployments, all processing occurs within Indian jurisdiction. Where a specific deployment requires cross-border transfer, it is governed by the applicable provisions of the DPDP Act 2023 and any rules notified thereunder.
Security measures
Merdot applies appropriate technical and organizational measures against unauthorized access, disclosure, alteration or destruction · including encryption at rest and in transit, role-based access controls, multi-factor authentication for operator accounts, and audit logging. More detail lives in our Security overview.
Security architectureData breach notification
In the event of a personal-data breach, Merdot will notify affected Data Principals and the Data Protection Board of India in accordance with the timelines and requirements specified in the DPDP Act 2023 and applicable rules.
Grievance redressal
Reach our Data Protection Officer.
For any query, request or grievance relating to Merdot's data-processing practices under the DPDP Act 2023 · including questions about your rights as a Data Principal · contact our Data Protection Officer directly.
Contact
Data Protection Officer
Merdot Technologies
We aim to acknowledge grievances within 72 hours and resolve them within 30 days.
This page reflects Merdot's current compliance posture under the DPDP Act 2023 and does not constitute legal advice or a claim of certification by any regulator. Specific obligations, retention periods and data-residency commitments for an institutional deployment are set out in the applicable Deployment Agreement.