Documentation/compliance/data-protection.md

# Data Protection

## Data Classification

| Classification | Examples | Handling |
|----------------|----------|----------|
| **Public** | Published license numbers, verification status | No restrictions |
| **Internal** | Processing statistics, workflow configurations | Staff access only |
| **Confidential** | Applicant personal data, documents | Role-based access |
| **Restricted** | Authentication credentials, encryption keys | System access only |

## Personal Data Inventory

| Data Category | Fields | Purpose | Retention |
|---------------|--------|---------|-----------|
| Identity | Name, Aadhaar (masked), photo | Applicant identification | License validity + 7 years |
| Contact | Email, phone, address | Communication | License validity + 7 years |
| Business | Business name, registration | License application | License validity + 7 years |
| Documents | Uploaded files | Verification | License validity + 7 years |
| Activity | Login times, actions | Audit | 7 years |

## Data Subject Rights

### Right to Access
Applicants can view all their personal data through the portal under "My Profile" and "My Applications."

### Right to Correction
Applicants can request corrections through the portal. Changes require verification for critical fields.

### Right to Erasure
Limited by legal retention requirements. Non-essential data can be erased upon request after license expiry.

### Right to Portability
Data export available in JSON and PDF formats through the portal.

## Data Security Controls

### Encryption

| State | Method |
|-------|--------|
| At Rest | AES-256 (database, files) |
| In Transit | TLS 1.3 |
| Backups | AES-256 with separate key |

### Access Control

- Role-based permissions
- Department-level data isolation
- Session timeout after inactivity
- Failed login lockout

### Anonymization

For analytics and reporting, personal identifiers are removed or pseudonymized.

## Breach Response

1. Detection and containment
2. Impact assessment
3. Notification to affected individuals (within 72 hours)
4. Notification to CERT-In (as required)
5. Root cause analysis
6. Remediation
docs: Rebuild documentation as enterprise-grade TLAS platform - Migrate from custom HTTP server to VitePress framework - Rename project to Tokenized License Approval System (TLAS) - Add comprehensive documentation for all stakeholders: - Business: Executive summary, value proposition, governance - Operations: Infrastructure, installation, monitoring, backup - Departments: User guide, workflows, verification, issuance - Developers: API reference, authentication, webhooks, SDKs - Compliance: OWASP, DPDP Act, IT Act, audit framework - Add modern theme with dark mode and full-text search - Update Dockerfile for VitePress build process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-10 00:05:20 -04:00			`# Data Protection`

			`## Data Classification`

			`\| Classification \| Examples \| Handling \|`
			`\|----------------\|----------\|----------\|`
			`\| Public \| Published license numbers, verification status \| No restrictions \|`
			`\| Internal \| Processing statistics, workflow configurations \| Staff access only \|`
			`\| Confidential \| Applicant personal data, documents \| Role-based access \|`
			`\| Restricted \| Authentication credentials, encryption keys \| System access only \|`

			`## Personal Data Inventory`

			`\| Data Category \| Fields \| Purpose \| Retention \|`
			`\|---------------\|--------\|---------\|-----------\|`
			`\| Identity \| Name, Aadhaar (masked), photo \| Applicant identification \| License validity + 7 years \|`
			`\| Contact \| Email, phone, address \| Communication \| License validity + 7 years \|`
			`\| Business \| Business name, registration \| License application \| License validity + 7 years \|`
			`\| Documents \| Uploaded files \| Verification \| License validity + 7 years \|`
			`\| Activity \| Login times, actions \| Audit \| 7 years \|`

			`## Data Subject Rights`

			`### Right to Access`
			`Applicants can view all their personal data through the portal under "My Profile" and "My Applications."`

			`### Right to Correction`
			`Applicants can request corrections through the portal. Changes require verification for critical fields.`

			`### Right to Erasure`
			`Limited by legal retention requirements. Non-essential data can be erased upon request after license expiry.`

			`### Right to Portability`
			`Data export available in JSON and PDF formats through the portal.`

			`## Data Security Controls`

			`### Encryption`

			`\| State \| Method \|`
			`\|-------\|--------\|`
			`\| At Rest \| AES-256 (database, files) \|`
			`\| In Transit \| TLS 1.3 \|`
			`\| Backups \| AES-256 with separate key \|`

			`### Access Control`

			`- Role-based permissions`
			`- Department-level data isolation`
			`- Session timeout after inactivity`
			`- Failed login lockout`

			`### Anonymization`

			`For analytics and reporting, personal identifiers are removed or pseudonymized.`

			`## Breach Response`

			`1. Detection and containment`
			`2. Impact assessment`
			`3. Notification to affected individuals (within 72 hours)`
			`4. Notification to CERT-In (as required)`
			`5. Root cause analysis`
			`6. Remediation`