docs: Rebuild documentation as enterprise-grade TLAS platform
- Migrate from custom HTTP server to VitePress framework - Rename project to Tokenized License Approval System (TLAS) - Add comprehensive documentation for all stakeholders: - Business: Executive summary, value proposition, governance - Operations: Infrastructure, installation, monitoring, backup - Departments: User guide, workflows, verification, issuance - Developers: API reference, authentication, webhooks, SDKs - Compliance: OWASP, DPDP Act, IT Act, audit framework - Add modern theme with dark mode and full-text search - Update Dockerfile for VitePress build process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mahi
64
Documentation/compliance/data-protection.md
Normal file
64
Documentation/compliance/data-protection.md
Normal file
@@ -0,0 +1,64 @@
|
||||
# Data Protection
|
||||
|
||||
## Data Classification
|
||||
|
||||
| Classification | Examples | Handling |
|
||||
|----------------|----------|----------|
|
||||
| **Public** | Published license numbers, verification status | No restrictions |
|
||||
| **Internal** | Processing statistics, workflow configurations | Staff access only |
|
||||
| **Confidential** | Applicant personal data, documents | Role-based access |
|
||||
| **Restricted** | Authentication credentials, encryption keys | System access only |
|
||||
|
||||
## Personal Data Inventory
|
||||
|
||||
| Data Category | Fields | Purpose | Retention |
|
||||
|---------------|--------|---------|-----------|
|
||||
| Identity | Name, Aadhaar (masked), photo | Applicant identification | License validity + 7 years |
|
||||
| Contact | Email, phone, address | Communication | License validity + 7 years |
|
||||
| Business | Business name, registration | License application | License validity + 7 years |
|
||||
| Documents | Uploaded files | Verification | License validity + 7 years |
|
||||
| Activity | Login times, actions | Audit | 7 years |
|
||||
|
||||
## Data Subject Rights
|
||||
|
||||
### Right to Access
|
||||
Applicants can view all their personal data through the portal under "My Profile" and "My Applications."
|
||||
|
||||
### Right to Correction
|
||||
Applicants can request corrections through the portal. Changes require verification for critical fields.
|
||||
|
||||
### Right to Erasure
|
||||
Limited by legal retention requirements. Non-essential data can be erased upon request after license expiry.
|
||||
|
||||
### Right to Portability
|
||||
Data export available in JSON and PDF formats through the portal.
|
||||
|
||||
## Data Security Controls
|
||||
|
||||
### Encryption
|
||||
|
||||
| State | Method |
|
||||
|-------|--------|
|
||||
| At Rest | AES-256 (database, files) |
|
||||
| In Transit | TLS 1.3 |
|
||||
| Backups | AES-256 with separate key |
|
||||
|
||||
### Access Control
|
||||
|
||||
- Role-based permissions
|
||||
- Department-level data isolation
|
||||
- Session timeout after inactivity
|
||||
- Failed login lockout
|
||||
|
||||
### Anonymization
|
||||
|
||||
For analytics and reporting, personal identifiers are removed or pseudonymized.
|
||||
|
||||
## Breach Response
|
||||
|
||||
1. Detection and containment
|
||||
2. Impact assessment
|
||||
3. Notification to affected individuals (within 72 hours)
|
||||
4. Notification to CERT-In (as required)
|
||||
5. Root cause analysis
|
||||
6. Remediation
|
||||
Reference in New Issue
Block a user