# Ethics & Data Protection Compliance

## 🛡️ DPDP Act 2023 Compliance Statement

**Sentinel Scam Honeypot** is designed with privacy-by-design principles, fully compliant with India's **Digital Personal Data Protection Act, 2023**.

---

## ⚠️ Important Disclaimers

### 1. No Real Personal Data Collection

- All victim profiles are **synthetically generated**
- No real Aadhaar, PAN, or bank details are stored
- Phone numbers in demos are fake/anonymized

### 2. Sandbox Mode

```python
SANDBOX_MODE = True         # All operations are simulated
ANONYMIZE_LOGS = True       # PII is automatically redacted
SYNTHETIC_DATA_ONLY = True  # Only fake data used
```

### 3. Honeypot Purpose

This system is designed to:

- ✅ Engage scammers in time-wasting conversations
- ✅ Extract scammer-provided intelligence (their UPIs, phones, URLs)
- ✅ Generate threat reports for law enforcement
- ❌ NOT collect real victim data
- ❌ NOT store personal information

---

## 📋 Data Handling Policies

### What We Collect (From Scammers)

| Data Type | Purpose | Retention |
|-----------|---------|-----------|
| Scammer phone numbers | Fraud reporting | 90 days |
| Scammer UPI IDs | Bank freeze recommendation | 90 days |
| Phishing URLs | Safe Browsing reports | 90 days |
| Conversation logs | Training & analysis | Anonymized |

### What We DON'T Collect

- ❌ Real victim personal data
- ❌ Bank account passwords
- ❌ Aadhaar/PAN numbers (real)
- ❌ Location data from real users

---

## 🔒 Security Measures

1. **API Key Authentication**: All endpoints require `x-api-key`
2. **Rate Limiting**: 60 requests/minute per IP
3. **Audit Logging**: All access logged for SOC2 compliance
4. **Data Encryption**: TLS 1.3 in transit

---

## 📜 Legal Framework Alignment

### DPDP Act 2023

- **Section 4**: Purpose limitation - data used only for scam detection
- **Section 6**: Consent not required for fraud prevention
- **Section 17**: Security safeguards implemented

### IT Act 2000

- **Section 43A**: Reasonable security practices followed
- **Section 72A**: No disclosure of personal data

### CERT-In Guidelines

- Threat intelligence format follows STIX 2.1
- Incident reporting compatible with CERT-In portal

---

## 🎓 Research Ethics

### Institutional Approval

For academic deployments:

- IRB/Ethics committee approval recommended
- Informed consent for any human participant studies
- Data anonymization before publishing

### Responsible Disclosure

- Extracted intelligence shared only with:
  - Law enforcement (NCRP, Cyber Cells)
  - Banks (for UPI freeze recommendations)
  - Telecom (TRAI for phone blocking)

---

## 📞 Contact

For data protection inquiries:

- **Email**: privacy@sentinel-honeypot.in (simulated)
- **DPO**: Data Protection Officer (to be appointed for production)

---

## ✅ Compliance Checklist

- [x] Synthetic data only
- [x] No real PII collection
- [x] Audit trail maintained
- [x] Rate limiting enabled
- [x] API authentication required
- [x] CERT-In compatible exports
- [x] Purpose limitation documented
- [x] Security measures implemented

---

*Last Updated: January 2026*
*Version: 2.0.0*
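The `ANONYMIZE_LOGS` setting and the retention table above describe two controls that are easy to get wrong in practice: masking Aadhaar/PAN values before a conversation line is persisted, and dropping records once the 90-day window has passed. The following is an added illustration, not code from the Sentinel project; the regexes, record layout, and sample conversation are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Identifiers the policy says must never be stored. Aadhaar: 12 digits, usually
# written as three groups of four; PAN: five letters, four digits, one letter.
AADHAAR_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")
PAN_RE = re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")
RETENTION_DAYS = 90  # window from the retention table for scammer-side data


def redact_pii(text: str) -> str:
    """Mask Aadhaar and PAN values before a log line is written.
    Any 12-digit run is treated as Aadhaar on purpose: over-redacting is the
    safe failure mode. Scammer phone numbers and UPI IDs are left intact,
    since those are the intelligence the honeypot exists to collect."""
    text = AADHAAR_RE.sub("[AADHAAR REDACTED]", text)
    return PAN_RE.sub("[PAN REDACTED]", text)


def is_expired(collected_at: datetime, now: datetime, days: int = RETENTION_DAYS) -> bool:
    """True once a record has outlived the retention window."""
    return now - collected_at >= timedelta(days=days)


def anonymize_log(records, now):
    """Apply retention and redaction to {'ts', 'role', 'text'} records.
    Expired records are dropped; surviving records have PII masked."""
    kept = []
    for rec in records:
        if is_expired(rec["ts"], now):
            continue
        kept.append({**rec, "text": redact_pii(rec["text"])})
    return kept


# Constructed sample conversation; every identifier below is made up.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_LOG = [
    {"ts": NOW - timedelta(days=1), "role": "scammer",
     "text": "Send Rs 500 to fraud.collector@upi or call 9876543210 now"},
    {"ts": NOW - timedelta(days=1), "role": "victim",
     "text": "My Aadhaar is 1234 5678 9012 and PAN ABCDE1234F"},
    {"ts": NOW - timedelta(days=120), "role": "scammer",
     "text": "Old message past retention"},
]

if __name__ == "__main__":
    for rec in anonymize_log(SAMPLE_LOG, NOW):
        print(rec["role"], rec["text"])
```

Run the module directly to see the scammer line kept verbatim, the synthetic-victim line with both identifiers masked, and the 120-day-old record dropped.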