LEGAL FRAMEWORK

Cybersecurity Legal Resources

Plain-language legal resources for authorized security work, including rules of engagement, breach-notification templates, and CERT-In documentation.

Explicit Authorization Required

No penetration testing begins without signed Rules of Engagement (RoE) and NDA. MTA operates strictly under IT Act 2000 with Jaipur jurisdiction.

Written authorization mandatory (no exceptions)
Client must prove ownership of target systems
Testing windows strictly enforced
All client data deleted within 7 days post-engagement

01 / DOCUMENTS

Document Templates

MTA-ROE

Rules of Engagement

Defines scope, boundaries, and legal authorization for penetration testing.

Includes:

IP ranges and applications in scope
Testing windows and emergency contacts
Exclusions and prohibited actions
Data handling obligations

Public template available on request

MTA-DPDP-BREACH

DPDP Breach Notification Pack

Templates for personal data breach notifications under DPDP Act 2023.

Includes:

Data Principal notice (plain language)
DPB detailed report (72-hour)
Processor-to-Fiduciary alert (24-hour)

Mandatory for all engagements

MTA-CERT-IN

CERT-In Compliance Addendum

Compliance with CERT-In Directions 2022 for incident reporting.

Includes:

6-hour incident reporting requirement
180-day log retention in India
NTP synchronization
Cooperation obligations

Required for body corporates

02 / TIMELINE

DPDP Breach Notification Timeline

Step 1

Breach Detected

MTA as Processor identifies breach during testing

Detection

Step 2

24 Hours

MTA notifies Client/Fiduciary without undue delay

24h

Step 3

Without Undue Delay

Client notifies affected Data Principals

Immediate

Step 4

72 Hours

Client submits detailed report to DPB

72h

Important reminder

DPDP penalties can be significant, so breach roles and timelines should be confirmed in each engagement.

03 / COMPLIANCE

Compliance Requirements Matrix

Requirement	DPDP Act 2023	CERT-In 2022	IT Act 2000
Breach Notification	24h (Processor→Fiduciary), 72h (Fiduciary→DPB)	6 hours	N/A
Log Retention	Reasonable period	180 days	As prescribed
Data Deletion	Within 30 days post-termination	N/A	N/A
Encryption	Technical safeguard recommended	Required for sensitive data	Section 43

Request Legal Templates

All cybersecurity legal templates are available upon request. We review each request to ensure appropriate use.

1Submit request

2MTA review

3Template delivery

4Pre-engagement consultation

Request Templates

Documents Available

MTA-ROE Template

Word/PDF

MTA-DPDP-BREACH Templates

Word/PDF

MTA-CERT-IN Addendum

Word/PDF

MTA

Explicit Authorization Required

No penetration testing begins without signed Rules of Engagement (RoE) and NDA. MTA operates strictly under IT Act 2000 with Jaipur jurisdiction.

Written authorization mandatory (no exceptions)

Client must prove ownership of target systems

Testing windows strictly enforced

All client data deleted within 7 days post-engagement

Requirement

DPDP Act 2023

CERT-In 2022

IT Act 2000

Breach Notification

24h (Processor→Fiduciary), 72h (Fiduciary→DPB)

6 hours

N/A

Log Retention

Reasonable period

180 days

As prescribed

Data Deletion

Within 30 days post-termination

N/A

Encryption

Technical safeguard recommended

Required for sensitive data

Section 43