DPDPA Compliance — India

Sovereign communications built for India's *data protection era.*

The Digital Personal Data Protection Act 2023 — India's landmark privacy law — places obligations on every organisation that processes personal data of Indian residents. With full enforcement from May 2027 and sector regulators already mandating in-India data residency, the window to deploy sovereign communications infrastructure is now.

Book a compliance briefing → Download the DPDPA guide
In-India data residency · RBI, SEBI, IRDAI aligned · Significant Data Fiduciary ready

₹250Cr: Maximum penalty for failure to implement adequate security safeguards — the highest fine under the DPDPA, equivalent to approximately $30 million

72h: Window to notify the Data Protection Board of India and affected Data Principals of any personal data breach — regardless of severity or scale

May'27: Full DPDPA enforcement date — all Data Fiduciaries must be compliant. Sector regulators (RBI, SEBI, IRDAI) are already enforcing localisation today

1.4B: Data Principals in scope — making DPDPA one of the world's largest data protection frameworks by population, covering every Indian resident's digital personal data

India's data protection framework

The DPDPA introduces a simplified but powerful consent-and-security model with significant penalties.

Unlike the GDPR's six lawful bases, the DPDPA uses two: consent and legitimate uses. The architecture is simpler — but the penalties are not. And with sector regulators already enforcing data localisation, compliance is not a future obligation.

India — DPDPA 2023 · Act No. 22 of 2023

Digital Personal Data Protection Act, 2023

Signed into law on 11 August 2023 and operationalised through the Digital Personal Data Protection Rules 2025 (notified 13 November 2025), the DPDPA is India's first comprehensive digital personal data protection statute. It applies to any processing of digital personal data that occurs within Indian territory, or that relates to offering goods or services to individuals located in India. The Act is grounded in the Supreme Court's landmark Puttaswamy judgment (2017), which recognised the right to privacy as a fundamental right under Article 21 of the Constitution of India.

Authority: Data Protection Board of India (DPB) — established November 2025. Functions as adjudicator, not regulator. Appeals go to Telecom Disputes Settlement and Appellate Tribunal, then to the Supreme Court.

Lawful bases: Only two — consent (free, specific, informed, unconditional) and legitimate uses (Sec. 7: government functions, employment, medical emergencies, debt recovery, M&A, court orders). No equivalents to GDPR's legitimate interest or contractual necessity bases.

Data Fiduciary obligations: Notice before consent, data minimisation, accuracy, security safeguards, data deletion when purpose ends, grievance redressal mechanism, and processor contracts (Sec. 8).

Cross-border transfers (Sec. 16): Permitted to all countries unless the Central Government issues a blacklist order. As of May 2026, no countries have been blacklisted — but sector-specific localisation mandates from RBI, SEBI, and IRDAI already restrict financial data movement.

Data Principal rights: Right to access (Sec. 11), correction and erasure (Sec. 12), grievance redressal (Sec. 13), and nomination — designating a representative upon death or incapacity (Sec. 14).

Children's data (Sec. 9): Verifiable parental consent required for data principals under 18. Prohibition on tracking, behavioural monitoring, and targeted advertising directed at minors. No exceptions without Central Government approval.

Breach notification: All breaches — regardless of severity — must be notified to the DPB and affected Data Principals within 72 hours, including nature, extent, timing, location, and consequences of the breach.

Significant Data Fiduciaries (Sec. 10): Government-designated entities processing high-volume or sensitive data must appoint a DPO resident in India, conduct Data Protection Impact Assessments, maintain audit records, and undergo periodic audits.

DPDP Rules 2025 — Implementation Phases

The DPDP Rules 2025, notified on 13 November 2025, implement the DPDPA in three phases:

Phase I (Nov 2025): Data Protection Board constituted.
Phase II (Nov 2026): Consent Manager registration opens; registered intermediaries enable Data Principals to manage consent across multiple fiduciaries.
Phase III (May 2027): All core operational obligations become enforceable, including consent frameworks, security requirements, and grievance mechanisms.

Organisations that begin sovereign deployment now complete their technical and architectural compliance before enforcement begins.

India's four-layer compliance stack

DPDPA sits on top of sector regulators that already mandate in-India data residency.

India's compliance challenge is unique globally: a single sovereign communications deployment must satisfy the DPDPA and three major sector regulators simultaneously. One architecture satisfies all four.

DPDPA / DPB

Digital Personal Data Protection Act

Applies to all sectors processing digital personal data. Consent, security safeguards, breach notification, children's data protection, and Data Principal rights — enforced by the Data Protection Board from May 2027. Penalties up to ₹250 crore per violation.

RBI

Reserve Bank of India

Payment System Data Storage directive (2018, enforced 2019): all payment system data — including full end-to-end transaction data — must be stored exclusively in India. Applies to banks, NBFCs, payment aggregators, card networks, and all RBI-regulated entities. No exceptions.

SEBI

Securities and Exchange Board of India

Critical financial market data — credit risk data, market trading data, client data, and audit records — must remain on systems located in India. Applies to exchanges, brokers, custodians, and all SEBI-regulated market infrastructure institutions. Data sovereignty is already enforced.

IRDAI

Insurance Regulatory and Development Authority

Policy data, claim records, and customer personal data for India's 500 million+ insurance customers must be stored on India-based systems. Applies to all insurers and intermediaries. Cross-border transfer of policyholder data requires regulatory approval.

Obligation mapping

The platform addresses every DPDPA section structurally.

Every obligation that touches communications infrastructure is addressed at the platform level — architecture first, documentation second.

Section · DPDPA Requirement · Architectural Response · Status

Sec. 5–6 · Notice & consent · ✓ Met
Consent is obtained through clear, affirmative action before data collection begins. The privacy notice is presented independently, not bundled with terms, and covers data categories, purposes, rights, and grievance contact. Available in all 22 Eighth Schedule languages.

Sec. 7 · Legitimate uses · ✓ Met
Government deployments operating under Sec. 7 legitimate-use provisions (state functions, public order, national security) are explicitly supported. The platform architecture satisfies the security and access-control requirements for state instrumentalities processing under Sec. 7 without consent.

Sec. 8 · Security safeguards · ✓ Met
End-to-end encryption on every channel by default. Access controls with regular audit trails. Data backups ensuring processing continuity. Encrypted at rest. ISO 27001:2022 certified. Logs for breach detection are retained for a minimum of one year. Satisfies the highest security safeguard standard — the ₹250 crore penalty category.

Sec. 8 · 72-hour breach notification · ✓ Met
Zero-knowledge architecture means no breach of communications content is possible at the operator level — only the communicating parties hold decryption keys. For infrastructure-level incidents, the platform generates complete breach documentation automatically — nature, extent, affected principals, and mitigation — for DPB submission within the 72-hour window.

Sec. 9 · Children's data (under 18) · ✓ Met
No tracking, behavioural monitoring, or targeted advertising is performed by the platform — on any user, including minors. Processing is strictly delivery-only. The platform performs no content classification, sentiment analysis, or profiling. Satisfies Sec. 9's categorical prohibition without requiring separate configuration.

Sec. 10 · Significant Data Fiduciary obligations · ↑ Supported
Full SDF documentation package included: Data Protection Impact Assessment template, audit-ready security architecture records, DPO appointment support, and compliance reporting framework. The platform's open-source, independently auditable codebase satisfies the periodic audit requirement for government-designated SDFs.

Sec. 11–12 · Access, correction & erasure rights · ✓ Met
Data Principal requests for access to personal data summaries, correction of inaccuracies, and erasure are fulfilled through platform administration tools. Full response within reasonable statutory timeframes. Erasure is complete and verifiable — no hidden copies retained on operator infrastructure.

Sec. 16 · Cross-border transfer restrictions · ✓ Met
Sovereign hosting inside India eliminates cross-border transfer exposure for internal communications. No data of Indian residents is transferred abroad. For communications with international counterparties, the federated architecture ensures each server processes only its own users' data — encrypted transit, no DPDPA-triggering transfer. Future blacklist orders have zero impact on in-country deployments.

Sec. 8 + RBI/SEBI · Sector-specific localisation · ✓ Met
A single sovereign deployment satisfies DPDPA Sec. 16 and all three sector-regulator localisation mandates simultaneously: RBI payment data storage, SEBI critical financial data, and IRDAI policyholder records — without separate compliance programmes for each regulator.

Significant Data Fiduciaries

High-volume data processors face elevated obligations. The platform is the foundation.

The Central Government designates Significant Data Fiduciaries based on processing volume, sensitivity, national security risk, and impact on Data Principal rights. SDFs face obligations beyond standard Data Fiduciaries — and the platform is designed to be their compliance backbone.

Who becomes an SDF

Significant Data Fiduciary designation applies to organisations processing personal data at scale, with systemic risk potential.

Indian IT/BPO firms processing global client data, financial institutions handling millions of transactions, healthcare platforms managing patient records, and government-linked digital platforms are all candidates for SDF designation. SDFs face four obligations beyond standard compliance:

Data Protection Officer

DPO must be resident in India, appointed by the Board of Directors, and serve as point of contact for both Data Principals and the Data Protection Board.

Data Protection Impact Assessment

Formal DPIA required before beginning high-risk processing activities. Must cover risks to Data Principal rights and mitigation measures — similar to GDPR Art. 35 but India-specific in scope.

Periodic Data Audits

Independent audits of data processing activities, security measures, and compliance posture. The platform's open-source, auditable architecture makes audit preparation straightforward.

Data residency in India

One sovereign deployment. Four regulators satisfied. Zero transfer risk.

India's data protection landscape is uniquely multi-layered. The DPDPA's Sec. 16 cross-border transfer regime is still evolving — no blacklist has been issued — but the risk is already real: sector regulators have been enforcing localisation for years. The Reserve Bank of India's 2018 payment data directive, SEBI's financial data localisation requirements, and IRDAI's policyholder data rules are active, enforceable obligations today.

The core compliance problem is the same across all four frameworks: foreign-headquartered cloud platforms remain subject to foreign jurisdiction regardless of where their servers are located. A US-headquartered messaging platform operating servers in Mumbai is still subject to US law — meaning US authorities can compel production of data held in India. This creates cross-border transfer exposure that no contractual arrangement eliminates.

SCOVR resolves this at the architectural level. The platform is deployed on infrastructure entirely within India, under Indian law, with no foreign parent. Communications between Indian government ministries, regulated financial entities, IT companies, and healthcare providers never leave India. For communications with international counterparties — overseas clients, foreign governments, global partners — the federated architecture keeps Indian users' data on Indian servers, with only encrypted message transit crossing borders.

Enforcement is approaching fast. With Phase III enforcement beginning May 2027, organisations that begin sovereign deployment now complete their technical compliance before the Data Protection Board begins active enforcement. Organisations using foreign cloud platforms for internal communications face cross-border transfer exposure under both DPDPA and sector-specific regulations — and the window to restructure before enforcement is narrowing.

Sovereign platform — DPDPA data residency

In-India hosting by default

All data — messages, files, voice, call metadata, user records, audit logs — stored on servers physically inside India. No cross-border transfer occurs. RBI, SEBI, IRDAI, and DPDPA obligations satisfied simultaneously.

Blacklist-proof architecture

Whatever countries the Central Government eventually blacklists under Sec. 16, sovereign hosting means no personal data of Indian residents is transferred anywhere. Future regulatory changes have zero impact on compliant deployments.

No US CLOUD Act exposure

US-headquartered cloud and messaging providers are subject to US legal orders regardless of server location. A self-hosted deployment with no US parent eliminates this exposure entirely — for government, regulated financial entities, and enterprise users equally.

Atmanirbhar communications

Fully self-reliant communications infrastructure — hosted in India, operated under Indian law, independent of foreign platforms. Aligned with India's digital sovereignty priorities and Atmanirbhar Bharat vision for technology self-reliance.

International federation without transfer

India's IT sector communicates globally. The federated open-standard architecture allows Indian organisations to communicate with international counterparties while keeping Indian users' data on Indian servers. Each organisation runs its own server — encrypted transit only crosses borders.

Federation model — India's IT sector

Govt. Ministry (@secretary:nic.gov.in)
↔ communicates with ↔
Indian Bank (@cto:sbi.co.in)
← messages stay on Indian servers →
Global Client (@director:client.uk)
← E2EE federation · Indian data stays in India →

Communications categories

Every DPDPA-regulated communications category — addressed.

Messaging, video conferencing, file sharing, and data hosting: four categories of personal data processing that trigger DPDPA and sector-regulator obligations, addressed by a single sovereign platform.

Secure messaging

Every message is encrypted end-to-end before leaving the sender's device. No server operator — including the platform — can read message content. Personal data in messages: names, financial details, health information, government IDs — all protected within India's sovereign infrastructure.

Sec. 8 · Sec. 16 · RBI

Video conferencing

Encrypted voice and video calls hosted on sovereign Indian infrastructure. Meeting content never stored on foreign servers. Communications between government ministries, banks, regulators, and regulated entities — all within India's digital borders, satisfying both DPDPA and sector mandates.

Sec. 8 · Sec. 16 · SEBI

Secure file sharing

Financial reports, policy documents, patient records, and government files are shared within encrypted channels on sovereign servers. Role-based access ensures only authorised recipients retrieve files. No foreign platform operator processes or stores the data — satisfying IRDAI, RBI, and SEBI file storage requirements.

Sec. 8 · IRDAI · Sec. 16

Data hosting

All data — messages, files, recordings, user profiles, audit logs — stored on Indian infrastructure under Indian law. DPDPA Sec. 16 compliance, RBI payment data residency, SEBI financial data localisation, and IRDAI policyholder storage — all satisfied by a single deployment architecture.

Sec. 16 · RBI · SEBI · IRDAI

Compliance documentation

DPDPA-ready documentation — included with every deployment.

Architectural compliance is the foundation. Documentation, audit trails, and DPB-ready reporting complete the picture for every Data Fiduciary and Significant Data Fiduciary.

DPDPA

Data Fiduciary Compliance Pack

Pre-built notice templates in English and Eighth Schedule languages, consent management framework, data minimisation architecture evidence, grievance redressal mechanism setup, and processor contract templates aligned with DPDPA Sec. 8 requirements.

SDF Ready

Significant Data Fiduciary Package

Full SDF compliance documentation: Data Protection Impact Assessment template, DPO appointment framework, security audit records, open-source codebase for independent audit verification, and ongoing compliance reporting dashboard for periodic DPB submissions.

ISO 27001

Certified Security Framework

Platform and operations certified to ISO/IEC 27001:2022 — providing internationally recognised evidence of the security safeguards required under DPDPA Sec. 8. Satisfies the technical standard for the ₹250 crore security safeguard penalty category and supports SEBI's cyber security framework requirements.

Frequently asked questions

DPDPA questions Indian compliance teams ask most often.

Specific answers to the Digital Personal Data Protection Act questions legal, compliance, and technology teams across India ask most often.

Does DPDPA require data to be stored inside India?

The DPDPA itself does not include an explicit data localisation mandate — earlier draft bills did, but it was removed from the final Act. Sec. 16 allows cross-border transfers to all countries unless the Central Government issues a blacklist order (no countries have been blacklisted yet). However, this only tells half the story. Sector regulators — RBI, SEBI, IRDAI — already mandate in-India storage for financial and insurance data. And the blacklist could arrive at any time. A sovereign SCOVR deployment inside India satisfies DPDPA Sec. 16 and all sector-specific localisation mandates simultaneously, and is immune to future blacklist orders regardless of which countries are eventually listed.

Does DPDPA apply to organisations outside India that process data of Indian residents?

Yes. The DPDPA has extraterritorial scope: it applies to any processing of digital personal data that occurs outside India if it is "in connection with any activity related to offering of goods or services to Data Principals within the territory of India." International companies with Indian customers, employees, or users are in scope — regardless of where their servers are located. This creates a clear compliance obligation for multinational organisations to address how they handle the personal data of their Indian users. A sovereign SCOVR deployment in India is the most direct path to compliance for communications involving Indian residents' data.

How does SCOVR handle the DPDPA's 72-hour breach notification requirement?

The platform's zero-knowledge architecture means a breach of communications content is architecturally impossible at the operator level — only the communicating parties hold decryption keys, so there is nothing for an attacker to read even if they access the server infrastructure. For infrastructure-level incidents (server access, configuration failures), the platform generates a complete incident report automatically: nature of the breach, categories of data affected, estimated number of Data Principals affected, timing, location, and immediate mitigation steps. This documentation is ready for DPB submission within the 72-hour window without manual assembly.

What is the difference between a Data Fiduciary and a Significant Data Fiduciary under DPDPA?

Every organisation that determines the purpose and means of processing personal data is a Data Fiduciary, and must comply with all standard DPDPA obligations (consent, notice, security safeguards, Data Principal rights, breach notification). A Significant Data Fiduciary is a Data Fiduciary designated by the Central Government based on processing volume, sensitivity of data, risk to Data Principal rights, or national security implications. SDFs face three additional obligations: appointing a Data Protection Officer resident in India, conducting Data Protection Impact Assessments before high-risk processing, and submitting to periodic independent audits. SCOVR provides the technical documentation foundation for both standard and SDF compliance.

How does the platform serve India's IT and BPO sector, which processes global client data?

India's IT and BPO sector faces a unique compliance challenge: it processes personal data on behalf of clients in the EU, UK, US, and across the Gulf — each with its own data protection framework — while simultaneously being subject to DPDPA as Indian entities. The federated architecture addresses this directly. Indian IT firms can deploy SCOVR on Indian infrastructure, keeping their own communications and internal processing data in India (DPDPA compliant). When communicating with global clients, the federation model ensures each party's server processes only its own users' data, with encrypted transit between servers. No Indian personal data is transferred to foreign servers. No foreign client data is stored on Indian servers without appropriate safeguards. The open-standard protocol enables interoperability across any jurisdiction's sovereign deployment.

How does the DPDPA compare to the GDPR — and does GDPR compliance transfer to India?

The DPDPA and GDPR share philosophical roots — both are grounded in principles of purpose limitation, data minimisation, security, and Data Principal/Subject rights — but their architectures differ significantly. The GDPR has six lawful bases; the DPDPA has two (consent and legitimate uses). The GDPR mandates DPOs for certain controllers; the DPDPA requires DPOs only for Significant Data Fiduciaries. The GDPR explicitly defines sensitive data categories; the DPDPA does not. The GDPR includes a Right to be Forgotten; the DPDPA has a right to erasure with retention exceptions. GDPR compliance does not automatically satisfy DPDPA — but an organisation with strong GDPR practices will find DPDPA substantially familiar. The key gap is the sector-specific localisation requirements from RBI, SEBI, and IRDAI, which have no GDPR equivalent and require sovereign in-India hosting to satisfy.

Sovereign communications for India's data protection era.

Book a private briefing with our India compliance team. We will design a deployment that satisfies DPDPA, RBI, SEBI, and IRDAI — architecturally sovereign and enforcement-ready — before May 2027.