Compliance

DPDP Rules 2025: Indian SaaS Compliance Checklist

DPDP Act 2023 and DPDP Rules 2025 compliance checklist for Indian SaaS: 9 steps, 72-hour breach notification, DPO rules, vendor DPAs. Penalties up to 250 cr.

Ashok Kamat
Cybersecify
13 min read

DPDP Act compliance for SaaS platforms in India requires nine practical steps: granular consent management, a clear privacy notice, vendor data processing agreements, defined data retention periods, a 72-hour breach notification process, parental consent for users under 18, documented cross-border data flows, a Data Protection Officer if designated as a Significant Data Fiduciary, and a published grievance redressal mechanism. Penalties for non-compliance reach INR 250 crore per violation.

Key findings

  • DPDP Act applies to every SaaS that processes Indian user personal data, regardless of where the company is registered. No startup-size exemption. Section 3(b) extraterritorial reach catches non-Indian companies serving Indian customers.
  • Nine practical compliance steps scale from solo founder to Series B: consent management, privacy notice, vendor DPAs, retention periods, 72-hour breach notification process, parental consent for users under 18, cross-border data flow documentation, DPO if designated as a Significant Data Fiduciary, and published grievance redressal.
  • Maximum penalty is INR 250 crore per violation for failure to take reasonable security safeguards. INR 200 crore for failed breach notification and children’s data violations. INR 50 crore for any other provision breach. Penalties are graduated by violation type, not by company size.
  • Significant Data Fiduciary (SDF) designation is government-notified based on data volume, sensitivity, and risk to electoral democracy or public order. Most pre-Series B startups are not SDFs but should build practices that scale to the SDF bar (DPO, DPIAs, periodic independent audits).
  • A penetration test supports the Section 8 reasonable security safeguards obligation. A current pentest report demonstrates proactive identification and remediation of vulnerabilities. It is the cleanest evidence that you took reasonable steps before a breach.
  • Cross-border transfer is allowed by default, except to countries the Indian government notifies as restricted (no list published as of 2026). This is more permissive than GDPR’s adequacy-decision regime. Map your data flows now so you can migrate processing fast if a country gets restricted later.

Cybersecify is a founder-led Bengaluru-based security firm. We help AI-first and API-first SaaS startups build DPDP-ready security postures: data flow mapping, vendor DPA reviews, breach response playbooks, technical safeguards (pentest, external attack surface scans), and Series A audit preparation. A redacted sample pentest report shows the evidence format auditors and enterprise customers actually accept as proof of the Section 8 reasonable security safeguards obligation.

If you’re running a SaaS company in India, the Digital Personal Data Protection Act (DPDP Act) applies to you. Not eventually. Now. The Act received Presidential assent in August 2023, the rules are being finalized, and enforcement will follow. Startups that process personal data of Indian users, which is every SaaS company with Indian customers, need to comply.

The penalties go up to INR 250 crore. That’s not a typo. This isn’t a “we’ll deal with it later” regulation.

This post is a practical compliance checklist. No legal jargon walls. Just what you need to do, in what order, and what it actually means for your engineering and operations.

What Is the DPDP Act?

The Digital Personal Data Protection Act, 2023 is India’s first comprehensive data protection law. Think of it as India’s answer to GDPR, but tailored to Indian regulatory context.

Who it applies to: Any entity that processes digital personal data of individuals in India. If your SaaS product collects names, email addresses, phone numbers, or any data that identifies a person, you’re covered. It also applies if you process data of Indian citizens from outside India.

What it covers: How you collect, store, process, share, and delete personal data. Consent requirements, breach notification, children’s data, cross-border transfers, and grievance handling.

Key distinction from GDPR: The DPDP Act is narrower in some ways (it covers only digital personal data, not all personal data) but carries steep penalties and gives the government broad rulemaking authority through the Data Protection Board of India.

Key Terms You Need to Know

Before the checklist, here are four terms the Act uses everywhere. Learn these once and the rest makes sense.

| Term | What It Means | You Are Probably This |
| --- | --- | --- |
| Data Principal | The individual whose data is being processed | Your users/customers |
| Data Fiduciary | The entity that determines the purpose and means of data processing | Your company |
| Significant Data Fiduciary | A Data Fiduciary handling large volumes of data or sensitive data, designated by the government | Likely applies at Series B+ scale |
| Consent Manager | A registered entity that manages consent on behalf of Data Principals | A third-party service you may integrate |

As a SaaS startup, you are the Data Fiduciary. Your users are the Data Principals. Everything in this checklist flows from that relationship.

The DPDP Compliance Checklist

1. Consent Management

This is the foundation. Under the DPDP Act, you can only process personal data with the Data Principal’s free, specific, informed, unconditional, and unambiguous consent. That’s a high bar.

What you need to do:

  • Implement granular consent. Don’t bundle consent for marketing emails with consent for data processing. Each purpose needs separate consent. A single “I agree to everything” checkbox won’t hold up.
  • Make consent withdrawal as easy as giving it. If a user can opt in with one click, they must be able to opt out with one click. Burying the withdrawal option three menus deep is non-compliant.
  • Record consent with timestamps. You need to prove when consent was given, for what purpose, and by whom. Store consent records with audit trails.
  • Re-obtain consent if purpose changes. If you collected data for “service delivery” and now want to use it for “analytics,” you need fresh consent.

Exceptions to consent: The Act allows processing without consent for certain “legitimate uses,” including compliance with legal obligations, response to medical emergencies, and employment-related processing. Don’t stretch these exceptions. They’re narrow.
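As an added example (not code from the original post), here is a minimal consent ledger that implements the four points above: one record per purpose instead of a bundled checkbox, withdrawal as a single call like granting, timezone-aware timestamps with an append-only audit trail, and no carry-over of consent from one purpose to another. The purpose names, notice versions and source labels are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Each purpose is consented to separately; there is no "agree to everything".
# The purpose names are constructed for this example.
PURPOSES = {"service_delivery", "marketing_email", "analytics"}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str            # "granted" or "withdrawn"
    at: datetime           # timezone-aware timestamp of the event
    notice_version: str    # privacy notice the principal saw ("" on withdrawal)
    source: str            # where it happened, e.g. "signup_form"


class ConsentLedger:
    """Append-only consent record: events are never edited, only appended,
    so the trail shows when consent was given or withdrawn, for what, by whom."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              source: str, at: Optional[datetime] = None) -> None:
        self._append(principal_id, purpose, "granted", notice_version, source, at)

    def withdraw(self, principal_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> None:
        # Withdrawal is one call with the same shape as granting: no extra steps.
        self._append(principal_id, purpose, "withdrawn", "", source, at)

    def _append(self, principal_id, purpose, action, notice_version, source, at):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(ConsentEvent(principal_id, purpose, action,
                                         at, notice_version, source))

    def has_consent(self, principal_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if the latest event for this principal and purpose (up to
        `at`, default now) is a grant. Consent for another purpose never counts,
        so a new purpose always needs fresh consent."""
        last: Optional[ConsentEvent] = None
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose:
                if at is None or e.at <= at:
                    last = e
        return last is not None and last.action == "granted"

    def audit_trail(self, principal_id: str) -> List[ConsentEvent]:
        """Chronological events for one principal, for auditors or a DSAR."""
        return sorted((e for e in self._events if e.principal_id == principal_id),
                      key=lambda e: e.at)
```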

2. Privacy Notice

Before collecting any personal data, you must provide a clear notice to the Data Principal.

Your privacy notice must include:

  • What personal data you collect
  • The specific purpose of processing
  • How the Data Principal can exercise their rights (access, correction, deletion, grievance)
  • How to file a complaint with the Data Protection Board

Practical implementation: Update your privacy policy page. But also surface relevant notices at the point of data collection. A privacy policy link in the footer is necessary but not sufficient. When a user signs up, show them exactly what you’re collecting and why.

3. Data Processing Agreements with Vendors

If you use third-party services that process personal data on your behalf (cloud providers, analytics tools, payment processors, CRM systems), you need Data Processing Agreements (DPAs) with each of them.

What the DPA should cover:

  • The vendor processes data only for the purposes you specify
  • Security measures the vendor must maintain
  • Breach notification obligations (the vendor must tell you, and you must tell the Board)
  • Data deletion requirements when the contract ends

Most major cloud and SaaS vendors (AWS, Google Cloud, Stripe, HubSpot) already offer standard DPAs. Review them. Make sure they cover DPDP Act requirements specifically, not just GDPR.

4. Data Retention and Deletion

The DPDP Act requires you to delete personal data once the purpose of processing is fulfilled and retention is no longer necessary.

What you need to do:

  • Define retention periods for each data category. User account data, payment records, support tickets, analytics data. Each should have a documented retention period tied to a business or legal requirement.
  • Implement automated deletion. Manual deletion doesn’t scale. Build or configure automated purging for data that’s past its retention period.
  • Delete data when a user withdraws consent or requests erasure. The Act gives Data Principals the right to erasure. You need a process that executes this within a reasonable timeframe.
  • Don’t forget backups. Data sitting in your backup system is still personal data. Your deletion process needs to account for backup retention cycles.
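An added example (not code from the original post) of the retention logic described above: a per-category retention schedule tied to a documented reason, a scheduled purge, an erasure request that is honoured unless a legal retention duty applies, and tracking of when a deleted record has also aged out of every backup snapshot. The categories, periods and snapshot dates are constructed placeholders, not figures from the Act or Rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed schedule: category -> (documented reason, retention after the
# purpose is fulfilled). "legal:" reasons block erasure requests.
RETENTION: Dict[str, Tuple[str, timedelta]] = {
    "account":        ("business: ongoing service",    timedelta(days=30)),
    "payment_record": ("legal: statutory bookkeeping", timedelta(days=8 * 365)),
    "support_ticket": ("business: quality review",     timedelta(days=2 * 365)),
    "analytics":      ("business: product metrics",    timedelta(days=180)),
}


@dataclass
class Record:
    record_id: str
    category: str
    principal_id: str
    purpose_fulfilled_at: Optional[datetime] = None   # account closed, ticket resolved
    erasure_requested_at: Optional[datetime] = None   # Data Principal asked for deletion
    deleted_from_primary_at: Optional[datetime] = None


@dataclass
class BackupSnapshot:
    snapshot_id: str
    taken_at: datetime
    expires_at: datetime   # end of the backup retention cycle


def legal_hold(category: str) -> bool:
    return RETENTION[category][0].startswith("legal:")


def is_due_for_deletion(rec: Record, now: datetime) -> bool:
    """Due if the principal requested erasure and no legal duty blocks it, or
    if the retention period has run out after the purpose was fulfilled."""
    if rec.deleted_from_primary_at is not None:
        return False
    if rec.erasure_requested_at is not None and not legal_hold(rec.category):
        return True
    if rec.purpose_fulfilled_at is None:
        return False   # purpose still live, keep the record
    return rec.purpose_fulfilled_at + RETENTION[rec.category][1] <= now


def backups_clear_at(rec: Record, snapshots: List[BackupSnapshot]) -> Optional[datetime]:
    """When the record is gone from every backup too: the latest expiry among
    snapshots taken before the primary deletion (they still contain it)."""
    if rec.deleted_from_primary_at is None:
        return None
    expiries = [s.expires_at for s in snapshots
                if s.taken_at < rec.deleted_from_primary_at]
    return max(expiries) if expiries else rec.deleted_from_primary_at


def purge_plan(records: List[Record], snapshots: List[BackupSnapshot],
               now: datetime) -> Dict[str, List[str]]:
    """Automated purge run: sort every record into what the job must do."""
    plan: Dict[str, List[str]] = {"delete_now": [], "legal_hold": [],
                                  "still_in_backups": [], "fully_erased": []}
    for rec in records:
        if is_due_for_deletion(rec, now):
            plan["delete_now"].append(rec.record_id)
        elif rec.erasure_requested_at is not None and rec.deleted_from_primary_at is None:
            plan["legal_hold"].append(rec.record_id)   # answer the principal with the reason
        elif rec.deleted_from_primary_at is not None:
            cleared = backups_clear_at(rec, snapshots)
            key = "fully_erased" if cleared <= now else "still_in_backups"
            plan[key].append(rec.record_id)
    return plan
```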

5. Breach Notification (72 Hours)

This is one of the strictest requirements. If you experience a personal data breach, you must notify the Data Protection Board of India within 72 hours of becoming aware of the breach. You must also notify affected Data Principals.

What you need in place before a breach happens:

  • Incident response plan with a data breach playbook specifically addressing DPDP notification requirements
  • Breach detection capabilities. You can’t notify within 72 hours if you don’t detect the breach for 3 months. Logging, monitoring, and alerting are prerequisites.
  • Pre-drafted notification templates for the Board and for affected users
  • A designated person responsible for breach notification decisions

72 hours is tight. If your incident response process involves “figuring it out when it happens,” you will miss the deadline. Practice with tabletop exercises.

6. Children’s Data

If your product could be used by anyone under 18, the DPDP Act has specific requirements.

Requirements:

  • Verifiable parental consent before processing data of anyone under 18
  • No behavioral tracking or targeted advertising directed at children
  • No processing that could cause harm to a child’s well-being

Practical note: Even if your SaaS product targets businesses, if there’s any possibility a user under 18 could create an account (think freemium products, educational tools, collaboration platforms), you need age verification and parental consent mechanisms.

The government may exempt certain categories of Data Fiduciaries from verifiable parental consent requirements through rules. Watch for updates, but build for the stricter standard until exemptions are confirmed.

7. Cross-Border Data Transfer

The DPDP Act allows transfer of personal data outside India, except to countries specifically restricted by the Central Government via notification.

What this means practically:

  • You can transfer data to countries not on the restricted list without additional safeguards (unlike GDPR’s Standard Contractual Clauses)
  • The government will publish a list of restricted countries. As of early 2026, this list has not been finalized
  • Keep your data flow documentation updated so you know exactly where personal data goes

Action items:

  • Map all cross-border data flows (cloud hosting regions, third-party SaaS tools, CDNs, analytics services)
  • Document which countries your data transits through or is stored in
  • Monitor MeitY notifications for the restricted country list
  • Ensure you can migrate data processing if a country you use gets restricted

8. Data Protection Officer (for Significant Data Fiduciaries)

If the government designates you as a Significant Data Fiduciary, you must appoint a Data Protection Officer (DPO) based in India.

Significant Data Fiduciary obligations also include:

  • Conducting a Data Protection Impact Assessment (DPIA)
  • Periodic data audits by an independent auditor
  • Additional reporting to the Data Protection Board

Who gets designated? The government will designate entities based on volume and sensitivity of data processed, risk to Data Principals, and other factors. Large B2C SaaS companies, fintech platforms, healthtech companies, and edtech companies with millions of users are likely candidates.

If you’re a Series A startup with 10,000 users, you’re probably not a Significant Data Fiduciary today. But build your data practices as if you could be. It’s cheaper to maintain good practices than to retrofit them under regulatory pressure.

9. Grievance Redressal Mechanism

Every Data Fiduciary must have a process for Data Principals to raise grievances about data processing.

Requirements:

  • Publish the contact details of a person or team responsible for handling grievances
  • Respond to grievances within a timeframe prescribed by the rules (expected to be 30 days or less)
  • If the Data Principal is not satisfied, they can escalate to the Data Protection Board

Implementation: A dedicated email address (privacy@yourcompany.com), a form on your website, and an internal SLA for response. This doesn’t need to be complicated, but it does need to exist and actually work.

Penalties

The DPDP Act doesn’t do graduated warnings. The penalties are designed to hurt.

| Violation | Maximum Penalty |
| --- | --- |
| Failure to take reasonable security safeguards to prevent data breach | INR 250 crore |
| Failure to notify the Board and affected Data Principals of a breach | INR 200 crore |
| Non-compliance with obligations regarding children’s data | INR 200 crore |
| Non-compliance with any other provision of the Act | INR 50 crore |
| Failure by Data Principal to comply with their duties (frivolous complaints, false information) | INR 10,000 |

These are maximum penalties. The Data Protection Board will consider factors like the nature and severity of the violation, whether it was a first offense, and what mitigation steps were taken. But “we didn’t know” is not a defense, and “we’re a startup” is not a mitigating factor under the Act.

For context, INR 250 crore is roughly USD 30 million. That’s enough to shut down most startups several times over.

What to Do First: Priority Order

You don’t need to do everything at once. Here’s a practical sequencing for a startup that’s starting from scratch.

Month 1: Foundations

  1. Audit your data flows. What personal data do you collect, where does it go, who has access, how long do you keep it?
  2. Update your privacy policy to meet DPDP Act notice requirements
  3. Set up a grievance mechanism. Dedicated email, published on your website, internal process documented.

Month 2: Consent, Vendors, Retention

  1. Implement granular consent management in your product’s signup and data collection flows
  2. Review and update vendor DPAs. Start with your top 5 vendors by data volume.
  3. Define data retention periods for each category of personal data

Month 3: Security and Response

  1. Build your breach notification process. Playbook, templates, designated owner, 72-hour timeline.
  2. Implement technical controls. Encryption, access controls, logging, monitoring. If you haven’t had a penetration test, now is the time.
  3. Conduct a tabletop exercise simulating a data breach to test your notification process

Month 4: Documentation and Ongoing

  1. Document everything. Policies, procedures, consent records, vendor agreements, retention schedules, impact assessments.
  2. Train your team. Everyone who handles personal data needs to understand the basics of DPDP compliance.
  3. Set up a review cycle. Quarterly reviews of your data practices, consent mechanisms, and vendor compliance.

How Penetration Testing Supports DPDP Compliance

The DPDP Act requires Data Fiduciaries to implement “reasonable security safeguards” to prevent data breaches. The Act doesn’t specify exactly what “reasonable” means, but a penetration test is one of the clearest ways to demonstrate that you’ve actively tested your defenses.

Where pentesting connects to DPDP:

  • Section on security safeguards: A pentest report demonstrates you’ve proactively identified and remediated vulnerabilities before they could lead to a breach
  • Breach prevention: The best way to handle the 72-hour breach notification requirement is to not have a breach in the first place. Pentesting finds the holes before attackers do.
  • Due diligence evidence: If a breach does occur, a recent pentest report showing you invested in security testing strengthens your case that you took “reasonable” measures
  • Vendor risk: If your customers are assessing your DPDP compliance as a vendor, a pentest report is standard evidence they’ll request

A pentest alone doesn’t make you DPDP-compliant. But DPDP compliance without a pentest leaves a significant gap in your “reasonable security safeguards” argument.

Get Started

Not sure where you stand? Book a free 30-min discovery call with the founders. We will map your current state against DPDP requirements and give you a prioritized gap list. No payment, no commitment. For ongoing execution, our Security Retainer (INR 24,999/month) covers 10 hours of founder-led work per month.

Need a pentest for DPDP compliance evidence? Check our pentest plans. The Startup plan (INR 74,999) covers one scope in 7 days. The Growth plan (INR 1,79,999) covers two scopes with SOC 2 + ISO 27001 audit prep included.

Want a quick external check right now? Run your domain through Open EASD for free. It checks your SSL configuration, DNS security, email authentication, exposed ports, and more. Takes 2 minutes and shows you what’s publicly visible.

For a full view of how we help with compliance readiness, see our audit and compliance services.

The DPDP Act is not going away. The rules are being finalized, the Data Protection Board is being set up, and enforcement will follow. The startups that prepare now will spend less, stress less, and have a compliance posture that doubles as a sales advantage when enterprise customers ask about data protection. The ones that wait will scramble.

Frequently Asked Questions

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 is India's first dedicated digital personal data protection law. It governs how Data Fiduciaries (organizations) collect, process, store, share, and delete personal data of Data Principals (individuals) located in India. The Act received Presidential assent in August 2023 and applies to any entity processing digital personal data of individuals in India, regardless of whether the entity is registered in India. It also applies extraterritorially to processing of Indian personal data outside India when the processing is in connection with offering goods or services to Data Principals in India. Penalties go up to INR 250 crore per violation, enforced by the Data Protection Board of India (DPBI).

What are the penalties for DPDP Act non-compliance?

The Act sets graduated maximum penalties by violation type. INR 250 crore for failure to take reasonable security safeguards to prevent a data breach. INR 200 crore for failure to notify the Data Protection Board and affected Data Principals of a breach. INR 200 crore for non-compliance with obligations regarding children's data. INR 50 crore for non-compliance with any other provision of the Act. INR 10,000 for a Data Principal failing to comply with their own duties (frivolous complaints, false information). These are maximum penalties; the DPBI considers nature, severity, first-offence status, and mitigation when adjudicating. “We didn't know” is not a defence. “We are a startup” is not a mitigating factor under the Act.

Does the DPDP Act apply to startups?

Yes. There are no exemptions based on company size, revenue, or stage. Every entity that processes digital personal data of individuals in India is a Data Fiduciary and must comply. For most SaaS startups this means consent management, privacy notices, vendor Data Processing Agreements (DPAs), retention periods, breach notification readiness, and grievance redressal from the day you collect your first Indian user's email. Startups designated as Significant Data Fiduciaries (SDFs) face additional obligations: mandatory Data Protection Officer based in India, Data Protection Impact Assessments, and periodic independent audits. SDF designation is government-notified based on data volume, sensitivity, and risk; most pre-Series B startups are not SDFs but should build practices that scale.

What is the difference between DPDP and GDPR?

Both share a consent and breach-notification spine but diverge on scope, rights, enforcement, and penalties. DPDP covers only digital personal data; GDPR covers all personal data including paper records. GDPR grants broader Data Subject rights (data portability, restriction of processing, automated decision-making protections); DPDP rights are narrower. DPDP penalties cap at INR 250 crore per violation; GDPR caps at 4 percent of global annual turnover or EUR 20 million, whichever is higher. DPDP is enforced by the Data Protection Board of India; GDPR is enforced by national supervisory authorities across EU member states. Indian SaaS serving EU users needs to comply with both. See our dedicated [DPDP Act vs GDPR comparison](/blog/dpdp-act-vs-gdpr-indian-saas/) for the full side-by-side.

When does DPDP Act enforcement begin?

The Act received Presidential assent in August 2023. The substantive obligations are law now. The delegated rules (DPDP Rules) under Section 40 are being finalised by MeitY; once notified, they will operationalise specific timelines (consent format, breach notification window, SDF designation criteria, audit cycles). Treat the absence of finalised rules as a transition window, not an exemption. The Data Protection Board of India is being constituted, and enforcement actions will follow once it is fully operational. Startups that prepare now will pay less, stress less, and have a compliance posture that doubles as a sales advantage when enterprise customers ask. Startups that wait will scramble.

Do I need a Data Protection Officer (DPO) for DPDP?

Only if you are designated a Significant Data Fiduciary (SDF). For most pre-Series B SaaS startups the answer is no. The DPO requirement triggers based on government notification under Section 10, which considers volume and sensitivity of data processed, risk to Data Principals, risk to electoral democracy, public order, security of the state, and other notified factors. Large B2C SaaS, fintech, healthtech, edtech, and telecom-adjacent businesses are likely SDF candidates at scale. If you are not an SDF, name a grievance officer (Section 8(11)) who handles Data Principal grievances and publish their contact details. The grievance officer can be an existing employee with a clear escalation path; they do not need to be a dedicated hire.

What are the 72-hour breach notification rules under DPDP?

Section 8(6) requires Data Fiduciaries to notify the Data Protection Board and affected Data Principals on becoming aware of a personal data breach. The 72-hour window has been the practitioner expectation (matching GDPR Article 33), and the final timeline will be specified by the DPDP Rules when notified. To operate as if 72 hours applies, you need detection capability (logging, monitoring, alerting), a documented incident response plan with a DPDP breach playbook, pre-drafted notification templates for the Board and affected users, a designated person responsible for breach decisions, and quarterly tabletop exercises. The clock starts at awareness, not at incident occurrence; the difference matters when MTTD is poor. See our [DPDP breach response playbook](/blog/dpdp-act-data-breach-response-playbook/) for the templates.

What does a DPDP vendor Data Processing Agreement (DPA) need to cover?

Six minimum elements. One, the vendor processes personal data only for the purposes you (the Data Fiduciary) specify. Two, the vendor maintains documented security safeguards proportionate to risk. Three, the vendor notifies you of any breach without undue delay so you can meet your Section 8(6) obligation to the Board. Four, the vendor returns or deletes personal data on contract termination per your instruction. Five, the vendor permits audit and inspection rights. Six, the vendor obtains your consent before engaging sub-processors and binds them to equivalent terms. Most major SaaS vendors (AWS, GCP, Azure, Stripe, HubSpot) already offer standard DPAs; review them for DPDP specificity, not just GDPR coverage. Insist on a DPDP addendum if the standard DPA only references GDPR or CCPA.

Does DPDP apply to non-Indian SaaS companies serving Indian users?

Yes. Section 3(b) gives the Act extraterritorial reach: it applies to processing of digital personal data outside India if the processing is in connection with offering goods or services to Data Principals in India. A US-based SaaS with Indian customers must comply. A UK SaaS serving Indian B2B customers must comply. Compliance pathway is the same as for India-registered entities: consent management, privacy notice, vendor DPAs, breach notification, grievance redressal. Foreign entities can designate an Indian representative for grievance handling, similar to GDPR Article 27. There is no minimum-volume exemption; one Indian user is enough to trigger applicability.

What consent withdrawal rules apply under DPDP?

Section 6(4) gives Data Principals the right to withdraw consent at any time, with the same ease as giving consent. If a user can opt in with one click, they must be able to opt out with one click. Burying withdrawal three menus deep is non-compliant. On withdrawal, you must stop processing unless you have an alternative lawful basis (legitimate use, legal obligation). You must also notify processors and sub-processors who hold the data to stop processing. You must delete the data if there is no continuing lawful basis and no retention obligation. The withdrawal must take effect within a reasonable time; practitioner standard is 30 days or less, matching the grievance redressal window. Document every withdrawal request, the action taken, and the timestamp; auditors and the Board will ask.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Ashok Kamat on LinkedIn.
