The DPDP Act 2023 does not name penetration testing explicitly, but Section 8(5) requires every Data Fiduciary to take reasonable security safeguards to prevent personal data breach. A pentest report is the standard evidence Indian and international auditors accept that reasonable security safeguards exist and operate. The Schedule sets the penalty for failing to take reasonable security safeguards at up to INR 250 crore. Significant Data Fiduciaries under Section 10 must additionally conduct periodic data audits and DPIAs, and pentest is a standard component of both. CERT-In empanelment is a separate regime driven by sector regulators under the IT Act ecosystem; it is not required for a DPDP pentest unless your sector independently triggers it.
The Digital Personal Data Protection Act 2023 is in force. The Data Protection Board is establishing operations. The Rules 2025 are partly drafted, partly still in consultation. In this transition period, Indian SaaS startups face a real operational question: what does DPDP compliance actually require for pentest, and what evidence will defend the company if a breach happens or the Board investigates.
The honest answer: the Act does not use the words penetration testing. But the obligation under Section 8(5) to take reasonable security safeguards is in force, and reasonable security in 2026 industry practice includes pentest. If your company processes personal data and a breach happens, the Board will look at your security artifact pack. A pentest report, the remediation evidence, and the retest log together form the simplest defensible artifact in that pack.
At Cybersecify, our founder-led pentest engagements map findings to the relevant DPDP Act sections where applicable, in addition to SOC 2 Trust Services Criteria and ISO 27001 Annex A controls. Both founders are based in Bengaluru. We understand the Indian regulatory environment and structure reports for defensibility under Board inspection. Startup Pentest (INR 74,999) covers one scope and produces DPDP compliance evidence. Growth Pentest (INR 1,79,999) covers two scopes, audit prep, and a Letter of Attestation. We are India-anchored and serve AI-first and API-first SaaS startups globally.
This article walks through what DPDP Act actually requires (versus what vendors claim it requires), how pentest fits into the compliance evidence pack, and what changes if the draft Rules 2025 finalize as written.
Key Findings
- Section 8(5) of the DPDP Act requires reasonable security safeguards. Pentest is the standard industry evidence that reasonable security exists. The Schedule penalty for failing this obligation is up to INR 250 crore.
- Significant Data Fiduciary (Section 10) status triggers periodic data audit and DPIA obligations. Pentest is a standard component of both. SDF status is designated by the central government based on volume and sensitivity of data, risk to Data Principals, and impact on sovereignty, electoral democracy, security of the State, and public order.
- CERT-In empanelment is not required for a DPDP pentest. It is a separate requirement imposed by sector regulators and government mandates under the IT Act ecosystem. Vendor marketing claiming otherwise is overreach.
- Breach notification under the draft Rules 2025: intimate the Board without delay, then supply the detailed report within 72 hours. The CERT-In 6-hour incident reporting requirement applies in parallel and independently. Pentest evidence factors into the defensibility of both.
- Conservative compliance posture: annual pentest minimum, remediate Critical and High findings in 30 to 60 days, retain reports and remediation logs for 7+ years for regulatory inspection. The 7-year figure is our recommendation, not a statutory number.
What the DPDP Act Actually Requires
Three sections of the Act directly affect pentest decisions for Indian SaaS startups.
Section 8(5): Reasonable Security Safeguards
Every Data Fiduciary (any entity that determines the purpose and means of processing personal data) must implement reasonable security safeguards to prevent personal data breach. The Act itself does not define reasonable in granular detail. The draft Rules 2025 (Rule 6) enumerate minimum measures: encryption, obfuscation or masking, access control, logging and monitoring that enable detection of unauthorised access, backups for continuity after compromise, and retention of logs for one year. Expect the final Rules to carry similar language.
In practice, reasonable security in 2026 Indian SaaS context includes:
- Access control: authentication, authorisation, least privilege, multi-factor where appropriate
- Vulnerability management: regular scanning, dependency monitoring, patch management
- Independent security testing: penetration testing by a third party with documented credentials
- Incident response: documented runbooks, breach detection, notification readiness
- Encryption: at rest and in transit for personal data
- Logging and monitoring: audit logs, anomaly detection, security event capture
Pentest is the artifact that demonstrates the third item (independent security testing), but a competent engagement also surfaces gaps in access control, vulnerability management, encryption, and logging. A SaaS startup with no pentest evidence has no defensible answer to “did you implement reasonable security safeguards” if a breach happens.
Section 8(6): Breach Notification
When a personal data breach occurs, the Data Fiduciary must intimate the Data Protection Board and each affected Data Principal. The draft Rules 2025 require intimating the Board without delay once the Fiduciary becomes aware of the breach, followed by a detailed report within 72 hours. The CERT-In direction of 28 April 2022 requires reporting cyber incidents to CERT-In within 6 hours, and applies independently to many of the same events. Failure to notify under Section 8(6) carries its own Schedule penalty of up to INR 200 crore, separate from the Section 8(5) exposure.
Pentest reports factor into Section 8(6) defensibility in two ways:
- If a pentest identified the vulnerability that led to the breach and the company did not remediate it within a reasonable window, the report itself becomes evidence of failure to take reasonable security safeguards under Section 8(5). The penalty exposure compounds: the Board can see that the risk was known and left open.
- If a regular pentest cadence is documented with remediation logs, the company has evidence that a security program was operating. Section 33(2) directs the Board to weigh factors such as the nature and gravity of the breach, whether it is repetitive, and the mitigation actions taken when setting a penalty, so this evidence typically reduces exposure even though a specific incident occurred.
The practical implication: pentest is not just preventive. It is defensive evidence for the worst-case scenario.
Section 10: Significant Data Fiduciary
The central government may designate any Data Fiduciary as a Significant Data Fiduciary based on:
- Volume of personal data processed
- Sensitivity of the data
- Risk of harm to Data Principals
- Impact on the sovereignty and integrity of India
- Impact on electoral democracy
- Impact on security of the State
- Impact on public order
SDFs have additional obligations:
- Appoint a Data Protection Officer (DPO) based in India
- Appoint an independent data auditor to evaluate compliance with the Act
- Conduct periodic Data Protection Impact Assessments (DPIA)
- Conduct periodic data audits
- Implement additional measures as prescribed by the Rules
Pentest is a standard component of both the periodic data audit and the DPIA evidence pack. SDF candidates should plan for:
- Annual pentest minimum, scoped against systems processing significant data
- Pentest specifically referenced in the DPIA evidence pack for high-risk processing
- Reports retained for at least 7 years for regulatory inspection
- Remediation logs maintained alongside reports
Smaller SaaS startups that are not yet SDF-designated should still plan as if they might be. The designation criteria are broad, and growth in user base or data sensitivity can trigger SDF status with little warning.
What CERT-In Empanellment Does and Does Not Cover
CERT-In empanelment is a separate framework from DPDP. CERT-In is constituted under the Information Technology Act 2000, and the requirement to use an empanelled auditor comes from government mandates and sector regulators' directives (the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 also contemplate audits by approved auditors). Empanelled auditors are typically required for:
- Government departments and public sector undertakings
- Banks (RBI directive)
- NBFCs (RBI directive)
- Insurance companies (IRDAI directive)
- Telecom operators (DoT directive)
- Power sector entities (CEA / CERC directives)
- Critical Information Infrastructure designated under Section 70 of the IT Act
For most private SaaS startups, even those serving enterprise customers, CERT-In empanelment is not required for either DPDP Act compliance or general security evidence. Vendor marketing that conflates CERT-In empanelment with DPDP compliance is incorrect. The two are separate regimes with separate triggering conditions.
What DPDP Section 8(5) requires is reasonable security safeguards. What that requires in practice is competent independent security testing. A non-empanelled vendor with credentialed testers (OSCP, CREST, CompTIA PenTest+) and a named methodology (PTES, OWASP WSTG) is acceptable evidence. The pentest report is the artifact, not the empanelment certificate.
See our companion article on when you do not need a CERT-In empanelled vendor for the full decision framework.
Mapping Pentest Findings to DPDP Risk
The Cybersecify Growth Pentest report includes a section that maps findings to DPDP Act sections where applicable. The most common mappings:
| Finding category | DPDP Act mapping | Risk if unremediated |
|---|---|---|
| Authentication or authorisation bypass exposing personal data | Section 8(5) reasonable security; Section 8(6) breach notification | Up to INR 250 crore for failure of reasonable safeguards; notification duties triggered on breach |
| Multi-tenancy boundary violation between Data Principals | Section 8(5); potentially Section 6 (consent scope) | Cross-tenant data exposure is a personal data breach |
| Children’s data exposed via unauthenticated endpoint | Section 9 children’s data obligations | Up to INR 200 crore; separate Schedule category |
| Missing or broken audit logging | Section 8(5) reasonable security; impedes Section 8(6) breach detection and timely notification | Reduces breach detection capability; weakens Board defensibility |
| Sensitive personal data in client-side bundles or debug output | Section 8(5); potentially Section 5 notice scope | Reasonable security failure plus potential mismatch with the notice given to Data Principals |
The mapping is not a legal opinion. It is the operational view of how a finding could surface during Board investigation. We work with the company’s legal team or external counsel on actual compliance posture.
Planning Your DPDP Compliance Pentest Cadence
Conservative posture for 2026 Indian SaaS:
Annual pentest minimum. Scope it against the systems that process personal data. If you are SDF-designated or a candidate for designation, structure the engagement to also satisfy the DPIA pentest evidence.
Remediate Critical and High findings within 30 to 60 days. Document the timeline, the engineering work, and the verified retest. This is the evidence that distinguishes “we tested” from “we tested and acted.”
Retain reports and remediation logs for at least 7 years. The Data Protection Board may inspect during a breach investigation. Old reports are useless if they cannot be produced on request.
Update pentest scope as the product changes. A new payment integration, new API surface, new user role system, or expansion into children’s services (which triggers Section 9) all warrant scope expansion or a re-test.
Document risk acceptance for findings not remediated. Low and informational findings can stay open with a recorded justification. Critical or High findings left open without compensating controls or risk acceptance documentation are the highest exposure category under Section 8(5).
What to Do Next
If your SaaS processes personal data of Indian Data Principals and your last pentest is older than 9 months, or you do not have a pentest report at all, address that now. The Act is in force. The Rules will finalize on a timeline you do not control. The Section 8(5) obligation is current, not future.
Cybersecify Growth Pentest (INR 1,79,999) covers two scopes (typically web app and API), maps findings to DPDP Act sections, SOC 2 Trust Services Criteria, and ISO 27001 Annex A, includes audit prep evidence, a free retest within 30 days, and a Letter of Attestation. For Significant Data Fiduciary candidates, we can scope the engagement to satisfy the DPIA pentest component within the same engagement.
For the cost breakdown, see our article on pentest cost in India 2026. For SOC 2 audit alignment alongside DPDP, see our article on SOC 2 pentest requirements 2026. For the empanelment decision specifically, see our article on when you do not need a CERT-In empanelled vendor.
Book a discovery call to scope your DPDP-aligned pentest. We will walk through your data flows, SDF candidacy assessment, and report structure before quoting.
The Act will not wait for the Rules to clarify. Section 8(5) is in force. The pentest report is the artifact that answers it.