If you’re running a SaaS company in India, the Digital Personal Data Protection Act (DPDP Act) applies to you. Not eventually. Now. The Act received Presidential assent in August 2023, the rules are being finalized, and enforcement will follow. Startups that process personal data of Indian users, which is every SaaS company with Indian customers, need to comply.
The penalties go up to INR 250 crore. That’s not a typo. This isn’t a “we’ll deal with it later” regulation.
This post is a practical compliance checklist. No legal jargon walls. Just what you need to do, in what order, and what it actually means for your engineering and operations.
What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023 is India’s first comprehensive data protection law. Think of it as India’s answer to GDPR, but tailored to Indian regulatory context.
Who it applies to: Any entity that processes digital personal data of individuals in India. If your SaaS product collects names, email addresses, phone numbers, or any data that identifies a person, you’re covered. It also applies if you process data of Indian citizens from outside India.
What it covers: How you collect, store, process, share, and delete personal data. Consent requirements, breach notification, children’s data, cross-border transfers, and grievance handling.
Key distinction from GDPR: The DPDP Act is narrower in some ways (it covers only digital personal data, not all personal data) but carries steep penalties and gives the government broad rulemaking authority through the Data Protection Board of India.
Key Terms You Need to Know
Before the checklist, here are four terms the Act uses everywhere. Learn these once and the rest makes sense.
| Term | What It Means | You Are Probably This |
|---|---|---|
| Data Principal | The individual whose data is being processed | Your users/customers |
| Data Fiduciary | The entity that determines the purpose and means of data processing | Your company |
| Significant Data Fiduciary | A Data Fiduciary handling large volumes of data or sensitive data, designated by the government | Likely applies at Series B+ scale |
| Consent Manager | A registered entity that manages consent on behalf of Data Principals | A third-party service you may integrate |
As a SaaS startup, you are the Data Fiduciary. Your users are the Data Principals. Everything in this checklist flows from that relationship.
The DPDP Compliance Checklist
1. Consent Management
This is the foundation. Under the DPDP Act, you can only process personal data with the Data Principal’s free, specific, informed, unconditional, and unambiguous consent. That’s a high bar.
What you need to do:
- Implement granular consent. Don’t bundle consent for marketing emails with consent for data processing. Each purpose needs separate consent. A single “I agree to everything” checkbox won’t hold up.
- Make consent withdrawal as easy as giving it. If a user can opt in with one click, they must be able to opt out with one click. Burying the withdrawal option three menus deep is non-compliant.
- Record consent with timestamps. You need to prove when consent was given, for what purpose, and by whom. Store consent records with audit trails.
- Re-obtain consent if purpose changes. If you collected data for “service delivery” and now want to use it for “analytics,” you need fresh consent.
Exceptions to consent: The Act allows processing without consent for certain “legitimate uses,” including compliance with legal obligations, response to medical emergencies, and employment-related processing. Don’t stretch these exceptions. They’re narrow.
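The consent requirements above (one consent per purpose, one-click withdrawal, timestamped audit trail, fresh consent when the purpose changes) map onto a small append-only ledger. The following is an added illustration, not code from the original post; the purpose names and the `source` field are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed purpose identifiers: each one needs its own, separate consent.
PURPOSES = {"service_delivery", "analytics", "marketing_email"}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str      # the Data Principal (your user)
    purpose: str           # one specific processing purpose
    granted: bool          # True = consent given, False = consent withdrawn
    recorded_at: datetime  # when the choice was captured (UTC)
    source: str            # where it was captured (signup form, settings page, ...)


class ConsentLedger:
    """Append-only record of consent decisions; the full history is the audit trail."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, principal_id: str, purpose: str, granted: bool,
                source: str, at: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(principal_id, purpose, granted, at, source))

    def grant(self, principal_id: str, purpose: str, source: str,
              at: Optional[datetime] = None) -> None:
        self._record(principal_id, purpose, True, source, at)

    def withdraw(self, principal_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> None:
        # Withdrawal is a single call, exactly as easy as granting.
        self._record(principal_id, purpose, False, source, at)

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        # The latest event for this (principal, purpose) pair decides; consent for
        # one purpose never implies consent for another, so "analytics" stays False
        # until it is granted explicitly.
        state = False
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose:
                state = e.granted
        return state

    def history(self, principal_id: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.principal_id == principal_id]


def require_consent(ledger: ConsentLedger, principal_id: str, purpose: str) -> None:
    """Gate every processing path on current, purpose-specific consent."""
    if not ledger.has_consent(principal_id, purpose):
        raise PermissionError(f"no valid consent from {principal_id} for {purpose}")
```

Call `require_consent` at the point where data is actually used for a purpose, not only at signup, so a withdrawal takes effect on the next processing run.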
2. Privacy Notice
Before collecting any personal data, you must provide a clear notice to the Data Principal.
Your privacy notice must include:
- What personal data you collect
- The specific purpose of processing
- How the Data Principal can exercise their rights (access, correction, deletion, grievance)
- How to file a complaint with the Data Protection Board
Practical implementation: Update your privacy policy page. But also surface relevant notices at the point of data collection. A privacy policy link in the footer is necessary but not sufficient. When a user signs up, show them exactly what you’re collecting and why.
3. Data Processing Agreements with Vendors
If you use third-party services that process personal data on your behalf (cloud providers, analytics tools, payment processors, CRM systems), you need Data Processing Agreements (DPAs) with each of them.
What the DPA should cover:
- The vendor processes data only for the purposes you specify
- Security measures the vendor must maintain
- Breach notification obligations (the vendor must tell you, and you must tell the Board)
- Data deletion requirements when the contract ends
Most major cloud and SaaS vendors (AWS, Google Cloud, Stripe, HubSpot) already offer standard DPAs. Review them. Make sure they cover DPDP Act requirements specifically, not just GDPR.
4. Data Retention and Deletion
The DPDP Act requires you to delete personal data once the purpose of processing is fulfilled and retention is no longer necessary.
What you need to do:
- Define retention periods for each data category. User account data, payment records, support tickets, analytics data. Each should have a documented retention period tied to a business or legal requirement.
- Implement automated deletion. Manual deletion doesn’t scale. Build or configure automated purging for data that’s past its retention period.
- Delete data when a user withdraws consent or requests erasure. The Act gives Data Principals the right to erasure. You need a process that executes this within a reasonable timeframe.
- Don’t forget backups. Data sitting in your backup system is still personal data. Your deletion process needs to account for backup retention cycles.
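One way to implement the retention rules above (a documented period per data category, automated purging, erasure requests taking precedence, and backup copies tracked separately) is shown below. This is an added example, not code from the original post; the retention periods and the `backup_cycle` value are constructed placeholders that must be replaced with your own legal and business requirements.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed retention schedule: one documented period per data category.
RETENTION: Dict[str, timedelta] = {
    "account": timedelta(days=30),              # after account closure
    "payment_record": timedelta(days=365 * 7),  # placeholder statutory period
    "support_ticket": timedelta(days=365),
    "analytics_event": timedelta(days=90),
}


@dataclass
class Record:
    record_id: str
    principal_id: str
    category: str
    purpose_ended_at: datetime        # when the processing purpose was fulfilled
    erasure_requested: bool = False   # Data Principal exercised the right to erasure


def is_expired(rec: Record, now: datetime) -> bool:
    """Due for deletion when the retention period has run since the purpose ended,
    or immediately when the Data Principal requested erasure."""
    if rec.erasure_requested:
        return True
    if rec.category not in RETENTION:
        raise ValueError(f"no documented retention period for {rec.category}")
    return now >= rec.purpose_ended_at + RETENTION[rec.category]


def purge(records: List[Record], now: datetime) -> Tuple[List[Record], List[str]]:
    """Split records into those to keep and the ids to delete from primary storage."""
    keep: List[Record] = []
    delete_ids: List[str] = []
    for rec in records:
        (delete_ids if is_expired(rec, now) else keep).append(
            rec.record_id if is_expired(rec, now) else rec)  # type: ignore[arg-type]
    return keep, delete_ids


def backup_purge_deadline(deleted_at: datetime, backup_cycle: timedelta) -> datetime:
    """Deleting from primary storage is not enough: a copy survives in backups until
    the last backup taken before deletion rolls off. Track that date as a follow-up."""
    return deleted_at + backup_cycle
```

Run `purge` on a schedule (for example nightly), then record `backup_purge_deadline` for every deleted id and verify on that date that no backup still contains it.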
5. Breach Notification (72 Hours)
This is one of the strictest requirements. If you experience a personal data breach, you must notify the Data Protection Board of India within 72 hours of becoming aware of the breach. You must also notify affected Data Principals.
What you need in place before a breach happens:
- Incident response plan with a data breach playbook specifically addressing DPDP notification requirements
- Breach detection capabilities. You can’t notify within 72 hours if you don’t detect the breach for 3 months. Logging, monitoring, and alerting are prerequisites.
- Pre-drafted notification templates for the Board and for affected users
- A designated person responsible for breach notification decisions
72 hours is tight. If your incident response process involves “figuring it out when it happens,” you will miss the deadline. Practice with tabletop exercises.
6. Children’s Data
If your product could be used by anyone under 18, the DPDP Act has specific requirements.
Requirements:
- Verifiable parental consent before processing data of anyone under 18
- No behavioral tracking or targeted advertising directed at children
- No processing that could cause harm to a child’s well-being
Practical note: Even if your SaaS product targets businesses, if there’s any possibility a user under 18 could create an account (think freemium products, educational tools, collaboration platforms), you need age verification and parental consent mechanisms.
The government may exempt certain categories of Data Fiduciaries from verifiable parental consent requirements through rules. Watch for updates, but build for the stricter standard until exemptions are confirmed.
7. Cross-Border Data Transfer
The DPDP Act allows transfer of personal data outside India, except to countries specifically restricted by the Central Government via notification.
What this means practically:
- You can transfer data to countries not on the restricted list without additional safeguards (unlike GDPR’s Standard Contractual Clauses)
- The government will publish a list of restricted countries. As of early 2026, this list has not been finalized
- Keep your data flow documentation updated so you know exactly where personal data goes
Action items:
- Map all cross-border data flows (cloud hosting regions, third-party SaaS tools, CDNs, analytics services)
- Document which countries your data transits through or is stored in
- Monitor MeitY notifications for the restricted country list
- Ensure you can migrate data processing if a country you use gets restricted
8. Data Protection Officer (for Significant Data Fiduciaries)
If the government designates you as a Significant Data Fiduciary, you must appoint a Data Protection Officer (DPO) based in India.
Significant Data Fiduciary obligations also include:
- Conducting a Data Protection Impact Assessment (DPIA)
- Periodic data audits by an independent auditor
- Additional reporting to the Data Protection Board
Who gets designated? The government will designate entities based on volume and sensitivity of data processed, risk to Data Principals, and other factors. Large B2C SaaS companies, fintech platforms, healthtech companies, and edtech companies with millions of users are likely candidates.
If you’re a Series A startup with 10,000 users, you’re probably not a Significant Data Fiduciary today. But build your data practices as if you could be. It’s cheaper to maintain good practices than to retrofit them under regulatory pressure.
9. Grievance Redressal Mechanism
Every Data Fiduciary must have a process for Data Principals to raise grievances about data processing.
Requirements:
- Publish the contact details of a person or team responsible for handling grievances
- Respond to grievances within a timeframe prescribed by the rules (expected to be 30 days or less)
- If the Data Principal is not satisfied, they can escalate to the Data Protection Board
Implementation: A dedicated email address (privacy@yourcompany.com), a form on your website, and an internal SLA for response. This doesn’t need to be complicated, but it does need to exist and actually work.
Penalties
The DPDP Act doesn’t do graduated warnings. The penalties are designed to hurt.
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent data breach | INR 250 crore |
| Failure to notify the Board and affected Data Principals of a breach | INR 200 crore |
| Non-compliance with obligations regarding children’s data | INR 200 crore |
| Non-compliance with any other provision of the Act | INR 50 crore |
| Failure by Data Principal to comply with their duties (frivolous complaints, false information) | INR 10,000 |
These are maximum penalties. The Data Protection Board will consider factors like the nature and severity of the violation, whether it was a first offense, and what mitigation steps were taken. But “we didn’t know” is not a defense, and “we’re a startup” is not a mitigating factor under the Act.
For context, INR 250 crore is roughly USD 30 million. That’s enough to shut down most startups several times over.
What to Do First: Priority Order
You don’t need to do everything at once. Here’s a practical sequencing for a startup that’s starting from scratch.
Month 1: Foundations
- Audit your data flows. What personal data do you collect, where does it go, who has access, how long do you keep it?
- Update your privacy policy to meet DPDP Act notice requirements
- Set up a grievance mechanism. Dedicated email, published on your website, internal process documented.
Month 2: Consent and Agreements
- Implement granular consent management in your product’s signup and data collection flows
- Review and update vendor DPAs. Start with your top 5 vendors by data volume.
- Define data retention periods for each category of personal data
Month 3: Security and Response
- Build your breach notification process. Playbook, templates, designated owner, 72-hour timeline.
- Implement technical controls. Encryption, access controls, logging, monitoring. If you haven’t had a penetration test, now is the time.
- Conduct a tabletop exercise simulating a data breach to test your notification process
Month 4: Documentation and Ongoing
- Document everything. Policies, procedures, consent records, vendor agreements, retention schedules, impact assessments.
- Train your team. Everyone who handles personal data needs to understand the basics of DPDP compliance.
- Set up a review cycle. Quarterly reviews of your data practices, consent mechanisms, and vendor compliance.
How Penetration Testing Supports DPDP Compliance
The DPDP Act requires Data Fiduciaries to implement “reasonable security safeguards” to prevent data breaches. The Act doesn’t specify exactly what “reasonable” means, but a penetration test is one of the clearest ways to demonstrate that you’ve actively tested your defenses.
Where pentesting connects to DPDP:
- Section on security safeguards: A pentest report demonstrates you’ve proactively identified and remediated vulnerabilities before they could lead to a breach
- Breach prevention: The best way to handle the 72-hour breach notification requirement is to not have a breach in the first place. Pentesting finds the holes before attackers do.
- Due diligence evidence: If a breach does occur, a recent pentest report showing you invested in security testing strengthens your case that you took “reasonable” measures
- Vendor risk: If your customers are assessing your DPDP compliance as a vendor, a pentest report is standard evidence they’ll request
A pentest alone doesn’t make you DPDP-compliant. But DPDP compliance without a pentest leaves a significant gap in your “reasonable security safeguards” argument.
Get Started
Not sure where you stand? Security on Demand gives you 4 hours of founder-led assessment for INR 9,999. We’ll map your current state against DPDP requirements and give you a prioritized gap list. Full refund if you don’t continue. Continue with us, and the fee comes off the price.
Need a pentest for DPDP compliance evidence? Check our pentest plans. The Startup plan (INR 74,999) covers one scope in 7 days. The Growth plan (INR 1,79,999) covers two scopes with SOC 2 + ISO 27001 audit prep included.
Want a quick external check right now? Run your domain through Open EASD for free. It checks your SSL configuration, DNS security, email authentication, exposed ports, and more. Takes 2 minutes and shows you what’s publicly visible.
For a full view of how we help with compliance readiness, see our audit and compliance services.
The DPDP Act is not going away. The rules are being finalized, the Data Protection Board is being set up, and enforcement will follow. The startups that prepare now will spend less, stress less, and have a compliance posture that doubles as a sales advantage when enterprise customers ask about data protection. The ones that wait will scramble.