DPDP Act Compliance for Indian Companies

India's Digital Personal Data Protection Act 2023 is now in force. AuditPath maps your obligations to controls, automates evidence collection, and keeps all your data in India.

About

What is the DPDP Act?

The Digital Personal Data Protection Act 2023 (DPDP Act) is India's landmark data protection legislation, signed into law in August 2023. It establishes a comprehensive framework for how companies must collect, process, store, and delete the personal data of Indian residents. The Act applies to any entity — Indian or foreign — that processes digital personal data of individuals located in India, whether collected online or digitised from offline sources.

Unlike GDPR, which applies only to EU residents, the DPDP Act has explicit extraterritorial reach: if your SaaS product serves Indian users, you are a Data Fiduciary under the Act regardless of where your servers are located. Non-compliance exposes you to penalties of up to ₹250 crore per breach — making early compliance investment a straightforward business decision.

Applicability

Who does it apply to?

The DPDP Act applies to any company that processes personal data of Indian residents — regardless of where the company or its servers are located.

SaaS companies

Any product with Indian users — from B2B tools to consumer apps.

Fintech

Payment platforms, lending apps, and wealth management tools processing Indian financial data.

Health tech

Telemedicine, health records, diagnostics, and insurance platforms.

E-commerce

Marketplaces and direct-to-consumer platforms with Indian customers.

HR & recruitment

Companies processing employee or candidate data of Indian residents.

EdTech

Platforms collecting personal data — including children's data — of Indian learners.

Obligations

Key obligations under the DPDP Act

Lawful purpose

Personal data may only be processed for a specific, clear, and lawful purpose that the data principal has consented to.

Consent

Consent must be free, specific, informed, unconditional, and unambiguous. Pre-ticked boxes and bundled consent are not valid.

Data minimisation

Only the personal data that is necessary for the stated purpose may be collected. Collecting additional data "just in case" is non-compliant.

Accuracy

Data Fiduciaries must take reasonable steps to ensure that personal data is accurate and up to date.

Storage limitation

Personal data must be deleted once the purpose for which it was collected has been fulfilled, unless retention is required by law.

Security safeguards

Reasonable security measures must be implemented to prevent data breaches. Breaches must be reported to the Data Protection Board and affected individuals.

Penalties

What non-compliance costs

The DPDP Act grants the Data Protection Board authority to impose significant financial penalties. Penalties are per violation and can be compounded for repeat offences.

Maximum penalty per violation:

₹250 crore: Data breach due to failure to implement adequate security safeguards
₹200 crore: Failure to notify the Data Protection Board or affected individuals of a breach
₹200 crore: Failure to fulfil obligations with respect to children's data
₹10,000: Failure of a data principal to comply with their duties under the Act

AuditPath

How AuditPath helps with DPDP compliance

AuditPath includes a dedicated DPDP Act framework that maps each legal obligation to an implementable control — then helps your team collect, organise, and present the evidence to demonstrate compliance.

Obligation-to-control mapping

Every DPDP Act requirement — consent management, breach notification, storage limitation — is mapped to a concrete control with implementation guidance and suggested evidence.

Evidence tracking

Upload policies, consent records, data flow diagrams, and DPIA reports against each control. Track status, set expiry dates, and get alerts before evidence lapses.

Compliance report

Generate a complete DPDP compliance report showing which obligations are met, which have gaps, and the evidence supporting each control — ready for internal review or external audit.

Your data stays in India

AuditPath runs entirely on AWS ap-south-1 (Mumbai). Your compliance data — control mappings, evidence files, audit reports — never leaves India. This matters both for DPDP Act compliance and for any enterprise customer or regulator that asks where your data resides.

Unlike Vanta or Drata which store data in the United States, AuditPath was built with Indian enterprises and the DPDP Act in mind from day one. Data residency is not a future roadmap item — it is the default.

FAQ

Common questions

When does the DPDP Act come into effect?

The DPDP Act was signed into law in August 2023. The central government is rolling out the rules and enforcement timeline in phases. Companies should begin compliance work now to avoid last-minute scrambles when enforcement notices are issued.

Does the DPDP Act apply if my company is outside India?

Yes. The Act applies to any entity that processes personal data of individuals located in India — regardless of where the company is headquartered or where its servers are hosted.

What is the difference between a Data Fiduciary and a Data Processor?

A Data Fiduciary determines the purpose and means of processing personal data (your company). A Data Processor processes personal data on behalf of a Fiduciary (e.g., your cloud vendor or analytics tool). Fiduciaries carry the primary compliance obligations.

Does AuditPath support both DPDP Act and SOC 2 simultaneously?

Yes. The Growth plan supports all three frameworks — SOC 2, ISO 27001, and DPDP Act — at the same time. Many controls overlap, so evidence collected for one framework often satisfies requirements in another.

Start DPDP compliance today

Free plan available. No credit card required. Your data stays in India from day one.