Does the DPDP Act apply to SaaS companies based outside India?

Yes. Section 3(b) extends the DPDP Act to any entity processing personal data in connection with offering goods or services to Data Principals in India, regardless of where the processing occurs. If your platform has Indian users, the Act applies.

Is a SaaS company a Data Fiduciary or a Data Processor?

Usually both. You are a Data Fiduciary for your own business data, such as customer accounts, billing, and employee records. You are a Data Processor when you handle data on behalf of your B2B clients. Each role carries different obligations.

Do SaaS Data Processors need to obtain consent directly from end users?

No. The duty to obtain consent sits with the Data Fiduciary, which is your client. As a processor you must provide the technical means for your client to obtain, record, and manage consent in line with the Act.

Can a SaaS company store Indian user data on overseas servers?

Yes, for now. Section 16 permits cross-border transfer to all countries except any the Central Government restricts, and no restricted list has been notified yet. Significant Data Fiduciaries may face additional localisation requirements.

What is the penalty if a SaaS company suffers a data breach?

Direct penalties under the Act apply to Data Fiduciaries, up to ₹250 crore for failure to implement reasonable security safeguards. As a processor your exposure is mainly contractual through the data processing agreement, plus reputational and client-retention risk.

When does DPDP enforcement begin for SaaS companies?

The Consent Manager registration window closes in November 2026 and full enforcement, including penalties, is expected from May 2027. Aim for operational compliance well before those dates to leave room for testing.

Industry Guides

DPDP Compliance for SaaS Companies in India (2026)

How SaaS companies meet the DPDP Act 2023 in India: the dual Data Fiduciary and Data Processor roles, data processing agreements, cross-border transfers, and a compliance checklist.

12 min read 27 May 2026

Why a SaaS Platform Sits in Two Roles at Once

If your SaaS platform processes the personal data of users in India, the DPDP Act 2023 applies to you, whether you are headquartered in Bengaluru or Berlin. The Consent Manager registration window closes in November 2026 and full enforcement is expected from May 2027. The compliance window is short.

The complexity is structural, not procedural. Under the DPDP Act, two roles matter. The Data Fiduciary determines the purpose and means of processing. The Data Processor processes data on behalf of a fiduciary. Most businesses fall cleanly into one role. SaaS companies do not.

Consider a B2B HR platform serving 200 Indian companies. It is a Data Fiduciary for its own data: account details, billing, usage analytics, and the records of its own staff. It is a Data Processor for its clients’ data: the employee records and payroll details that customers upload and manage through the platform. Two sets of obligations run through the same infrastructure, often touching the same database tables.

The Section 8 Accountability Chain

Section 8(1) sets a principle that SaaS founders cannot contract around: a Data Fiduciary is responsible for complying with the Act for any processing it undertakes or that is undertaken on its behalf by a Data Processor, irrespective of any agreement to the contrary.

For a SaaS company this creates a layered structure. Your B2B client is the Data Fiduciary for the personal data its users entrust to it. You are a Data Fiduciary for your own data collection, and fully liable for that. If client data is breached on your servers, the legal consequences flow to the client, but the contractual and reputational consequences land on you.

Section 8(2) permits a Data Fiduciary to engage a processor only under a valid contract. That makes the data processing agreement a legal requirement, not a formality.

The Seven Core DPDP Obligations for SaaS Companies

Section 6 requires that personal data be processed for a lawful purpose, after consent that is free, specific, informed, unconditional, and unambiguous. For your direct sign-ups, you need granular, purpose-specific consent before collecting personal data. A blanket “I agree to the terms” checkbox does not meet the standard. For client data in your processor role, your client obtains consent from their end users, but your platform must give them the means to do it: consent capture, purpose-specific controls, and auditable consent records.

A related requirement often gets overstated. The privacy notice and consent request must be available in English or any language listed in the Eighth Schedule of the Constitution, in a form the Data Principal understands. The Act does not mandate that every consent flow ship in all 22 scheduled languages at once. It mandates that the Data Principal can understand the request in their language. If you serve users across India, build the capability to present notices and consent in the languages your users actually read.

2. Privacy notice

Under Section 5, every Data Fiduciary must give a clear privacy notice before or at the time of collecting personal data. The notice must state the personal data collected and the purpose, how Data Principals exercise their rights, how to complain to the Data Protection Board, and the contact details of the Data Protection Officer or designated contact. For your processor role, clients need to configure and customise notices within your platform rather than rely on one static notice for every use case.

3. Data processing agreements

Section 8(2) allows processors to be engaged only under a valid contract. For every B2B relationship you need a data processing agreement that sets out the scope of processing, sub-processor provisions, breach notification obligations, data deletion on termination, and the security measures you apply. If you serve multiple verticals, expect to maintain more than one template. An NBFC client’s requirements under RBI rules differ from an e-commerce client’s.

4. Security safeguards and breach notification

Section 8(5) requires reasonable security safeguards to prevent a personal data breach. This obligation has teeth: the Act sets its highest penalty, up to ₹250 crore, for a failure of safeguards that results in a breach. For a SaaS platform, reasonable safeguards include encryption in transit and at rest, role-based access controls with audit trails, regular security testing, an incident response plan, and tenant isolation that prevents one client’s data leaking into another’s.

Under Section 8(6), a personal data breach must be reported to the Data Protection Board and affected Data Principals. The DPDP Rules set the detailed report deadline at 72 hours. The full sequence, including the parallel CERT-In obligation, is in the breach notification timeline guide.

5. Data Principal rights

The Act grants Data Principals enforceable rights: access to a summary of their data and the processing, correction and erasure, grievance redressal within the prescribed timeline, and the right to nominate another person to act on their behalf. In the processor role, the challenge is building infrastructure that lets your clients fulfil these rights for their own end users through your platform. That means APIs, self-service portals, and workflows that handle access, correction, and erasure at scale.

6. Cross-border data transfer

Section 16 permits transfer of personal data outside India to all countries except any the Central Government restricts. No restricted list has been notified yet. Prepare for the possibility by documenting every cross-border flow, ensuring agreements with international sub-processors carry DPDP-aligned clauses, and building the option to localise storage if you are later designated a Significant Data Fiduciary. Global cloud infrastructure in regions such as AWS Mumbai is permitted under the current framework. Track government notifications, because restrictions can be imposed.

Section 6(6) is demanding for SaaS architectures: when a Data Principal withdraws consent, the Data Fiduciary must, within a reasonable time, stop processing and cause its processors to stop. For a platform, withdrawal must propagate across sub-processors and integrated services, erasure must be verifiable with an audit trail, and retention must be tied to a documented purpose rather than kept “just in case.”

This is harder when your clients operate in regulated sectors. An NBFC on your platform may hold RBI-mandated retention obligations, such as keeping KYC records for years after account closure, that collide with an erasure request. Section 8(7), the Legal Obligation Override, governs that clash. The mechanics are covered in the RBI and DPDP retention conflict guide.

Three Scenarios SaaS Teams Hit in Practice

Multi-tenant isolation. A CRM platform stores data for 500 Indian businesses. A breach in one tenant triggers the notification obligation. The affected client is the Data Fiduciary, but the platform must detect the breach within the 72-hour window, identify exactly which tenants are affected, notify them so they can meet their own obligations, and provide forensic evidence. Weak isolation that lets a breach spread across tenants turns one incident into liability owed to every affected client.

Analytics and usage tracking. Most platforms collect usage data for product work. If any of it is personal data, through IP addresses, device identifiers, or user IDs, you need purpose-specific consent for analytics, a separate consent option rather than a bundled “accept all,” and the option to process analytics in anonymised form where you can, which removes the data from the Act’s scope.

The sub-processor chain. A typical stack uses cloud hosting, email delivery, payment processing, analytics, and support tools. Each is a sub-processor. Accountability does not shrink because of sub-processing. Your agreements must cascade through the chain, and you must keep a current register of every sub-processor handling personal data. A personal data inventory is where that register starts.

A DPDP Compliance Checklist for SaaS Companies

#	Action	Priority
1	Run a personal data inventory across the platform, including sub-processors	Critical
2	Classify your role, Fiduciary or Processor, for each processing activity	Critical
3	Deploy privacy notices in the languages your users read	High
4	Implement granular, purpose-specific consent capture with auditable records	Critical
5	Update or create data processing agreements for every B2B contract	High
6	Build rights-fulfilment workflows for access, correction, erasure, and grievance	High
7	Implement breach detection and the 72-hour notification procedure	Critical
8	Document cross-border transfers and sub-processor relationships	Medium
9	Appoint a contact person, or a Data Protection Officer if designated a Significant Data Fiduciary	High
10	Run a mock audit of consent flows, breach response, and rights fulfilment	High

Penalty Exposure for SaaS Companies

The Act sets penalties per contravention, not per record. The amounts are large enough to threaten a mid-market SaaS business.

Contravention	Maximum penalty
Failure to implement reasonable security safeguards	₹250 crore
Failure to notify the Board of a breach	₹200 crore
Breach of obligations relating to children’s data	₹200 crore
Failure to meet other Data Fiduciary obligations	₹50 crore

In the processor role your direct exposure under the Act is lower, since penalties fall mainly on Data Fiduciaries. The contractual liability through your agreements, the reputational damage, and the loss of enterprise clients can be just as serious. For a closer look at how penalties stack, see the penalty calculator.

Building Compliance Into the Product

DPDP compliance for a SaaS company is not a one-time project. It is product infrastructure. Consent capture, storage, and withdrawal belong in the platform, both for your direct users and as a configurable feature for clients. Rights fulfilment needs APIs and workflows that resolve requests within the prescribed timelines. Every processing activity, consent event, and rights request needs a logged audit trail, because regulators ask for proof, not policy. Breach detection and notification need to run on the 72-hour clock without a manual scramble.

ConsentOS is built for this. It provides consent management, rights-fulfilment workflows, compliance audit trails, and breach notification tracking that a SaaS company can run alongside its existing stack. For platforms serving regulated sectors, the Legal Obligation Override resolves the specific conflict between DPDP erasure rights and sector-specific retention mandates. To see where you stand today, run the free Compliance Vault Assessment, or compare options on the comparison page.

Know where you stand on DPDP compliance

Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, or model your penalty exposure.

Start Free Assessment Calculate Penalty Exposure

Resources

Continue Reading

Related DPDP Act 2023 guidance from the ConsentOS knowledge base.

Regulatory Updates

DPDP Act 2023 Compliance Deadlines & Enforcement Dates (India)

The DPDP Act 2023 enforcement calendar. Rules notification, Consent Manager registration, and the data principal response deadlines Indian businesses must track.

5 min read

Implementation Guides

DPDP Privacy Notice: 22 Languages & Mandatory Disclosures (India)

What a DPDP Act 2023 privacy notice must disclose, the 22 languages you must support on request, and a compliant template you can adapt for your business.

11 min read

Data Principal Rights

DPDP Act 2023: All 8 Data Principal Rights with Templates (India)

The DPDP Act 2023 grants data principals eight enforceable rights, from access to erasure to grievance redress. Each carries a mandatory response deadline you must meet.

7 min read