In short: DPDP cross-border data transfer India rules under the Digital Personal Data Protection Act 2023 and the Rules notified in 2025 restrict where SaaS companies can send personal data. Transfers are permitted only to countries the Central Government approves; transfers to blocked or unspecified countries are prohibited. Founders must audit data flows now.
Key points
- The Digital Personal Data Protection Act 2023 (DPDP Act) and the Rules notified in 2025 together govern how Indian personal data may leave India — there is no blanket free-flow of data to any destination.
- The Central Government will publish an allowlist of countries or territories to which personal data may be transferred; transfers outside that list are not permitted.
- The Rules impose additional conditions on Data Fiduciaries (your SaaS company) before a cross-border transfer can lawfully occur, including maintaining a record of the transfer and ensuring the recipient protects the data consistently with the Act.
- Significant Data Fiduciaries — a higher-risk category designated by the government — face stricter obligations, which may include data localisation requirements for certain categories of data.
- Non-compliance can attract financial penalties from the Data Protection Board of India; penalty amounts are tiered and set out in the Act’s Schedule.
- The DPDP Rules 2025 were notified but, as of mid-2026, several implementation details (including the final allowlist of permitted countries) were still being finalised — founders should monitor the Ministry of Electronics and Information Technology (MeitY) portal for updates.
What the DPDP Act actually says about transferring data outside India
Section 16 of the DPDP Act 2023 is the key provision. It empowers the Central Government to restrict transfers of digital personal data to countries or territories it specifies by notification.
The default position is a permitted-unless-blocked model at the Act level, but the Rules add a positive obligation: Data Fiduciaries must ensure any recipient outside India protects the personal data to a standard consistent with the Act’s principles.
Practically, once the government publishes its list of restricted or permitted destinations, SaaS founders will need to check every third-party sub-processor, cloud region, and analytics tool against that list.
What are the DPDP Rules 2025 requirements for cross-border transfers?
The Rules (notified by MeitY in 2025) operationalise Section 16. Key requirements include:
Contractual and technical safeguards: You must have binding arrangements with overseas recipients that obligate them to handle data consistently with the Act and to notify you of any breach.
Record-keeping: Maintain records of what data is transferred, to whom, in which country, and for what purpose. Regulators can ask for these records during an inquiry.
Data Principal rights travel with the data: Even after transfer, Indian users (Data Principals) retain their rights — access, correction, erasure, and grievance redressal. Your recipient must be capable of honouring those rights or you must handle them on behalf of the recipient.
Note: The exact text of specific rules should be verified directly against the Rules as notified in the Official Gazette, since drafts circulated before notification sometimes differ from the final text.
Data localisation: who does it apply to?
Pure data localisation — a legal requirement to store data only within India — is not a blanket rule under the DPDP Act for all companies. However, the Act gives the government power to impose localisation on Significant Data Fiduciaries (SDFs) for specific categories of sensitive data.
An SDF is a Data Fiduciary designated by the Central Government based on factors such as the volume of data processed, sensitivity of data, national security implications, and risk to electoral democracy. Designation is done by notification.
If your SaaS platform is designated an SDF, you face additional obligations that can include: mandatory Data Protection Officer appointment, data protection impact assessments, and potentially localisation mandates for defined data categories. Check MeitY notifications regularly if you process large volumes of Indian user data.
Comparing key obligations: standard Data Fiduciary vs Significant Data Fiduciary
| Obligation | Standard Data Fiduciary | Significant Data Fiduciary (SDF) |
|---|---|---|
| Cross-border transfer restrictions | Must comply with government-notified country list and safeguard obligations | Same, plus possible localisation mandate for designated data categories |
| Data Protection Officer (DPO) | Not mandatory (but advisable) | Mandatory; must be based in India |
| Data Protection Impact Assessment | Not mandatory under base rules | Mandatory for high-risk processing activities |
| Consent Manager obligations | Must use a registered Consent Manager if relying on consent | Same, with higher accountability |
| Periodic audit | Not specified | Required; to be conducted by an independent auditor |
Practical steps for SaaS founders right now
Step 1 — Map your data flows
List every service, API, cloud region, analytics platform, and support tool that receives personal data of Indian users. Note the country of the data centre or headquarters for each.
Step 2 — Identify your legal basis for processing and transfer
The DPDP Act recognises consent and certain legitimate uses as bases for processing. Ensure the same legal basis covers the transfer, not just the initial collection.
Step 3 — Review contracts with sub-processors
Your Data Processing Agreements (DPAs) with vendors must be updated to reflect DPDP Act obligations — particularly breach notification timelines and the obligation to support Data Principal rights.
Step 4 — Watch the MeitY allowlist
The Central Government’s list of permitted or restricted countries is the single most important external variable. Subscribe to MeitY notifications at meity.gov.in and the Official Gazette at egazette.gov.in.
Step 5 — Build a grievance mechanism
Indian users must be able to raise complaints. Appoint a Grievance Officer (or designate a point of contact) and publish their details in your Privacy Policy. This is a mandatory disclosure under the Act.
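Steps 1 to 4 amount to an inventory that can be re-checked every time a vendor or cloud region changes, so it is worth keeping as a script rather than a spreadsheet. The following Python is an added example and is not code from the article or from any regulator; the sample inventory is constructed, the `PERMITTED_COUNTRIES` set is a hypothetical placeholder (the Central Government's allowlist had not been published when the article was written), and the three DPA clause flags are assumptions about how a team might record the outcome of its contract review. It also produces the transfer record described in the Rules section above (what, to whom, which country, for what purpose).

```python
"""Data-flow inventory audit for DPDP cross-border transfers.

Added illustration, not the article's own code. PERMITTED_COUNTRIES is a
constructed placeholder: substitute the list notified by the Central
Government before relying on the output.
"""
from dataclasses import dataclass


@dataclass
class DataFlow:
    vendor: str                       # service or sub-processor receiving the data
    purpose: str                      # why the data is sent (needed for the transfer record)
    data_categories: tuple            # which personal data goes across
    country: str                      # ISO 3166-1 alpha-2 code of the data centre or HQ
    breach_notification: bool         # DPA obliges the vendor to notify you of a breach
    supports_principal_rights: bool   # vendor can honour access / correction / erasure
    instruction_only: bool            # vendor processes only on your documented instructions


# Constructed sample inventory (Step 1). Vendors and countries are illustrative;
# "XX" is deliberately a non-existent code standing in for an unlisted destination.
SAMPLE_FLOWS = [
    DataFlow("Cloud object storage", "primary application storage",
             ("name", "email", "usage logs"), "IN", True, True, True),
    DataFlow("Product analytics", "feature usage analytics",
             ("user id", "event stream"), "US", True, False, True),
    DataFlow("Email delivery", "transactional email",
             ("name", "email"), "IE", False, True, True),
    DataFlow("Support desk", "customer support tickets",
             ("name", "email", "ticket text"), "XX", True, True, False),
]

# HYPOTHETICAL allowlist (Step 4). Replace with the government-notified list.
PERMITTED_COUNTRIES = {"IN", "US", "IE"}


def audit_flows(flows, permitted_countries):
    """Return (vendor, finding) tuples for every gap found.

    Destination is checked against the allowlist (Step 4); the three DPA
    clauses the article calls for are checked for every flow (Step 3),
    including domestic ones, because they bind the processor regardless
    of where it sits.
    """
    findings = []
    for f in flows:
        if f.country != "IN" and f.country not in permitted_countries:
            findings.append((f.vendor, f"destination {f.country} not on permitted list"))
        if not f.breach_notification:
            findings.append((f.vendor, "DPA lacks breach notification clause"))
        if not f.supports_principal_rights:
            findings.append((f.vendor, "vendor cannot honour Data Principal rights; handle requests in-house"))
        if not f.instruction_only:
            findings.append((f.vendor, "DPA lacks processing-only-on-instruction clause"))
    return findings


def transfer_register(flows):
    """Build the transfer record the Rules require: what, to whom, where, why.

    Only flows that leave India are cross-border transfers, so domestic
    flows are omitted.
    """
    return [
        {"what": ", ".join(f.data_categories), "to_whom": f.vendor,
         "country": f.country, "purpose": f.purpose}
        for f in flows if f.country != "IN"
    ]


if __name__ == "__main__":
    for vendor, finding in audit_flows(SAMPLE_FLOWS, PERMITTED_COUNTRIES):
        print(f"[GAP] {vendor}: {finding}")
    for record in transfer_register(SAMPLE_FLOWS):
        print("[RECORD]", record)
```

Run it as part of a change-management check: a non-empty findings list blocks the change until the contract or region is fixed, and the register output is what you hand over if the Data Protection Board asks for records during an inquiry.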
For related plain-language guides on Indian privacy law and startup compliance, see the Law for You section at The Courtroom, which covers concepts from consent to contracts in accessible language.
What about existing transfers before the Rules took effect?
The Act and Rules include transitional provisions. Data Fiduciaries that were already processing data before the Rules came into force are generally given a window to achieve compliance. The exact transition period should be verified against the Rules as notified, since MeitY may prescribe different timelines for different categories of fiduciaries.
Do not assume your existing architecture is grandfathered indefinitely. Begin gap analysis now so you have time to restructure cloud infrastructure, renegotiate vendor contracts, and update privacy notices before any hard deadline passes.
Penalties for non-compliance
The DPDP Act’s Schedule sets out a tiered penalty framework enforced by the Data Protection Board of India. Penalties for failing to comply with cross-border transfer obligations, or for failing to implement reasonable security safeguards, can run into crores of rupees. The Board has adjudicatory powers and can also impose directions to cease processing.
Penalties are not automatic — the Board follows an inquiry process — but the financial exposure is significant enough that compliance investment is clearly worthwhile for any growth-stage SaaS company.
Frequently asked questions
Can an Indian SaaS company store all its data on AWS US-East or Google Cloud US?
Not without first checking the government’s notified list of permitted countries. The DPDP Act requires the Central Government to specify which countries are permissible destinations for personal data. Until that list is finalised and published, founders should take a cautious approach, audit their cloud regions, and structure contracts so they can pivot storage locations quickly if a US region is not on the permitted list. Verify the current status on the MeitY website before making infrastructure decisions.
Does the DPDP Act apply to a SaaS company incorporated outside India that serves Indian users?
Yes. The DPDP Act has extra-territorial reach: it applies to the processing of digital personal data of individuals within India, regardless of where the Data Fiduciary is incorporated or located. A foreign SaaS company with Indian users must comply with the Act’s obligations, including cross-border transfer rules, consent requirements, and grievance redressal obligations.
What is the difference between a Data Fiduciary and a Data Processor under the DPDP Act?
A Data Fiduciary decides the purpose and means of processing personal data — typically the SaaS company itself. A Data Processor processes data on behalf of and under the instructions of a Data Fiduciary — for example, a cloud infrastructure provider or analytics vendor. Primary compliance obligations (consent, notices, grievance officer, cross-border safeguards) sit with the Data Fiduciary. Data Processors must contractually agree to process data only as instructed and to meet security standards specified by the Fiduciary.
This article is for general information only and is not legal advice. Laws change; verify against the primary sources cited and consult a qualified advocate for your situation.