The Digital Personal Data Protection Act, 2023 (DPDPA) is no longer a "coming soon" regulation. The rules are notified, the Data Protection Board is stood up, and enforcement has begun. For Indian SaaS companies storing customer personal data — which is effectively every Indian SaaS — the question has moved from "do we need to comply" to "how fast can we close the biggest gaps".
The penalty math is unforgiving. A single instance of "failure to implement reasonable security safeguards" exposes a company to up to ₹250 crore. For a ₹40 crore ARR SaaS, that is 6x annual revenue on a single finding. The largest Indian SaaS funding rounds have been wiped out for less.
This post is the 30-day path. The six controls most Indian SaaS companies miss today, with the exact cloud-layer changes needed on AWS to close each one. A checklist you can hand to your engineering lead on Monday and expect results by the end of May.
DPDPA in one paragraph (for engineering teams)
DPDPA regulates how organisations ("Data Fiduciaries") collect, process, store, and transfer the "Digital Personal Data" of individuals in India ("Data Principals"). It requires explicit, informed, itemised consent; data minimisation; retention limits; breach notification; and it creates new rights for individuals — access, correction, erasure, grievance redressal. Compliance is not optional and is not relative to the size of your company. A 20-person seed-stage startup handling 1,000 user records has the same legal obligations as a listed enterprise, just at smaller potential penalty scale.
The penalty ceiling, broken down
| Violation | Max penalty |
|---|---|
| Failure to take reasonable security safeguards | ₹250 crore |
| Failure to notify breach (Board + Data Principals) | ₹200 crore |
| Non-fulfilment of obligations re: children's data | ₹200 crore |
| Non-fulfilment of obligations of Significant Data Fiduciary | ₹150 crore |
| Non-compliance with a direction of the Data Protection Board | ₹50 crore |
| Breach by Data Principal (false claims, spam filing) | ₹10,000 |
The Data Protection Board may impose these penalties in aggregate; they are per-breach ceilings, not annual caps. A quarter of reported US GDPR enforcement fines have landed above ₹40 crore equivalent. DPDPA enforcement is not yet at that rhythm, but the regulator has signalled intent to prioritise consumer-facing tech companies and SaaS handling financial/health data.
The six controls most Indian SaaS miss
Control 1 — Explicit, granular consent capture (not pre-ticked boxes)
DPDPA demands consent that is "free, specific, informed, unconditional and unambiguous with a clear affirmative action." Blanket "I agree to the terms" checkboxes do not meet this. Pre-ticked opt-ins for marketing communication do not meet this. Bundling data-processing consent with service-signup consent does not meet this.
Cloud-layer fix (AWS): log every consent event in a tamper-evident audit trail. We recommend a dedicated consent_events DynamoDB table with stream capture to S3 via Kinesis, with S3 Object Lock in Compliance mode. The immutability is the evidence — you need to prove, six months later, the exact moment a specific Data Principal gave or withdrew consent.
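What the consent_events trail has to be able to answer is shown below as an added example (not the author's implementation, and independent of DynamoDB/S3): an offline, hash-chained consent ledger where each event carries the hash of its predecessor, so an after-the-fact edit or deletion is detectable, and a `state_at` query that answers "what was this Data Principal's consent for this purpose at this instant". The purpose names, event fields and the sample principal are constructed assumptions.

```python
"""Hash-chained consent ledger.

Added example (not the author's implementation): an offline model of the
tamper-evident consent_events trail. Purpose names, event fields and the
sample principal are constructed assumptions."""
import hashlib
import json
from typing import Optional

PURPOSES = {"service_delivery", "marketing_email", "analytics"}  # constructed
GENESIS = "0" * 64


def _event_hash(payload: dict, prev_hash: str) -> str:
    """SHA-256 over the canonical JSON of the event plus the previous hash."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only consent events; each carries the hash of its predecessor,
    so editing or dropping any event invalidates every hash after it.
    Events must be appended in timestamp order (ISO-8601 UTC strings)."""

    def __init__(self) -> None:
        self.events: list = []

    def record(self, principal_id: str, purpose: str, action: str, ts: str, evidence: str) -> dict:
        # One purpose per event: a bundled "I agree to everything" cannot be
        # represented, so the trail can only show itemised, specific consent.
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        prev = self.events[-1]["hash"] if self.events else GENESIS
        payload = {
            "seq": len(self.events),
            "principal_id": principal_id,
            "purpose": purpose,
            "action": action,
            "ts": ts,              # moment of the affirmative act
            "evidence": evidence,  # which UI element / request produced it
            "prev_hash": prev,
        }
        event = {**payload, "hash": _event_hash(payload, prev)}
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """Recompute the whole chain; False if any event was altered or removed."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            payload = {k: v for k, v in ev.items() if k != "hash"}
            if ev["seq"] != i or ev["prev_hash"] != prev or _event_hash(payload, prev) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def state_at(self, principal_id: str, purpose: str, at_ts: str) -> Optional[str]:
        """'given', 'withdrawn' or None for one principal and purpose at an
        instant: the question an auditor asks six months later."""
        state = None
        for ev in self.events:
            if ev["principal_id"] == principal_id and ev["purpose"] == purpose and ev["ts"] <= at_ts:
                state = ev["action"]
        return state


def sample_ledger() -> ConsentLedger:
    """Constructed sample: consent to two purposes at signup, one later withdrawn."""
    ledger = ConsentLedger()
    ledger.record("dp-1001", "service_delivery", "given", "2026-03-01T10:00:00Z", "signup:checkbox-service")
    ledger.record("dp-1001", "marketing_email", "given", "2026-03-01T10:00:05Z", "signup:checkbox-marketing")
    ledger.record("dp-1001", "marketing_email", "withdrawn", "2026-04-15T08:30:00Z", "settings:unsubscribe")
    return ledger


def tampered_ledger_verifies() -> bool:
    """Rewrite history (the edit Object Lock exists to prevent) and re-verify."""
    ledger = sample_ledger()
    ledger.events[2]["action"] = "given"
    return ledger.verify()


if __name__ == "__main__":
    lg = sample_ledger()
    print("chain valid:", lg.verify())
    print("marketing state on 2026-05-01:", lg.state_at("dp-1001", "marketing_email", "2026-05-01T00:00:00Z"))
    print("tampered chain valid:", tampered_ledger_verifies())
```

The hash chain is what makes the trail evidence rather than a log: S3 Object Lock stops the bytes being changed, and the chain lets you show, from the data alone, that nothing between two events was edited or removed. Store the latest hash somewhere separate (a daily anchor is enough) and a truncated trail is detectable too.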
Control 2 — Data retention with automated purge
Data must be erased "as soon as reasonable to assume that the specified purpose is no longer being served." In practice, this means every PII field in your database needs a documented retention period and a scheduled purge process. Most Indian SaaS we audit have never set retention — user records live forever, even for churned accounts.
Cloud-layer fix: DynamoDB TTL for event-sourced data, RDS stored procedures for relational PII, and S3 Lifecycle policies for file uploads. The harder architectural pattern — one we implement in our DPDP Act checklist — is separating PII columns into a dedicated table so purge is a targeted DELETE, not a destructive schema change.
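The split-table purge pattern, as an added example that is not the author's code or schema: sqlite3 stands in for RDS, and the table names, columns and 90-day window are constructed assumptions. Personal fields live in their own 1:1 table, so the scheduled job is a targeted DELETE on that table plus a purge-log row as evidence, while the non-personal account row survives for billing history and aggregates.

```python
"""Targeted PII purge against a split schema.

Added example (not the author's code): sqlite3 stands in for RDS, and the
tables, columns and 90-day window are constructed assumptions. Personal
fields live in their own table, so purge is a DELETE on that table and the
non-personal account row survives."""
import sqlite3
from datetime import date, timedelta

CHURNED_PII_RETENTION_DAYS = 90  # constructed policy value; document yours per field
SAMPLE_TODAY = date(2026, 5, 1)  # fixed "today" so the sample is reproducible

SCHEMA = """
CREATE TABLE accounts (
    account_id        INTEGER PRIMARY KEY,
    plan              TEXT NOT NULL,
    status            TEXT NOT NULL,   -- 'active' or 'churned'
    status_changed_on TEXT NOT NULL    -- ISO date
);
CREATE TABLE account_pii (               -- every personal field, 1:1 with accounts
    account_id INTEGER PRIMARY KEY REFERENCES accounts(account_id),
    full_name  TEXT NOT NULL,
    email      TEXT NOT NULL,
    phone      TEXT
);
CREATE TABLE purge_log (                 -- the evidence that the purge ran
    account_id INTEGER NOT NULL,
    reason     TEXT NOT NULL,
    purged_on  TEXT NOT NULL
);
"""


def build_sample_db(today: date) -> sqlite3.Connection:
    """Constructed data: one active account, two churned at different ages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        (1, "pro",  "active",  (today - timedelta(days=10)).isoformat()),
        (2, "pro",  "churned", (today - timedelta(days=120)).isoformat()),  # beyond window
        (3, "free", "churned", (today - timedelta(days=30)).isoformat()),   # inside window
    ])
    conn.executemany("INSERT INTO account_pii VALUES (?, ?, ?, ?)", [
        (1, "Asha Rao",    "asha@example.com",   "+91-90000-00001"),
        (2, "Vikram Nair", "vikram@example.com", None),
        (3, "Meera Iyer",  "meera@example.com",  "+91-90000-00003"),
    ])
    conn.commit()
    return conn


def due_for_purge(conn: sqlite3.Connection, today: date) -> list:
    """Churned accounts whose PII is still present past the retention window."""
    cutoff = (today - timedelta(days=CHURNED_PII_RETENTION_DAYS)).isoformat()
    rows = conn.execute(
        """SELECT a.account_id
             FROM accounts a
             JOIN account_pii p ON p.account_id = a.account_id
            WHERE a.status = 'churned' AND a.status_changed_on <= ?""",
        (cutoff,),
    ).fetchall()
    return [r[0] for r in rows]


def run_purge(conn: sqlite3.Connection, today: date, dry_run: bool = False) -> int:
    """Delete PII rows that are due and log each deletion; returns the count.
    dry_run reports what would be purged without touching the tables."""
    ids = due_for_purge(conn, today)
    if dry_run:
        return len(ids)
    with conn:  # one transaction: the delete and its evidence commit together
        for account_id in ids:
            conn.execute("DELETE FROM account_pii WHERE account_id = ?", (account_id,))
            conn.execute("INSERT INTO purge_log VALUES (?, ?, ?)",
                         (account_id, "churned_account_retention", today.isoformat()))
    return len(ids)


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    assert table in ("accounts", "account_pii", "purge_log")  # guard the interpolation
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db(SAMPLE_TODAY)
    print("would purge:", run_purge(db, SAMPLE_TODAY, dry_run=True))
    print("purged:", run_purge(db, SAMPLE_TODAY))
    print("pii rows left:", count_rows(db, "account_pii"), "accounts kept:", count_rows(db, "accounts"))
```

Run the dry-run branch from the scheduler first and compare its count against what you expect; the purge_log table is what you hand an auditor when asked to show the retention policy is actually executed, not merely written down.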
Control 3 — Breach detection, containment, and notification within 72 hours
The DPDPA rules use the phrase "as soon as possible" for breach notification, but the Data Protection Board is moving toward a 72-hour norm modelled on GDPR Article 33. The operational gap we see: Indian SaaS detects breaches weeks after they happen, because nobody has wired alerts on the signals that matter.
Cloud-layer fix: GuardDuty + Security Hub + CloudWatch alarms on any IAM role gaining new permissions, any S3 bucket going public, any RDS snapshot being shared cross-account, and any EC2 instance profile being modified. Route alerts to PagerDuty or Opsgenie with a 15-minute acknowledgement SLA. Detection is one half; the documented 72-hour notification playbook with legal on speed-dial is the other.
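The four signals above, as detection logic in an added example that is not the author's alerting setup: the classification an EventBridge rule or Lambda behind the CloudWatch alarm would apply to CloudTrail records. The records in SAMPLE_RECORDS are constructed and abridged to the fields the code reads (not real CloudTrail output), the account id is a placeholder, and the severity labels are assumptions.

```python
"""Breach-signal classifier for CloudTrail-shaped events.

Added example (not the author's alerting setup): the decision logic an
EventBridge rule or Lambda behind the CloudWatch alarm would apply. The
records in SAMPLE_RECORDS are constructed and abridged to the fields used
here; they are not real CloudTrail output."""
from typing import Optional

OWN_ACCOUNT = "111111111111"  # constructed placeholder account id
PERMISSION_GRANT_EVENTS = {"AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy"}
INSTANCE_PROFILE_EVENTS = {"AssociateIamInstanceProfile",
                           "ReplaceIamInstanceProfileAssociation",
                           "DisassociateIamInstanceProfile"}
SNAPSHOT_SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _policy_allows_anyone(policy: dict) -> bool:
    """Allow statement with Principal '*' and no Condition = world-readable."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            return True
    return False


def classify(record: dict) -> Optional[dict]:
    """Alert dict for a record matching one of the four signals, else None."""
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    actor = (record.get("userIdentity") or {}).get("arn", "unknown")

    def alert(signal: str, severity: str, target) -> dict:
        return {"signal": signal, "severity": severity, "target": target, "actor": actor}

    if name in PERMISSION_GRANT_EVENTS:
        return alert("iam_role_permission_change", "high", params.get("roleName"))
    if name == "PutBucketAcl":
        grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant") or []
        if any((g.get("Grantee") or {}).get("URI") == ALL_USERS_URI for g in grants):
            return alert("s3_bucket_public", "critical", params.get("bucketName"))
    if name == "PutBucketPolicy" and _policy_allows_anyone(params.get("bucketPolicy") or {}):
        return alert("s3_bucket_public", "critical", params.get("bucketName"))
    if name == "PutPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        if not all(cfg.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS):
            return alert("s3_public_access_block_weakened", "high", params.get("bucketName"))
    if name in SNAPSHOT_SHARE_EVENTS and params.get("attributeName") == "restore":
        added = params.get("valuesToAdd") or []
        foreign = [v for v in added if v == "all" or v != OWN_ACCOUNT]
        if foreign:  # shared outside our account; "all" means every AWS account
            sev = "critical" if "all" in foreign else "high"
            return alert("rds_snapshot_shared_cross_account", sev,
                         params.get("dBSnapshotIdentifier") or params.get("dBClusterSnapshotIdentifier"))
    if name in INSTANCE_PROFILE_EVENTS:
        return alert("ec2_instance_profile_change", "medium", params.get("instanceId"))
    return None


def triage(records) -> list:
    """Alerts, in record order, for everything that matched a signal."""
    return [a for a in (classify(r) for r in records) if a]


SAMPLE_RECORDS = [  # constructed and abridged
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ops"}, "requestParameters": {}},
    {"eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev1"},
     "requestParameters": {"bucketName": "customer-uploads",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"URI": ALL_USERS_URI}, "Permission": "READ"}]}}}},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",  # conditioned: not public
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev1"},
     "requestParameters": {"bucketName": "cdn-assets", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]}}},
    {"eventName": "ModifyDBSnapshotAttribute", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dba"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-2026-04-30", "attributeName": "restore",
                           "valuesToAdd": ["222222222222"]}},
    {"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev2"},
     "requestParameters": {"roleName": "app-server", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AssociateIamInstanceProfile", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev2"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
]
```

Note the conditioned bucket policy is deliberately not flagged: a `Principal: "*"` statement scoped by a Condition is how VPC-endpoint-only access is written, and paging on it trains the on-call to ignore the alarm. The `actor` field is what the 72-hour playbook needs first, so it travels with every alert.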
Control 4 — Data Protection Officer / Grievance Officer appointment
Only Significant Data Fiduciaries must appoint a DPO. But every Data Fiduciary must publish a "grievance mechanism" and name a contact who can respond to Data Principal rights requests. In practice, a single email inbox monitored by a single human counts — as long as requests are logged, tracked, and resolved within the statutory timelines (30 days for most rights).
Operational fix: a dedicated privacy@ inbox routed to a ticketing system (Zendesk, HelpScout, or a Jira project), with SLA enforcement and monthly reporting. Your privacy policy must list this contact. Most Indian SaaS privacy policies we audit still list a founder's personal email — that breaks at the first scale-up or personnel change.
Control 5 — Cross-border data transfer documentation
DPDPA uses a negative-list model. Transfers are permitted unless the Central Government specifically restricts a destination country. This is less restrictive than many companies feared, but it still requires documentation — for every cross-border data flow, you need to record what data, where it goes, why, and what safeguards apply.
Cloud-layer fix: a data-flow register as code (we maintain ours in a single YAML file checked into the security repo). For AWS specifically: document every S3 cross-region replication rule, every RDS read replica in a foreign region, every analytics pipeline that ships CURs to a global BigQuery instance. The register must be reviewed quarterly and updated whenever a new third-party processor is onboarded.
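A register-as-code is only useful if something checks it, so here is an added example (not the author's register or schema) of the validation you would run in CI against that YAML file: every flow carries the what/where/why/safeguards fields, has a signed DPA, has been reviewed within the quarter, and does not land in a restricted destination. The register here is a constructed inline list standing in for the parsed YAML, the field names are assumptions, and the restricted-country set holds only a placeholder code.

```python
"""Data-flow register checks.

Added example (not the author's register): the register is a constructed
inline list standing in for the YAML file, with assumed field names. Load the
real file with a YAML parser and pass the resulting list to validate_register."""
from datetime import date

REQUIRED_FIELDS = ("id", "data_categories", "source", "destination", "destination_country",
                   "purpose", "processor", "safeguards", "dpa_signed", "last_reviewed")
REVIEW_INTERVAL_DAYS = 90          # quarterly review
# Placeholder only: fill from the Central Government's notified restrictions, if any.
RESTRICTED_COUNTRIES = {"XX"}      # "XX" is a constructed placeholder code, not a real country
SAMPLE_TODAY = date(2026, 5, 1)    # fixed "today" so the sample is reproducible

SAMPLE_REGISTER = [  # constructed
    {"id": "flow-001", "data_categories": ["email", "name"], "source": "rds/ap-south-1/app-db",
     "destination": "snowflake/us-east-1", "destination_country": "US", "purpose": "product analytics",
     "processor": "Snowflake", "safeguards": ["pseudonymisation", "TLS in transit", "vendor DPA"],
     "dpa_signed": True, "last_reviewed": "2026-04-10"},
    {"id": "flow-002", "data_categories": ["phone"], "source": "rds/ap-south-1/app-db",
     "destination": "sms-gateway", "destination_country": "US", "purpose": "OTP delivery",
     "safeguards": ["TLS in transit"], "dpa_signed": False, "last_reviewed": "2025-10-01"},
    {"id": "flow-003", "data_categories": ["name", "email"], "source": "s3/ap-south-1/exports",
     "destination": "partner-sftp", "destination_country": "XX", "purpose": "reseller reporting",
     "processor": "Example Partner", "safeguards": ["encryption at rest"], "dpa_signed": True,
     "last_reviewed": "2026-03-20"},
]


def validate_flow(flow: dict, today: date) -> list:
    """Findings for one flow; an empty list means the flow is fully documented."""
    findings = []
    for key in REQUIRED_FIELDS:
        if key not in flow:
            findings.append(f"missing field: {key}")
    if flow.get("destination_country") in RESTRICTED_COUNTRIES:
        findings.append("destination country is on the restricted list")
    if flow.get("dpa_signed") is not True:
        findings.append("no signed DPA with the processor")
    if not flow.get("safeguards"):
        findings.append("no safeguards documented")
    last = flow.get("last_reviewed")
    if last:
        age = (today - date.fromisoformat(last)).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append(f"review overdue ({age} days since last review)")
    return findings


def validate_register(register: list, today: date) -> dict:
    """Map flow id -> findings, only for flows with at least one finding.
    Duplicate ids are reported under the key '_register'."""
    report = {}
    ids = [f.get("id") for f in register]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        report["_register"] = [f"duplicate flow id: {d}" for d in dupes]
    for flow in register:
        findings = validate_flow(flow, today)
        if findings:
            report[flow.get("id", "<no id>")] = findings
    return report


if __name__ == "__main__":
    for flow_id, findings in validate_register(SAMPLE_REGISTER, SAMPLE_TODAY).items():
        print(flow_id, "->", "; ".join(findings))
```

Fail the pipeline on a non-empty report. The overdue-review check is what turns "reviewed quarterly" from a policy sentence into something the register itself enforces, and the new-processor case is covered automatically: a flow added without `processor` and `dpa_signed: true` is a finding on its first commit.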
Control 6 — Children's data handling
Data of individuals under 18 gets materially stricter treatment. Parental consent is required. Targeted advertising to children is banned. Behavioural monitoring is restricted. For edtech and gaming companies, this is a large operational lift. For B2B SaaS, the question is subtler — your product might not target children, but what if your customers onboard users under 18 (HR SaaS, healthtech, coaching platforms)?
Operational fix: a signup-time age declaration field, consent capture flow that branches based on declared age, and an explicit policy on what happens if age is undeclared. The cloud-layer piece is that these events live in the same tamper-evident consent audit trail as Control 1.
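The branching the signup flow has to implement, as an added example that is not the author's product code: one function picks the consent flow from the declared age, and one gate decides, per processing purpose, whether a request is allowed for that principal. The purpose names and the principal record are assumptions; so is the policy for an undeclared age (treated as a minor until an age is declared), which the post says must be explicit but does not prescribe.

```python
"""Age-branched consent gate for the signup flow described above.

Added example (not the author's product code): purpose names and the
principal record are assumptions, and so is the policy for an undeclared
age (treated as a minor until an age is declared)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

MINOR_BELOW = 18
BARRED_FOR_MINORS = {"targeted_advertising", "behavioural_monitoring"}


@dataclass
class Principal:
    principal_id: str
    declared_age: Optional[int]                  # None = left blank at signup
    consents: set = field(default_factory=set)   # purposes consented to (by principal or parent)
    parental_consent_verified: bool = False


def is_minor(p: Principal) -> bool:
    """Undeclared age takes the conservative branch (assumed policy)."""
    return p.declared_age is None or p.declared_age < MINOR_BELOW


def signup_branch(p: Principal) -> str:
    """Which consent flow the signup UI should show next."""
    if p.declared_age is None:
        return "age_required"  # block until declared; never default to adult
    return "parental_consent_flow" if is_minor(p) else "standard_consent_flow"


def decide(p: Principal, purpose: str) -> Tuple[bool, str]:
    """Allow/deny a processing purpose, with the reason to log beside the consent event."""
    if is_minor(p):
        if purpose in BARRED_FOR_MINORS:
            return False, f"{purpose} is not permitted for a minor"
        if not p.parental_consent_verified:
            return False, "verifiable parental consent not on record"
    if purpose not in p.consents:
        return False, "no consent recorded for this purpose"
    return True, "allowed"


if __name__ == "__main__":
    for who in (Principal("dp-1", 34, {"service_delivery", "targeted_advertising"}),
                Principal("dp-2", 15, {"service_delivery", "targeted_advertising"}, True),
                Principal("dp-3", None, {"service_delivery"})):
        print(who.principal_id, signup_branch(who), decide(who, "targeted_advertising"))
```

The reason string returned by `decide` is meant to be written into the same consent audit trail as Control 1, so the record shows not only that a minor's data was not used for targeted advertising but why the gate refused it.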
A pattern study: the gaps we found in an Indian healthtech audit
Healthtech SaaS, 70 engineers, Series B, ap-south-1 primary, processing Electronic Health Records. When we ran the DPDPA-aligned cloud security audit in February 2026, the findings were illustrative of the typical mid-market exposure:
- Control 1 — Consent: consent checkbox existed on signup, but consent events were not logged anywhere after the initial UI interaction. Evidence gap.
- Control 2 — Retention: patient records retained indefinitely on production RDS. No purge mechanism, no stated retention period, churned customer data still in live tables 14 months after contract termination.
- Control 3 — Breach detection: GuardDuty enabled but not routed to any alerting tier. Median alert-to-acknowledgement time in a tabletop exercise: 6 days.
- Control 4 — Grievance mechanism: privacy policy listed the founder's personal Gmail. No ticketing, no SLA enforcement, no audit trail of rights requests.
- Control 5 — Cross-border transfers: two analytics pipelines shipping pseudonymised EHR data to us-east-1 Snowflake. No documented basis, no data-flow register, no vendor DPA signed.
- Control 6 — Children's data: paediatric records represented 22% of the database. No age-gating, no parental consent workflow, no differentiated handling.
Remediation plan we delivered: a 30-day sprint (exactly what's described below), priced at ₹1.8 lakh for the Secure module engagement. Post-implementation audit at day 60 closed 5 of 6 controls; the sixth (full paediatric consent workflow rebuild) slid to a 90-day plan because it required product design work outside cloud infrastructure. Total penalty exposure reduction the company could document to its insurance carrier: ₹250 crore ceiling per control closed.
The 30-day sprint plan
Week 1 — diagnose. Run a PII inventory: every field in every production database that qualifies as Digital Personal Data. Pair with a data-flow audit — where does each field go (backups, logs, analytics, third-party processors)? Output: a single living document that every engineer on the team can read.
Week 2 — quick wins. Fix Control 2 (retention) and Control 5 (cross-border register). These are the two lowest-effort items with clear compliance trails. Retention is a database change + a scheduled job; the register is a YAML file.
Week 3 — detection. Stand up GuardDuty, Security Hub, and CloudWatch alarms per Control 3. Write the breach notification playbook. Run a tabletop exercise. Document the results.
Week 4 — consent + governance. Ship the consent audit trail (Control 1) and the grievance mechanism (Control 4). Update the public privacy policy. Publish the DPO/grievance officer contact. If you handle children's data (Control 6), add the age-gating flow.
This is not a full compliance programme — a full programme includes ongoing DPIAs, vendor risk reviews, internal audit cadence, and board-level reporting. But the 30-day sprint above will close the penalty exposure for the six controls that the Data Protection Board is likeliest to examine first.
The board-level conversation this enables
One benefit of closing the six controls above that doesn't get enough attention: it reframes the DPDPA conversation at board level. Without documented controls, "are we DPDPA-compliant?" is a question the CTO fields with uncomfortable hedges. With documented controls — consent audit trails, retention policies, breach playbooks, data-flow registers — the answer is factual: "We have closed six of the six highest-exposure controls as of ${date}. Residual risk lives in areas X, Y, Z with a remediation roadmap through ${quarter}."
Insurance carriers have started asking for the same evidence before underwriting cyber liability for Indian SaaS. Two of our customers renewed policies with DPDPA-aligned evidence packs and reported 15–22% premium reduction in the first post-renewal cycle. The controls pay for themselves in the year they ship.
Free DPDPA compliance checklist
We publish a full checklist — 47 items across the six controls above, mapped to AWS services, with the exact IAM policies and Terraform modules we use. It's a lead magnet on the site; no salesperson calls, no upsell, just the document.
Download DPDPA checklist → aicloudstrategist.com/downloads/
Our Secure module
If you'd rather have someone run the 30-day sprint alongside your engineering team, our Secure module is built for exactly this. Cloud security audit ₹1,00,000–₹2,00,000, DPDPA-aligned, with a 30-day implementation sprint included. First three customers at ₹40,000 under our launch cohort offer.
Start your free 24-hour Cloud Security Audit → aicloudstrategist.com/audit.html
Founder-led by Anushka B. AICloudStrategist advises Indian mid-market SaaS and fintech on cloud security and cost. DPDPA content here is operational, not legal counsel — we partner with external law firms for regulatory interpretation. See how we prove what we claim.
AICloudStrategist · Founder-led. Enterprise-reviewed. · Written by Anushka B, Founder.