Short answer: Indian bfsi companies can deploy AI in mobile apps under DPDP compliance by running inference on-device — no personal data leaves the device, satisfying data localisation and purpose limitation without additional consent infrastructure.
Your legal team's read of the DPDP Act is that processing customer financial data through a US-based AI API requires a cross-border transfer justification your compliance team can't yet provide. Your product roadmap has five AI features queued.
The DPDP Act's cross-border transfer provisions are still being operationalized through subordinate rules, but the direction is clear. Waiting for final rules to ship AI features means your competitors move first. On-device processing sidesteps the transfer question entirely - data that never leaves the customer's device in India has no cross-border transfer to justify.
What decisions determine whether this project ships in 6 weeks or 18 months?
Four decisions determine whether your BFSI AI features clear legal review in weeks or wait in a queue for rules that haven't been finalized.
Data fiduciary obligation. Under DPDP, your organization is the data fiduciary for customer financial data. An on-device model that processes data on the customer's phone without transmitting it to your servers reduces your processing surface area. But the model itself was trained and is distributed by someone. Your legal team needs to assess whether the model provider is a data processor under the Act, and whether that relationship requires a contractual framework before the model is embedded in your app.
Purpose limitation. DPDP requires that personal data be processed only for the purpose for which consent was obtained. An on-device model that infers creditworthiness from transaction data is processing for a defined purpose. One that also infers behavioral patterns for cross-sell targeting is not - even if the data never leaves the device. The purpose boundary has to be defined in the model's configuration and in the consent language before the feature ships.
Data principal rights. Customers under DPDP have the right to access, correct, and erase their personal data. If your on-device model builds a local financial profile to support AI features, your app needs a mechanism for the customer to view that profile, request corrections, and delete it. The rights management interface has to be built alongside the AI feature, not added later when a customer files a request.
Consent architecture. DPDP consent must be specific to each processing purpose, clearly stated in plain language, and revocable at any time. The consent flow in your app has to be built to these requirements before any AI feature ships. A single "I agree to terms" checkbox at onboarding is not sufficient for purpose-specific AI processing of financial data.
Most teams spend 4-6 months discovering these decisions by building the wrong version first. A team that has shipped this before compresses that to 1 week.
On-Device AI vs. Cloud AI: What's the Real Difference?
| Factor | On-Device AI | Cloud AI |
|---|---|---|
| Data transmission | None — data never leaves the device | All inputs sent to external server |
| Compliance | No BAA/DPA required for inference step | Requires BAA (HIPAA) or DPA (GDPR) |
| Latency | Under 100ms on Neural Engine | 300ms–2s (network + server queue) |
| Cost at scale | Fixed — one-time integration | Variable — $0.001–$0.01 per query |
| Offline capability | Full functionality, no connectivity needed | Requires active internet connection |
| Model size | 1B–7B parameters (quantized) | Unlimited (GPT-4, Claude 3, etc.) |
| Data sovereignty | Device-local, no cross-border transfer | Depends on server region and DPA chain |
The right choice depends on your compliance constraints, query volume, and task complexity. Wednesday scopes this in the first week — before any code is written.
Why is Wednesday the right team for on-device AI?
We built Off Grid because we hit every one of these problems in production. Off Grid is the fastest-growing on-device AI application in the world, with 50,000+ users running it today.
It's open source, with 1,650+ stars on GitHub and contributors from across the world. It has been cited in peer-reviewed clinical research on offline mobile edge AI.
Every decision named above - model choice, platform, server boundary, compliance posture - we have made before, at scale, for real deployments.
How long does the integration take, and what does it cost?
The engagement is four sprints. Each sprint is fixed-price. Each sprint has a named deliverable your team can put on a roadmap.
Discovery (Week 1, $5K): We resolve the four decisions - model, platform, server boundary, compliance posture. Deliverable: a 1-page architecture doc your CTO can take to the board and your Privacy Officer can take to Legal.
Integration (Weeks 2-3, $5K-$10K): We ship the on-device model into your app behind a feature flag. Deliverable: a working build your QA team can test against real workflows.
Optimization (Weeks 4-5, $5K-$10K): We hit the performance and compliance targets from the discovery doc. Deliverable: benchmarks signed off by your team.
Production hardening (Week 6, $5K): Edge cases, OS version coverage, app store and compliance review readiness. Deliverable: shippable build.
4-6 weeks total. $20K-$30K total.
Money back if we don't hit the benchmarks. We have not had to refund.
"Wednesday Solutions' team is very methodical in their approach. They have a unique style of working. They score very well in terms of the scalability, stability, and security of what they build." - Sachin Gaikwad, Founder & CEO, Buildd
Is on-device AI right for your organization?
Worth 30 minutes? We'll walk you through what your version of the four decisions looks like, what a realistic scope and timeline would be for your app, and what your compliance posture and on-device target mean in practice.
You'll leave with enough to run a planning meeting next week. No pitch deck.
If we're not the right team, we'll tell you who is.
Book a call with the Wednesday team
Frequently Asked Questions
Q: How does on-device AI help bfsi companies comply with India's DPDP Act?
DPDP requires consent for processing personal data and restricts cross-border transfers. An on-device model processing data locally satisfies the transfer restriction structurally — data that never leaves the device has no cross-border transfer to consent to.
Q: Does DPDP require a Data Fiduciary to register AI processing?
Significant Data Fiduciaries must conduct DPIAs for high-risk processing. AI systems processing sensitive personal data — financial, health, or identity data — likely require a DPIA. On-device AI reduces DPIA scope because local processing eliminates third-party processor involvement.
Q: How long does DPDP-compliant on-device AI take for bfsi?
4–6 weeks. Consent and disclosure documentation required under DPDP runs in parallel with the build. Wednesday has shipped on-device AI for Indian fintech and healthcare and is familiar with DPDP requirements.
Q: What does DPDP-compliant on-device AI cost?
$20K–$30K across four fixed-price sprints, money back if benchmarks aren't met.
Q: Can on-device AI process Aadhaar or financial data under DPDP?
Processing sensitive personal data requires explicit consent and documented purpose. On-device processing reduces risk surface — data is processed locally, and only the inference result (not raw data) is used by the app.
Top comments (0)