checkDPDP

Industry guide · #6 most exposed · High risk

DPDP Act for SaaS in India

B2B SaaS companies are typically Data Processors for their customers, but increasingly Data Fiduciaries for their own marketing site, support inbox, telemetry and trial signups. DPDP creates joint accountability — your customer's consent log is only as good as yours, and your DPAs to AWS / GCP / Stripe / OpenAI are the documentary chain you must produce.

Penalty exposure cap

₹150 cr

Most findings sit in the ₹50 cr band. SDF designation possible for very large SaaS; otherwise ₹150 cr is the realistic ceiling for a stacked enforcement action.

Realistic effort

80–200 hrs (4–10 weeks)

Eng lead + Privacy / Legal lead + CS lead

Annual budget

₹2–10 lakh / yr for CMP, vendor management, audit

Tooling + DPO retainer + audit

Sector regulators

CERT-In · Sector-specific (depends on customer mix)

Stack on top of DPDP — comply with both

Why this industry

How DPDP hits SaaS differently

SaaS rarely faces a catastrophic security finding, but is exposed across many small surfaces — trial signups, marketing analytics, sales-enablement tools, support tickets, OpenAI calls. Cumulative gap risk is significant; the dominant cost is DPA chase + India residency selection for the enterprise customer pipeline.

What you must do

Specific DPDP obligations for this sector

Section 8 joint accountability

Data Processing Addendums to every sub-processor

AWS, GCP, Stripe, OpenAI, Anthropic, Datadog, Sentry — every external service touching customer data needs a DPA on file.

Section 8

Customer-facing DPA template

Your customers will ask for your DPA in their procurement process. Have one ready that matches DPDP language, not just GDPR.

Section 16

India residency option for enterprise customers

BFSI/health/regulated customers will require India-resident processing. Plan ap-south-1 / asia-south-1 deployments.

Section 6

Consent on the marketing site

Trial signups, demo requests, gated downloads, analytics — all need consent like any other Indian site.

Section 11

DSR fulfilment SLA + tooling

Customers ask you to fulfil their end-user DSRs. Build the tenant-scoped delete/export pipeline before the first enterprise contract.

What to ship

Minimum control set + realistic time to land each

Effort estimates assume an in-house engineer + an external CMP/DPO partner where indicated. Cumulative time gets you to a defensible posture; full SDF maturity adds 1–2 quarters on top.

  1. Sub-processor inventory (live, public page)

     1 week · Checklist

  2. Customer-facing DPA aligned to DPDP

     1 week legal

  3. India region deployment option

     1–4 sprints depending on multi-region maturity

  4. Consent banner on marketing site

     1 day · Banner builder

  5. Tenant-scoped DSR pipeline (export, delete, rectify)

     2–4 weeks engineering

  6. Itemised privacy notice with sub-processor list link

     2 days · Notice template

  7. SOC 2 / ISO 27001 mapping to Section 8 safeguards

     4–8 weeks (or use existing certification)

What goes wrong

Real-world enforcement scenarios

Customer requests sub-processor list before signing

Have it public. The ones with the list close enterprise deals faster.

OpenAI / Anthropic processes customer data with no DPA

Section 8 joint liability + customer churn. File the DPAs; both vendors publish them.

Customer's end-user asks for deletion via your customer

Section 11 — fulfil tenant-scoped delete within 30 days. Build the pipeline now.

Close these first

The three highest-impact gaps for this sector

  1. No public sub-processor list

     Publish a /sub-processors page — table with name, purpose, location.

  2. Customer DPA template is GDPR-only

     Add DPDP-specific clauses (Section 8, breach windows, India residency).

  3. No tenant-scoped delete pipeline

     2–4 week engineering sprint — design now, ship before the first DPDP audit ask.
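The tenant-scoped DSR pipeline this guide asks for (export, rectify and delete, with the Section 11 30-day window), as an added Python example that is not checkDPDP's own code. The store layout, the tenant and principal ids, and the sample rows are constructed assumptions; the point it shows is that the same principal id in two tenants is never conflated, so one customer's delete cannot touch another customer's rows.

```python
# Added example, not from checkDPDP. Assumed layout: every record is keyed by
# (tenant_id, principal_id); a DSR always arrives through one tenant and must
# only ever read or change that tenant's rows. SLA_DAYS is the page's figure.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

SLA_DAYS = 30  # Section 11 window quoted on the page


@dataclass
class DsrStore:
    rows: Dict[Tuple[str, str], dict] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)  # evidence for the customer

    def _scoped_key(self, tenant: str, principal: str) -> Tuple[str, str]:
        # Single choke point: every verb below inherits the tenant scope check,
        # so a principal id that also exists in another tenant is unreachable.
        key = (tenant, principal)
        if key not in self.rows:
            raise KeyError(f"no record for {principal!r} within tenant {tenant!r}")
        return key

    def _log(self, verb: str, tenant: str, principal: str) -> None:
        self.audit.append({"verb": verb, "tenant": tenant, "principal": principal})

    def export(self, tenant: str, principal: str) -> dict:
        key = self._scoped_key(tenant, principal)
        self._log("export", tenant, principal)
        return dict(self.rows[key])  # copy, so callers cannot mutate the store

    def rectify(self, tenant: str, principal: str, changes: dict) -> dict:
        key = self._scoped_key(tenant, principal)
        self.rows[key].update(changes)
        self._log("rectify", tenant, principal)
        return dict(self.rows[key])

    def delete(self, tenant: str, principal: str) -> bool:
        key = self._scoped_key(tenant, principal)
        del self.rows[key]
        self._log("delete", tenant, principal)
        return key not in self.rows


def sla_deadline(received: date) -> date:
    """Last day on which the request may still be fulfilled."""
    return received + timedelta(days=SLA_DAYS)


def demo_store() -> DsrStore:
    # Constructed sample data: principal "u1" exists in two different tenants.
    store = DsrStore()
    store.rows[("acme", "u1")] = {"email": "u1@acme.example", "plan": "pro"}
    store.rows[("globex", "u1")] = {"email": "u1@globex.example", "plan": "free"}
    return store
```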


SaaS · FAQ

Sector-specific questions, answered

Are we a Data Processor or a Data Fiduciary?

Both — Processor for your customers' end-user data, Fiduciary for your own marketing site, trial signups and employees.

Do we need a DPO for SaaS?

Mandatory only if designated SDF (rare for mid-market SaaS), but enterprise customers will expect a named privacy contact regardless.

Is OpenAI a sub-processor?

Yes if you send customer data to it. Sign the OpenAI DPA, add it to your sub-processor list, notify customers.