SaaS Security & Compliance: India's DPDP Act + GDPR, What You Must Build In
Here is the short answer: under both India's Digital Personal Data Protection (DPDP) Act 2023 and the EU's GDPR, a SaaS that handles personal data must be able to prove — not just claim — that data is encrypted, access is role-restricted and logged, consent is captured and revocable, personal data can be exported and deleted on request, and a breach can be detected and reported on a clock (72 hours to regulators under GDPR and India's DPDP regime, and as little as 6 hours to India's CERT-In for cyber incidents). These are not legal formalities you bolt on before launch. They are architecture decisions — encryption model, data schema, audit pipeline, tenancy boundaries, region of hosting — that are brutally expensive to retrofit and nearly free to design in on day one. This guide is what we tell founders before they write the first migration: build the seven non-negotiables now, and compliance becomes a byproduct of good engineering rather than a fire drill before your first enterprise deal. (This is engineering and risk guidance from a software agency, written to be accurate — it is not legal advice. For a binding compliance opinion, retain a qualified privacy lawyer in your jurisdiction.)
Key takeaways
- DPDP and GDPR ask for the same seven capabilities: encryption, RBAC, immutable audit logs, consent management, data-subject request tooling, retention/deletion, and breach detection — all of which are day-one architecture decisions, not pre-launch paperwork.
- The penalties are company-ending: GDPR up to €20M or 4% of global turnover; India's DPDP up to ₹250 crore for weak security and ₹200 crore for failing to report a breach — and under DPDP, silence about a breach is its own offence.
- India runs two breach clocks: CERT-In demands incident reports within 6 hours, while the DPDP Board and GDPR work on a 72-hour timeline. Detection speed is the real bottleneck — you can't report what you never noticed.
- Data residency diverges: GDPR uses a whitelist (justify every export, SCCs), India uses a negative list (permissive by default), but RBI payment-localisation and enterprise buyer demands mean you should architect for region-pinned hosting early.
- Compliance built in is a sales advantage, not a tax — it passes enterprise security questionnaires in an afternoon; retrofitting it after launch is a multi-week re-platforming with permanent audit-history gaps.
Why should a founder care before product-market fit?
Two reasons, and neither is "because a lawyer said so." The first is risk. The second — the one that actually moves revenue — is trust. They compound.
On risk: the numbers are now large enough that a single mistake can end a company. GDPR's top tier is up to €20 million or 4% of global annual turnover, whichever is higher; European regulators issued roughly €1.2 billion in fines in 2025 and added over €600 million in just the first half of 2026. India's DPDP Act sets a maximum penalty of ₹250 crore (about $30M) for failing to implement reasonable security safeguards, and up to ₹200 crore for failing to report a breach. Crucially, under DPDP that breach-reporting penalty bites even if your security was fine — silence is its own offence.
On trust: every serious B2B buyer now sends a security questionnaire before signing. "Do you encrypt data at rest? Can you delete a user's data on request? Where is it hosted? Show me your access logs." If the honest answer is "we'd have to build that," you don't lose the deal politely — you lose it after weeks of back-and-forth, and you rebuild your data layer under deadline pressure. Founders who treated these as day-one architecture pass the questionnaire in an afternoon. That speed is a sales advantage, not a cost centre.
The trap is timing. Encryption strategy, audit logging, consent capture, and your hosting region are all foundational schema-and-infrastructure decisions. Retrofitting them after you have real customer data means migrations, re-encryption, downtime, and gaps in your audit trail you can never backfill. Pre-launch is the cheapest this work will ever be.
Non-negotiable engineering (not legal advice)
DPDP (India) and GDPR aren't paperwork you bolt on later — they're architecture decisions. Build them in from day one; retrofitting consent, audit logs, and data-residency is painful and risky. Confirm specifics with a qualified advisor.
What do DPDP and GDPR actually require — in plain English?
Strip away the legal language and both laws ask for the same handful of capabilities. The vocabulary differs (GDPR says "controller/processor/data subject"; DPDP says "Data Fiduciary/Data Processor/Data Principal") but the engineering obligations rhyme almost exactly.
Think of it as a contract between you and the people whose data you hold. You must collect data only with a lawful basis (usually consent), tell them clearly why, keep it secure, let them see/correct/delete it, not keep it forever, and own up quickly if it leaks. Everything below is the technical expression of that contract.
- Lawful basis & consent — you need a defensible reason to process data. Under DPDP, consent must be free, specific, informed, unambiguous, and as easy to withdraw as to give. GDPR allows other bases (contract, legitimate interest) but consent must meet the same bar.
- Purpose limitation & data minimisation — collect only what you need, for a stated purpose. Don't hoard "just in case." Every extra field is extra liability.
- Security safeguards — "reasonable" security: encryption, access control, and the ability to detect misuse. DPDP makes this a ₹250-crore-grade obligation; GDPR Article 32 demands "appropriate technical and organisational measures."
- Data-subject / Data-principal rights — users can request access, correction, erasure, and (under GDPR) portability. Your system must service these requests, not just promise to.
- Breach notification — detect, assess, and report on a clock. (Details below — this is where India and the EU diverge most.)
- Accountability — you must be able to *demonstrate* compliance: records of processing, consent logs, an audit trail. "We're careful" is not evidence; logs are.
- Cross-border transfer rules — where the data physically lives, and which laws follow it across borders.
The seven things you must build in from day one
This is the core checklist. Each maps directly to a clause in DPDP, GDPR, or both — but more importantly, each is a concrete engineering decision you make in the first weeks, not the last.
- 1. Encryption everywhere — TLS 1.2+ in transit (free, non-negotiable) and AES-256 at rest. Encrypt the database, backups, and file storage. For the most sensitive data (health, financial, secrets), encrypt specific fields at the application layer so even a leaked DB dump is ciphertext. Manage keys properly (a KMS / secrets manager), never hardcode them.
- 2. Role-Based Access Control (RBAC) — nobody, internal or external, sees data they don't need. Define roles, enforce least privilege, and in multi-tenant SaaS enforce hard tenant isolation (e.g. Postgres Row-Level Security) so Tenant A can never read Tenant B's rows. This is the #1 cause of cross-customer data leaks.
- 3. Immutable audit logs — record who accessed or changed what, and when. Append-only, tamper-evident, retained for a defined period. This is what proves accountability to a regulator and resolves "did someone touch this record?" instantly. You cannot backfill a log you never wrote.
- 4. Consent management — capture consent at the point of collection with a timestamp, version, and exact purpose; store it; and make withdrawal a first-class action that actually stops processing. Under DPDP's 2025 Rules, consent notices must be itemised and clear. A buried checkbox is not consent.
- 5. Data-subject request tooling — build the ability to export a user's complete data (portability) and to delete it (erasure) as actual functions, ideally self-service. When a deletion request arrives, you need a defined, logged flow — including cascading deletes and purging backups on a schedule.
- 6. Data retention & deletion policy in code — don't keep data forever. Define retention windows per data type and enforce them with automated jobs. "Delete after N days of inactivity" should be a scheduled task, not a manual cleanup someone forgets.
- 7. Breach detection & response runbook — you can't report what you can't detect. Wire up monitoring/alerting, and have a written runbook so that when an incident hits, the clock-driven notifications happen on time, not in a panic.
| Build in | Why it matters |
|---|---|
| Encryption (at rest + in transit) | Protects data even if something leaks |
| Role-based access control | Least-privilege; shrinks the blast radius |
| Audit logs | Who did what, when — trust + investigations |
| Consent + privacy controls | Lawful basis + user rights under DPDP/GDPR |
| Data residency options | Where data lives; cross-border rules |
| Breach detection + response | You must report fast |
| Data export + deletion | User rights: access, portability, erasure |
Build these in from day one
How fast must you report a breach — and to whom?
This is where founders get caught out, because India effectively has two clocks running at once, and one of them is the tightest in the world.
Under GDPR, you notify the relevant supervisory authority within 72 hours of becoming aware of a breach that risks people's rights, and notify affected individuals "without undue delay" if the risk is high. One regulator, one clock, well-understood.
India is stricter and more fragmented. Under the DPDP framework, you must notify the Data Protection Board "without delay" and affected Data Principals, with detail expected promptly. Separately — and this is the trap — CERT-In's 2022 directions require reporting a wide range of cyber incidents (not just personal-data breaches: ransomware, DDoS, unauthorised access, and more) within 6 hours of noticing them. A single ransomware event in India can therefore trigger a 6-hour CERT-In filing AND a DPDP Board notification. Many teams know the 72-hour number and miss the 6-hour one entirely.
The engineering takeaway is the same regardless of jurisdiction: detection speed is everything. A clock you can't start (because you didn't notice the breach) is a clock you've already lost. Invest in monitoring, alerting, and a pre-written incident runbook with named owners and templated notifications. The difference between a contained incident and a reportable catastrophe is usually how fast you saw it.
Where must the data live? Residency and cross-border transfers
"Where is your data hosted?" is now a standard procurement question, and the two regimes answer it very differently — which directly shapes your cloud architecture.
GDPR uses a positive-list (whitelist) model: you may transfer personal data out of the EU/EEA only to countries deemed "adequate," or with safeguards in place such as Standard Contractual Clauses (SCCs). The burden is on you to justify every export.
India's DPDP Act inverts this with a negative-list (blacklist) model under Section 16: transfers are permitted to all countries except any the government specifically restricts — and as of mid-2026, no restricted-country list has been published. So DPDP is, by default, more permissive on general cross-border transfer than GDPR. Note one important consequence: legacy GDPR-style SCC clauses are not the mechanism DPDP cares about, so a DPA written purely for the EU does not automatically satisfy India.
Two caveats that override the defaults. First, sectoral localisation can be far stricter than the privacy law itself — most notably RBI's rule that payment data be stored in India. If you touch Indian payments, you may need in-country storage regardless of DPDP. Second, enterprise buyers increasingly demand regional hosting (EU data in the EU, India data in India) contractually, even when the law doesn't strictly require it. The practical design answer is to architect for region-pinned hosting early — choosing a cloud and data model that lets you place data in a specific region per tenant — so you can satisfy whichever residency demand lands on you without re-platforming.
What does "build it in" actually look like in the stack?
None of this requires exotic technology. A modern, well-chosen stack gives you most of it nearly for free — the value is in the design discipline, not the tooling budget. Here is the pattern we build for SaaS clients, framed by capability so it's portable to any stack.
The point is that each of these is a decision made once, early, at the schema and infrastructure layer — and then it's just there. Bolting any of them on after launch costs an order of magnitude more and leaves gaps (especially in audit history) you can never fully close.
- Encryption: TLS terminated at the edge; database and storage encryption on by default (managed Postgres/cloud storage give you this); field-level encryption in the app layer for the few truly sensitive fields; keys in a managed KMS.
- Access & tenancy: RBAC enforced server-side (never trust the client); Postgres Row-Level Security for hard multi-tenant isolation; service-role keys kept server-side only.
- Audit & consent: an append-only audit table or log stream capturing actor, action, target, timestamp; a consent table versioning every grant/withdrawal with purpose and timestamp.
- Rights & retention: export and delete implemented as real, tested endpoints with cascading deletes; scheduled retention jobs that purge expired data and roll backups.
- Detection: centralised logging + alerting on anomalous access; an incident runbook checked into the repo with the 6h/72h templates ready to send.
- Residency: cloud region chosen deliberately per market; data model that supports placing a tenant's data in a chosen region.
Compliance as a competitive edge, not a tax
The framing that wins is this: every one of these controls is also a feature your enterprise buyers are willing to pay for. "We encrypt at rest, isolate every tenant with Row-Level Security, log every access immutably, and can delete or export your data on demand" is a sentence that closes deals. The same architecture that keeps a regulator satisfied is the architecture that survives a security questionnaire and an enterprise legal review.
Done right, the marginal cost of building this in on day one is small — it's mostly disciplined decisions about your schema, your hosting region, and your access model, made before you have data to migrate. Done late, it's a multi-week re-platforming project with irrecoverable gaps in your audit history and a deal stalled while you scramble. The merit case is unambiguous: build it in now.
This is exactly the kind of foundation we architect into the SaaS products we build — senior engineers, AI-accelerated delivery, a fixed written quote after a free scoping call, and you own 100% of the code. If you're scoping a new SaaS and want the data layer, tenancy model, and compliance posture designed correctly from the first migration, a short scoping call is the cheapest way to get it right the first time.
A final, honest caveat: this guide is accurate engineering and risk guidance, not legal advice, and privacy law is moving fast (India's DPDP Rules 2025 phase in substantive obligations through May 2027). Treat your lawyer and your architect as a pair — the lawyer tells you what the law requires for your specific business; the architect makes sure the software can actually prove it.
Frequently asked questions
Is the India DPDP Act in force yet, and when do I have to comply?
The DPDP Act 2023 and its implementing DPDP Rules 2025 were notified on 13 November 2025, with compliance phased in. The Data Protection Board was established immediately; consent-manager provisions take effect around November 2026; and most substantive obligations (consent notices, breach reporting, data-principal rights, security safeguards) become enforceable about 18 months from notification — roughly May 2027. That window is your build runway, not a reason to wait: the architecture takes longer to retrofit than the deadline allows.
Does GDPR apply to my SaaS if I'm based in India (or the US)?
Very likely yes, if you have any EU users. GDPR is extraterritorial — it applies to any organisation, anywhere, that offers goods or services to people in the EU/EEA or monitors their behaviour. Location of your company or servers is irrelevant; what matters is whose data you process. A Chennai- or US-based SaaS with EU customers is squarely in scope, which is why most serious SaaS products design to GDPR as the baseline and layer DPDP and other regimes on top.
What's the single most expensive thing to retrofit later?
Audit logging, closely followed by your encryption and tenancy model. You can't backfill an audit trail — any access that happened before you started logging is simply invisible forever, and that gap is exactly what a regulator or enterprise auditor asks about. Encryption-at-rest and multi-tenant isolation are nearly free on day one but become painful migrations (re-encrypting live data, restructuring the schema) once you have real customers. Build all three before launch.
Do I need to store Indian users' data inside India?
Not as a blanket rule under the DPDP Act itself — India uses a negative-list model, so transfers abroad are allowed unless the government restricts a specific country, and as of mid-2026 no such list exists. The big exception is sectoral rules: RBI requires payment data to be stored in India, and some enterprise buyers contractually demand in-country hosting. The safe design is to architect for region-pinned hosting so you can place data in India (or the EU) per tenant when a rule or a customer requires it.
How much does it cost to build a SaaS with this baked in versus adding it later?
Built in from day one, robust security and compliance foundations add very little to the project cost — they're mostly disciplined architecture decisions. A custom SaaS MVP with this foundation typically runs around $3,000–$6,000 (₹1.5–2.5 lakh) with us, versus the $25k–$200k+ traditional agencies charge. Retrofitting later is where it gets expensive: re-encryption, schema migration, downtime, and unrecoverable audit gaps, often costing several times more than building it correctly the first time. A free scoping call is the fastest way to get a fixed written quote for doing it right.
Have a project in mind?
We design, build, and ship software end-to-end — with a fixed, written quote after a free scoping call.
