Compliance | 7 min read | 10 March 2026

India's DPDP Act: What It Means for Your Cloud Infrastructure Choices

The Digital Personal Data Protection Act 2023 changes where Indian companies can store data. Here's what engineering teams need to know and how to stay compliant.


India's Digital Personal Data Protection (DPDP) Act 2023 is the most significant data regulation India has seen. For engineering teams responsible for cloud infrastructure, it creates specific obligations around where data is stored and how it's processed. Getting this right from the start is far easier than retrofitting compliance later.

What the DPDP Act Requires

The Act governs the processing of "digital personal data" — any data that can identify an individual. For most technology companies, this includes user accounts, transaction records, behavioural data, and any analytics that can be linked to individuals.

Data localisation. The Act gives the Indian government the power to restrict cross-border data transfers for certain categories of data. While the full transfer restrictions are still being finalised through rules, the direction is clear: sensitive personal data will face restrictions on leaving India.

Data fiduciary obligations. Any company processing personal data of Indian users is a "data fiduciary" and must implement reasonable security safeguards, establish a grievance mechanism, and be able to demonstrate compliance.

Data principal rights. Users have rights to access, correct, and erase their personal data. Your infrastructure must support these operations — which means knowing exactly where data lives and being able to act on deletion requests.

The Infrastructure Implications

For engineering teams, DPDP compliance is fundamentally an infrastructure and architecture question.

Where is your data stored? If you're using a global cloud provider, your data may be distributed across regions by default. The AWS Mumbai region is technically in India, but data replication to Singapore or other regions for redundancy may create compliance issues as transfer restrictions are clarified.

Who can access your data? Global cloud providers are subject to the laws of their home countries — US providers are subject to US government data requests. For Indian personal data, this creates a legal complexity that Indian-based providers do not have.

Can you demonstrate data residency? Compliance isn't just about where data is stored — it's about being able to prove it. Your cloud provider needs to offer clear data residency guarantees and the documentation to support them.

What "India Data Center" Actually Means

Not all "India presence" from cloud providers is equivalent.

Global hyperscalers operate India regions, but their control planes, management services, and billing systems are operated from overseas. Data stored in their India regions may still flow through overseas systems for management operations.

Indian cloud providers operate entirely within India's jurisdiction — control planes, management infrastructure, and customer data are all subject to Indian law. This is a materially different compliance posture.

For most Indian companies processing personal data of Indian users, an Indian cloud provider offers a cleaner compliance story — one that doesn't require explaining how a US-headquartered company's legal obligations interact with Indian data protection requirements.

Practical Steps for Engineering Teams

Audit your current data flows. Map where personal data enters your systems, where it's stored, where it's replicated, and what third-party services it's shared with. This audit is required for compliance and often reveals data storage you weren't aware of.

Implement data classification. Not all data carries the same compliance weight. User emails and transaction records require more careful handling than anonymous analytics. Build data classification into your infrastructure from the start.

Design for deletion. The right to erasure means your database schema, your backup strategy, and your data retention policies all need to support deletion of individual user records — including from backups.

Document your security controls. Reasonable security safeguards are required. Document what you've implemented: encryption at rest and in transit, access controls, audit logging, incident response procedures.

Choose infrastructure that simplifies compliance. An Indian cloud provider with clear data residency guarantees, AES-256 encryption, and compliance documentation makes the compliance conversation with auditors and enterprise customers much simpler.
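The audit and classification steps above can be turned into a repeatable check. The following is an added example, not part of the original post: it walks a constructed storage inventory and reports every personal-data store whose primary, replica, or backup location is outside India, plus any store that has no classification yet. The inventory schema, the classification labels, and the choice of `ap-south-1` and `ap-south-2` as the in-India AWS regions are assumptions made for illustration.

```python
import json

# Assumption: AWS region codes located in India (Mumbai, Hyderabad).
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}
# Assumption: labels your classification scheme uses for personal data.
PERSONAL_CLASSES = {"personal", "sensitive-personal"}

# Constructed sample inventory; in practice, export this from your cloud
# provider's APIs or your infrastructure-as-code state.
SAMPLE_INVENTORY = json.loads("""
[
 {"name": "user-profiles-db", "classification": "personal",
  "primary_region": "ap-south-1", "replica_regions": ["ap-southeast-1"],
  "backup_regions": ["ap-south-1"]},
 {"name": "txn-records", "classification": "sensitive-personal",
  "primary_region": "ap-south-1", "replica_regions": ["ap-south-2"],
  "backup_regions": ["us-east-1"]},
 {"name": "anon-analytics", "classification": "anonymous",
  "primary_region": "us-east-1"},
 {"name": "legacy-exports", "primary_region": "ap-southeast-1"},
 {"name": "kyc-docs", "classification": "sensitive-personal",
  "primary_region": "ap-south-2", "replica_regions": ["ap-south-1"],
  "backup_regions": ["ap-south-2"]}
]
""")

def residency_findings(inventory, india_regions=INDIA_REGIONS):
    """Return (store, role, region) tuples that need review."""
    findings = []
    for store in inventory:
        cls = store.get("classification")
        if cls is None:
            # Unclassified stores cannot be cleared; surface them first.
            findings.append((store["name"], "unclassified", None))
            continue
        if cls not in PERSONAL_CLASSES:
            continue
        # Replicas and backups count: a copy abroad is still a transfer.
        for role in ("primary_region", "replica_regions", "backup_regions"):
            value = store.get(role, [])
            regions = [value] if isinstance(value, str) else value
            for region in regions:
                if region not in india_regions:
                    findings.append((store["name"], role, region))
    return findings

if __name__ == "__main__":
    for name, role, region in residency_findings(SAMPLE_INVENTORY):
        print(f"{name}: {role} -> {region or 'needs classification'}")
```

Saving the findings from each run alongside the inventory snapshot gives you dated evidence for the "can you demonstrate data residency?" question.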

The Business Case for Compliance

DPDP compliance isn't just a legal obligation — it's a commercial advantage. Indian enterprise customers, particularly in BFSI and healthcare, are increasingly requiring data residency guarantees from their vendors. DPDP-compliant infrastructure is a sales enablement asset, not just a risk mitigation exercise.

Starting with compliant infrastructure is substantially cheaper than retrofitting compliance onto a system that was built without it.
