Quick Summary
- 1DPDP Rules were notified in November 2025 with phased deadlines: Consent Manager registration by November 2026, core technical obligations by May 2027.
- 2Compliance is a build problem — consent capture, data residency, audit logging, breach workflows, minimization and right-to-erasure all require architecture changes.
- 3Building it in from day one costs ~₹10–25 lakh for a typical B2B SaaS; retrofitting the same capabilities typically runs 3–5x more.
- 4Penalties for security-safeguard failures reach ₹250 crore per instance — a graded schedule applies to other violations.
Most Indian SaaS founders have read a legal summary of the Digital Personal Data Protection Act. Very few have read it the way an engineer must: as a list of systems that either exist in your product or don't. The DPDP Act, 2023 and the DPDP Rules notified on 13 November 2025 create obligations that no privacy policy can satisfy — they require code, schemas, infrastructure decisions and operational runbooks.
The clock is now specific. Consent Manager registration under Rule 4 takes effect one year from notification (November 2026), and the core technical rules — notice standards, reasonable security safeguards, breach notification, and retention-and-erasure triggers — commence eighteen months out, by May 2027. If your platform processes personal data of users in India, 2026 is the year this gets built.
At ZANISS SOFTWARES we've helped SaaS teams scope exactly this work. Here's what the Act actually demands from engineering, the architecture patterns that satisfy it, and — because someone has to say it — what it costs to retrofit versus build in from the start.
What DPDP actually requires — technically, not legally
Strip away the legal language and the Act resolves into six engineering deliverables:
1. Consent capture and lifecycle management. Consent must be free, specific, informed, unconditional, and given through a clear affirmative action — per purpose, not as a blanket "I agree." Users must be able to review and withdraw consent as easily as they gave it. That means: a consent data model (who consented to what purpose, when, via which notice version), APIs to check consent state before processing, and withdrawal flows that actually stop downstream processing.
2. Data residency and transfer controls. The DPDP framework allows cross-border transfers by default except to government-restricted countries — but Significant Data Fiduciaries face localisation requirements for specified data categories, and enterprise customers increasingly demand Indian residency contractually. You need to know, at the infrastructure level, exactly where every copy of personal data lives — including backups, analytics pipelines and third-party SaaS tools.
3. Audit logging. When the Data Protection Board asks what happened, "we checked the application logs" is not an answer. You need tamper-evident logs of consent events, data access, erasure actions and administrative operations — retained and searchable.
4. Breach notification workflows. On becoming aware of a personal data breach, you must intimate affected users and the Data Protection Board without delay, and provide the Board a detailed report within 72 hours. Seventy-two hours is an engineering SLA: it requires detection, scoping ("whose data, which fields"), user contact channels and a rehearsed runbook — none of which can be invented during an incident.
5. Data minimization and retention triggers. Collect only what the stated purpose needs, and erase when the purpose is served or consent is withdrawn. The Rules add concrete triggers — specified classes of platforms must erase personal data after three years of user inactivity, with advance notice to the user. "Erase" includes logs, backups within your rotation window, and data shared with processors.
6. Right to erasure and data principal rights. Users can demand access, correction and erasure, with grievance redressal on defined timelines. Engineering translation: a rights-request queue, identity verification, and erasure that actually traverses every store where the user's data lives — the hardest part of the entire Act for most architectures.
Penalties scale to ₹250 crore per instance for failure to maintain reasonable security safeguards leading to a breach. This is not a GDPR-style percentage-of-revenue fine you can model as cost of doing business; it's an existential number for most Indian SaaS companies.
Consent-management architecture patterns
Three patterns cover most SaaS situations:
Pattern A — Consent as a first-class service. A dedicated consent service owning the consent ledger: append-only records of (user, purpose, notice version, action, timestamp, channel). Every processing pathway queries it — synchronously for user-facing flows, via cached claims for high-volume paths. This is the pattern we recommend for multi-product companies and anyone who may qualify as a Significant Data Fiduciary.
Pattern B — Consent columns done properly. Smaller products can embed consent state in the user store — but per purpose, versioned, with history preserved. The failure mode is the single marketing_consent boolean overwritten in place: it cannot answer "what had the user consented to on the date of processing," which is exactly the question a regulator asks.
Pattern C — Registered Consent Manager integration. The Rules create registered Consent Managers — Board-registered platforms through which users can manage consent across fiduciaries. B2C products at scale should design their consent APIs now so that plugging into this ecosystem in 2027 is an integration, not a rebuild.
Whichever pattern you choose, the notice itself is versioned content: you must be able to prove which notice text a user saw. Store notice versions like you store contract versions.
Data residency: AWS Mumbai vs global regions
For Indian SaaS on AWS, the residency decision is more nuanced than "move everything to ap-south-1":
Full Indian residency (AWS Mumbai + Hyderabad). Primary data, backups and DR all within India — Mumbai (ap-south-1) as primary, Hyderabad (ap-south-2) for DR. Cleanest posture for government, BFSI and health customers, and future-proof against SDF localisation mandates. Cost note: Mumbai compute runs marginally higher than us-east-1 for some instance families, but the differential has narrowed and is rarely decisive.
Split architecture. Personal data of Indian data principals pinned to Indian regions; anonymized or aggregated analytics processed globally. Requires a disciplined data classification layer and careful review of what your telemetry actually contains — "anonymized" analytics with user IDs in event payloads is neither.
Global with transfer governance. Legally viable today for non-SDFs (transfers are permitted except to restricted countries), but re-architecting later is exactly the retrofit premium this article warns about. If your roadmap includes enterprise Indian customers, their procurement teams will ask for residency before the regulator does.
The residency question is inseparable from tenant isolation — if you can't say cleanly where one tenant's data lives, you can't pin it to a region. Our multi-tenant SaaS architecture post covers the isolation models that make per-tenant residency practical. Also audit your sub-processors: your CRM, support desk, email provider and error tracker all hold personal data. DPDP obligations follow the data, and your contracts with processors must reflect that. Pair this with our cloud solutions for region-pinning and DR design.
DPDP compliance: build-in vs retrofit cost (India, 2026)
| Compliance Capability | Price Range | Best For |
|---|---|---|
| Consent capture & lifecycle | ₹2–5 L vs ₹8–20 L | Per-purpose ledger, versioned notices, withdrawal flows |
| Data residency | ₹1.5–4 L vs ₹10–35 L | Region pinning, backup/DR relocation, sub-processor audit |
| Audit logging | ₹2–4 L vs ₹6–15 L | Append-only stream, tamper evidence, indexed search |
| Right to erasure | ₹2–5 L vs ₹8–25 L | Cross-store erasure engine, rights-request queue |
| Breach notification | ₹1–3 L vs ₹4–10 L | Detection, scoping queries, runbook, templates |
| Data minimization & retention | ₹1.5–4 L vs ₹5–15 L | Classification, TTL and inactivity triggers |
| Total | ₹10–25 L vs ₹41 L–1.2 Cr | Full DPDP readiness for a typical B2B SaaS |
Planning a Website? Don't Overpay or Underbuild
Most businesses overspend on features they don't need — or underspend and rebuild within a year. We help you scope it right from day one.
Audit logging and the 72-hour breach clock
Design the audit system around the questions a regulator or enterprise customer will ask:
- Who accessed this user's data, when and under what authorization?
- Show me every consent event for this user.
- When was erasure executed, and across which systems?
Practical implementation: an append-only audit stream (Kinesis/Kafka or even a locked-down audit table) with hash-chaining or storage-level immutability (S3 Object Lock) for tamper evidence, 3–7 year retention, and indexed search. Log data about actions, not copies of personal data — an audit log full of PII becomes its own liability.
For the breach SLA, the runbook needs to exist before the incident: detection alerting wired to a named on-call owner; a scoping query capability ("which users, which fields, what window"); pre-drafted notification templates in plain language; and a tested channel to reach affected users. Teams that rehearse this once a year meet the 72-hour report comfortably. Teams that don't, don't.
Retrofit vs build-in: what it costs
Indicative ranges for a typical B2B SaaS (10–50 person engineering org). Build-in = capability designed in during initial development; retrofit = adding it to a live, revenue-serving product. See the cost table above.
Ranges are indicative for scoping conversations, not quotations; complexity of data estate and number of sub-processors dominate the variance. The pattern, however, is stable across every project we've scoped: retrofitting costs 3–5x more than building in, because retrofit work includes archaeology (finding every place personal data flows), migration of live data and regression risk on revenue-serving systems.
There's also a due-diligence angle founders underestimate: DPDP readiness now appears on investor and acquirer technical checklists, alongside security posture and scalability. Our startup technical due diligence post covers how these reviews actually score it.
Common mistakes: treating DPDP as a legal-only checklist
The policy-first fallacy. A beautifully drafted privacy policy describing consent flows that don't exist in the product is worse than nothing — it's documented non-compliance.
The single boolean. One consent flag, overwritten on change, satisfying no per-purpose or point-in-time requirement. The most common finding in our reviews.
Erasure that isn't. Deleting the user row while their PII persists in logs, backups, analytics events, search indexes and the support desk. Map every store personal data touches; erasure is a graph traversal, not a DELETE statement.
Ignoring sub-processors. Your compliance boundary includes every third-party tool that holds user data. An Indian-residency architecture with a US-hosted support tool full of customer PII is not an Indian-residency architecture.
Waiting for enforcement. The phased deadlines look generous until you plot the engineering work against them. Consent infrastructure, residency migration and erasure engines are quarters of work, not sprints — and enterprise customers are already asking in RFPs, ahead of the regulator.
No named owner. Legal owns the interpretation; engineering owns the build. Projects fail in the gap. Appoint a technical compliance owner even if you're nowhere near Significant Data Fiduciary thresholds.
Working with us
We scope, build and audit DPDP-ready SaaS platforms end-to-end — consent services, residency architecture, erasure engines and breach runbooks. Pair this with our IT consulting and multi-tenant SaaS architecture guides, then contact us for a DPDP readiness assessment.
Pro Insight
Planning a cloud-native platform? Let's review your architecture for free.
At ZANISS SOFTWARES, we don't just build websites — we build growth systems.
- ✓SEO-first architecture
- ✓Conversion-focused design
- ✓High-speed performance
- ✓Scalable, future-proof code
📩 Response within 24 hours
