Most privacy laws draw a clean line between who collects data and who processes it. India’s Digital Personal Data Protection Act 2023 does not always make that line easy to locate. A SaaS company processing client data operates as a data processor. The same company handling its own employee records or account data is a data fiduciary. Different role, different obligation set, same organisation.
The DPDP Rules 2025, notified on November 13, 2025, make this difference legally consequential. Under the DPDP Act Schedule, penalties for non-compliance can reach ₹250 crore per violation, and the data fiduciary carries primary liability.
This guide breaks down what DPDPA for IT and SaaS companies means across both roles: obligations, risk areas and where to begin.
Are you a data fiduciary, a data processor, or both?
This is the key question for any IT or SaaS company testing its DPDP compliance position.
- An entity that determines the purpose and means of processing personal data is a data fiduciary.
- An entity that processes data on a fiduciary’s instructions is a data processor. The important point: both roles can apply to the same company at the same time, depending on the data flow.
A cloud SaaS company, for example, processes its firm clients’ end-user data as a data processor. But it determines the purpose of processing for its own employee data and account-level data, making it a fiduciary for those flows. Each flow needs to be mapped and classified independently.
Getting this wrong can be a major compliance mistake under DPDPA. Data fiduciaries remain primarily liable to the Data Protection Board of India (DPBI) even when a breach occurs at the processor level. That liability does not transfer simply because a contract exists.
5 DPDPA obligations every IT and SaaS company must address
The DPDP Rules 2025 define what compliance looks like across both roles. Here is what IT and SaaS companies need to act on:
Consent and notice architecture
As a data fiduciary, you must provide a plain-language privacy notice before collecting personal data. Consent has to be free, specific, informed at any time. For SaaS companies that are using customer data for model training etc. – a separate consent is required for each secondary purpose. Relying on bundled terms is not sufficient.
Data processing agreements (DPAs)
DPDPA requires every data fiduciary to engage processors only through a valid contract. As a SaaS vendor, you must also maintain a current sub-processor list and notify your enterprise customers before adding new sub-processors. Uncontrolled sub-processing is among the highest-risk areas for early enforcement action.
Security safeguards and log retention
DPDP Rules 2025 (Rule 6) need you to have encryption, access controls, audit logging and continuous monitoring. Logs covering personal data access must be kept for atleast a year.
Breach notification
DPDP Rules 2025 (Rule 7) need the Data Protection Board and affected people to be alerted after a personal data breach. The alert must be in plain language and include what data was exposed and how you can seek follow-up. According to the DPDP Act Schedule, failing to alert can lead to a penalty of up to ₹200 crore per incident.
Data principal rights management
Individuals have the right to access, correct and request removal of their personal data. Requests must be addressed within 90 days. IT and SaaS companies need a functional mechanism for managing these requests at scale and a grievance officer or contact point for escalations.
Cross-border transfers and sub-processor risk
For Indian IT services companies and global SaaS providers with Indian users, cross-border data routing adds a further compliance layer.
Under the DPDP Rules 2025, data transfers to countries on the MeitY whitelist are allowed without any additional safeguards. Transfer impact assessments for non-whitelisted destinations by Significant Data Fiduciaries (SDFs). SaaS companies processing personal data through US, UK or EU cloud infrastructure should audit those flows ahead of enforcement.
Industry observers highlighted a specific complexity in the analysis of the DPDP Rules 2025, i.e. many companies are both data processors under DPDP and data controllers under GDPR or CCPA for the same data flows. Contracts should be designed to explicitly cover each regulatory obligation.
The compliance window
The DPDP Rules 2025 came into force on November 13, 2025. The Consent Manager framework becomes operational in November 2026. Full compliance, including consent, privacy notices and security obligations, is required by May 13, 2027, per the DPDP Rules 2025 enforcement timeline.
The DPDP Act Schedule provides for penalties of up to ₹250 crore per contravention for failures relating to security safeguards and children’s data. These are per-violation figures. When there are multiple violations across data flows, the total exposure increases a lot.
For DPDPA for IT and SaaS companies, 2026 is the year to operationalise, not just plan. Organisations with documented, auditable compliance programmes in place before May 2027 will be better prepared when enforcement begins.
Conclusion
DPDPA for IT and SaaS companies goes beyond just a privacy policy update. It needs you to map data flows, establish processor contracts, build consent architecture and implement security controls that are audit-ready.
CyberNX’s DPDPA for IT and SaaS companies services map their data fiduciary and processor roles, test gaps against the DPDP Rules 2025 and build a compliance programme designed for the enforcement ahead. If your firm processes personal data of people in India, connect with us to begin your DPDPA compliance assessment today.
DPDPA for IT and SaaS Companies FAQs
Does DPDPA apply to foreign SaaS companies with Indian users?
Yes, it does. Any company that processes personal data in regard to offering goods or services to people in India have to comply, regardless of where it is incorporated or where its servers are located.
What is the difference between a data fiduciary and a data processor under DPDPA?
A data fiduciary determines the purpose and means of processing personal data. A data processor acts on the fiduciary’s instructions. SaaS companies frequently hold both roles simultaneously for different data flows and must comply with the obligations attached to each role separately.
Can SaaS companies use customer data for AI model training under DPDPA?
Not without explicit, purpose-specific consent. The DPDP Act requires separate consent for secondary purposes such as model training, product improvement and benchmarking. Relying on pseudonymised or aggregated data as a workaround is not legally sufficient under the current framework.
If a data breach occurs at the processor level, who is liable?
The data fiduciary is primarily liable to the Data Protection Board of India and to affected people, even if the breach started with the processor. This makes responsibility on processor contracts and sub-processor oversight a critical part of DPDPA compliance for IT and SaaS companies.




