Cross-border data transfer is one of the most commercially significant aspects of the DPDP Act for Indian tech companies. Cloud-first startups, SaaS platforms, and global enterprises operating in India all face the same question: where can data travel, and under what conditions? The short answer today is "almost anywhere, with appropriate contracts", but that answer can change once the Central Government publishes its notified list.
This blog completes the DPDP series. For the wider compliance programme, see our 90-day roadmap. For vendor management (which sits next to cross-border transfer in any practical implementation) see the supplier control steps within the roadmap.
1. What Section 16 Says
Section 16(1) of the DPDP Act, 2023 lets the Central Government, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to any country or territory outside India that it names. This is a negative-list model: transfers are permitted unless a destination has been notified as restricted. (The 2022 draft Bill had taken the opposite, whitelist approach, allowing transfers only to notified countries; the enacted Act dropped it.) Section 16(2) adds that the section does not override any other Indian law that imposes a higher degree of protection or restriction on transfers, which is why sectoral rules such as RBI's payment-data localisation continue to apply on top of the Act.
At the time of writing, the Rules under the Act were still being finalised and no restricted list had been notified. Until a list is published, transfers are generally permitted, subject to ongoing monitoring of regulatory guidance, so the practical landscape is "open by default" but able to tighten on short notice.
The Central Government's notification of restricted and permitted transfer territories is one of the most critical pending developments under DPDP. Build your compliance programme to adapt quickly. Architectures that can switch cloud regions on a quarter's notice are vastly more resilient than architectures locked into a single overseas region.
2. What This Means in Practice Today
If you use global cloud providers (AWS, Azure, GCP)
Most Indian companies process and store data on global cloud infrastructure. Under current DPDP provisions, transfers to these providers are generally permissible, subject to the eventual restricted list. Note that it is the region, not the provider, that makes a flow cross-border: a workload pinned to ap-south-1 (Mumbai) keeps data in India, while the same workload in us-east-1 is a transfer. The practical tasks:
- Know exactly where your data regions are configured (us-east-1, eu-west-1, ap-south-1, etc.)
- Ensure your cloud contracts include appropriate data processing terms
- Configure data residency settings where available for sensitive categories
- Architect your application so a region change is operationally feasible, not a six-month migration project
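As an added example, not from the original post: an AWS Organizations service control policy (SCP) that makes the allowed-region list explicit in one place and denies API calls everywhere else. The region list is an assumption for illustration (only the two Indian regions); since overseas regions are currently permitted, a real policy may well list EU or US regions as well. The point is that tightening the list after a notification is a one-line change rather than a migration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "account:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "ap-south-1",
            "ap-south-2"
          ]
        }
      }
    }
  ]
}
```

Three caveats a practitioner will want. The NotAction list exempts global services whose API endpoints are not regional (IAM, STS, CloudFront, Route 53 and so on); it is a starting subset, and you should extend it from the services you actually use rather than loosening the region condition. SCPs do not apply to the organisation's management account, so workloads there are not covered. And the policy blocks new calls outside the list but does not move data already stored elsewhere, so it complements, rather than replaces, the data-flow register described later in this post.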
If you are (or might become) a Significant Data Fiduciary
SDFs, meaning Data Fiduciaries the Central Government designates under Section 10 on factors such as the volume and sensitivity of personal data processed, the risk to Data Principals, and the potential impact on sovereignty, electoral democracy and security of the State, face additional scrutiny on transfers. The government may impose stricter conditions on SDFs, including data localisation for specified categories of personal data. Review your classification status and prepare accordingly. If you process tens of millions of data principals' records, or operate in a sector with sovereignty concerns (electoral, health, payments), assume SDF designation is at least possible and architect for it.
If you use SaaS vendors based overseas
Every SaaS tool that touches Indian personal data is potentially a cross-border transfer. The common offenders:
| Category | Examples | Data Type |
|---|---|---|
| CRM | Salesforce, HubSpot | Customer profile, contact |
| Marketing automation | Mailchimp, Klaviyo | Email, behavioural profile |
| Analytics | Mixpanel, Amplitude, GA4 | Behavioural, device, location |
| HR platforms | Workday, Darwinbox | Employee records |
| Support tools | Zendesk, Intercom | Conversation, identity |
| Error monitoring | Sentry, Datadog | User context in stack traces |
Audit every SaaS vendor processing Indian user data. Ensure Data Processing Agreements address cross-border transfer compliance, sub-processor disclosure, and breach notification timelines back to you.
3. Sensitive Data -Extra Caution
Certain categories of data warrant heightened protection. While the DPDP Act does not enumerate "sensitive personal data" as explicitly as GDPR does, the following categories deserve extra care when transferred internationally:
- Financial data: RBI's 2018 directive on storage of payment system data requires that data to be stored in India (with a narrow carve-out for the foreign leg of cross-border transactions). SEBI imposes its own requirements on broker and investor data.
- Health data: the draft DISHA bill (never enacted) and the National Digital Health Mission (now the Ayushman Bharat Digital Mission) signal localisation expectations for health records even in the absence of a binding general rule.
- Children's data: Section 9 of the DPDP Act mandates verifiable parental consent and prohibits tracking, behavioural monitoring and targeted advertising directed at children. Cross-border processing of children's data should be additionally scrutinised.
- Government and electoral data: sovereignty concerns make these subject to localisation under sector-specific rules.
For these categories: evaluate whether processing can occur within India, apply additional contractual protections with overseas vendors, and monitor regulatory guidance for localisation requirements.
4. Building a Transfer-Ready Architecture
Know your data flows
Map every cross-border data flow in your organisation. Document for each:
- What data categories are transferred
- To which countries
- To which vendors or subsidiaries
- Under what contractual protections
- What purpose the transfer serves
Maintain this in a register you can produce on demand. Update it whenever you onboard a new vendor or change a cloud region.
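As an added example (not part of the original post, and not SecComply's tooling), here is a small Python model of the register described above, with a check that answers the question section 5 raises: which flows need attention the day a restricted-territory list is notified, and which already lack a DPA or carry sensitive categories abroad. The region-to-country mapping, the sample register and the restricted code "XX" are constructed for illustration; no territory has been notified at the time of writing.

```python
"""Cross-border transfer register with a remediation check.

Constructed illustration: the region map, the sample register and the
restricted territory "XX" are assumptions, not notified facts.
"""
from dataclasses import dataclass, field

# Assumed mapping of cloud region codes to ISO 3166 country codes (constructed subset).
REGION_COUNTRY = {
    "ap-south-1": "IN", "ap-south-2": "IN",
    "us-east-1": "US", "us-west-2": "US",
    "eu-west-1": "IE", "eu-central-1": "DE",
    "ap-southeast-1": "SG",
}

# Categories the post singles out for extra caution (section 3).
SENSITIVE = {"financial", "health", "children", "electoral"}


@dataclass
class Flow:
    name: str                      # vendor, subsidiary or cloud workload
    categories: set                # data categories transferred
    countries: set                 # where the recipient itself processes the data
    purpose: str
    dpa_in_place: bool
    subprocessor_countries: set = field(default_factory=set)

    def destinations(self):
        """Every country the data can reach, sub-processors included."""
        return self.countries | self.subprocessor_countries


def cloud_flow(name, categories, regions, purpose, dpa_in_place=True):
    """Derive a Flow for a cloud workload from its configured regions.
    An unmapped region is an error rather than a silent gap in the register."""
    unknown = [r for r in regions if r not in REGION_COUNTRY]
    if unknown:
        raise ValueError(f"unmapped regions: {unknown}")
    return Flow(name, set(categories), {REGION_COUNTRY[r] for r in regions},
                purpose, dpa_in_place)


def review_register(register, restricted, home="IN"):
    """Return (flow name, reason) findings for flows that leave `home`.

    A recipient hosted at home with a foreign sub-processor still counts as a
    transfer. `restricted` is the notified territory list (hypothetical here)."""
    restricted = set(restricted)
    findings = []
    for flow in register:
        abroad = flow.destinations() - {home}
        if not abroad:
            continue  # processed only at home: not a cross-border transfer
        hit = abroad & restricted
        if hit:
            findings.append((flow.name, f"restricted territory: {sorted(hit)}"))
        if not flow.dpa_in_place:
            findings.append((flow.name, "no DPA covering overseas processing"))
        sensitive = flow.categories & SENSITIVE
        if sensitive:
            findings.append((flow.name, f"sensitive categories abroad: {sorted(sensitive)}"))
    return findings


# Constructed sample register.
REGISTER = [
    cloud_flow("prod-api (AWS)", ["contact", "behavioural"], ["ap-south-1"], "core service"),
    cloud_flow("analytics warehouse (AWS)", ["behavioural", "device"], ["us-east-1"], "product analytics"),
    Flow("CRM vendor", {"contact", "financial"}, {"US"}, "sales", True,
         subprocessor_countries={"XX"}),       # XX: hypothetical restricted code
    Flow("support desk", {"conversation", "identity"}, {"IN"}, "support", False,
         subprocessor_countries={"US"}),       # hosted in India, sub-processor abroad
    Flow("error monitoring", {"device"}, {"DE"}, "ops", False),
]

if __name__ == "__main__":
    for name, reason in review_register(REGISTER, restricted={"XX"}):
        print(f"{name}: {reason}")
```

The register is the thing to keep current; the check is cheap once it exists. Re-run it the day a notification lands, capture sub-processor countries from the vendor's DPA disclosures rather than assuming the vendor's own hosting location is the whole story, and extend `REGION_COUNTRY` as you add regions instead of letting `cloud_flow` guess.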
Use Data Processing Agreements
For every vendor receiving Indian personal data overseas, have a DPA that specifies:
- The vendor's role as Data Processor
- Categories of data processed
- Security standards the vendor must maintain
- Sub-processor approval requirements
- Breach notification requirements back to you (typically 24-72 hours), short enough for you to meet your own obligation under Section 8(6) to intimate the Data Protection Board and affected Data Principals
- Audit rights and assistance obligations
- Data return or deletion obligations at end of relationship
Configure data residency where possible
Major cloud providers offer regional data residency configurations. For highly sensitive data, configure Indian or compliant-territory regions. This may add latency but reduces transfer risk significantly. For SaaS vendors, ask explicitly whether they offer Indian or regional data hosting, which is increasingly common as DPDP becomes more visible.
Plan for vendor swap
Treat overseas vendor lock-in as a regulatory risk. The vendors least exposed to regulatory pivots are the ones where you have an alternative, in or near India, that you could switch to within a defined timeframe. Even if you never need to, the optionality is what protects you.
5. What To Watch For
- The Government's notification of restricted transfer territories: a public announcement could require immediate remediation. Maintain a watch on official notifications.
- SDF classification thresholds: if you cross the threshold, transfer rules tighten. Track your data volumes and demographic reach.
- Sector-specific regulations: RBI, IRDAI, MoHFW, and other regulators may impose layered requirements on top of DPDP. The toughest applicable rule controls.
- Bilateral or multilateral data transfer agreements: India may negotiate country-level transfer frameworks similar to EU adequacy decisions. Such agreements would simplify compliance for transfers to listed countries.
- Court interpretations: early DPDP enforcement cases will set practical precedent on cross-border issues. The first major case will likely come from the financial or health sectors.
Cross-border transfer compliance under DPDP is a moving target while the Rules are pending. Build a flexible programme: know your flows now, maintain strong contractual protections, configure for regional residency where it matters, and stay close to regulatory updates. Companies that build for adaptability will be fine; companies that build for "compliance as it stood last quarter" will scramble each time a notification drops.
Need to map your cross-border data flows?
SecComply maps every overseas data flow in your organisation, reviews the DPAs that protect them, and builds the transfer register that satisfies the Board. We track DPDP regulatory updates so you do not have to.
FAQ
Can we keep using overseas cloud regions (AWS, Azure, GCP) under DPDP?
Generally yes, at present. Section 16 permits the Central Government to restrict transfers to specific countries via a notified list. Until that list is published, transfers to global cloud providers like AWS, Azure, and GCP (including their US and EU regions) are generally permissible. The position can change once the restricted list is notified, so monitor regulatory updates and configure your architecture to switch regions if needed.
Does the DPDP Act require data localisation?
Not universally; the DPDP Act does not impose blanket data localisation. However, sectoral regulators (RBI for payment data, IRDAI for insurance, MoHFW for health) impose localisation requirements within their domains, and Significant Data Fiduciaries may face stricter rules. Check sectoral rules alongside DPDP; the toughest applicable requirement controls.
What is a Significant Data Fiduciary?
A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government based on factors including volume and sensitivity of personal data processed, risk to data principals, and impact on sovereignty and electoral integrity. SDFs face additional obligations including appointing a Data Protection Officer, conducting data protection impact assessments, and stricter transfer rules. The thresholds and designations are still being defined through rules.
How do we build a cross-border transfer register?
Start with the data inventory from your DPDP mapping exercise. For each data flow, capture: data categories involved, source system, destination country and vendor, contractual basis (DPA in place), and purpose. Maintain this in a register that you can produce on demand. Update it whenever you onboard a new vendor or change a cloud region.
What should a DPA with an overseas vendor cover?
Each overseas vendor processing Indian personal data should have a Data Processing Agreement (DPA) with: a clear statement of the vendor's role as Data Processor, the categories of data processed, security standards required, sub-processor approval requirements, breach notification timelines back to you, audit rights, and data return or deletion obligations at end of relationship. The DPA is your contractual proof that the transfer is protected.