Your Indian startup has global users: staying DPDP-compliant in both directions
At a glance
DPDP applies to an Indian startup with global users in two directions. Inward: the Act reaches processing of Indian users’ data wherever in the world it happens, including by a foreign entity. Outward: sending Indian users’ data to foreign tools or team members is generally allowed under DPDP’s “negative list” model — no destination is currently restricted — so long as your ordinary DPDP safeguards travel with the data. Neither direction is fully settled yet.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to an Indian startup operating with users or infrastructure outside India; it is not formal legal advice.
On this page
- Does DPDP apply to a foreign company serving Indian users?
- Sending your Indian users’ data overseas — what’s actually restricted
- Using foreign SaaS tools for Indian customer data
- The two-way checklist
- FAQ
The situation
A startup with users in more than one country runs into DPDP from two angles at once. There’s the question of whether the Act reaches you at all if part of your operation sits outside India, and there’s the separate question of whether you’re allowed to send your Indian users’ data to tools, vendors or teams abroad. They get conflated often enough that it’s worth answering them one at a time.
Does DPDP apply to a foreign company serving Indian users?
Yes — the Act reaches processing outside India if it’s connected to offering goods or services to people in India, similar in spirit to how GDPR reaches into other countries. DPDP isn’t limited to entities incorporated or operating from within India. If your processing of personal data is in connection with offering goods or services to Data Principals located in India, the Act applies to that processing regardless of where your company or its servers are based. The flip side matters too: if your Indian startup genuinely has zero Indian users — every Data Principal is abroad — DPDP’s hold on that specific data is narrower, though you’d then be looking at whichever data protection law those users’ countries apply instead. The moment any of your users are in India, their data is squarely inside DPDP’s scope.
Sending your Indian users’ data overseas — what’s actually restricted
DPDP uses a “negative list” model, not a whitelist — transfers are generally allowed unless the government specifically restricts a destination, and so far none has been. Section 16 lets the central government notify countries or territories where transferring personal data outside India is either prohibited or allowed only under specified conditions. As of this writing, no country or territory has actually been notified as restricted — the default, permissive baseline is what applies. This is a genuine and common point of confusion: an earlier draft of the framework floated a “positive list” (approved-destinations-only) model, but that isn’t what the enacted Section 16 does. Don’t build your cross-border strategy around a restricted-country list that doesn’t exist yet.
What sending data abroad does not get you out of is DPDP’s ordinary obligations. Wherever your Indian users’ data is processed — your own servers, a foreign cloud region, an offshore team — the notice, consent, security, retention and breach-notification duties you owe as the Data Fiduciary travel with it. You stay accountable for what happens to it, including what a foreign processor does with it on your instructions.
Using foreign SaaS tools for Indian customer data
Generally fine under the current default — but the responsibility for what the vendor does with the data stays with you. AWS, Google Cloud, Salesforce, Dropbox and similar foreign-headquartered tools aren’t barred from holding Indian personal data under the current negative-list default. What matters is the same as any processor relationship: you (the Data Fiduciary) remain accountable for the security, purpose-limitation and retention of that data, so contractual safeguards with the vendor and genuine oversight of how they handle it matter more than which country their data centre sits in.
One tier to watch: if you’re a Significant Data Fiduciary (a government-notified status, not something you self-declare into), you can separately be required to keep specified categories of data within India regardless of the general cross-border rule. That’s a distinct, class-specific restriction layered on top of Section 16 — not yet notified for any data class, but worth tracking if your scale or data sensitivity puts you plausibly in SDF territory.
The two-way checklist
Work both directions, not just the one that feels more urgent.
- Map where your Indian users’ data actually goes — which vendors, which regions, which team locations.
- Confirm none of those destinations are government-restricted — currently none are, but this is the one item on this list that can change with a single notification.
- Keep DPDP’s core safeguards attached to the data wherever it’s processed — notice, consent, security, retention limits, breach reporting — not just where your headquarters happens to sit.
- Don’t assume DPDP compliance satisfies another jurisdiction’s law, or vice versa. If you have users outside India, their local law (GDPR and others) may apply independently.
- Watch this space. The restricted-country list and SDF localisation rules are both still open; a notification on either would change what’s allowed.
FAQ
Does DPDP apply to my startup if my servers are outside India? Yes, if you’re processing personal data of people located in India, or offering goods or services to them — the Act’s reach follows the users, not where your infrastructure sits.
Can I use AWS or Google Cloud for Indian customer data? Generally yes, under the current default. No country has been notified as a restricted destination under Section 16. You stay responsible for how the vendor handles the data on your behalf.
Is DPDP’s cross-border rule the same as GDPR’s? Similar in spirit (extra-territorial reach), different in mechanism. DPDP uses a negative list — transfers are allowed unless a destination is specifically restricted — rather than GDPR’s adequacy/whitelist-style model. No destinations are currently restricted under DPDP.
What if my Indian startup has zero Indian users — does DPDP still apply? DPDP’s hold on that specific data is much narrower if none of your Data Principals are in India, but you’d then need to check whichever data protection laws apply in the countries your users actually are in.
Related reading
- Are you a Significant Data Fiduciary? — the tier that can carry an additional, class-specific data-localisation duty.
- DPDP vs the old IT Act / SPDI Rules — how the compliance baseline changed for any business handling Indian personal data.
- How to collect personal data compliantly under DPDP — the notice-and-consent duties that travel with your data wherever it’s processed.
- Data retention and erasure under DPDP — the retention duty that applies regardless of where data is stored.
Reviewed by Confidential Dispatch Editorial Team
Last updated 10 July 2026
Not legal advice.