The Layered Architecture of Indian Data Sovereignty
India's data localisation landscape is not a single regulation. It is a layered architecture where the DPDPA's general framework sits atop sector-specific mandates that impose hard storage-in-India requirements. The DPDPA itself adopts a permissive approach — data may flow across borders unless the Central Government notifies a restricted jurisdiction through a negative list. But this general permissiveness is qualified by sectoral regulations that predate the DPDPA and continue to operate independently. The Reserve Bank of India mandates that all payment system data be stored exclusively within India. The Insurance Regulatory and Development Authority requires policyholder data localisation. SEBI imposes cybersecurity and data governance obligations on market infrastructure institutions. For foreign companies entering India, the compliance question is not whether data can leave — it is which data, from which sector, under which regulator.
Why Data Localisation Is the First Question Foreign Companies Must Answer
The intersection of the DPDPA's permissive transfer framework with hard sectoral mandates creates compliance complexity that most global infrastructure architectures are not designed to handle.
Foreign companies entering India typically operate global cloud architectures — centralised data lakes, multi-region processing clusters, and SaaS platforms that route data through the most efficient infrastructure regardless of geography. India's data localisation landscape fundamentally challenges this model. The RBI's 2018 directive requires payment system operators to store end-to-end transaction data exclusively in India. The foreign leg of a cross-border transaction may be processed abroad, but the data must be deleted from foreign systems and returned to India within 24 hours. This is not a DPDPA requirement — it is a standalone mandate that has been enforced since 2018.
The DPDPA adds a second layer. While it does not impose blanket localisation, it empowers the Central Government to restrict transfers to specific countries or entities at any time through a negative-list notification. This creates a future-proofing obligation: organisations must build infrastructure that can absorb new restrictions without architectural redesign. The combination of existing sectoral mandates, the DPDPA's latent restriction power, and the practical reality that data mapping across Indian operations is complex means that localisation is not a compliance afterthought. It is the foundational infrastructure decision that determines every subsequent operational choice.
Six Dimensions of Indian Data Localisation
The regulatory, sectoral, and operational requirements that foreign companies must map before deploying data infrastructure in India.
RBI Payment Data Localisation
RBI Circular 2018
All payment system operators — banks, card networks, fintech companies, and payment aggregators — must store end-to-end transaction data exclusively within India. This includes payment-sensitive data (PIN, CVV, OTP), transaction records, and customer profiles used in payment flows. The foreign leg of cross-border transactions may be temporarily processed abroad but must be deleted from foreign systems and repatriated within 24 hours.
DPDPA Negative-List Framework
Section 16, DPDPA 2023
The DPDPA permits cross-border transfers to all jurisdictions except those specifically restricted by Central Government notification. At the time of writing, no negative list has been published — but the power exists and can be exercised at any time. Organisations must build transfer infrastructure that can absorb new restrictions without requiring architectural redesign.
IRDAI Insurance Data Residency
IRDAI Guidelines
Insurance companies and intermediaries operating in India must maintain policyholder data, claims records, and underwriting information within Indian data centres. This requirement applies to both domestic insurers and foreign reinsurers processing Indian policyholder data. Cross-border analytics are permitted, but the primary data repository must remain within Indian jurisdiction.
SEBI Market Infrastructure Obligations
SEBI Cybersecurity Framework
Market infrastructure institutions regulated by SEBI face data governance obligations that include local storage of transaction records, customer data, and trading activity logs. SEBI's cybersecurity framework requires vulnerability assessments by CERT-In empanelled auditors and mandates that critical system data remain within Indian infrastructure.
Cloud Architecture Compliance
Cross-Sectoral
Foreign companies must adopt India-first cloud architectures — utilising local regions (AWS Mumbai/Hyderabad, Azure Central India, GCP Mumbai) to satisfy localisation requirements. Data categorisation is essential: payment data, insurance data, and market data each carry different localisation obligations. A single global data lake architecture will not satisfy Indian requirements.
Audit and Certification Requirements
RBI, SEBI, CERT-In
Financial and payment operators must submit System Audit Reports from CERT-In empanelled auditors to verify compliance with localisation directives. These audits examine data flow logs, storage architecture, access controls, and cross-border transfer mechanisms. Non-compliance findings can trigger regulatory action independent of the DPDPA enforcement framework.
Building an India-First Data Architecture
The practical challenge for foreign companies is not understanding individual localisation requirements — it is building infrastructure that satisfies all of them simultaneously without creating operational silos. The recommended approach is a layered data classification framework. First, categorise all data processed in connection with Indian operations: payment data (RBI-regulated), insurance data (IRDAI-regulated), market data (SEBI-regulated), and general personal data (DPDPA-regulated). Each category carries different storage, processing, and transfer obligations. Second, deploy a local key management service (KMS) so that even data accessed from global systems remains encrypted under Indian-managed keys. Third, implement automated data flow monitoring that flags any transfer to a jurisdiction that may appear on a future DPDPA negative list. Fourth, establish a regulatory change management process that can absorb new localisation requirements within defined implementation timelines. The objective is not to create a hermetically sealed Indian data environment. It is to build an architecture that is compliant by design — one that treats localisation as an infrastructure feature rather than a compliance bolt-on.
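As an added illustration of the automated data-flow monitoring step (example code written for this page, not a regulator's or vendor's tool), the following Python policy check evaluates constructed flow-inventory records against the sectoral storage rules, the 24-hour foreign-leg limit, and a configurable DPDPA negative list. The cloud region identifiers, record fields and purpose labels are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Region ids are assumed provider identifiers for the India regions the page names.
INDIA_REGIONS = {"ap-south-1", "ap-south-2", "centralindia", "asia-south1"}
FOREIGN_LEG_LIMIT = timedelta(hours=24)  # RBI 2018: purge foreign-leg data within 24h
LOCALISED_CATEGORIES = {"payment", "insurance", "market"}  # RBI, IRDAI, SEBI
NEGATIVE_LIST = set()  # DPDPA s.16: none published; fill from a future notification


def check_flow(flow, negative_list=NEGATIVE_LIST):
    """Return findings for one flow record; an empty list means the flow is compliant."""
    findings = []
    cat, dest, purpose = flow["category"], flow["region"], flow["purpose"]
    in_india = dest in INDIA_REGIONS
    # Rule 1: regulated sectors keep the primary repository inside India;
    # cross-border analytics on insurance data, for example, is not flagged here.
    if cat in LOCALISED_CATEGORIES and purpose == "primary_store" and not in_india:
        findings.append(f"{cat} primary store outside India ({dest})")
    # Rule 2: payment data leaves India only as the foreign leg of a transaction
    # and must be deleted from the foreign system within 24 hours.
    if cat == "payment" and not in_india:
        if purpose != "foreign_leg":
            findings.append(f"payment data processed abroad for {purpose}")
        elif (flow.get("deleted_at") is None
              or flow["deleted_at"] - flow["processed_at"] > FOREIGN_LEG_LIMIT):
            findings.append("foreign-leg payment data not deleted within 24h")
    # Rule 3: the DPDPA negative list applies to every category, general data included.
    if flow["country"] in negative_list:
        findings.append(f"transfer to restricted jurisdiction {flow['country']}")
    return findings


def audit(flows, negative_list=NEGATIVE_LIST):
    """Map flow id -> findings for every non-compliant flow in an inventory."""
    return {f["id"]: r for f in flows if (r := check_flow(f, negative_list))}


T0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp for the sample records


def rec(fid, cat, purpose, region, country, deleted_at=None):
    """Build one constructed flow-inventory record (not real traffic)."""
    return {"id": fid, "category": cat, "purpose": purpose, "region": region,
            "country": country, "processed_at": T0, "deleted_at": deleted_at}


SAMPLE_FLOWS = [
    rec("f1", "payment", "primary_store", "ap-south-1", "IN"),
    rec("f2", "payment", "primary_store", "us-east-1", "US"),
    rec("f3", "payment", "foreign_leg", "eu-west-1", "IE", T0 + timedelta(hours=30)),
    rec("f4", "insurance", "analytics", "us-east-1", "US"),
    rec("f5", "general", "analytics", "us-east-1", "US"),
]
```

Running `audit(SAMPLE_FLOWS)` flags only f2 and f3; passing a non-empty negative list (for example `{"US"}`) additionally flags f4 and f5, which shows how a future Section 16 notification is absorbed as a data change rather than an architectural one.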
Data localisation in India is not a single rule. It is a layered architecture of sectoral mandates, constitutional authority, and latent government power. The foreign company that treats it as a checkbox will discover it is a structural requirement.
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
Does the DPDPA require all data to be stored in India?
No. The DPDPA adopts a permissive approach to cross-border transfers — data may flow to any jurisdiction unless the Central Government specifically restricts it through a negative-list notification under Section 16. However, sector-specific regulators (RBI, IRDAI, SEBI) impose hard localisation requirements for financial, insurance, and market data that operate independently of the DPDPA.
What are the RBI data localisation requirements for payment data?
The RBI mandates that all payment system operators store end-to-end transaction data exclusively within India. This includes payment-sensitive data (PIN, CVV, OTP), transaction records, and customer profiles. The foreign leg of cross-border transactions may be temporarily processed abroad, but the data must be deleted from foreign systems and repatriated to India within 24 hours.
How should foreign companies prepare for the DPDPA negative list?
Foreign companies should build transfer infrastructure that can absorb new restrictions without architectural redesign. This includes maintaining comprehensive data flow inventories, deploying India-first cloud regions, implementing automated transfer monitoring, and establishing regulatory change management processes that can operationalise new restrictions within defined timelines.
Can a foreign company use global cloud infrastructure to process Indian data?
It depends on the data category. General personal data governed solely by the DPDPA may be processed globally (subject to future negative-list restrictions). However, RBI-regulated payment data must be stored in India. IRDAI-regulated insurance data must reside in Indian data centres. SEBI-regulated market data carries its own storage obligations. Foreign companies must classify their data and deploy infrastructure that satisfies each applicable regime.
Get Your Data Localisation Compliance Architecture
Our Data Localisation Toolkit includes a sectoral classification matrix, cloud architecture compliance checklist, RBI localisation audit framework, and negative-list readiness protocol — designed for foreign companies deploying data infrastructure in India.
From Awareness to Implementation
Understanding the requirement is the first step. Building the operational infrastructure to meet it, under scrutiny, is the work that follows.