Cross-Border Data Transfer Under the DPDP Act: What Indian SMEs on Foreign SaaS Should Check Now
Most Indian SMEs move personal data abroad every day through tools like AWS, Google Workspace and HubSpot. Here is what the DPDP Act's cross-border transfer rules actually require, and the short list of things to sort before May 2027.
If your company runs on Google Workspace, stores customer records in an AWS region in Singapore, or pushes leads into a US-hosted CRM, you are already moving personal data across India''s borders. Cross-border data transfer under the DPDP Act is not a future problem for large multinationals. It is a live question for almost every Indian SME that touches foreign software, and the good news is that India''s approach is more permissive than most people assume.
Here is what the rules say, what they do not say, and the short list of things worth checking before the core obligations bite.
What the DPDP Act actually says about sending data abroad
The relevant provision is Section 16 of the Digital Personal Data Protection Act, 2023, now operationalised by Rule 15 of the DPDP Rules, 2025 (notified 13 November 2025). Together they set up what lawyers call a "negative list" or blacklist model.
In plain terms: a Data Fiduciary may transfer personal data to any country outside India, except to countries or territories the Central Government specifically restricts by notification. Transfer is the default. Prohibition is the exception, and it only applies once the government publishes a list.
As of mid-2026, no such restricted-country list has been notified. So today, transfers to the US, EU, Singapore, and everywhere else are broadly permitted under the Act. That is a deliberate departure from the model most Indian founders know from Europe.
Why this is friendlier than GDPR (and where the catch is)
Under GDPR, sending personal data outside the EU is presumptively difficult. You need an adequacy decision, Standard Contractual Clauses, or another safeguard before data can leave. The burden sits on the exporter to justify every transfer.
India flips that. There is no adequacy assessment, no mandatory SCCs, and no transfer impact assessment baked into Rule 15. If the destination is not on a restricted list, you can transfer. For an SME already leaning on foreign cloud and SaaS, that removes a large compliance headache before it starts.
The catch is twofold. First, the government can add a country to the restricted list at any time, and a notification could take effect quickly. A vendor stack that is fine today could need rerouting later. Second, Rule 15 carries a condition: where the Central Government specifies requirements about making personal data available to a foreign State or entities under its control, the Data Fiduciary must meet them. That is aimed at situations where a foreign government could compel access to Indian citizens'' data. It is worth watching how this is applied in practice.
Sectoral localization still overrides everything
This is the part SMEs miss most often. The DPDP Act''s relaxed default does not switch off sector-specific rules that already demand data stay in India.
The clearest example is the Reserve Bank of India''s 2018 payment-data localisation directive, which requires payment system data to be stored only in India. SEBI and IRDAI have their own storage expectations for regulated entities. Where these apply, they are stricter than the DPDP Act and they prevail. A fintech that assumes Rule 15 lets it store card data in a US region is reading only half the rulebook.
So the real test is not "does DPDP allow this transfer?" It is "does DPDP and my sector regulator allow this transfer?" For a plain SaaS or D2C business with no RBI, SEBI, or IRDAI overlay, the answer is usually straightforward. For regulated players, the sectoral rule is the binding constraint.
What to check before May 2027
The substantive obligations, including notice, consent, data-principal rights, and breach notification within roughly 72 hours, take full effect around 13 May 2027. Cross-border transfer sits inside that broader compliance picture, because consent and notice have to cover where data goes. A few practical steps:
Map your data flows. List every tool that holds customer, employee, or user personal data and note where each one stores it. Most SMEs are surprised by how many vendors sit outside India once they actually write it down. Our DPDP compliance checklist is a decent starting frame for this exercise.
Fix the notice, not the plumbing. Because transfers are broadly allowed, you rarely need to move data back to India. What you do need is a privacy notice that honestly tells data principals their information may be processed outside the country, and consent that reflects it. This is a documentation task more than an engineering one.
Tighten vendor contracts. The DPDP Act makes you, the Data Fiduciary, responsible even when a foreign processor handles the data. Your agreements with cloud and SaaS providers should require them to protect the data, help you respond to data-principal requests, and tell you promptly about breaches. This overlaps directly with the work in our vendor compliance playbook.
Watch the restricted list. Assign someone to track government notifications so a future blacklist entry does not strand a critical vendor. Globally, regulators are moving faster than ever; EU authorities now field hundreds of breach notifications a day and issue penalties almost weekly, and India''s Data Protection Board is built as a fully digital body designed for exactly that pace.
The bottom line for Indian SMEs
Cross-border data transfer under the DPDP Act is one of the easier parts of the law to get right, provided you do not fall into the two traps: assuming the permissive default overrides sector rules, and forgetting that your notice and consent still have to disclose foreign processing. For most SMEs, compliance here is about knowing where your data lives and saying so clearly, not about repatriating servers.
If you want help mapping your vendor stack against the DPDP Act and your sector''s localisation rules, our DPDP compliance services and DPO support are built for exactly this.
This article is general guidance for Indian businesses and is not legal advice. Rules and government notifications can change; confirm specifics for your situation before acting. To get started, work through our free compliance checklist or get in touch for a tailored review.
Get help implementing this
Turn this reading into a compliance plan.
Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.
Book a free 30-minute consultation