
DPDP Compliance for SaaS Companies

Indian SaaS companies serve global clients but process employee and customer data locally. DPDP creates new obligations for B2B data processing, sub-processor chains, and international data flows.

Average score: 54/100 | Companies analyzed: 7 | Gaps found: 42

The SaaS DPDP Dual Challenge

India’s SaaS sector — companies like Zoho, Freshworks, and Infosys — faces a unique dual challenge under DPDP. They must comply as Data Fiduciaries for their own employee and customer data, AND as Data Processors when handling their clients’ data on their platforms.

Fiduciary vs. Processor: The Role Confusion

When an Indian SaaS company stores customer support tickets on behalf of a client:

  • Client is the Data Fiduciary (they collected the customer data)
  • SaaS company is the Data Processor (they process data on behalf of the client)
  • But the SaaS company is also a Data Fiduciary for its own relationship with the client

This dual role creates overlapping compliance obligations that many SaaS companies haven’t mapped out. The processing agreement between client and SaaS provider must clearly delineate responsibilities.

Sub-Processor Chains

Most SaaS companies use their own SaaS tools — cloud hosting (AWS/GCP), email (SendGrid), analytics (Mixpanel), payment processing (Stripe). Each is a sub-processor in a chain. Under DPDP, the primary processor must ensure adequate security across the entire chain. A breach at any level is the platform’s liability.

The Global Client, Indian Data Problem

Indian SaaS companies often serve global clients whose Indian employees or Indian customers use the platform. This creates scenarios where:

  • A US company stores Indian employee HR data on an Indian SaaS platform
  • The data is processed in India but accessed from the US
  • The Indian SaaS company must comply with DPDP, while the US company must comply with the laws of its own jurisdiction

Employee Data: The Overlooked Obligation

SaaS companies with Indian engineering teams process significant employee personal data — payroll, health insurance details, performance reviews, and internal communications. Under DPDP, employees are Data Principals with full rights, including the right to access everything the company has on them and the right to erasure (post-employment).

SaaS & IT Company Analyses

Freshworks (SaaS & IT): score 35/100

Freshworks' privacy policy, with a future effective date of July 2025, is primarily tailored to international laws such as GDPR and CCPA. Despite having an Indian entity, the policy omits the DPDP Act 2023 entirely, broadly claims 'legitimate interests' for many processing activities, and gives no meaningful detail on data retention or security measures in the text analyzed, exposing its Indian operations to significant DPDP non-compliance risk.

⚠️ No explicit DPDP Act 2023 reference or compliance framework
⚠️ Broad use of 'legitimate interest' where DPDP requires consent
+6 more gaps detected

CleverTap (SaaS & IT): score 42/100

CleverTap is clearly built for GDPR and CCPA compliance, but it currently ignores India's DPDP Act entirely. For a company with deep Indian roots, directing Indian users to the Bulgarian Data Protection Commission for complaints is a major regulatory oversight.

⚠️ No mention of India's DPDP Act 2023 — policy is stuck in 2021/GDPR mode
⚠️ Grievance redressal points to Bulgaria, not an Indian authority
+4 more gaps detected

Infosys (SaaS & IT): score 47/100

Infosys's global privacy policy is extensive but lacks explicit alignment with India's DPDP Act 2023. Its broad use of 'legitimate interest' and vague data retention periods create significant DPDP compliance risks, alongside an incomplete framework for Data Principal rights and grievance escalation specific to India.

⚠️ No explicit DPDP Act 2023 reference
⚠️ Broad 'legitimate interest' use, not aligned with DPDP's specific uses
+4 more gaps detected

Druva (SaaS & IT): score 58/100

Druva is technically secure but legally outdated for India's new law. Its reliance on 'browse-wrap' consent and vague retention timelines creates major compliance risks under the DPDP Act.

⚠️ Uses 'implied consent' by browsing — illegal under Section 6 of DPDP
⚠️ Broadly claims 'legitimate interests' for marketing purposes
+3 more gaps detected

BrowserStack (SaaS & IT): score 62/100

BrowserStack is well-prepared for GDPR, which gives them a head start, but their 'take-it-or-leave-it' consent model and lack of India-specific grievance paths leave them exposed under the DPDP Act.

⚠️ Consent is bundled with account registration — not 'freely given' per Section 6
⚠️ Relies on GDPR 'Legitimate Interests' which doesn't map to DPDP's Section 7
+4 more gaps detected

Google India (Technology): score 63/100

Google India scores 63/100, reflecting world-class privacy infrastructure hampered by a global-first approach. Indian users' data across Search, Gmail, Maps, YouTube, and Android flows to US infrastructure under US jurisdiction — creating the fundamental tension that DPDP was designed to address.

⚠️ Global privacy policy — no India-specific DPDP section
⚠️ Comprehensive data profile across 20+ Google services under one consent
+4 more gaps detected

Zoho (SaaS & IT): score 72/100

Zoho scores the second highest at 72/100, reflecting its genuinely privacy-first culture. The company famously rejected advertising-based models, uses no third-party trackers, and publishes transparent sub-processor lists. The gaps are primarily around adapting its GDPR-centric framework to DPDP-specific requirements.

⚠️ No explicit DPDP Act 2023 reference — GDPR-focused
⚠️ India-specific provisions not separated from global policy
+3 more gaps detected