DPDP Compliance for SaaS Companies
Indian SaaS companies serve global clients but process employee and customer data locally. DPDP creates new obligations for B2B data processing, sub-processor chains, and international data flows.
The SaaS DPDP Dual Challenge
India’s SaaS sector — companies like Zoho, Freshworks, and Infosys — faces a unique dual challenge under DPDP. They must comply as Data Fiduciaries for their own employee and customer data, AND as Data Processors when handling their clients’ data on their platforms.
Fiduciary vs. Processor: The Role Confusion
When an Indian SaaS company stores customer support tickets on behalf of a client:
- Client is the Data Fiduciary (they collected the customer data)
- SaaS company is the Data Processor (they process data on behalf of the client)
- But the SaaS company is also a Data Fiduciary for its own relationship with the client
This dual role creates overlapping compliance obligations that many SaaS companies haven’t mapped out. The processing agreement between client and SaaS provider must clearly delineate responsibilities.
Sub-Processor Chains
Most SaaS companies use their own SaaS tools — cloud hosting (AWS/GCP), email (SendGrid), analytics (Mixpanel), payment processing (Stripe). Each is a sub-processor in a chain. Under DPDP, the primary processor must ensure adequate security across the entire chain. A breach at any level is the platform’s liability.
The Global Client, Indian Data Problem
Indian SaaS companies often serve global clients whose Indian employees or Indian customers use the platform. This creates scenarios where:
- A US company stores Indian employee HR data on an Indian SaaS platform
- The data is processed in India but accessed from the US
- The Indian SaaS company must comply with DPDP while the US company must comply with its own jurisdictional laws
Employee Data: The Overlooked Obligation
SaaS companies with Indian engineering teams process significant employee personal data — payroll, health insurance details, performance reviews, and internal communications. Under DPDP, employees are Data Principals with full rights, including the right to access everything the company has on them and the right to erasure (post-employment).
SaaS & IT Company Analyses
Freshworks
Freshworks' privacy policy, with a future effective date of July 2025, is primarily tailored for international laws like GDPR and CCPA. Despite having an Indian entity, the policy completely omits the DPDP Act 2023, broadly claims 'legitimate interests' for many processing activities, and lacks critical details on data retention and security measures (in the policy text reviewed), exposing its Indian operations to significant DPDP non-compliance risks.
Infosys
Infosys scores 61/100 due to mature global privacy practices built for GDPR/CCPA. However, as India's second-largest employer in tech with 230K+ employees, its DPDP obligations extend to employee data processing — a dimension its global policy doesn't specifically address.
Google India
Google India scores 63/100, reflecting world-class privacy infrastructure hampered by a global-first approach. Indian users' data across Search, Gmail, Maps, YouTube, and Android flows to US infrastructure under US jurisdiction — creating the fundamental tension that DPDP was designed to address.
Zoho
Zoho scores the second highest at 72/100, reflecting its genuinely privacy-first culture. The company famously rejected advertising-based models, uses no third-party trackers, and publishes transparent sub-processor lists. The gaps are primarily around adapting its GDPR-centric framework to DPDP-specific requirements.