A one-paragraph DPDP Act 2023 primer
The Digital Personal Data Protection Act, 2023 is India's first horizontal data protection statute. It was notified by the Ministry of Electronics and Information Technology in August 2023 and the operative rules and the Data Protection Board are being phased in. The Act regulates the processing of digital personal data of data principals (the people whose data it is) by data fiduciaries (who decide why and how data is processed) and data processors (who process data on a fiduciary's instructions). Penalties run up to ₹250 crore per contravention.
For AI analytics specifically, the Act does not single out machine learning as a separate regime. The same lawfulness, consent, security, and breach rules apply whether the processing is a SQL query, a Power BI dashboard, or a large language model translating English into a query. What changes is the surface area: AI vendors often touch more systems and more data classes than a single-purpose tool, so the diligence needs to be tighter.
Fiduciary or processor - which is the AI vendor?
This distinction shapes the whole contract. A data fiduciary decides the purpose and means of processing. A data processor processes on the fiduciary's instructions and only for those purposes. When KolossusAI reads your customer ledger from Tally to answer a finance question your team asked, you are the fiduciary and we are the processor. We do not decide what to do with your data; we execute the queries you authorise.
The processor model is the right one for analytics vendors. Vendors that quietly become fiduciaries by training models on your data, by reselling derived analytics, or by aggregating across customers without contracts that say so, take on fiduciary obligations they have not declared and you may not have consented to. Read the data processing addendum before you read the marketing page.
Significant Data Fiduciaries (a higher-duty class the Board may designate based on volume, sensitivity, or risk) attract extra obligations including a Data Protection Officer based in India, periodic Data Protection Impact Assessments, and independent audits. If you operate at that scale, your AI vendor contracts must contemplate those duties.
The seven duties that actually bite
The Act does not have a single AI clause. It has seven general duties that each map onto a concrete vendor requirement. The table below is the operating cheat sheet.
| Duty | What it means | What an AI vendor must do |
|---|---|---|
| Notice and consent passthrough | Consent must be specific, informed, unambiguous, and available in English plus the eighteen scheduled Indian languages on request. | Not collect consent for you, but allow consent withdrawals to flow end to end through the vendor's systems. |
| Purpose limitation | Data collected for one purpose cannot be used for another without fresh consent. | Never use customer data to fine-tune a shared model, even if buried in terms - the original consent did not cover it. |
| Data minimisation | Process only the data necessary for the stated purpose. | Read the rows needed at query time rather than extracting your full ledger to a multi-tenant warehouse. |
| Retention limits | Personal data must be erased once the purpose is served, unless the law requires retention. | Name a retention period in the contract and provide deletion proof you can verify. |
| Security safeguards | Reasonable security including encryption, access controls, and audit trails. | Carry credible evidence (ISO 27001, SOC 2) and document the control set in the addendum. |
| Breach notification | Fiduciary must notify the Data Protection Board and affected principals as soon as practicable. | Commit to a fast processor-to-fiduciary clock (24 hours is becoming standard in India). |
| Processor obligations under contract | Section 8(2) requires that any processing by a data processor take place under a valid contract with the fiduciary. | Sign a clean DPDP-specific processing addendum, not a recycled GDPR DPA. |
Cross-border transfer and the negative list
Earlier drafts of Indian privacy law leaned toward strict data localisation. The DPDP Act 2023 took a lighter stance: personal data can flow out of India unless the destination is on a Central Government negative list. As of writing the negative list has not been notified, so transfers to most countries are permitted, but the framework lets the Government restrict specific destinations later, and sectoral rules (RBI for payment data, IRDAI for insurance, the SPDI rules for sensitive personal data classes under the IT Act) can impose stricter localisation.
| Layer | Default position | Practical effect on AI vendors |
|---|---|---|
| DPDP Act default | Transfers permitted unless destination is on the (yet-unnotified) negative list. | Cross-border LLM calls to OpenAI or Anthropic are currently lawful by default but must be disclosed. |
| Sectoral overlay - RBI | Payment data must be stored only in India. | Vendor cannot route payment ledgers through a US-hosted LLM under any wrapper. |
| Sectoral overlay - IRDAI | Policyholder data localisation guidance applies. | Insurance customers should require India-resident inference end to end. |
| Sectoral overlay - SPDI rules | Sensitive personal data (passwords, financial info, health, biometrics) carries extra duties. | Vendor must constrain the data classes that ever leave the boundary, not just the volume. |
For AI vendors this matters because the underlying language models often run in the United States or the European Union. A vendor that quietly forwards your customer data to OpenAI or Anthropic to interpret a question is conducting a cross-border transfer. That is currently lawful by default but the vendor must disclose it, the customer should contractually constrain it, and a sectoral rule may forbid it for your data classes regardless.
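The boundary described above can be enforced as a gate in front of every outbound model call. The following is an added illustration, not KolossusAI's code, and everything in it is constructed: the schema metadata (a data class per column, a sectoral overlay tag per table), the rule that the external model only ever receives the question plus column names so it can draft a query while row values stay inside the boundary, and the stricter handling when the model endpoint is outside India (localised tables refused outright, SPDI-class columns withheld even from the schema excerpt). Each decision is recorded with a hash of the exact prompt so the fiduciary can reconcile the audit trail against the vendor's disclosure.

```python
"""
Egress gate for cross-border language-model calls.

Added example, not KolossusAI's code. Assumptions (all constructed): table
metadata is tagged with a data class per column and a sectoral overlay per
table; the external model needs only the question and the column schema to
draft a query; row values are fetched and evaluated inside the boundary and
never placed in the prompt.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed schema: table -> {column: data_class}. Classes loosely follow the
# SPDI categories (password, financial, health, biometric) plus "general".
SCHEMA: Dict[str, Dict[str, str]] = {
    "customers": {
        "customer_id": "general",
        "name": "general",
        "city": "general",
        "pan_number": "financial",
        "health_declaration": "health",
    },
    "invoices": {
        "invoice_id": "general",
        "customer_id": "general",
        "amount_inr": "general",
        "due_date": "general",
    },
    "card_payments": {
        "payment_id": "general",
        "customer_id": "general",
        "card_token": "financial",
        "amount_inr": "general",
    },
}

# Constructed sectoral overlay tags: tables whose contents must stay in India.
LOCALISED_TABLES: Dict[str, str] = {
    "card_payments": "RBI payment data localisation",
}

# SPDI sensitive classes: withheld even as column names when the model
# endpoint is outside India.
SPDI_CLASSES = {"password", "financial", "health", "biometric"}


@dataclass
class EgressDecision:
    allowed: bool
    reason: str
    prompt: Optional[str] = None          # the only text that leaves the boundary
    withheld_columns: List[str] = field(default_factory=list)
    audit: Dict[str, object] = field(default_factory=dict)


def build_llm_request(question: str, tables: List[str],
                      endpoint_region: str) -> EgressDecision:
    """Decide whether a question may go to a model in endpoint_region and,
    if so, build the prompt from schema metadata only (never from rows)."""
    crosses_border = endpoint_region.upper() != "IN"

    unknown = [t for t in tables if t not in SCHEMA]
    if unknown:
        return EgressDecision(False, f"unknown tables: {unknown}")

    # Sectoral overlay: localised tables are never routed abroad, whatever the wrapper.
    if crosses_border:
        for t in tables:
            if t in LOCALISED_TABLES:
                return EgressDecision(
                    False, f"{t} is covered by {LOCALISED_TABLES[t]}; "
                           f"cannot route to region {endpoint_region}")

    # Data minimisation: only column names go out. Cross-border requests
    # additionally drop SPDI-class columns from the excerpt.
    schema_lines, withheld = [], []
    for t in tables:
        cols = []
        for col, cls in SCHEMA[t].items():
            if crosses_border and cls in SPDI_CLASSES:
                withheld.append(f"{t}.{col}")
            else:
                cols.append(col)
        schema_lines.append(f"{t}({', '.join(cols)})")

    prompt = (
        "Draft a read-only SQL query for the question below. "
        "Only these tables and columns exist:\n"
        + "\n".join(schema_lines)
        + f"\nQuestion: {question}"
    )
    audit = {
        "endpoint_region": endpoint_region.upper(),
        "tables": list(tables),
        "withheld_columns": withheld,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    }
    return EgressDecision(True, "schema-only prompt", prompt, withheld, audit)


def leaks_row_values(prompt: str, rows: List[Dict[str, str]]) -> bool:
    """Coarse control check: True if any row value appears verbatim in the
    outbound prompt (substring match, so short values may false-positive)."""
    return any(str(v) in prompt for row in rows for v in row.values())


if __name__ == "__main__":
    sample_rows = [{"name": "Asha Rao", "pan_number": "ABCDE1234F"}]  # constructed
    d = build_llm_request("Which customers have overdue invoices?",
                          ["customers", "invoices"], "US")
    print(d.allowed, d.withheld_columns, leaks_row_values(d.prompt, sample_rows))
    print(json.dumps(d.audit, indent=2))
```

The gate is deliberately asymmetric: the same question is answered with the full schema when the endpoint is in India, while a cross-border call sees a narrower schema and a payment-ledger question is refused before any prompt is built. The `prompt_sha256` in the audit record is what an auditor exercising the access rights in the checklist would compare against the vendor's transfer disclosure.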
Breach notification timelines and what they cost
A "personal data breach" under the Act is broad: any unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access. Once the fiduciary becomes aware, notification to the Data Protection Board must follow as soon as practicable, and to affected principals in a manner the rules will specify. The widely discussed 72-hour clock comes from the Board's expected reporting window and from the CERT-In Direction of April 2022 (which separately requires reporting cyber incidents to CERT-In within six hours).
The practical implication for AI vendor contracts: the processor must notify the fiduciary fast. A 24-hour processor-to-fiduciary clock is becoming standard in Indian contracts so the fiduciary can meet its own onward obligations. If a vendor offers a 72-hour processor clock, you have lost most of your reporting window before you even know.
The vendor diligence checklist for an Indian RFP
Ten questions worth putting in writing before you sign. If a vendor cannot answer any of them in the same email, that is your first finding.
- Where is data stored at rest? Confirm whether an India-resident option is available and which deployment shapes it covers.
- Where is data processed in transit? Map every hop and identify what crosses the border, language model calls included.
- Are LLM calls inside that answer? Many vendors omit model inference from the residency claim. Make them put it in writing.
- Is customer data ever used to train a shared model? The honest answer is no. Anything else is a purpose-limitation problem.
- What is the named retention period and the deletion proof? A number in days plus a verifiable deletion artefact, not a sentence in the FAQ.
- What is the breach notification SLA in hours? Push for 24 hours from processor to fiduciary. 72 hours leaves you no window.
- Who is the named DPO or grievance officer for India? Real name, Indian contact address, escalation path. Not a generic privacy@ mailbox.
- Will the vendor sign a DPDP-specific processing addendum? A recycled GDPR DPA is not enough. Section 8(2) requires DPDP-specific terms.
- What are the audit and access rights? You or your auditors must be able to inspect controls on reasonable notice.
- What is the sub-processor list and change process? Current list, change-notification window, right to object before a change takes effect.
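Two of the questions above (the retention and deletion-proof question, and the consent-withdrawal passthrough in the duties table) come down to the same mechanism on the processor side: a withdrawal event arrives, every record for that principal is erased across every store, and the fiduciary receives an artefact it can check rather than a sentence in a FAQ. The block below is an added example, not KolossusAI's code. It assumes two constructed processor-side stores, a withdrawal event carrying a principal id, and a placeholder HMAC key shared with the fiduciary. What the signature proves is that the manifest is authentic and unaltered and lists a fingerprint of each record erased; whether the data is really gone still rests on the audit and access rights in the list above.

```python
"""
Consent-withdrawal handling with a verifiable deletion artefact.

Added example, not KolossusAI's code. Assumptions (constructed): the processor
holds per-principal records in a query cache and a result log; the fiduciary
sends a withdrawal event with the principal id; the processor erases every
matching record and returns a manifest signed with an HMAC key shared with the
fiduciary. The key below is a placeholder, not a real secret.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

SHARED_KEY = b"placeholder-shared-key-rotate-me"  # placeholder only

# Constructed processor-side stores, keyed by record id.
QUERY_CACHE: Dict[str, Dict] = {
    "q-1": {"principal_id": "P-100", "question": "overdue invoices", "rows": 3},
    "q-2": {"principal_id": "P-200", "question": "gst summary", "rows": 1},
}
RESULT_LOG: Dict[str, Dict] = {
    "r-1": {"principal_id": "P-100", "result_hash": "ab12"},
    "r-2": {"principal_id": "P-100", "result_hash": "cd34"},
}
STORES: Dict[str, Dict[str, Dict]] = {"query_cache": QUERY_CACHE, "result_log": RESULT_LOG}


def _fingerprint(record: Dict) -> str:
    """Hash of the record as it existed before erasure, so the fiduciary can
    match it against its own copy without the processor retaining the data."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def _canonical(manifest: Dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def count_remaining(principal_id: str) -> int:
    """Records still referencing the principal across all stores."""
    return sum(1 for store in STORES.values() for rec in store.values()
               if rec.get("principal_id") == principal_id)


def handle_withdrawal(principal_id: str, event_id: str,
                      now: Optional[str] = None) -> Dict:
    """Erase every record for the principal and return a signed deletion artefact."""
    erased: List[Dict] = []
    for store_name, store in STORES.items():
        doomed = [rid for rid, rec in store.items()
                  if rec.get("principal_id") == principal_id]
        for rid in doomed:
            erased.append({"store": store_name, "record_id": rid,
                           "fingerprint": _fingerprint(store[rid])})
            del store[rid]          # the erasure itself
    manifest = {
        "event_id": event_id,
        "principal_id": principal_id,
        "erased_at": now or datetime.now(timezone.utc).isoformat(),
        "erased": erased,
        "remaining_for_principal": count_remaining(principal_id),
    }
    signature = hmac.new(SHARED_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature}


def verify_artefact(artefact: Dict, key: bytes = SHARED_KEY) -> bool:
    """Fiduciary-side check: signature is valid and the manifest reports
    nothing left for the principal. Tampering with any field fails the check."""
    expected = hmac.new(key, _canonical(artefact["manifest"]), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, artefact["signature"])
            and artefact["manifest"]["remaining_for_principal"] == 0)


if __name__ == "__main__":
    artefact = handle_withdrawal("P-100", "evt-0001")
    print(json.dumps(artefact, indent=2))
    print("verified:", verify_artefact(artefact))
```

In a real deployment the same event would have to be forwarded to every sub-processor on the list, and their artefacts attached, before the fiduciary treats the withdrawal as honoured end to end; the manifest format above is one way to make that chain checkable.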
How KolossusAI handles each requirement
KolossusAI is built around the processor role. Three deployment shapes - managed cloud in India, single-tenant private cloud in your AWS or Azure account, and fully on-premise - let you pick the residency profile your sector and data classes require.
- Notice and consent. You stay the consent collector. Our APIs surface withdrawal events so honoured deletions propagate end to end.
- Purpose limitation. Customer data is never used to train any shared model. The contract names this explicitly.
- Data minimisation. Source-system reads pull only the rows needed to answer the active question. We do not stage your ledger in a multi-tenant warehouse.
- Retention limits. Named retention period and a deletion artefact you can verify on contract end.
- Security safeguards. Encryption in transit and at rest, role-based access, full query audit log, ISO 27001 alignment documented.
- Breach notification. 24-hour processor-to-fiduciary clock written into the addendum so your own onward window stays intact.
- Processor contract. DPDP-specific addendum, India grievance officer with a published contact, current sub-processor list, audit rights.
See our security page for the controls and the privacy policy for the principal-facing commitments. If your sector has stricter rules (RBI for financial services, IRDAI for insurance, SPDI for legacy sensitive personal data), the on-premise deployment shape removes cross-border concerns entirely.