Archived analysis

This page is old. Druva was reviewed on 2026-04-10.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

SaaS & IT

Druva

Readiness score: 58/100
Analysis supervised by Sushant Pasumarty
📅 10 Apr 2026


Druva is technically secure but legally outdated for India's new law. Its reliance on 'browse-wrap' consent and vague retention timelines creates major compliance risks under the DPDP Act.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • The source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-10
  • Company: Druva
  • Readiness score: 58/100
  • Policies and product behavior may have changed since review.
  • Still to verify: whether the current source policy still matches this archived policy-only review.
  • Still to verify: whether app, web and product flows match the policy.

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • Uses 'implied consent' by browsing—illegal under Section 6 of DPDP
  • Broadly claims 'legitimate interests' for marketing purposes
  • Retention periods are vague and tied to 'business interests'
  • No mention of the right to nominate a representative
  • Grievance process doesn't include the Indian Data Protection Board

✅ Strengths

  • Very clear list of categories of personal data collected
  • Strong technical security disclosures including encryption details
  • Identifies specific third-party categories they share data with
  • Transparent about using cookies and tracking technologies

Overview

Druva is a heavy hitter in the cloud data protection space. They help companies back up their data so it doesn’t get lost or hacked. Because they handle massive amounts of info—from your work emails to your IP address—they are what the law calls a Data Fiduciary.

In plain English, a Data Fiduciary is the entity that decides why and how your data is used. They are the ones responsible if things go sideways. You are the Data Principal—the person the data actually belongs to.

If you use Druva at work, they have your info. If you just visit their website, they have your info. Let’s see if their policy protects you under India’s new rules.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

This is where Druva hits a major roadblock. Their policy relies on what we call “bundled” or “implied” consent.

What the policy says: “By using or accessing the Sites or services in any manner, you acknowledge that you accept the practices and policies outlined in this Policy…”

What the law requires: The DPDP Act says consent must be “affirmative.” This means you have to actively click a button or check a box. You can’t just say “because you’re here, you agree.”

The problem:

  • It’s “take it or leave it.”
  • There’s no Notice provided in multiple languages (as required by the Act).
  • You can’t agree to the service but opt out of the marketing tracking at the start.

Section 7 — Certain Legitimate Uses ⚠️

The law allows companies to process data without a “yes” from you in very specific cases, like medical emergencies or employment.

What the policy says: Druva claims “legitimate interests” for things like “conducting its business,” “marketing analysis,” and “billing.”

What the law requires: India’s DPDP Act is much stricter than Europe’s GDPR. “Legitimate use” in India is mostly for voluntary data sharing or government functions.

The problem: Druva is using a “Global” standard that doesn’t fit the new Indian rules. Marketing your products to a user isn’t a “Legitimate Use” that bypasses consent in India.

Section 8 — Obligations of Data Fiduciary ✅

This is Druva’s strongest suit. Since they are a security company, they take the “protection” part of data protection seriously.

What the policy says: They use “logical data segregation, data encryption in flight and at rest, network security… and regular third-party penetration testing.”

What the law requires: Section 8 says a company must take reasonable security safeguards to prevent a data breach.

The problem: While their tech is great, the law also requires them to notify the Data Protection Board and the user if a breach happens. Druva’s policy mentions notifying users, but it hasn’t been updated to mention the Indian authorities.

Section 9 — Data Retention 🔴

How long does a company get to keep your “digital ghost” after you leave?

What the policy says: “Druva will retain data… as required by law… [and] to pursue legitimate business interests.”

What the law requires: As soon as the purpose of the data is over (e.g., you close your account), the company must erase it.

The problem: “Legitimate business interests” is a giant loophole. It’s too vague. Under DPDP, if you aren’t using the service, they shouldn’t keep your personal identifiers just because they might want to “conduct audits” indefinitely.

Section 11 — Rights of Data Principal ⚠️

The DPDP Act gives you “superpowers” over your data.

What the policy says: They list rights like “Access” and “Rectify” (fix) for EU and California residents.

What the law requires: Indian users now have the right to:

  1. Erasure: Demand your data be deleted.
  2. Nomination: The right to pick someone to manage your data if you pass away or are incapacitated.

The problem: Druva’s policy doesn’t mention Nomination at all. If an Indian business owner uses Druva, their policy needs to explain how their employees can exercise these specific Indian rights.

Section 12 — Right of Grievance Redressal ⚠️

If you’re unhappy with how your data is handled, who do you call?

What the policy says: They provide an email: privacy@druva.com.

What the law requires: You must have an easy way to complain. If the company doesn’t solve it, you have a right to go to the Data Protection Board of India.

The problem: Druva doesn’t mention the Board. For a regular person, if the email support ignores them, they might think that’s the end of the road. It isn’t.

Section 16 — Cross-Border Data Transfer ✅

What the policy says: Data may be sent to the U.S. and other countries. They use “Standard Contractual Clauses.”

What the law requires: Data can be sent abroad unless the Indian government specifically puts a country on a “negative list.”

The problem: Currently, this is fine, but Druva will need to stay agile as the Indian government releases its “restricted countries” list.

Risk Assessment

Category          Risk Level  Potential Impact
Consent Validity  High        “Browse-wrap” consent could be declared invalid, halting data processing.
Regulatory Fines  Medium      Failure to provide notice in local languages is a technical violation.
Data Retention    High        Keeping data for “business interests” leads to over-retention penalties.
User Rights       Medium      Missing the “Right to Nominate” is a clear gap in Section 11 compliance.

Recommendations

If you are a business owner looking at Druva’s policy (or your own), here is the “to-do” list:

  1. Stop “Implicit” Consent: Use a clear pop-up that asks for a “Yes” before collecting any data.
  2. Add the Nomination Right: Update your policy to let users name a person to handle their data rights later.
  3. Define Deletion: Don’t say “as long as necessary.” Say “Data is deleted 30 days after account termination.”
  4. Mention the DPB: Tell your users they can escalate complaints to the Data Protection Board of India.
  5. Multilingual Notice: If you have users across India, provide your privacy summary in the languages they speak.
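Recommendations 1 and 3 (affirmative, per-purpose consent and a fixed deletion window) translated into a small Python consent ledger and retention job, so that "Yes" and "deleted 30 days after termination" become something a team can show as evidence. This is an added example, not Druva's code and not part of the original review; the 30-day window, the set of actions treated as affirmative, and every name and sample record are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed values, taken from the recommendation text rather than any real policy.
RETENTION_AFTER_TERMINATION = timedelta(days=30)
AFFIRMATIVE_ACTIONS = {"checkbox_ticked", "button_clicked"}   # what counts as a "Yes"


class InvalidConsent(ValueError):
    """Raised when consent was not captured by an affirmative act."""


@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                     # consent is tracked per purpose, e.g. "service" or "marketing"
    action: str                      # how the "Yes" was captured
    given_on: date
    withdrawn_on: Optional[date] = None


def record_consent(user_id: str, purpose: str, action: str, given_on: str) -> ConsentRecord:
    """Store consent only if it came from an affirmative act. Passive acts such as
    "browsing" or "continued_use" (browse-wrap) are refused, so they can never
    appear in the ledger as evidence of consent."""
    if action not in AFFIRMATIVE_ACTIONS:
        raise InvalidConsent(f"{action!r} is not an affirmative act for purpose {purpose!r}")
    return ConsentRecord(user_id, purpose, action, date.fromisoformat(given_on))


def consent_active(records, user_id: str, purpose: str, on: str) -> bool:
    """True if the user had live consent for exactly this purpose on the given day.
    Consent to the service does not imply consent to marketing."""
    day = date.fromisoformat(on)
    return any(
        r.user_id == user_id and r.purpose == purpose
        and r.given_on <= day and (r.withdrawn_on is None or r.withdrawn_on > day)
        for r in records
    )


@dataclass
class Account:
    user_id: str
    terminated_on: Optional[date] = None


def deletion_due(account: Account) -> Optional[date]:
    """Fixed deletion date: termination plus the published retention window."""
    if account.terminated_on is None:
        return None
    return account.terminated_on + RETENTION_AFTER_TERMINATION


def purge_due(accounts, today: str):
    """User ids whose retention window has ended as of `today`. The caller deletes
    their data and keeps the returned list plus the date as deletion evidence."""
    day = date.fromisoformat(today)
    return sorted(a.user_id for a in accounts
                  if deletion_due(a) is not None and deletion_due(a) <= day)


# Constructed sample data (hypothetical users, not real records).
SAMPLE_CONSENTS = [
    record_consent("u1", "service", "button_clicked", "2026-04-01"),
]
SAMPLE_ACCOUNTS = [
    Account("u1"),                                     # active, never purged
    Account("u2", date.fromisoformat("2026-03-01")),   # deletion due 2026-03-31
    Account("u3", date.fromisoformat("2026-03-20")),   # deletion due 2026-04-19
]

if __name__ == "__main__":
    print("marketing consent for u1:", consent_active(SAMPLE_CONSENTS, "u1", "marketing", "2026-04-10"))
    print("accounts to purge on 2026-04-10:", purge_due(SAMPLE_ACCOUNTS, "2026-04-10"))
```

Two design choices carry the compliance point: the ledger refuses to store anything that is not an affirmative act, so a browse-wrap "consent" cannot later be produced as evidence, and deletion is computed from a fixed, published window rather than an open-ended "business interest", which is what an auditor can check against a log.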
