A Project by Meridian Bridge Strategy
Book Consultation
Fintech

Upstox β†—

Ready Score 50/100
Functional Gaps vs Industry Avg: 49
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
πŸ“… 23 Feb 2026

Executive Summary

Upstox, handling investment data for 1Cr+ users, scores 50/100 on DPDP readiness. Like Zerodha and Groww, SEBI compliance provides a baseline, but DPDP adds consent granularity and data rights requirements beyond what securities regulation demands. API trading users create additional data governance challenges.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference β€” relies on SEBI and IT Act
  • Investment behavior data retention undefined
  • Ratan Tata-backed platform but no Tata ecosystem data governance mentioned
  • No Data Protection Board grievance escalation
  • API trading data handling for algo traders not addressed
  • Nomination rights under Section 14 absent

βœ… Strengths

  • SEBI regulatory compliance
  • Two-factor authentication for account access
  • Encryption of financial data
  • Grievance officer with SEBI SCORES escalation
  • Clear data categories tied to regulatory requirements

Overview

Upstox is India’s second-largest discount brokerage by active users, processing equity, derivatives, and mutual fund transactions. Like other brokerages, it faces the SEBI-DPDP dual compliance challenge, but its emphasis on API-first trading creates additional data considerations for algorithmic trading users.

Key DPDP Concerns

API Trading Data

Upstox’s API platform is popular with algo traders who generate massive volumes of automated trades. This creates:

  • High-frequency trading data patterns (strategy IP)
  • API authentication tokens (security credentials)
  • Automated portfolio management data

Under DPDP, API-generated data is still personal data if linked to an identifiable person. Algo traders’ strategies, reflected in their trading patterns, may constitute sensitive commercial information requiring enhanced protection.

SEBI-DPDP Dual Compliance

Same challenge as Groww and Zerodha β€” SEBI mandates minimum data requirements while DPDP adds maximum retention and enhanced rights.

Recommendations

  1. Address API trading data under DPDP β€” Acknowledge algo traders’ data as potentially commercially sensitive
  2. Create SEBI-DPDP compliance matrix for transparent regulatory mapping
  3. Add Data Protection Board escalation alongside SEBI SCORES
  4. Implement Section 14 nomination β€” Critical for investment platforms
  5. Define non-regulatory data retention beyond SEBI minimums

How Does Your Policy Compare?

πŸ” Run Your Free DPDP Audit β†’

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.

Fix these compliance gaps today.

Book 1:1 Consultation
πŸ“ž Free Consultation