Overview
Zoho is India’s most prominent SaaS company, offering 55+ business applications to 100M+ users globally. Uniquely among Indian tech companies, Zoho has built its brand around privacy — refusing advertising models, rejecting third-party trackers, and investing in data centers across India. While its privacy practices are among the best, specific DPDP alignment is needed.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ✅
Zoho’s consent framework is strong:
- Clear, layered privacy notices for each product
- Purpose-specific data collection with transparent explanations
- Most processing based on contractual necessity (B2B SaaS)
- Cookie consent with granular controls
Minor gap: DPDP’s specific consent language not adopted — Zoho uses GDPR terminology.
Section 7 — Certain Legitimate Uses ✅
Zoho’s B2B model means most processing is:
- Contractual necessity (providing the software service)
- Customer instruction (B2B data processing agreement)
- Legal compliance
This aligns well with DPDP’s legitimate use framework.
Section 8 — Obligations of Data Fiduciary ✅
Gold standard:
- SOC 2 Type II certified
- ISO 27001 compliance
- Annual privacy audits
- No third-party data brokers or advertising trackers
- Zero advertising business model
- Documented incident response procedures
Section 9 — Data Retention ✅
Well-documented retention with clear policies:
- Account data: retained during subscription + 30 days post-cancellation
- Backup data: purged within 90 days of account closure
- Audit logs: defined retention periods
- Marketing data: consent-based with easy opt-out
Minor gap: India-specific retention requirements not called out separately.
Section 11 — Rights of Data Principal ✅
Strong rights implementation:
- Data export available for all products
- Account deletion with defined timelines
- Data portability in standard formats
- Access requests handled through documented process
Gap: No DPDP Section 14 nomination mechanism.
Section 12 — Right of Grievance Redressal ⚠️
Zoho has a global privacy team reachable by email. However:
- India-specific grievance officer not designated
- Data Protection Board not referenced (references EU/US authorities)
- No India-specific escalation path
Section 16 — Cross-Border Data Transfer ⚠️
Zoho has India data centers and offers India data residency to customers. However:
- Default data location for Indian users may include US/EU data centers
- Cross-border transfer is managed through GDPR-aligned Standard Contractual Clauses
- DPDP’s cross-border framework (government-notified countries) may differ from GDPR’s adequacy decisions
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | Low | Strong baseline practices |
| Security and privacy | Very Low | Industry-leading practices |
| DPDP-specific compliance | Medium | Needs GDPR-to-DPDP mapping |
| Cross-border data | Low-Medium | India data centers available |
| Data principal rights | Low | Already comprehensive |
Why Zoho Is the Benchmark
Zoho demonstrates what privacy-first actually means:
| Practice | Zoho | Industry Typical |
|---|---|---|
| Third-party trackers | Zero | 10-50+ per page |
| Advertising model | None | Core revenue for many |
| Sub-processor transparency | Published list | Hidden or vague |
| Data portability | All products | Limited or none |
| Privacy audits | Annual, third-party | Rare |
Recommendations
- Create DPDP-specific addendum — Map existing GDPR compliance to DPDP requirements for Indian users
- Designate India Grievance Officer — DPDP requires a specific grievance redressal mechanism
- Reference Data Protection Board — Include DPB as escalation alongside EU/US privacy authorities
- Implement Section 14 nomination — Add nomination mechanism for data principal rights
- Guarantee India data residency — Make India data center the default for Indian users/customers