
DPDP Compliance for SaaS Companies

Learn how Indian SaaS companies should handle customer, employee, support and processor data under DPDP.

Average score 54/100 across 7 companies analyzed, 42 gaps found.


Now replace the sandwich shop with your SaaS & IT company. Where does personal data enter? Where does it sit? Who else touches it?

SaaS & IT DPDP Self-Check

Start here to understand why DPDP is relevant to SaaS & IT. Before anything else, understand how personal data moves through the business.

What is SaaS & IT?

In this context, SaaS and IT means cloud products, software platforms, IT services, support desks, product analytics, customer success, employee systems and vendor tools that collect or process customer, user, employee and client data.

Children's data

  • Do you collect age, class, school, parent details or learning progress?
  • Can you separate child, parent and guardian data?
  • Do you know which users are under 18?

Consent

  • Can you prove where consent came from?
  • Is consent collected before data is used for the stated purpose?
  • Can consent be withdrawn without breaking the entire account flow?

Tracking and profiling

  • Do you track usage, performance, attention, behavior or drop-offs?
  • Is any of this used for ads, recommendations or nudges?
  • Are analytics tools collecting user identifiers?

Vendors and SDKs

  • Which CRMs, email tools, payment tools, analytics tools and support tools receive personal data?
  • Do contracts say they process data only on your instructions?
  • Can you delete or export data from each vendor?

Retention

  • What happens when the service ends?
  • What happens when a user leaves?
  • What data is kept for certificates, invoices, disputes or regulatory records?

First action

  • Map one user journey from sign-up to completion.
  • Mark where data is collected, stored, shared, used for communication and deleted.

If this self-check exposed more than three unclear answers, the next useful step is a DPDP data journey map.

Book a DPDP clarity call

SaaS & IT Company Analyses

Freshworks (SaaS & IT): 35/100

Freshworks' privacy policy, with a future effective date of July 2025, is primarily tailored to international laws such as GDPR and CCPA. Despite having an Indian entity, the policy omits the DPDP Act 2023 entirely, broadly claims 'legitimate interests' for many processing activities, and, in the text reviewed, lacks critical details on data retention and security measures, exposing its Indian operations to significant DPDP non-compliance risks.

⚠️ No explicit DPDP Act 2023 reference or compliance framework
⚠️ Broad use of 'legitimate interest' where DPDP requires consent
+6 more gaps detected

CleverTap (SaaS & IT): 42/100

CleverTap's policy is clearly built for GDPR and CCPA compliance, but it currently ignores India's DPDP Act entirely. For a company with deep Indian roots, directing Indian users to the Bulgarian Data Protection Commission for complaints is a major regulatory oversight.

⚠️ No mention of India's DPDP Act 2023 — policy is stuck in 2021/GDPR mode
⚠️ Grievance redressal points to Bulgaria, not an Indian authority
+4 more gaps detected

Infosys (SaaS & IT): 47/100

Infosys's global privacy policy is extensive but lacks explicit alignment with India's DPDP Act 2023. Its broad use of 'legitimate interest' and vague data retention periods create significant DPDP compliance risks, alongside an incomplete framework for Data Principal rights and grievance escalation specific to India.

⚠️ No explicit DPDP Act 2023 reference
⚠️ Broad 'legitimate interest' use, not aligned with DPDP's specific uses
+4 more gaps detected

Druva (SaaS & IT): 58/100

Druva is technically secure but legally outdated for India's new law. Its reliance on 'browse-wrap' consent and vague retention timelines creates major compliance risks under the DPDP Act.

⚠️ Relies on 'implied consent' by browsing, which does not meet Section 6's requirement that consent be unambiguous and given by a clear affirmative action
⚠️ Broadly claims 'legitimate interests' for marketing purposes
+3 more gaps detected

BrowserStack (SaaS & IT): 62/100

BrowserStack is well-prepared for GDPR, which gives them a head start, but their 'take-it-or-leave-it' consent model and lack of India-specific grievance paths leave them exposed under the DPDP Act.

⚠️ Consent is bundled with account registration — not 'freely given' per Section 6
⚠️ Relies on GDPR 'Legitimate Interests', an open-ended ground that does not map onto the closed list of 'legitimate uses' in DPDP Section 7
+4 more gaps detected

Google India (Technology): 63/100

Google India scores 63/100, reflecting world-class privacy infrastructure hampered by a global-first approach. Indian users' data across Search, Gmail, Maps, YouTube and Android flows to US infrastructure under US jurisdiction. DPDP does not forbid such transfers outright (Section 16 only lets the Central Government restrict transfers to countries it notifies), but a single global policy with no India-specific section leaves Indian users without the DPDP notice, rights and grievance route the Act requires.

⚠️ Global privacy policy — no India-specific DPDP section
⚠️ Comprehensive data profile across 20+ Google services under one consent
+4 more gaps detected

Zoho (SaaS & IT): 72/100

Zoho scores 72/100, the highest of the seven companies analyzed here, reflecting its genuinely privacy-first culture. The company famously rejected advertising-based models, uses no third-party trackers, and publishes transparent sub-processor lists. The gaps are primarily around adapting its GDPR-centric framework to DPDP-specific requirements.

⚠️ No explicit DPDP Act 2023 reference — GDPR-focused
⚠️ India-specific provisions not separated from global policy
+3 more gaps detected

Frequently asked questions

Does DPDP apply if our SaaS only serves international clients?

Yes, in part. The Act applies to any processing of digital personal data within India (Section 3). Where you process only non-Indian users' data under a contract with a client outside India, Section 17(1)(d) exempts that processing from most of the Act's obligations, but the duties to process only for a lawful purpose and to implement reasonable security safeguards (Sections 8(1) and 8(5)) still apply. Personal data of people in India, for example your own employees and any Indian users of your clients' products, is covered in full.

Are we a Data Fiduciary or a Data Processor for our B2B clients?

In most B2B SaaS models your client is the Data Fiduciary, because it decides why and how its users' data is processed, and you are a Data Processor engaged under a contract (Section 8(2)). The Fiduciary stays accountable for processing done on its behalf, so expect contracts that bind you to its instructions, security safeguards and deletion timelines. You are still a Data Fiduciary in your own right for data you collect for your own purposes, such as your employees, your marketing contacts and the account holders who sign up directly with you.

How do we handle data deletion requests for data stored in cold backups?

Keep a record of every erasure you have honoured (a deletion ledger) and store it outside the backup set, so a restore cannot overwrite it. Re-apply the ledger to any restored copy before it serves traffic, so the deleted user's data never re-enters your live database. Document that, until each backup holding the data expires or is overwritten, the data exists only in backups, is excluded from all processing and is put beyond use, and retain the ledger at least as long as the oldest backup that could still contain the data.
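The backup problem above in working code, as an added example that is not part of this page or of any company it reviews. It assumes a SQLite store with two hypothetical tables keyed by user_id (users and support_tickets), an append-only erasure_ledger table that records a keyed hash of each erased user id, and an HMAC key that in production would come from a secrets manager. The demo takes a cold backup, erases a user, restores the backup to show the user resurrected, then replays the ledger to remove the rows again; all sample rows are constructed for the demo.

```python
"""Replay honoured erasure requests after a backup restore (added example)."""
import hashlib
import hmac
import sqlite3
from datetime import datetime, timezone

# Assumption: in production this key comes from a secrets manager, not source.
# Hashing the user id with a key means the ledger is not itself a readable
# list of identifiable former users.
LEDGER_KEY = b"replace-with-kms-managed-key"

# Hypothetical tables that hold personal data keyed by user_id.
PERSONAL_TABLES = ("users", "support_tickets")


def ledger_token(user_id: str) -> str:
    """Keyed hash of a user id; the ledger stores this instead of the raw id."""
    return hmac.new(LEDGER_KEY, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def init_schema(conn: sqlite3.Connection) -> None:
    conn.executescript(
        """
        CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT);
        CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, user_id TEXT, body TEXT);
        CREATE TABLE erasure_ledger (token TEXT PRIMARY KEY, erased_at TEXT);
        """
    )


def erase_user(conn: sqlite3.Connection, user_id: str) -> int:
    """Honour an erasure request in the live DB and record it in the ledger."""
    removed = 0
    for table in PERSONAL_TABLES:  # table names are a fixed constant, not user input
        removed += conn.execute(f"DELETE FROM {table} WHERE user_id = ?", (user_id,)).rowcount
    conn.execute(
        "INSERT OR IGNORE INTO erasure_ledger (token, erased_at) VALUES (?, ?)",
        (ledger_token(user_id), datetime.now(timezone.utc).isoformat()),
    )
    conn.commit()
    return removed


def export_ledger(conn: sqlite3.Connection) -> set:
    """Export the live ledger; it must be stored outside the backup set."""
    return {row[0] for row in conn.execute("SELECT token FROM erasure_ledger")}


def replay_erasures(conn: sqlite3.Connection, ledger: set) -> int:
    """Re-delete every user in a restored DB whose token appears in the ledger."""
    removed = 0
    for table in PERSONAL_TABLES:
        ids = [r[0] for r in conn.execute(f"SELECT DISTINCT user_id FROM {table}")]
        for uid in ids:
            if ledger_token(uid) in ledger:
                removed += conn.execute(f"DELETE FROM {table} WHERE user_id = ?", (uid,)).rowcount
    # Merge the ledger back so the restored copy keeps the full erasure history.
    now = datetime.now(timezone.utc).isoformat()
    conn.executemany(
        "INSERT OR IGNORE INTO erasure_ledger (token, erased_at) VALUES (?, ?)",
        [(t, now) for t in ledger],
    )
    conn.commit()
    return removed


def count_rows(conn: sqlite3.Connection, user_id: str) -> int:
    """Rows across all personal-data tables that still belong to user_id."""
    total = 0
    for table in PERSONAL_TABLES:
        total += conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE user_id = ?", (user_id,)
        ).fetchone()[0]
    return total


def demo() -> dict:
    """Constructed scenario: backup, erasure, restore, ledger replay."""
    live = sqlite3.connect(":memory:")
    init_schema(live)
    live.executemany("INSERT INTO users VALUES (?, ?)",
                     [("u-alice", "alice@example.com"), ("u-bob", "bob@example.com")])
    live.executemany("INSERT INTO support_tickets (user_id, body) VALUES (?, ?)",
                     [("u-alice", "Cannot log in"), ("u-alice", "Invoice copy"),
                      ("u-bob", "Feature request")])
    live.commit()

    cold_backup = sqlite3.connect(":memory:")
    live.backup(cold_backup)                 # nightly backup taken before the request

    erased_live = erase_user(live, "u-alice")  # erasure request honoured in live DB
    ledger = export_ledger(live)               # kept outside the backup set

    restored = sqlite3.connect(":memory:")
    cold_backup.backup(restored)               # disaster recovery from the old backup
    resurrected = count_rows(restored, "u-alice")  # the erased user is back
    replayed = replay_erasures(restored, ledger)   # ledger removes them again
    return {
        "erased_live": erased_live,
        "resurrected_after_restore": resurrected,
        "removed_by_replay": replayed,
        "alice_rows_after_replay": count_rows(restored, "u-alice"),
        "bob_rows_after_replay": count_rows(restored, "u-bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of export_ledger is that the ledger must be taken from the live system and stored outside the backup set before the restore; otherwise the restore brings back the old, shorter ledger and the erasure is lost. Ledger entries should be retained at least until the last backup that could still contain the user has been overwritten.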
