Data localization in India means that certain categories of data must be stored on servers physically located within India. The rules are not uniform — they differ sharply by data type. Payment system data has a hard storage mandate under the Reserve Bank of India. Personal data under the Digital Personal Data Protection Act 2023 can leave India unless the Central Government restricts the destination country. Sector regulators like IRDAI add further layers. If your Indian company uses foreign cloud infrastructure, SaaS platforms, or offshore data centres, you are operating inside a patchwork of obligations that can trigger regulatory action if misread. This post explains each layer, maps your obligations, and gives you a practical path to compliance.
What Data Localization Actually Means
Localization is the requirement that data be stored, and in some cases processed, within a defined geographic territory. It is not the same as data sovereignty (which concerns government access rights) and not the same as data residency (a vendor's commercial promise about server location). Localization is a legal obligation with regulatory teeth.
India has taken a sector-by-sector approach rather than a single economy-wide mandate. This matters because the compliance answer for a health-tech startup differs from that of a fintech differs from that of an HRMS vendor.
The RBI Payment Data Mandate
The clearest and most enforced localization rule in India is the Reserve Bank of India's directive on storage of payment system data. Issued in April 2018, it requires that all data related to payment systems — end-to-end transaction details, payment instructions, customer identifiers — be stored only in systems located in India.
Key points from the RBI's position (see rbi.org.in for the master direction on payment systems):
- Scope: Applies to all Payment System Operators (PSOs) — card networks, prepaid instrument issuers, payment aggregators, payment gateways, UPI apps
- Processing: Data may be processed abroad, but it must then be deleted from the foreign systems, with the stored copy kept only in India
- Audit trail: RBI must have unfettered access to data and system for supervisory purposes
- Enforcement: The RBI conducted compliance audits beginning 2018–2019 and major networks including Mastercard, American Express, and Diners Club faced restrictions on new customer onboarding for non-compliance
The DPDP Act 2023: Cross-Border Transfer Rules
The Digital Personal Data Protection Act 2023 (DPDP Act), passed by Parliament and notified by the Ministry of Electronics and Information Technology (MeitY), takes a different and notably more permissive baseline on cross-border transfers compared to GDPR.
Under the DPDP Act, cross-border transfer of personal data is permitted by default — with one key mechanism: the Central Government may, by notification, restrict transfer to specific countries or territories. In other words, the DPDP Act does not impose a blanket localization requirement on personal data. Data can flow to the EU, the US, Singapore, or any other destination unless the Government publishes a restricted list.
What the DPDP Act does require regardless of where data is stored:
- A valid consent or legitimate use basis for processing
- Purpose limitation — data used only for the declared purpose
- Data minimisation — only collect what is necessary
- Retention limits — erase when purpose is complete
- Security safeguards — appropriate technical and organisational measures
- Data Principal rights — right to access, correction, erasure, grievance redressal
Sector-Specific Localization Rules
Beyond the RBI and DPDP Act, Indian sector regulators have issued their own data storage requirements.
| Sector | Regulator | Key Rule | Status |
|---|---|---|---|
| Payment systems | RBI | All payment data must be stored only in India | Enforced since 2018 |
| Insurance | IRDAI | Policyholder data must be stored in India; overseas storage requires IRDAI approval | Active |
| Health data | MoHFW / ABDM | Health records under the ABDM ecosystem must stay in India-hosted infrastructure | Active (for ABDM participants) |
| Telecom | TRAI / DoT | Certain subscriber and CDR data localisation requirements under discussion | Evolving |
| Capital markets | SEBI | Trading and investor data managed by market infrastructure institutions subject to SEBI guidelines; see sebi.gov.in | Active |
| Banking | RBI | Core banking data, account data subject to RBI's broad IT framework | Active |
Decision Flow: Where Must This Data Live?
```mermaid
graph TD
    A[Data classification required] --> B{Is it payment system data?}
    B -->|Yes| C[Store only in India<br/>RBI Mandate 2018]
    B -->|No| D{Is it insurance / health<br/>or SEBI market data?}
    D -->|Yes| E[Check sector regulator rule<br/>IRDAI / ABDM / SEBI]
    E --> F{Sector rule requires<br/>India storage?}
    F -->|Yes| G[Store in India<br/>Sector compliance required]
    F -->|No or unclear| H[Apply DPDP Act baseline]
    D -->|No| H
    H --> I{Is destination country<br/>on restricted list?}
    I -->|Yes - restricted| J[Block transfer<br/>Store in India]
    I -->|No - permitted| K[Transfer allowed<br/>with DPDP safeguards]
    K --> L[Consent + purpose<br/>+ security controls<br/>must still apply]
    G --> M[Document architecture<br/>for audit readiness]
    C --> M
    J --> M
    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style I fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style J fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style K fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style L fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style M fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
```
Data Categories vs Localization Requirements
```mermaid
xychart-beta
    title "Data Category Localization Stringency"
    x-axis ["Payment Data", "Insurance Data", "Health-ABDM", "SEBI Market", "General Personal", "HR and Employee"]
    y-axis "Localization Stringency 0-10" 0 --> 10
    bar [10, 8, 9, 7, 4, 3]
```
Data Residency vs Data Sovereignty vs Data Localization
These three terms are frequently conflated:
Data residency is a commercial or contractual arrangement — a cloud provider's commitment that your primary data will not leave a named geography. This is enforceable via contract but has no direct legal status.
Data localization is a statutory or regulatory requirement mandating that specific data types be stored within national borders. Violation triggers regulatory penalties, not just breach of contract.
Data sovereignty is broader — it concerns which government has legal authority to compel disclosure, access, or interception of data. The US CLOUD Act, for example, allows US authorities to compel US-headquartered cloud providers to hand over data regardless of where it is physically stored. An India-region bucket with AWS is locally resident but not fully sovereign from US jurisdiction.
For most Indian compliance purposes, localization (the storage requirement) is the operative concept. Sovereignty becomes relevant when you are handling data for government contracts, defence-adjacent sectors, or critical national infrastructure.
What This Means for Indian Companies Using Foreign SaaS
Foreign SaaS is a large source of unrecognised localization exposure for Indian companies. Common blind spots:
CRM and Sales tools — tools like Salesforce, HubSpot, Zoho (India-hosted) store customer PII. If your customers are Indian data principals, you need to verify the data processing addendum (DPA) and storage region.
HR and Payroll SaaS — employee data (which is personal data under DPDP) flowing to servers in Ireland, the US, or Singapore is permissible under the current DPDP baseline (no restricted country list yet), but that can change by notification.
Payment processing — this is the clearest risk. If your payment gateway, aggregator, or UPI service provider routes transaction data through foreign infrastructure even briefly (and does not delete it after processing), you are exposed to RBI enforcement.
Cloud-based analytics and AI — sending Indian customer data to foreign AI APIs for training or inference may not violate localization law today, but it is worth documenting as a data flow and revisiting once DPDP Rules and Significant Data Fiduciary criteria are notified.
Backup and DR — organisations that use local primary storage but replicate backups offshore create a localization gap that regulators have specifically called out.
Practical Compliance Approach
A structured data localization compliance programme for an Indian SMB or mid-market company should cover these steps:
Step 1: Data Flow Mapping
Map every data category you collect, where it is stored, and which vendor handles it. Identify payment data, personal data, and sector-specific data categories explicitly.
Step 2: Classify Against Regulatory Buckets
Apply the decision flow above. Payment data gets the strictest treatment. Sector data gets its regulator's rule. General personal data gets the DPDP baseline.
Step 3: Architecture Review
Confirm that your cloud configuration matches the classification output. Check primary storage regions, backup destinations, replication rules, and third-party processor agreements.
Step 4: Vendor Due Diligence
For every SaaS vendor handling regulated data, obtain a written DPA that confirms Indian-region storage for applicable categories. Reject or remediate vendors that cannot confirm this.
Step 5: Document and Audit
Maintain records of your data flows, storage architecture, and DPAs. The DPDP Act's accountability principle and the RBI's audit access requirement both depend on documentation.
Step 6: Security Controls
Localization without security is incomplete compliance. Run vulnerability assessments on your India-hosted infrastructure. Bachao.AI, built by Dhisattva AI Pvt Ltd, automates the VAPT process so you can identify security gaps alongside your localization review — start with a free VAPT scan.
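Steps 2 and 3 (classify, then check that the cloud architecture matches the classification) are easiest to keep honest as policy-as-code run over your data flow inventory. The script below is an added example, not code from the original post or from Bachao.AI: it encodes the decision flow above (payment data stays in India, with the RBI's allowance for processing abroad when the foreign copy is deleted; insurance and ABDM health data follow their sector rule; SEBI market data is flagged for confirmation and then falls through to the DPDP baseline; everything else is permitted unless the destination is on a notified restricted list, which is empty today). The region identifiers, region-to-country mapping, dataset names and the sample inventory are constructed assumptions for illustration.

```python
"""Policy-as-code audit of a storage inventory against India's localization rules.

Added example, not code from the original post or from Bachao.AI. It encodes
the post's decision flow (payment data -> India only; sector data -> the
sector regulator's rule; everything else -> DPDP baseline with a restricted
country list that is currently empty) and runs it over a constructed
inventory. Region identifiers, country mapping and dataset names are assumptions.
"""
from dataclasses import dataclass

# Assumption: cloud region identifiers this organisation treats as "in India".
INDIA_REGIONS = {"ap-south-1", "ap-south-2", "centralindia", "southindia"}

# Assumption: region -> ISO country code, used for the DPDP restricted-country check.
REGION_COUNTRY = {
    "ap-south-1": "IN", "ap-south-2": "IN", "centralindia": "IN", "southindia": "IN",
    "us-east-1": "US", "eu-west-1": "IE", "ap-southeast-1": "SG",
}

# Categories the post says must be stored only in India, with the rule that applies.
INDIA_ONLY = {
    "payment": "RBI payment system data mandate (2018)",
    "insurance": "IRDAI: overseas storage needs IRDAI approval",
    "health_abdm": "ABDM: records must stay on India-hosted infrastructure",
}
# Categories where the sector rule is "subject to guidelines" rather than a clear mandate:
# flag for review, then fall through to the DPDP baseline (the "No or unclear" branch).
REVIEW_WITH_REGULATOR = {"sebi_market": "SEBI guidelines for market infrastructure data"}

# DPDP Act baseline: transfer is permitted unless the Central Government restricts the
# destination. No restricted list has been notified, so the default is empty.
DPDP_RESTRICTED_COUNTRIES: frozenset[str] = frozenset()


@dataclass
class Location:
    region: str
    role: str                                 # "primary", "backup", "replica" or "processing"
    deleted_after_processing: bool = False    # only meaningful for role == "processing"


@dataclass
class DataFlow:
    dataset: str
    category: str    # "payment", "insurance", "health_abdm", "sebi_market", "personal", "hr"
    locations: list[Location]


def audit_flow(flow: DataFlow, restricted=DPDP_RESTRICTED_COUNTRIES) -> list[str]:
    """Return findings for one data flow; an empty list means no localization gap found."""
    findings = []
    if flow.category in INDIA_ONLY:
        rule = INDIA_ONLY[flow.category]
        for loc in flow.locations:
            if loc.region in INDIA_REGIONS:
                continue
            # The RBI position allows processing abroad only if the foreign copy is
            # deleted afterwards and the stored copy lives in India. Offshore backups
            # and replicas are exactly the gap the post says regulators call out.
            if loc.role == "processing" and loc.deleted_after_processing:
                continue
            findings.append(f"{flow.dataset}: {loc.role} copy in {loc.region} violates {rule}")
        return findings

    if flow.category in REVIEW_WITH_REGULATOR:
        findings.append(f"{flow.dataset}: confirm storage location against "
                        f"{REVIEW_WITH_REGULATOR[flow.category]}")

    # DPDP baseline: only a notified restricted destination blocks the transfer;
    # consent, purpose limitation and security safeguards still apply either way.
    for loc in flow.locations:
        country = REGION_COUNTRY.get(loc.region, "UNKNOWN")
        if country in restricted:
            findings.append(f"{flow.dataset}: {loc.role} copy in {loc.region} ({country}) "
                            f"is a DPDP restricted destination")
        elif country == "UNKNOWN":
            findings.append(f"{flow.dataset}: region {loc.region} has no country mapping; "
                            f"map it before sign-off")
    return findings


def audit_inventory(flows, restricted=DPDP_RESTRICTED_COUNTRIES) -> dict[str, list[str]]:
    """Audit every flow and return only the datasets that produced findings."""
    report = {}
    for flow in flows:
        findings = audit_flow(flow, restricted)
        if findings:
            report[flow.dataset] = findings
    return report


# Constructed inventory for illustration; not real infrastructure.
SAMPLE_INVENTORY = [
    DataFlow("upi_transactions", "payment", [
        Location("ap-south-1", "primary"),
        Location("eu-west-1", "processing", deleted_after_processing=True),  # permitted
        Location("us-east-1", "backup"),                                     # offshore backup: gap
    ]),
    DataFlow("policyholder_records", "insurance", [
        Location("ap-south-1", "primary"),
        Location("ap-southeast-1", "replica"),                               # offshore replica: gap
    ]),
    DataFlow("crm_customers", "personal", [
        Location("us-east-1", "primary"),                 # allowed while the restricted list is empty
    ]),
]

if __name__ == "__main__":
    for dataset, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(dataset)
        for finding in findings:
            print("  -", finding)
```

The value of keeping the restricted list as a parameter is that the day MeitY notifies one, the audit is a one-line change rather than a re-review: the same inventory that passes today under the DPDP baseline starts producing findings for the affected destinations, while the RBI and sector findings are unaffected.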
The Evolving Regulatory Landscape
India's data localization framework is not static. Key developments to watch:
- DPDP Rules: MeitY is expected to notify the DPDP Rules that will define Significant Data Fiduciaries, specify additional obligations, and potentially publish the restricted-country list for cross-border transfers. Monitor meity.gov.in for updates.
- RBI's Digital Payments Guidelines: The RBI continues to issue updates to its master directions on payment systems. Any company in the payments ecosystem should treat rbi.org.in as a primary compliance source.
- Telecom Act 2023: The Telecom Act introduces new data handling provisions for telecom infrastructure; sector rules are being developed.
- CERT-In Directions: CERT-In's 2022 directions on cybersecurity incident reporting include logging and system-access requirements that interact with localization architecture — logs stored offshore raise compliance questions.