DPDP Act and Cloud Storage: What Indian Enterprises Must Know


For years, Indian enterprises treated cloud storage as an IT infrastructure decision — a question of cost, performance, and reliability. The Digital Personal Data Protection Act 2023 changes that. Cloud storage decisions now have legal dimensions, and getting them wrong carries penalties of up to ₹250 crore.

Your Cloud Provider Is a Data Processor Under the DPDP Act

The DPDP Act defines a Data Processor as any entity that processes personal data on behalf of a Data Fiduciary. When your organisation stores customer records or employee data on AWS S3, Azure Blob Storage, or Google Cloud Storage, your cloud provider is acting as a Data Processor.

This has a specific legal consequence: you need a formal Data Processing Agreement (DPA) with your cloud provider. All three major cloud providers have standard DPAs available:

  • AWS: AWS Data Processing Addendum
  • Microsoft Azure: Microsoft Products and Services Data Protection Addendum
  • Google Cloud: Google Cloud Data Processing Addendum

The issue for most Indian enterprises is not that these agreements do not exist — it is that they have never been formally executed and documented. If you cannot produce a signed DPA with your cloud provider, you have a compliance gap that needs to be closed today.

Data Residency: Where Is Your Data Actually Stored?

One of the most pressing cloud implications of the DPDP Act is data residency. The Act empowers the Government of India to restrict the transfer of certain categories of personal data outside Indian territory. All three major cloud providers have data centre regions in India:

Cloud Provider     Indian Regions
AWS                Mumbai (ap-south-1), Hyderabad (ap-south-2)
Microsoft Azure    Central India (Pune), South India (Chennai), West India (Mumbai)
Google Cloud       Mumbai (asia-south1), Delhi (asia-south2)

Questions You Need to Answer Right Now

  • Which cloud regions contain personal data of Indian citizens?
  • Is any personal data being replicated to regions outside India for backup or DR purposes?
  • Are any SaaS applications used by your organisation storing Indian personal data outside India?
  • Do your cloud provider agreements specify where your data is stored and replicated?
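Answering the second question above (is personal data replicated outside India?) is easiest when the check is written down once and run over an inventory. The script below is an added example, not something from the article or from any cloud provider's tooling: the storage inventory is constructed, the AWS and Google Cloud region identifiers are the ones in the table above, and the Azure API region names (centralindia, southindia, westindia) are supplied from general knowledge rather than from the article. It flags every location holding Indian personal data whose primary region or any replication target falls outside the Indian regions.

```python
"""Flag storage locations holding Indian personal data that sit, or are
replicated, outside India. Added example; inventory below is constructed."""

from dataclasses import dataclass, field

# Indian regions per provider. AWS/GCP identifiers are from the article's table;
# the Azure short names are assumed API identifiers (the article lists display names).
INDIAN_REGIONS = {
    "aws": {"ap-south-1", "ap-south-2"},
    "azure": {"centralindia", "southindia", "westindia"},
    "gcp": {"asia-south1", "asia-south2"},
}


@dataclass
class StorageLocation:
    provider: str
    name: str
    region: str                      # region of the primary copy
    holds_personal_data: bool        # output of a discovery scan, e.g. Macie/Purview/DLP
    replicas: list = field(default_factory=list)  # regions the data is copied to (backup/DR)


def residency_findings(inventory):
    """Return (name, copy_kind, region) for every copy of personal data outside India.

    An unknown provider has no allowed regions, so all of its locations are flagged
    rather than silently passed.
    """
    findings = []
    for loc in inventory:
        if not loc.holds_personal_data:
            continue
        allowed = INDIAN_REGIONS.get(loc.provider.lower(), set())
        if loc.region not in allowed:
            findings.append((loc.name, "primary", loc.region))
        for replica_region in loc.replicas:
            if replica_region not in allowed:
                findings.append((loc.name, "replica", replica_region))
    return findings


# Constructed sample inventory (hypothetical names, not real accounts).
SAMPLE_INVENTORY = [
    StorageLocation("aws", "crm-records", "ap-south-1", True, replicas=["us-east-1"]),
    StorageLocation("azure", "hr-archive", "centralindia", True),
    StorageLocation("gcp", "marketing-logs", "asia-south1", False, replicas=["europe-west1"]),
    StorageLocation("aws", "payroll-backup", "eu-west-1", True),
]

if __name__ == "__main__":
    for name, kind, region in residency_findings(SAMPLE_INVENTORY):
        print(f"{name}: {kind} copy in non-Indian region {region}")
```

The replica check is the part most teams miss: a Mumbai bucket with cross-region replication to a DR region abroad answers "yes" to the replication question even though the primary region looks compliant.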

Data Retention and Deletion in Cloud Storage

The DPDP Act introduces a clear obligation to delete personal data once the purpose for which it was collected has been fulfilled. In cloud storage terms, this means you need automated retention policies configured on all cloud storage resources containing personal data.

Platform-Specific Retention Tools

  • AWS S3: S3 Lifecycle Policies that automatically expire and delete objects after a specified number of days
  • Azure Blob Storage: Lifecycle Management policies that delete blobs after defined retention periods
  • Google Cloud Storage: Object Lifecycle Management rules for automatic deletion

If your cloud storage buckets do not have retention and deletion policies configured, you are not DPDP-compliant for any personal data stored there.
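Checking that a lifecycle policy actually covers the prefixes where personal data lives is more than checking that a policy exists: the rule has to be enabled, it has to expire objects (a transition to Glacier is not deletion), and on a versioned bucket the noncurrent versions need their own expiration. The following is an added example, not code from the article or from AWS; it evaluates a lifecycle configuration in the shape the S3 GetBucketLifecycleConfiguration API returns against a list of prefixes known to hold personal data. The maximum retention in days is a parameter for the organisation's own retention schedule, since the Act ties deletion to purpose rather than to a fixed number of days. The configuration and prefixes below are constructed.

```python
"""Find personal-data prefixes in an S3 bucket not covered by an enabled
expiration rule. Added example; the lifecycle configuration is constructed."""


def _rule_prefix(rule):
    """Key prefix a lifecycle rule applies to; None if it is scoped by tags only."""
    if "Prefix" in rule:                       # legacy top-level Prefix form
        return rule["Prefix"]
    flt = rule.get("Filter", {})
    if "Prefix" in flt:
        return flt["Prefix"]
    if "And" in flt and "Prefix" in flt["And"]:
        # Optimistic: the tag conditions in And narrow the rule further.
        return flt["And"]["Prefix"]
    if not flt:                                # empty filter applies to the whole bucket
        return ""
    return None


def _expires_within(rule, max_days):
    """True if the rule deletes current objects within max_days (Transitions do not count)."""
    days = rule.get("Expiration", {}).get("Days")
    return days is not None and days <= max_days


def retention_gaps(lifecycle, personal_prefixes, max_days, versioned=False):
    """Return (prefix, reason) for each prefix lacking adequate deletion rules."""
    gaps = []
    enabled = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
    for prefix in personal_prefixes:
        applicable = [
            r for r in enabled
            if _rule_prefix(r) is not None and prefix.startswith(_rule_prefix(r))
        ]
        if not any(_expires_within(r, max_days) for r in applicable):
            gaps.append((prefix, f"no enabled Expiration rule within {max_days} days"))
            continue
        if versioned and not any("NoncurrentVersionExpiration" in r for r in applicable):
            gaps.append((prefix, "versioned bucket: no NoncurrentVersionExpiration rule"))
    return gaps


# Constructed sample, in the shape returned by get_bucket_lifecycle_configuration.
SAMPLE_LIFECYCLE = {
    "Rules": [
        {"ID": "expire-customers", "Status": "Enabled",
         "Filter": {"Prefix": "customers/"},
         "Expiration": {"Days": 365},
         "NoncurrentVersionExpiration": {"NoncurrentDays": 30}},
        {"ID": "expire-hr", "Status": "Disabled",           # disabled rule: no effect
         "Filter": {"Prefix": "hr/"}, "Expiration": {"Days": 180}},
        {"ID": "archive-logs", "Status": "Enabled",          # archives, never deletes
         "Filter": {"Prefix": "logs/"},
         "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]},
        {"ID": "kyc-long", "Status": "Enabled",              # deletes, but far too late
         "Filter": {"And": {"Prefix": "kyc/", "Tags": [{"Key": "pii", "Value": "true"}]}},
         "Expiration": {"Days": 3650}},
    ]
}
PERSONAL_PREFIXES = ["customers/", "hr/", "logs/", "kyc/"]

if __name__ == "__main__":
    for prefix, reason in retention_gaps(SAMPLE_LIFECYCLE, PERSONAL_PREFIXES, 730, versioned=True):
        print(f"{prefix}: {reason}")
```

Azure Blob lifecycle management and Google Cloud Object Lifecycle rules have the same failure modes (disabled rule, tiering mistaken for deletion, prefix not matched), so the same three checks translate directly to those platforms.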

Security Obligations for Cloud Storage

For cloud storage, reasonable security safeguards under the DPDP Act include:

  • Encryption at rest: All cloud storage containing personal data must be encrypted at rest
  • Encryption in transit: All data transfers must use TLS/HTTPS
  • Access controls: Strict IAM policies, bucket policies, and ACLs on all storage containing personal data
  • Access logging: Enable access logging on all storage resources containing personal data
  • Backup security: Backup archives must be encrypted, access-controlled, and covered by retention policies
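Four of the five safeguards above are visible in an S3 bucket's configuration and can be checked mechanically: default encryption at rest, a bucket policy that denies requests not made over TLS, server access logging, and the public access block (the backup-security item is covered by running the same checks, plus the retention checks, on the backup bucket). The code below is an added example, not taken from the article or from AWS; it takes a dictionary assembled from the responses of GetBucketEncryption, GetBucketPolicy, GetBucketLogging and GetPublicAccessBlock, and reports which safeguards are missing. Both bucket descriptions are constructed.

```python
"""Report missing S3 security safeguards for a bucket holding personal data.
Added example; the bucket descriptions below are constructed."""

import json


def _encrypted_at_rest(bucket):
    """Default encryption (SSE-S3 or SSE-KMS) is configured."""
    for rule in bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return True
    return False


def _denies_plain_http(policy_json):
    """Bucket policy contains a Deny on s3:* for all principals when aws:SecureTransport is false.

    Conservative: a Deny limited to a narrower Action list is not accepted here and
    should be reviewed by hand.
    """
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (stmt.get("Effect") == "Deny"
                and str(secure).lower() == "false"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and "s3:*" in actions):
            return True
    return False


def _logging_enabled(bucket):
    return bool(bucket.get("LoggingEnabled", {}).get("TargetBucket"))


def _public_access_blocked(bucket):
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)


def security_findings(bucket):
    """Return a list of missing safeguards; an empty list means all four checks pass."""
    findings = []
    if not _encrypted_at_rest(bucket):
        findings.append("no default encryption at rest (SSE-S3 or SSE-KMS)")
    if not _denies_plain_http(bucket.get("Policy")):
        findings.append("bucket policy does not deny requests over plain HTTP")
    if not _logging_enabled(bucket):
        findings.append("server access logging not enabled")
    if not _public_access_blocked(bucket):
        findings.append("public access block not fully enabled")
    return findings


TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed bucket descriptions (hypothetical names).
COMPLIANT_BUCKET = {
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "Policy": TLS_ONLY_POLICY,
    "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "crm/"},
    "PublicAccessBlockConfiguration": {k: True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")},
}
WEAK_BUCKET = {
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False},
}

if __name__ == "__main__":
    for name, bucket in (("compliant", COMPLIANT_BUCKET), ("weak", WEAK_BUCKET)):
        print(name, security_findings(bucket) or ["all safeguards present"])
```

The TLS_ONLY_POLICY statement is the standard pattern for the "encryption in transit" item: S3 accepts plain HTTP by default, so without an explicit Deny conditioned on aws:SecureTransport the transport requirement is only met by client discipline.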

SaaS Applications and the DPDP Act

Most Indian enterprises are also heavy users of SaaS applications — Salesforce, HubSpot, Workday, Zoom, and hundreds of others. Every SaaS application that processes personal data of Indian citizens makes its vendor a Data Processor under the DPDP Act. You need a DPA with every such vendor and visibility into where each SaaS vendor stores data.

The Cloud Storage DPDP Audit: What to Do This Quarter

  • Step 1 — Map your cloud regions. Identify every cloud account and document which regions are active and what data is stored there
  • Step 2 — Identify personal data in cloud storage. Use AWS Macie, Microsoft Purview, or Google Cloud DLP to scan for personal data
  • Step 3 — Review and execute DPAs. Confirm DPAs are in place with AWS, Microsoft, Google, and every SaaS vendor that processes personal data
  • Step 4 — Configure retention policies. Set automated retention and deletion policies on all cloud storage containing personal data
  • Step 5 — Audit security controls. Review encryption, access controls, and logging on all cloud storage resources

CloudFirst helps Indian enterprises audit cloud infrastructure for DPDP Act compliance. Contact us → cloudfirst.in/contact-sales.php

Frequently Asked Questions

Q: Does the DPDP Act require all data to be stored in India?

Not currently. The Act permits cross-border data transfers except to countries the Government specifically restricts. However, the Government can notify data localisation requirements for specific categories of data at any time.

Q: Is an AWS S3 bucket in the Mumbai region automatically DPDP compliant?

Storing data in an Indian region satisfies the data residency aspect of compliance, but it does not make you automatically compliant. You still need a DPA with AWS, appropriate retention policies, encryption, access controls, and breach notification procedures.

Q: How does the DPDP Act interact with RBI data localisation requirements?

RBI has its own data localisation requirements for payment data — all payment system data must be stored only in India. The DPDP Act operates alongside these sector-specific requirements; both apply.