Transfer of personal data from India to another country, permitted unless the destination is specifically restricted.
Cross-border data transfer refers to the transmission of digital personal data from India to any other country or territory. Under DPDPA 2023, transfers are permitted to all countries except those specifically restricted by the Central Government via notification. This is a "negative list" approach — everything is allowed unless explicitly blocked. The Government may restrict transfers to specific countries based on national security or other considerations.
Most Indian startups use global SaaS tools (AWS US, Google Cloud, Stripe) that transfer data outside India. Under DPDPA, this is currently permitted but could change overnight if the Government adds a country to the restricted list.
A Gurgaon B2B startup stores customer data on AWS US-East servers and uses Stripe (Ireland) for payments. Currently legal under DPDPA, but the startup should document these transfers in its RoPA and have contractual mechanisms in place should restrictions be imposed.
DPDPA does NOT require data localisation by default. Unlike RBI's payment data rules, DPDPA allows cross-border transfers unless specifically restricted by government notification.
DPDPA Shield automates Data Inventory & RoPA. See how →