Technical

Data Localisation

Defined in §16, DPDPA 2023; Sectoral regulations

Requirements to store and process certain categories of personal data within India's territorial boundaries.

What does “Data Localisation” mean?

Data localisation refers to regulatory requirements mandating that certain data be stored and processed within India's territory. While DPDPA 2023 itself uses a permissive cross-border approach (negative list), sector-specific regulations impose localisation: RBI mandates payment data storage in India, IRDAI requires insurance data localisation, and SEBI has similar requirements for market data. The Central Government retains power to restrict transfers to specific countries, potentially introducing broader localisation requirements.

Why does this matter for your business?

Even though DPDPA allows cross-border transfers, sectoral regulations may require you to host data in Indian data centres. Understanding which data categories face localisation mandates prevents costly infrastructure migrations later.

Real example

A Mumbai neobank must store all payment transaction data in Indian data centres (RBI mandate) while its CRM data can be on global AWS regions under DPDPA. It deploys a hybrid architecture: core banking on AWS Mumbai (ap-south-1) with analytics on global regions using anonymised data.
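The placement rules in this example can be checked against a data inventory automatically. The sketch below is an added example, not code from the original page: the category tags, store names and finding codes are hypothetical, and it assumes each store records its primary region, its replica regions and whether its data is anonymised.

```python
from dataclasses import dataclass, field
from typing import Optional

INDIA_REGIONS = {"ap-south-1"}       # AWS Mumbai, the region named on the page
LOCALISED_CATEGORIES = {"payment"}   # assumed tag for data under the RBI mandate

@dataclass
class DataStore:
    name: str
    category: Optional[str]          # assumed tags: "payment", "crm", "analytics"; None = untagged
    region: str
    replica_regions: list = field(default_factory=list)
    anonymised: bool = False

def localisation_findings(stores):
    """Return (store name, finding code) pairs for stores that break the placement rules."""
    findings = []
    for s in stores:
        # Replicas and backups are copies of the data, so their regions count too.
        outside = sorted({s.region, *s.replica_regions} - INDIA_REGIONS)
        if not outside:
            continue
        if s.category is None:
            # Fail closed: an unclassified store might hold localised data.
            findings.append((s.name, "untagged-outside-india"))
        elif s.category in LOCALISED_CATEGORIES:
            findings.extend((s.name, f"localised-data-in-{r}") for r in outside)
        elif s.category == "analytics" and not s.anonymised:
            findings.append((s.name, "analytics-not-anonymised"))
    return findings

# Constructed inventory for illustration; names and tags are hypothetical.
SAMPLE_INVENTORY = [
    DataStore("core-banking-ledger", "payment", "ap-south-1"),
    DataStore("payments-archive", "payment", "ap-south-1", ["ap-southeast-1"]),
    DataStore("crm-contacts", "crm", "eu-west-1"),
    DataStore("analytics-lake", "analytics", "us-east-1", anonymised=True),
    DataStore("analytics-raw", "analytics", "us-east-1"),
    DataStore("tmp-export", None, "us-west-2"),
]

if __name__ == "__main__":
    for name, code in localisation_findings(SAMPLE_INVENTORY):
        print(f"{name}: {code}")
```

The cross-region replica on the payments archive is the case most often missed: the primary store sits in Mumbai, but the copy does not.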

Common misconception

DPDPA does not mandate universal data localisation. The localisation requirements come from sector-specific regulators (RBI, IRDAI, SEBI). Pure DPDPA compliance allows cross-border transfers to non-restricted countries.
