India’s Digital Personal Data Protection (DPDP) Act, 2023 moves privacy from principle to enforcement. The law creates a statutory framework for processing digital personal data that explicitly balances two objectives:
- protecting an individual’s right over personal data,
- and enabling lawful processing for legitimate purposes.
This shift matters because the risk is no longer abstract. In India, the average cost of a data breach reached INR 220 million (INR 22 crore) in 2025, according to IBM’s reporting. At the same time, DPDP introduces meaningful financial exposure. The Data Protection Board can impose penalties that go up to INR 250 crore for certain classes of non-compliance, which changes how boards and audit committees evaluate privacy controls.
DPDP is also operational by design. It places direct obligations on Data Fiduciaries to implement reasonable security safeguards, notify the Board and affected individuals in the event of a personal data breach, and enable core Data Principal rights such as access, correction, erasure, nomination, and grievance redressal. The net impact is clear. Enterprises that cannot prove how personal data is collected, used, shared, retained, and secured across systems will struggle to demonstrate compliance under scrutiny.
What is the DPDP Act?
The Digital Personal Data Protection (DPDP) Act, 2023 is India’s first comprehensive law governing how personal data is collected, processed, stored, and shared in digital systems. It applies to the processing of digital personal data within India and also to processing outside India when it relates to offering goods or services to individuals in India.
At its core, the Act introduces two formal roles.
- Data Principal is the individual to whom the personal data relates. This includes parents or lawful guardians acting on behalf of children or persons with disabilities.
- Data Fiduciary is any enterprise, government body, or organization that determines the purpose and means of processing personal data. Entities that process data on behalf of a fiduciary are classified as Data Processors.
The DPDP Act is built around a consent driven and accountability based model. Personal data can be processed either on the basis of valid consent or under defined legitimate uses such as legal obligations, medical emergencies, or performance of state functions. For children under 18, processing requires verifiable parental consent, and behavioral tracking or targeted advertising is prohibited.
To enforce these obligations, the Act establishes the Data Protection Board of India, a statutory body with the power to investigate non-compliance, issue directions, and impose financial penalties. Penalties for breaches of key obligations, including failure to protect personal data or failure to notify data breaches, can reach INR 250 crore depending on the violation.
In practical terms, DPDP transforms data protection in India from a best effort compliance exercise into a legally enforceable operational requirement. Organizations must be able to demonstrate that personal data is handled lawfully, transparently, and securely across every system, application, and data flow that touches Indian residents’ information.
How DPDP is different from GDPR
Both the DPDP Act and the EU GDPR aim to protect personal data, but they are designed for very different regulatory and operational realities.
GDPR is a highly prescriptive, documentation heavy regime built around prior controls, formal records, and defined timelines. DPDP is a lighter, enforcement driven law that places responsibility on enterprises to prove that personal data is handled safely in real operating environments. It introduces new rights such as nomination, expands language accessibility, and uses a tiered risk model through Significant Data Fiduciaries rather than uniform obligations for all entities.
What the DPDP Act actually regulates
The DPDP Act does not regulate documents, policies, or privacy statements. It regulates what happens to personal data inside live digital systems.
The law applies to the processing of digital personal data, whether that data was collected online or was originally collected offline and later digitized. This includes customer records in CRM platforms, employee data in HR systems, transaction logs in financial systems, telemetry stored in SaaS tools, and personal data flowing through APIs between applications.
From an enterprise operating perspective, this means the regulatory perimeter is not limited to a single database or application. It extends across:
- Business applications that collect or use personal data
- Cloud platforms where data is stored or processed
- APIs that move data between systems
- Third party processors and service providers
- Analytics, AI, and automation systems that consume personal data
Every operation performed on personal data falls within scope. The Act defines processing broadly to include collection, recording, storage, use, sharing, adaptation, and erasure. In practical terms, any workflow that touches a person’s data is regulated, not just the point of initial collection.
The DPDP Act also has extraterritorial reach. Organizations based outside India are covered if they process digital personal data in connection with offering goods or services to individuals in India. This brings global SaaS platforms, payment providers, and cloud hosted services into scope even when their infrastructure is located elsewhere.
What the Act ultimately enforces is control. Enterprises must be able to demonstrate that personal data is collected for defined purposes, accessed only by authorized systems and users, retained only as long as necessary, and protected against misuse or exposure across every environment where it flows.
Scope: Who must comply with the DPDP Act?
The DPDP Act applies to every entity that determines how and why digital personal data is processed, as well as those that process data on their behalf. The law uses a role based model that separates accountability from execution, which is central to how enforcement and penalties are applied.
1. Digital Personal Data Fiduciaries
A Data Fiduciary is any person, company, or government body that decides the purpose and means of processing personal data. This includes enterprises running consumer platforms, financial institutions, SaaS providers, healthcare organizations, and any business that collects or uses personal data of individuals in India.
Data Fiduciaries are directly responsible for complying with the DPDP Act, even when processing is outsourced to vendors or cloud platforms.
Their obligations include issuing clear privacy notices, obtaining valid consent where required, implementing reasonable security safeguards, enabling Data Principal rights, and reporting personal data breaches to the Data Protection Board and affected individuals.
2. Significant Data Fiduciaries (SDFs)
The Act introduces a risk based tier called Significant Data Fiduciaries. The Central Government can designate an entity as an SDF based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on sovereignty, integrity, or public order.
SDFs face additional compliance requirements that go beyond standard fiduciary duties. These include appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs) for high risk processing activities. This tiered model ensures that organizations handling large or sensitive data sets are subject to stronger governance and oversight.
3. Data Processors
A Data Processor is any entity that processes personal data on behalf of a Data Fiduciary, such as cloud providers, analytics platforms, marketing vendors, or outsourced service providers. While processors operate under the instructions of the fiduciary, the fiduciary remains legally accountable for their actions.
This means that contractual controls, technical safeguards, and continuous oversight of processors are essential under DPDP. If a processor causes a breach or misuses personal data, the Data Fiduciary is still liable under the Act.
Together, these roles define the scope of DPDP enforcement. Whether an organization directly collects personal data or merely handles it through APIs, SaaS platforms, or third party services, it falls within the regulatory perimeter of the DPDP Act.
The Complete DPDP Act compliance checklist to follow
The DPDP Act is enforced through outcomes, not intent. Auditors and regulators will look for evidence that personal data is governed, tracked, protected, and controlled across the entire enterprise. The following checklist reflects the operational obligations that Data Fiduciaries and Significant Data Fiduciaries must be able to demonstrate.
1. Data Governance and Accountability
Enterprises must be able to show that ownership and responsibility for personal data is formally assigned and actively enforced.
For organizations designated as Significant Data Fiduciaries, this includes appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
All Data Fiduciaries, regardless of size, must document a data governance framework that defines who owns personal data, who can access it, and how compliance is monitored across business units and third parties. A formal data protection policy aligned to DPDP requirements is a baseline control that regulators expect to see.
From an operational perspective, accountability cannot stop at organizational charts. It must extend across APIs, cloud services, and processors where personal data is actually handled, which is where runtime visibility becomes critical.
2. Data Inventory and Mapping
DPDP compliance starts with knowing where personal data exists.
The Act requires Data Fiduciaries to understand what personal data they collect, how it is processed, where it is stored, and with whom it is shared. This applies equally to data in core applications, cloud platforms, data warehouses, SaaS tools, and the APIs that connect them.
3. Data Principal Rights
The DPDP Act gives individuals enforceable rights over their personal data, including the right to access, correction, erasure, nomination, and grievance redressal.
Data Fiduciaries must establish clear procedures for receiving, verifying, and responding to these requests and must do so within the timeframes that may be prescribed by future rules. Every request and response should be logged so that the organization can demonstrate compliance if challenged by the Data Protection Board.
In practice, fulfilling these rights requires knowing which systems hold a person’s data and how it is used across the enterprise, not just in a single customer database.
4. Security Safeguards & Controls
The DPDP Act requires Data Fiduciaries to implement reasonable security safeguards to protect personal data against unauthorized access, disclosure, alteration, or destruction.
This includes technical and organizational controls such as:
- Encryption of personal data at rest and in transit
- Role based access controls and multi-factor authentication
- Regular security reviews, audits, and vulnerability assessments
Security under DPDP is not limited to perimeter defenses. It applies to how personal data is accessed and used inside applications, services, and APIs, which is where most modern data exposure occurs.
5. Breach Reporting & Incident Response
A personal data breach under the DPDP Act includes any unauthorized or accidental disclosure, access, use, alteration, or loss of personal data. When a breach occurs, the Data Fiduciary must notify both the Data Protection Board of India and each affected Data Principal in the prescribed manner.
To meet this obligation, enterprises must maintain logs and monitoring systems that can identify suspicious activity, reconstruct what happened, and support timely reporting. Penalties for failure to report breaches or protect personal data can reach hundreds of crores of rupees, making incident response a board-level risk.
6. Third Party & Processor Governance
Data Fiduciaries remain legally responsible for personal data processed by their vendors, cloud providers, and other Data Processors.
This requires:
- Contracts that bind processors to DPDP obligations
- Controls over how data is shared and retained
- Ongoing verification that processors apply appropriate security measures
In modern enterprises, much of this processing happens through APIs and integrated platforms, which makes continuous oversight of third-party data flows essential.
7. Data Retention & Deletion
The DPDP Act enforces purpose based retention. Personal data must be erased when the purpose for which it was collected has been fulfilled or when consent is withdrawn, unless retention is required by law.
Enterprises must define retention schedules, implement deletion workflows, and keep records of when and how data was erased. These controls must apply across all systems and services that hold personal data, not just primary databases.
In operational terms, retention and deletion policies must be enforced wherever data is consumed, stored, or transmitted, including downstream systems and third party integrations.
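The retention and deletion controls above (a retention schedule, a deletion workflow, and a record of when and how data was erased) can be reduced to a small decision routine. The following is an added illustration, not code from the original post or from Levo; the record layout, the retention periods, the system names and the legal-hold flag are constructed assumptions chosen to show the priority order between a legal obligation to retain, withdrawal of consent, and expiry of the original purpose.

```python
"""Purpose-based retention with an erasure audit trail.

Added illustration, not code from the original post or from Levo. The record
layout, retention periods, system names and legal-hold flag are constructed
assumptions used to show the decision logic.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention schedule: days a record may be kept after its purpose is
# fulfilled. A value of 0 means "erase as soon as the purpose ends".
RETENTION_DAYS = {
    "account_service": 30,
    "marketing": 0,
    "tax_records": 365 * 7,  # kept under an assumed statutory requirement
}


@dataclass
class Record:
    record_id: str
    system: str                           # e.g. "crm", "warehouse" (constructed)
    purpose: str
    purpose_fulfilled_on: Optional[date]  # None while the purpose is still active
    consent_withdrawn_on: Optional[date] = None
    legal_hold: bool = False              # retention required by law


@dataclass
class Decision:
    record_id: str
    action: str   # "erase" or "retain"
    reason: str


def decide(record: Record, today: date) -> Decision:
    """Apply the purpose-based rule in priority order.

    1. A legal obligation to retain overrides everything else.
    2. Withdrawn consent triggers erasure even if the purpose is still open.
    3. An active purpose keeps the record.
    4. Otherwise erase once the post-purpose retention window has passed.
    """
    if record.legal_hold:
        return Decision(record.record_id, "retain", "retention required by law")
    if record.consent_withdrawn_on is not None:
        return Decision(record.record_id, "erase", "consent withdrawn")
    if record.purpose_fulfilled_on is None:
        return Decision(record.record_id, "retain", "purpose still active")
    keep_until = record.purpose_fulfilled_on + timedelta(days=RETENTION_DAYS[record.purpose])
    if today >= keep_until:
        return Decision(record.record_id, "erase",
                        f"purpose '{record.purpose}' fulfilled, retention window ended {keep_until.isoformat()}")
    return Decision(record.record_id, "retain", f"within retention window until {keep_until.isoformat()}")


def run_retention(records, today, erasure_log):
    """Erase what must go, keep the rest, and log every erasure with its reason.

    The log is the evidence of when and how data was erased; it records the
    system the record lived in so deletion can be shown across all systems.
    """
    remaining = []
    for rec in records:
        d = decide(rec, today)
        if d.action == "erase":
            erasure_log.append({
                "record_id": rec.record_id,
                "system": rec.system,
                "erased_on": today.isoformat(),
                "reason": d.reason,
            })
        else:
            remaining.append(rec)
    return remaining


# Constructed sample records spanning several systems.
SAMPLE_RECORDS = [
    Record("r1", "crm", "account_service", date(2025, 4, 1)),
    Record("r2", "crm", "account_service", date(2025, 5, 20)),
    Record("r3", "warehouse", "marketing", None, consent_withdrawn_on=date(2025, 5, 30)),
    Record("r4", "erp", "tax_records", date(2024, 1, 1), legal_hold=True),
    Record("r5", "warehouse", "account_service", None),
]


def demo(today: date = date(2025, 6, 1)):
    """Run the schedule against the sample set; returns (retained ids, erasure log)."""
    log = []
    remaining = run_retention(SAMPLE_RECORDS, today, log)
    return [r.record_id for r in remaining], log


if __name__ == "__main__":
    kept, log = demo()
    print("retained:", kept)
    for entry in log:
        print("erased:", entry)
```

The ordering of the checks is the point: a statutory retention requirement is tested before consent withdrawal, so a withdrawn consent never erases a record the law says must be kept, and the erasure log names the system each record came from so the same schedule can be evidenced across downstream stores and not only the primary database.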
Why Static Application Security Testing (SAST) Tools Fall Short for DPDP Compliance
Most compliance programs still rely on static controls. Policies, spreadsheets, architecture diagrams, and periodic scans are used to describe how personal data is supposed to move through the enterprise. The DPDP Act does not regulate intent. It regulates actual processing of personal data.
Static application security testing and inventory based API tools operate on declared assets. They depend on OpenAPI specifications, code repositories, or manually maintained service lists. These sources cannot see how data actually moves across live production systems, where modern personal data processing takes place.
This creates three fundamental gaps.
- First, manual inventories and policies do not reflect real data flows. APIs are created, deprecated, and repurposed continuously. Cloud services and SaaS platforms exchange personal data through integrations that are often not documented. A static list of systems may show what should exist, but it does not show what is actually processing personal data at any given moment.
- Second, static tools cannot see shadow and machine-driven activity. Modern enterprises rely on internal APIs, partner APIs, automation pipelines, and AI agents that consume and transmit personal data. These flows rarely appear in formal documentation. Shadow APIs, undocumented endpoints, and autonomous AI-driven calls are invisible to SAST and design-time scanners, yet they are fully in scope under the DPDP Act.
- Third, regulatory enforcement depends on proof of behavior. When a breach, complaint, or audit occurs, the Data Protection Board will expect evidence of what happened to personal data. That evidence must show which systems accessed the data, which APIs transmitted it, and whether access was authorized and aligned with consent. Static security tools and periodic scans cannot provide this level of forensic accuracy because they do not observe live production traffic.
DPDP compliance is therefore not achieved by knowing what systems exist. It is achieved by knowing how personal data is actually used across those systems in real time.
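The three gaps above (undocumented endpoints, machine-driven callers, and proof of which system accessed which data) are all questions that can only be answered from observed traffic. The following is an added example, not code from the original post or from Levo, of the kind of check a runtime evidence layer performs: it parses constructed API access records, maps each request to a route, classifies personal data in the payload, and flags shadow endpoints, callers outside an allowlist, and personal data leaving for a third-party host. The log format, declared endpoint list, caller allowlist, host list and traffic lines are all constructed assumptions.

```python
"""Runtime evidence from API traffic: shadow endpoints, unauthorized callers,
and personal-data egress to third parties.

Added illustration, not code from the original post or from Levo. The log
format, declared endpoints, caller allowlist, internal host list and the
sample traffic are constructed for the example.
"""
import json
import re

# Assumed declared API surface (what an OpenAPI spec or catalogue would list).
DECLARED_ENDPOINTS = {("GET", "/v1/customers/{id}"), ("POST", "/v1/orders")}

# Assumed authorization model: which workload identities may call each route.
AUTHORIZED_CALLERS = {
    "/v1/customers/{id}": {"crm-service"},
    "/v1/orders": {"checkout-service"},
}

INTERNAL_HOSTS = {"api.internal"}  # any other destination is treated as a third party

# Illustrative classifiers for personal data in a payload (constructed).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone_in": re.compile(r"(?<!\d)[6-9]\d{9}(?!\d)"),  # Indian mobile number shape
}

# Constructed traffic events, serialized one JSON object per line the way a
# traffic tap or gateway access log might emit them.
SAMPLE_EVENTS = [
    {"method": "GET", "path": "/v1/customers/1042", "caller": "crm-service",
     "dst": "api.internal", "body": '{"email":"a.sharma@example.com","phone":"9876543210"}'},
    {"method": "POST", "path": "/internal/export", "caller": "analytics-job",
     "dst": "api.internal", "body": "email=r.iyer@example.org&rows=500"},
    {"method": "POST", "path": "/v1/orders", "caller": "reporting-batch",
     "dst": "api.internal", "body": '{"order":77}'},
    {"method": "GET", "path": "/v1/customers/77", "caller": "crm-service",
     "dst": "partner.example.net", "body": '{"phone":"9123456789"}'},
]
SAMPLE_TRAFFIC = [json.dumps(e) for e in SAMPLE_EVENTS]


def normalize_path(path: str) -> str:
    """Replace purely numeric segments with {id} so instances map to one route."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def classify_pii(body: str) -> list:
    """Return the sorted list of personal-data types found in the payload."""
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(body))


def analyze(lines):
    """Turn raw access records into evidence rows with compliance flags."""
    evidence = []
    for line in lines:
        ev = json.loads(line)
        route = normalize_path(ev["path"])
        pii = classify_pii(ev.get("body", ""))
        flags = []
        # Gap 1/2: traffic to a route nobody declared is a shadow endpoint.
        if (ev["method"], route) not in DECLARED_ENDPOINTS:
            flags.append("shadow_endpoint")
        # Gap 3: was this caller authorized for the route it used?
        allowed = AUTHORIZED_CALLERS.get(route)
        if allowed is not None and ev["caller"] not in allowed:
            flags.append("unauthorized_caller")
        # Personal data observed leaving for a non-internal destination.
        if pii and ev["dst"] not in INTERNAL_HOSTS:
            flags.append("third_party_egress")
        evidence.append({"method": ev["method"], "route": route, "caller": ev["caller"],
                         "dst": ev["dst"], "pii": pii, "flags": flags})
    return evidence


if __name__ == "__main__":
    for row in analyze(SAMPLE_TRAFFIC):
        print(row)
```

Each evidence row answers the questions a regulator would ask after an incident: which route carried the data, which identity called it, what categories of personal data were present, and where it went. The route normalization is what lets thousands of per-customer URLs collapse onto one declared endpoint for the shadow-API comparison.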
How Levo enables DPDP compliance
DPDP compliance breaks when enterprises cannot prove how personal data is processed across production systems. Levo is built for that evidence layer. It uses kernel level eBPF telemetry to observe real API behavior, even in encrypted environments, and converts that telemetry into inventory, monitoring, detections, and enforceable controls across the DPDP lifecycle.
Below is how Levo maps directly to the DPDP obligations defined earlier.
Data inventory and mapping that stays current
DPDP requires knowing where personal data exists and how it moves. Levo’s API Inventory continuously discovers internal, external, partner, third-party, shadow, and zombie APIs across environments and API types, without relying on static specs that go stale.
This closes a common compliance gap: undocumented endpoints and “forgotten” services that still process personal data.
Continuous monitoring for misconfigurations and exposure paths
DPDP compliance is undermined by misconfigurations that appear after releases, integrations, or operational changes. Levo’s API Monitoring continuously observes APIs to detect misconfigurations, failures, data exposures, and policy violations in real time, rather than at audit time.
This supports DPDP security safeguard expectations by surfacing exposure conditions as soon as they occur.
Sensitive data discovery tied to real flows
DPDP is fundamentally about protecting personal data, not just securing endpoints. Levo’s Sensitive Data Discovery inspects live traffic to automatically identify and classify sensitive data and map where it flows, including to third-party APIs. It surfaces exposure paths with context, instead of isolated payload fragments.
This is what makes consent, minimization, and purpose control auditable across distributed systems.
High-fidelity detections that reduce audit and incident noise
DPDP enforcement will reward clarity. Levo’s API Detection anchors detections in runtime behavior and application context, including identity and data flow signals, and maintains visibility even when TLS or mTLS is used.
This reduces the “alert volume without evidence” problem that makes compliance reviews slow and inconclusive.
Runtime protection that blocks abuse without breaking performance or data residency
DPDP penalties are driven by real harm. Levo’s API Protection is an inline runtime control layer built on kernel-level visibility, local analysis, and policy enforcement. It is designed to block malicious behavior on live traffic while keeping analysis local, avoiding data egress and residency risks.
This is the enforcement counterpart to detection, and it matters when regulators expect prevention, not just post-incident reporting.
Continuous API security testing that mirrors real abuse patterns
DPDP controls fail when testing is incomplete, tokenized endpoints are skipped, or test coverage is limited to what developers documented. Levo’s API Security Testing generates large sets of endpoint-specific payloads using API documentation and catalog context, and runs continuously across commits, changes, and integrations.
This directly supports DPDP readiness by finding exploitable weaknesses before they become personal data incidents.
Vulnerability reporting that is prioritised for action
DPDP compliance programs collapse under untriaged backlogs. Levo’s Vulnerabilities Reporting focuses on high-confidence findings validated by real traffic and runtime context, rather than long lists of theoretical issues.
This produces remediation queues that security, engineering, and audit teams can actually close.
MCP Server for governed agentic workflows and audit evidence
DPDP obligations increasingly intersect with AI-driven operations and automation. Levo’s MCP Server exposes governed, real-time security context and safe actions through a programmable interface, with controls such as RBAC and audit logging. It is designed to let internal tools and AI agents query current security posture, test outcomes, exposure paths, and evidence without relying on screenshots or manual exports.
Conclusion
The DPDP Act marks a structural shift in how data protection is enforced in India. Compliance is no longer satisfied by privacy policies, static inventories, or annual audits. The law places accountability on how personal data is actually processed across live systems, APIs, cloud platforms, and third-party integrations. Data Fiduciaries are expected to prove control over every stage of the data lifecycle, from consent and collection to access, sharing, retention, and breach response.
This creates a gap that traditional compliance and security tooling cannot close. Static documentation, design-time scans, and periodic assessments do not capture how personal data moves in production, especially in environments built on microservices, SaaS, and AI-driven automation. When regulators or Data Principals ask what happened to specific data, only runtime evidence can provide a defensible answer.
Levo addresses this requirement by making DPDP compliance observable and enforceable at the point where it matters most: live API traffic and real data flows. By continuously discovering APIs, mapping sensitive data, detecting exposure paths, and enforcing policies in production, Levo gives enterprises the operational control that the DPDP Act demands.
In a regulatory environment where penalties can reach hundreds of crores of rupees and enforcement is tied to real outcomes, DPDP compliance becomes a matter of visibility and control, not paperwork. Enterprises that invest in runtime-level governance will be positioned to meet both the letter and the spirit of India’s data protection law.