Compliance
Data residency refers to where data is physically stored. Data residency requirements in India mandate that certain types of data — especially personal data of Indian citizens, financial data, government data — must be stored on servers located within India. Multiple Indian regulators have data residency provisions: RBI (banking), DPDP Act (personal data), MeitY (government), SEBI (capital markets).
India's data residency landscape includes: (1) RBI Storage of Payment System Data Direction 2018 — all payment data of Indian customers must be stored only in India, (2) DPDP Act 2023 — government can restrict cross-border transfer to specific countries, (3) MeitY guidelines — government data on sovereign Indian cloud (typically Yotta, NIC, BSNL), (4) Sectoral regulators (SEBI, IRDAI) — specific data residency for their domains. India has multiple data centre regions from hyperscalers (AWS Mumbai/Hyderabad, Azure Pune/Chennai/Mumbai, Google asia-south1/2) and sovereign Indian clouds (Yotta, NIC, ESDS).
Industries served: BFSI, Government / PSU, Healthcare, Insurance, All Indian businesses under DPDP
Related terms: DPDP Act 2023, Yotta Cloud, AWS Mumbai Region, Azure India, MeitY Empanelment
Not directly. DPDP allows cross-border transfer except to countries the Government restricts via notification. As of 2026, no countries are restricted, but the framework allows future restrictions. Best practice for Indian businesses: prefer Indian data residency where possible to be future-proof against potential cross-border restrictions.
Per RBI's Storage of Payment System Data Direction (April 2018), entire data relating to payment systems operated by entities authorised under PSS Act must be stored only in India. This includes end-to-end transaction details and payment processing data. Indian banks, payment processors (Razorpay, Paytm), and PSPs comply by using Indian data centres (AWS Mumbai, Yotta, NIC).
AWS: Mumbai (ap-south-1) — multi-AZ, mature; Hyderabad (ap-south-2) — newer, multi-AZ. Azure: India South (Chennai), India Central (Pune), India West (Mumbai) — multiple regions. Google Cloud: asia-south1 (Mumbai), asia-south2 (Delhi). All hyperscaler regions are MeitY-empanelled for general enterprise and most government workloads.
Depends on customer data sensitivity. For BFSI customers — yes, mandatory. For DPDP compliance with sensitive personal data — strongly recommended. For general SMB SaaS without regulated data — optional, but increasingly customer-expected. Most Indian SaaS startups now deploy on AWS Mumbai or Azure India for Indian customers; foreign region for non-Indian customers.
Sovereign cloud means cloud infrastructure owned and operated by Indian entities (not foreign-owned). Yotta Hyperscaler (Hiranandani Group), NIC Cloud, ESDS are examples. Indian government workloads, defence, and some BFSI regulators require sovereign cloud (not just Indian region of foreign cloud). For typical Indian enterprise without these mandates, AWS/Azure/GCP India regions are sufficient.
Indian data residency strategy — free compliance assessment for BFSI/healthcare/government workloads.