
Data Processing and Storage Outside India for Regulated Entities: Regulatory Landscape and Compliance Considerations

  • Knowledge Team
  • Apr 8
  • 10 min read

With rapid advancements in cloud computing and artificial intelligence, regulatory scrutiny over data processing and storage outside India has intensified. This article aims to provide an overview of the regulatory requirements imposed by various sectoral regulators in India concerning data processing and storage. These regulations, issued through Circulars, Guidelines, and Frameworks, apply to Regulated Entities (‘REs') across different financial sectors.


While some of these requirements may currently apply only to specific REs, any organisation handling financial or personal data must stay informed about compliance obligations, particularly regarding cross-border data transfer. Given the regulatory direction towards data localisation, entities processing data must take a cautious approach to ensure compliance with evolving laws. 


Beyond the protection of Indian data principals, the primary objective of sectoral regulators is to exercise control over the data that is generated, owned, stored and processed by or on behalf of REs. Ensuring regulatory access to such data is a key concern, driving localisation mandates across financial services and technology ecosystems.


With the increasing adoption of AI-driven solutions, voice and text-based processing tools are becoming integral to customer interactions. Such tools often rely on third-party services for functionalities such as Text-to-Speech (TTS) and Speech-to-Text (STT), amongst others. Some providers offer self-hosted solutions within India, while others operate in a processing-only mode, in which data is sent to the provider's infrastructure for processing but is not stored outside the country. A processing-only mode addresses only storage: where a regulator requires processing to take place in India as well (as SEBI does for regulatory data, discussed below), transient processing abroad still falls outside what is permitted, and a contractual assurance of 'no storage' should be checked against the provider's logging, caching and model-training practices before it is relied upon. Evolving use cases may lead to the processing of more sensitive personal information, inviting greater regulatory scrutiny.


Below, we discuss the current regulatory framework, key compliance considerations, and the anticipated trajectory of data localisation norms in India.


SECTORAL REGULATORS & REGULATIONS

  1. Securities and Exchange Board of India (‘SEBI’)

    1. Framework for Adoption of Cloud Services by SEBI Regulated Entities, 2023,  dated 06.03.2023:

      1. The framework provides guidelines for stock brokers and other SEBI REs using cloud-based services such as Software-as-a-Service (‘SaaS’) from Cloud Service Providers (‘CSPs’). It sets out stringent requirements to ensure that data storage and processing take place within the legal boundaries of India.

      2. The framework mandates the following:

        1. Data Localisation: All financial data, including logs from data centers and disaster recovery systems, must be stored and processed within the geographical boundaries of India.

        2. Encryption Standards: Data must be encrypted at all stages to protect its confidentiality and integrity.

        3. Ownership: REs must retain ownership of their data at all times.

        4. Legal Agreement to Cover Compliance Requirements: Contracts with CSPs must explicitly address compliance obligations, roles, liabilities, and service level agreements (‘SLAs’).

        5. Visibility of Compliance: Whenever required by the RE or SEBI, the CSP must give the RE and SEBI visibility into the CSP’s processes and infrastructure, and must maintain continuous compliance with the applicable SEBI, Government of India and State Government requirements.

        6. Selection of Cloud Providers: SEBI mandates that REs engage only those CSPs whose Platform-as-a-Service (‘PaaS’) or SaaS offerings run on MeitY-empanelled infrastructure and data centres.

      3. The aim of the framework is to ensure that SEBI’s right to access REs’ data, and its rights of search and seizure, are not affected by the adoption of cloud services. It also provides that the contracts entered into by REs with their CSPs should provide for, inter alia, storage of data within the legal boundaries of India, which should be read as the geographical boundaries of India. The terminology appears to be taken from a 2020 CERT-In advisory, which SEBI circulated further in its advisory dated 03.11.2020.


    2. Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs dated 20.08.2024 covers following important provisions:

      1. ‘Regulatory Data’ has been defined to include Data with respect to communication between investors and REs through applications (e.g. chat communication, messages, emails etc.). 

      2. Reiterates the requirements from the 2023 Framework discussed above and requires that all processing and storage of regulatory data must occur within legal boundaries of India to protect investors and financial institutions, as also to ensure availability & easy accessibility in legible and usable form.


        However, a Circular issued on 31.12.2024 has kept the data localisation provisions of the CSCRF in abeyance, meaning that the regulator is not enforcing them at this time:

        “Based on the feedback received on the provisions of Data Localisation, a need is felt for further consultations. Accordingly, the guidelines and provisions with regard to Data Localisation [Data Security standard (PR.DS.S2)] have been kept in abeyance until further notification.”


        Regulatory Forbearance: SEBI has granted forbearance for compliance with the CSCRF from 01.01.2025 to 31.03.2025. No regulatory action will be taken during this period if REs show meaningful progress in implementation. SEBI has also extended compliance timelines, based on feedback regarding the categorisation of REs, for:

        1. KYC Registration Agencies (‘KRAs’): Extended till 01.04.2025

        2. Depository Participants (‘DPs’): Extended till 01.04.2025.


        This Circular should not be read as a roll-back of the SEBI requirements on its REs, but rather as a temporary hold on the measures in view of the difficulties REs have faced in complying with them.


  2. Reserve Bank of India (RBI)

    1. Master Direction on Outsourcing of Information Technology Services, 2023, dated 10.04.2023

      RBI has established comprehensive guidelines governing the outsourcing of IT services by banks, lenders, and other REs. These Directions define the regulatory framework for outsourcing critical IT functions, ensuring operational resilience, data security, and compliance with regulatory requirements.

      1. Scope and Applicability: These Directions apply to outsourcing arrangements where IT services are classified as “Material Outsourcing of IT Services”, i.e. services that:

        1. if disrupted or compromised, could significantly impact the RE’s operations, or

        2. could have a material impact on customers of REs, particularly in cases of unauthorised access, data loss or theft.

        Additionally, the Directions provide a non-exhaustive list of entities that do not qualify as ‘Third-Party Service Providers’, including:

        1. Payment system operators

        2. Fintech firms offering co-branded applications

        3. Telecom service providers

        4. Security and audit consultants


        Given the broad scope of material services, even services that do not initially appear to be material may still be subject to compliance requirements, particularly if they involve sensitive customer data or critical IT infrastructure. Further, in the absence of any precedent, it is unclear how materiality will be determined in the event of unauthorised access to, or loss or theft of, end-user information.

        It may be noted that while the Directions state that they apply to ‘Material Outsourcing of IT Services’, in various places the reference to ‘Material’ is dropped and the text refers simply to ‘Outsourcing of IT Services’. In practice, therefore, REs are likely to require adherence from all their vendors.

      2. Compliance Requirements for IT Outsourcing: Where these Directions apply, the following requirements are prescribed with respect to cross-border outsourcing:

        1. REs must actively monitor the legal, economic, and regulatory conditions of the jurisdiction where the service provider is based.

        2. If data is stored or processed outside India, the legal framework of the foreign jurisdiction must provide for strong confidentiality protections and uphold contractual obligations.

        3. RBI and REs must retain the right to audit foreign service providers, ensuring compliance with data protection norms.

      3. Cloud computing services:

        1. While engaging any cloud services, REs must ensure that the outsourcing of IT services addresses the lifecycle of data in its entirety, i.e., from the time of entry of data into cloud till the data is permanently erased.

        2. Additionally, REs must also take into account multi-location storing and processing of data to ensure adherence to the applicable laws.

        3. REs must ensure that the selection of cloud service provider is based on a comprehensive risk assessment and globally recognized principles and standards.

      4. Cyber security incident reporting:

        1. The Master Directions require the service provider to report cyber incidents to the RE without undue delay, so that the RE can in turn report the incident to the RBI within 6 (six) hours of its detection by the service provider. REs must ensure that their service providers adhere to this requirement.

        2. The draft of the Master Directions had mandated such breach reporting by the service providers to the REs within 1 (one) hour of detection; however, no such limitation is specified in the Master Directions.

      5. Requirements for REs: The Master Directions provide that, in addition to the controls on Outsourcing of IT Services prescribed in the Directions, REs shall adopt the requirements for storage, computing and movement of data in cloud environments given in Appendix I:

        1. Cloud Governance: REs shall adopt and demonstrate a well-established and documented cloud adoption policy. Such a policy should, inter alia, identify the activities that can be moved to the cloud, enable and support protection of various stakeholder interests, ensure compliance with regulatory requirements, including those on privacy, security, data sovereignty, recoverability and data storage requirements, aligned with data classification. 

        2. The policy should provide for appropriate due diligence to manage and continually monitor the risks associated with CSPs.


        These requirements are broad and, in the absence of specific guidance, may be interpreted with the assistance of other sectoral regulations, in which case they may be read as stating requirements similar to those prescribed by SEBI.


    2. Guidelines on Digital Lending, dated 02.09.2022

      The Guidelines prescribe that ‘REs shall ensure that all data is stored only in servers located within India, while ensuring compliance with statutory obligations/ regulatory instructions.’ They do not restrict where data is processed.


    3. RBI’s Master Directions on Payment System Operators, dated 06.04.2018

      These Directions establish a framework for storing payment data within India, focusing on the localisation of sensitive payment-related data in order to enhance data security, ensure regulatory oversight and strengthen financial stability.

      1. Scope and Applicability

        The Directions and the clarifications thereto apply to banks and non-banking entities operating as payment system operators, mandating strict data storage and retention requirements. They aim to enhance data security by ensuring that sensitive financial information remains within Indian jurisdiction, and they facilitate regulatory access to critical transaction data for audit and supervision. For the foreign leg of an international transaction, the Directions provide that a copy of the data may be stored in the foreign country, if required.

      2. Mandatory Data Localisation

        1. Full data storage in India: All payment system data, including customer information and transaction details, must be stored domestically.

        2. Limited foreign storage exceptions: A copy of the data may be stored abroad only for international transactions, ensuring regulatory compliance in India.

      3. Types of Data Covered

        The data required to be stored in India includes:

        1. Customer Data: Name, mobile number, email, Aadhaar number, PAN number, etc.

        2. Payment-Sensitive Data: Account details of customers and beneficiaries.

        3. Payment Credentials: OTPs, PINs, passwords, and other authentication details.

        4. Transaction Data: Originating and destination system information, timestamps, transaction references, and amounts.

      4. Processing and Deletion Timelines

        1. Foreign-stored data must be deleted within 24 hours or within one business day, whichever is earlier.

        2. This ensures that all payment transaction records remain under RBI’s regulatory jurisdiction without undue exposure to foreign entities.

        3. While data localisation is the primary requirement, limited cross-border transaction-related data transfers are permitted under stringent conditions.

        4. Entities processing international transactions must ensure data stored abroad aligns with confidentiality and security standards set by Indian regulators as well.
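
        The distinctions drawn above between storage and processing (SEBI regulatory data: both in India; RBI digital-lending data: storage only; RBI payment-system data: storage in India, with a foreign copy of the foreign leg permitted until the deletion deadline) are easy to lose track of once an estate includes DR sites, log sinks and processing-only vendors. The following Python is an added example, not code from the article or from any regulator, that encodes those rules as a check over a deployment inventory. The region names, the inventory, the rule table and the reading of ‘one business day’ as the end of the IST business day on which the payment was processed are assumptions made for the example.

```python
"""Data-residency control check: added example, not the article's or any regulator's code.

Encodes three rule sets discussed above so they can be run over a deployment inventory:
  - SEBI regulatory data: storage AND processing (including DR sites and logs) in India
  - RBI digital-lending data: storage in India; processing location unrestricted
  - RBI payment-system data: storage in India; a copy of the foreign leg of an international
    transaction may sit abroad but must be deleted within 24 hours or one business day,
    whichever is earlier
Region names, the inventory and the reading of "one business day" are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))

# Assumption: regions treated as inside India (AWS Mumbai and Hyderabad).
INDIA_REGIONS = frozenset({"ap-south-1", "ap-south-2"})

# Assumption: which rule sets restrict storage location and which also restrict processing.
RULES = {
    "sebi_regulatory": {"store_in_india": True, "process_in_india": True},
    "rbi_lending": {"store_in_india": True, "process_in_india": False},
    "rbi_payment": {"store_in_india": True, "process_in_india": False},
}


@dataclass
class Component:
    """One place data is stored or handled: a database, a DR copy, a log sink, a TTS/STT vendor."""
    name: str
    region: str
    data_class: str                 # key into RULES
    stores: bool                    # True if the component persists data, False if processing-only
    foreign_leg: bool = False       # copy holds only the foreign leg of an international payment
    processed_at: Optional[datetime] = None
    deleted_at: Optional[datetime] = None   # None means the copy is still present


def deletion_deadline(processed_at: datetime) -> datetime:
    """Deadline for deleting a foreign-stored payment copy: 24 hours or one business day,
    whichever is earlier. Assumption: 'one business day' ends at 23:59:59 IST on the
    (Mon-Fri) day of processing; on weekends only the 24-hour limit applies. Public holidays
    are not modelled."""
    local = processed_at.astimezone(IST)
    by_24h = local + timedelta(hours=24)
    if local.weekday() < 5:
        end_of_day = local.replace(hour=23, minute=59, second=59, microsecond=0)
        return min(by_24h, end_of_day)
    return by_24h


def deadline_iso(processed_iso: str) -> str:
    """Convenience wrapper: ISO-8601 timestamp in, ISO-8601 deadline (IST) out."""
    return deletion_deadline(datetime.fromisoformat(processed_iso)).isoformat()


def check(inventory: list[Component], now: datetime) -> list[tuple[str, str]]:
    """Return (component name, finding) pairs for every component outside India that breaks its rule set."""
    findings: list[tuple[str, str]] = []
    for c in inventory:
        rule = RULES[c.data_class]
        if c.region in INDIA_REGIONS:
            continue
        if c.stores:
            if c.data_class == "rbi_payment" and c.foreign_leg and c.processed_at is not None:
                deadline = deletion_deadline(c.processed_at)
                removed = c.deleted_at if c.deleted_at is not None else now
                if removed > deadline:
                    findings.append((c.name, f"foreign copy kept past {deadline.isoformat()}"))
            elif rule["store_in_india"]:
                findings.append((c.name, f"{c.data_class} stored outside India ({c.region})"))
        elif rule["process_in_india"]:
            findings.append((c.name, f"{c.data_class} processed outside India ({c.region})"))
    return findings


def sample_findings() -> list[str]:
    """Run the check over a constructed inventory; returns the names of flagged components."""
    mon = datetime(2025, 4, 7, 10, 0, tzinfo=IST)   # a Monday
    sat = datetime(2025, 4, 5, 10, 0, tzinfo=IST)   # a Saturday
    inventory = [
        Component("core-db", "ap-south-1", "sebi_regulatory", stores=True),
        Component("dr-site-logs", "eu-west-1", "sebi_regulatory", stores=True),     # DR/log copy abroad
        Component("stt-vendor", "us-east-1", "sebi_regulatory", stores=False),     # processing-only abroad
        Component("loan-scoring-api", "us-east-1", "rbi_lending", stores=False),   # allowed: storage only
        Component("intl-leg-copy-ok", "us-east-1", "rbi_payment", stores=True, foreign_leg=True,
                  processed_at=mon, deleted_at=mon + timedelta(hours=9)),           # 19:00 Mon
        Component("intl-leg-copy-late", "us-east-1", "rbi_payment", stores=True, foreign_leg=True,
                  processed_at=mon, deleted_at=mon + timedelta(hours=23)),          # 09:00 Tue: past Mon
        Component("weekend-copy", "us-east-1", "rbi_payment", stores=True, foreign_leg=True,
                  processed_at=sat, deleted_at=sat + timedelta(hours=23)),          # within 24 h
    ]
    now = datetime(2025, 4, 9, 12, 0, tzinfo=IST)
    return sorted(name for name, _ in check(inventory, now))


if __name__ == "__main__":
    for name in sample_findings():
        print("FINDING:", name)
```

        Run against the constructed inventory, the check flags the DR/log copy abroad (storage), the processing-only STT vendor abroad (SEBI also restricts processing) and the foreign payment-leg copy deleted on the Tuesday morning (past the Monday business-day cut-off), while the lending API processed abroad and the copies deleted within their deadlines pass. The rule table is the piece to adjust as the CSCRF localisation standard comes out of abeyance or the DPDP Rules are notified.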


  3. Insurance Regulatory and Development Authority of India (IRDAI)

    1. IRDAI Information and Cyber Security Guidelines, 2023

      1. Storage Requirement: REs must confirm, through Annexure III - Audit Checklist, that all critical business and ICT infrastructure data is stored in India.

      2. Implied Localisation Norms: Although not explicitly stated, this requirement strongly suggests that IRDAI mandates data localisation for REs.

    2. IRDAI (Maintenance of Information by the Regulated Entities and Sharing of Information by the Authority), Regulations 2024, dated 10.01.2025

      1. All records, including those maintained in electronic form, on policies issued and claims made in India, must be stored in data centers located and maintained in India.

      2. This requirement was first introduced in the IRDAI (Maintenance of Insurance Records) Regulations, 2015, and is now reaffirmed in the 2024 regulations.

      3. While the regulations explicitly require data storage within India, they do not provide clarity on whether processing of such data must also take place domestically.


GENERAL LAWS

While sectoral regulations take precedence over the general data protection laws in India, it is important to note that any white or grey spaces left by sectoral regulators will come to be governed by these general laws:


  1. Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (IT Act & SPDI Rules, respectively)

    1. The SPDI Rules, framed under the IT Act, currently regulate the collection, storage, and processing of sensitive personal data. 

    2. These rules do not impose strict cross-border transfer restrictions but require that:

      1. Personal data can be transferred only with the individual’s consent or for contractual performance.

      2. The receiving entity must maintain a comparable level of data protection as per the SPDI Rules.

    3. The Digital Personal Data Protection Rules, 2025 (‘DPDP Rules’), issued in draft under the Digital Personal Data Protection Act, 2023 (‘DPDP Act’), are yet to be notified. The public consultation period for the draft DPDP Rules was extended to 05.03.2025, from an earlier deadline of 18.02.2025. Once the DPDP Rules are notified:

      1. Section 43A of the IT Act will be omitted, and with it the SPDI Rules framed under that section will cease to have effect, replacing the old regime.

      2. A new compliance framework with clearer data transfer regulations will come into effect.

    4. Entities processing personal data must ensure continuity in compliance until the DPDP Act and DPDP Rules are fully enforced. Cross-border transfers may face new restrictions, depending on government-imposed conditions under the DPDP framework. Organizations should assess and align their data protection measures with the upcoming DPDP rules to avoid regulatory gaps.


    As India moves towards a modernized data protection regime, businesses must proactively adapt to ensure compliance with evolving legal obligations.


  2. Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025 (Draft):

    The DPDP Act is set to introduce a modernised framework for data protection in India. The DPDP Rules will define compliance obligations, particularly regarding cross-border data transfers.

    1. Cross-Border Data Transfers

      1. Any entity processing personal data within India, or outside India in connection with offering goods or services to data principals in India, may transfer personal data outside India except to such countries or territories as the Central Government restricts by notification.

      2. Government-imposed restrictions on transfers will be outlined in future regulations.

      3. Draft Rule 12(4): Significant Data Fiduciaries (SDFs) must ensure that certain personal and traffic data, as specified by the government, is not transferred outside India.

    2. Significant Data Fiduciaries (SDFs) & Sectoral Laws

      1. Which entities will be notified as SDFs is yet to be determined by the government. For context, under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, social media platforms with over 5 million (50 lakh) registered users were designated as Significant Social Media Intermediaries.

      2. Draft Rule 14: The government will issue further regulations on data processing outside India, ensuring compliance with India’s national security and sovereignty policies.

    3.  Sectoral Regulations & Higher Protection Standards

      1. Section 16(2) of DPDP Act: If any Indian sectoral law (e.g., RBI, SEBI, IRDAI regulations) provides stricter data protection requirements, those laws will prevail over the DPDP Act.

      2. Sectoral regulators may impose additional restrictions on data transfers beyond what the DPDP Act mandates.

    4. Policy Direction

      1. The Ministry of Electronics and Information Technology (MeitY) has stated that data localisation will be the default approach, with cross-border transfers allowed only through ‘trusted corridors’ with specific nations.

      2. This signals a restrictive approach to offshore data processing, reinforcing India’s focus on data sovereignty.



ADAPTING TO INDIA'S DATA COMPLIANCE SHIFT

India’s regulatory focus on data localisation and security is only getting stronger. With SEBI, RBI, IRDAI, and the DPDP Act shaping strict compliance norms, businesses must stay ahead by aligning their data strategies with evolving laws. While some mandates, like SEBI’s localisation rules, are temporarily on hold, the larger trend is clear—data sovereignty and regulatory oversight are here to stay. Organisations handling financial or personal data must adopt secure, compliant, and locally aligned data practices to mitigate risks and ensure smooth operations.


As policies continue to evolve, the key to staying compliant is being proactive, conducting regular assessments, and embracing secure, scalable data solutions. With the right approach, businesses can turn regulatory challenges into an opportunity for stronger governance, trust, and long-term growth.



Readers can direct their queries or comments to the authors.


