The India compliance clock has already started.

What the law requires

Implement reasonable security safeguards — encryption at rest and in transit, access controls, audit logging and monitoring. Under DPDP Rules 2025 these are now prescriptive technical requirements: encryption/masking, tokenisation, access controls, audit logging and backup are explicitly listed. Organisations must be able to evidence these controls to the Data Protection Board.

How Cyfriq addresses this

• AES-256 encryption at rest — separate encryption key per tenant stored in AWS KMS
• TLS 1.3 encryption in transit — all data including agent-to-cloud communication
• Role-based access control (RBAC) — users access only data relevant to their role
• Immutable WORM audit log — every access, action and event recorded and tamper-proof
• UEBA engine continuously monitors for anomalous access patterns and insider threats
• MFA enforced on every login — TOTP, push, FIDO2 / YubiKey
• Device trust — only registered healthy devices with valid certificates can access

What the law requires

Notify the Data Protection Board and all affected data principals immediately upon discovering a breach. Submit a detailed report within 72 hours covering nature, extent, timing, impact assessment, mitigation steps and cause. A parallel 6-hour CERT-In notification is also required.

How Cyfriq addresses this

• Real-time breach detection via UEBA and DLP engine — alerts in seconds
• Automated breach classification: data type, scope, affected users, timeline
• Pre-built DPDP 72-hour breach report template — DPB-submission ready
• Tamper-proof audit log provides complete forensic trail for regulators
• Automated affected-user list for data principal breach notifications
• SIEM integration supports parallel CERT-In 6-hour & DPB 72-hour workflows

What the law requires

Access controls are explicitly listed under Rules 2025 as required technical safeguards — not discretionary guidance. Organisations must implement and evidence controls that restrict personal data access to those with a legitimate, documented business need.

How Cyfriq addresses this

• RBAC — personal data access strictly limited by user role and department
• SSO and IdP enforce authentication before any data access is permitted
• MFA required on every session — prevents credential-based unauthorised access
• UEBA detects and alerts on access patterns inconsistent with normal behaviour
• Device trust — unregistered or unhealthy devices denied at the IdP layer
• Leaver workflow instantly revokes access across every connected system

What the law requires

Personal data of Indian data principals may only be transferred to countries not on the Central Government's restricted list. Organisations must have active technical controls preventing unauthorised transfer via email, file upload, cloud sync or any other digital channel.

How Cyfriq addresses this

• Email DLP blocks transfer of personal data to domains in restricted countries
• Browser extension blocks uploads of personal data to restricted-jurisdiction cloud services
• Geo-blocking at IdP level — logins from restricted countries denied at authentication
• All Cyfriq infrastructure on AWS India (ap-south-1) — customer data stays in India by default
• Audit log records all data egress events with destination country for regulatory evidence

What the law requires

Only collect personal data that is necessary for the stated purpose. Do not use data beyond that purpose. Organisations must demonstrate active controls preventing over-collection and misuse across email, endpoints and web applications.

How Cyfriq enables this

• DLP policies can block transmission of personal-data fields not required for a business process
• Email DLP scans for PAN, Aadhaar, mobile numbers — blocks unauthorised sharing
• Data classification engine labels documents by sensitivity and restricts access by role
• Customer must define which data categories are in scope and configure policies accordingly

What the law requires

Personal data must be erased once the purpose for which it was collected is fulfilled, unless retention is required by law. Organisations must have active, configured retention policies with evidenced, auditable erasure workflows.

How Cyfriq enables this

• Configurable data retention policies within the platform — set per data category
• Automated user data purge on deactivation via SCIM leaver workflow
• Audit log captures all erasure events as tamper-proof evidence for regulators
• Customer must map their own data categories and set appropriate retention periods in Cyfriq policies

What the law requires

Individuals have the right to access, correct and erase their personal data, obtain grievance redressal within 90 days, and nominate another person to exercise rights. Under Rules 2025, organisations must provide a publicly available mechanism for submitting these requests.

How Cyfriq enables this

• SCIM user-management enables data access & correction across all connected systems
• Leaver and erasure workflows support right-to-erasure requests with full audit trail
• Audit log enables access reports — what data was accessed, when, by whom
• Customer must build a public Data Principal rights request portal — Cyfriq provides backend tooling only
• Consumer-facing rights interface and 90-day SLA management are the customer's operational obligation

What the law requires

Organisations designated as Significant Data Fiduciaries must appoint a Data Protection Officer (DPO) based in India, conduct annual Data Protection Impact Assessments (DPIA), engage an independent data auditor, and periodically share significant observations with the Data Protection Board.

How Cyfriq enables this

• Immutable audit log provides comprehensive evidence base for independent annual audits
• Pre-built DPIA report template maps data flows, risks and Cyfriq control evidence
• UEBA risk reports demonstrate active monitoring as evidence of "reasonable safeguards"
• Data Protection Officer must be appointed by the customer organisation
• Independent auditor engagement and DPB periodic reporting are the customer's own obligation

What the law requires

Obtain free, specific, informed, unconditional and unambiguous consent before processing. Provide a clear privacy notice in English and all 22 languages of the 8th Schedule of the Constitution if required. Consent withdrawal must be as easy as giving consent.

How Cyfriq supports this

• User onboarding portal can present privacy notices at first login for employee data processing
• Audit log records consent acceptance with timestamp and user identifier as evidence
• Customer's legal team must draft the privacy notice content — Cyfriq does not provide legal text
• Consent Manager registration with the DPB is the customer's independent regulatory obligation
• Consumer-facing consent withdrawal mechanism must be built by customer into their own product or portal