India DPDP Act: AI Governance Under India's Data Protection Law

India's Digital Personal Data Protection Act, 2023 is not a full horizontal AI law. It does, however, change the governance baseline for AI systems that process digital personal data. If your support assistant, internal copilot, case summarizer, or customer-facing workflow touches names, contact details, identifiers, account histories, or prompt content that can be linked back to a person, the DPDP Act matters.

That is why AI governance in India cannot stop at vendor questionnaires and procurement review. The DPDP Act puts pressure on the live route itself. Teams need a practical way to minimize personal data before it reaches a model provider, constrain which providers are approved for sensitive routes, and prove that higher-impact uses are not running as uncontrolled straight-through automation. Keeptrusts fits that runtime problem well. It does not replace legal basis analysis, notice design, data-principal rights handling, or breach response procedures. It does make the operating path more defensible.

Use this page when

  • You are deploying AI in India and need a practical DPDP-aligned control model.
  • You want to distinguish low-risk drafting routes from workflows that influence decisions about individuals.
  • You need precise language about what Keeptrusts can enforce technically versus what still belongs to legal, privacy, and operations teams.

Primary audience

  • Primary: Compliance officers, privacy leaders, platform owners
  • Secondary: security teams, engineering managers, product counsel

The problem

The DPDP Act is easy to misunderstand in AI programs because it sits in the middle ground between broad privacy governance and concrete operational obligations. Teams often know the headline requirements: lawful handling of digital personal data, data-security safeguards, breach notification, and rights for data principals. What gets missed is how quickly everyday AI usage falls inside that perimeter.

Customer-support prompts include names, phone numbers, order history, and billing context. Internal copilots summarize HR tickets, legal memos, and customer complaints. Engineers paste logs into debugging assistants and forget that logs can still contain personal data. If those routes all share one generic provider path, the organization cannot answer basic compliance questions about upstream disclosure, approved providers, and where human review is required.

The DPDP Act creates additional governance pressure for organizations that meet the threshold for Significant Data Fiduciary obligations. That increases the need for documented controls, role ownership, and impact-aware design. Even where a route is not making a final automated decision, it can still influence a human operator in ways that matter operationally.

Cross-border processing adds another layer. The DPDP Act does not create a blanket prohibition on international transfers of personal data. Instead, India can restrict transfers to notified territories. That means provider governance cannot rely on simplistic assumptions like "foreign provider equals prohibited" or "global provider equals fine." The real question is whether the route is sending more personal data than necessary and whether the approved provider set aligns with the organization's legal, contractual, and operational posture.

The solution

The practical answer is route-specific governance. Do not treat all AI traffic as one class of activity. Start by identifying which routes process digital personal data, which routes influence materially sensitive outcomes, and which routes can safely remain in a lower-control lane.

Keeptrusts helps at the runtime boundary in four ways.

First, pii-detector reduces unnecessary personal-data exposure before a request leaves your environment. That is useful for both DPDP minimization discipline and plain operational prudence. Second, data-routing-policy turns provider approval into enforcement. Instead of trusting documentation alone, the route can require zero data retention, no training use, and a bounded provider posture for the traffic that matters most. Third, human-oversight gives you a real stop for routes that should never act autonomously. Fourth, decision events and audit logging give the compliance function evidence that the declared operating model is actually the live one.

This matters because the DPDP Act is not satisfied by saying "our vendor is compliant." You need to show that the application is not casually oversharing personal data and that sensitive routes are governed differently from low-risk productivity tools. Keeptrusts gives you the technical separation: a low-risk internal drafting assistant can run on one path, while a complaint-triage route or benefits-eligibility assistant can be forced into redaction, provider constraints, and escalation.

That still leaves important work outside the gateway. Notices, consent or legitimate-use analysis, data-principal request handling, retention schedules, breach management, and board or management review remain organizational obligations. The value of Keeptrusts is that the runtime route stops undermining those broader commitments.

Implementation

For an India customer-support route that handles personal data, where no final response should be delivered without review whenever the interaction may affect account status or complaint handling, use a conservative configuration such as the following.

pack:
  name: india-customer-support-review
  version: "1.0.0"
  enabled: true

providers:
  targets:
    - id: reviewed-provider
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_API_KEY
      data_policy:
        zero_data_retention: true
        training_opt_out: true
        retention_days: 0
        allow_internet_egress: false

policies:
  chain:
    - pii-detector
    - data-routing-policy
    - citation-verifier
    - human-oversight
    - audit-logger

policy:
  pii-detector:
    action: redact
    redaction:
      marker_format: label
      include_metadata: true

  data-routing-policy:
    require_zero_data_retention: true
    require_no_training: true
    max_retention_days: 0
    allow_internet_egress: false
    on_no_compliant_provider: block
    log_provider_selection: true

  citation-verifier:
    require_sources: true
    require_source_match: true
    output_action:
      unverified_action: block

  human-oversight:
    action: escalate

  audit-logger: {}

This pattern does three important things. It redacts obvious personal data before the provider call, blocks routing to providers that do not match the declared data policy, and forces the route into escalation instead of direct delivery when the workflow calls for human judgment. The citation step is useful where the assistant should ground responses in approved policy or knowledge-base material rather than improvise.
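To make the route's behaviour concrete, the following added example (illustrative code written for this page, not Keeptrusts' own implementation) simulates the three steps on a constructed support prompt: label-style redaction of obvious personal data, selection of a provider whose data_policy satisfies the data-routing-policy requirements (blocking when none does), and an escalation outcome instead of direct delivery. The provider targets, the second "convenience" provider, and the sample prompt are constructed assumptions.

```python
import re

# Constructed provider targets mirroring the page's YAML; the second target
# deliberately fails the declared data policy so the filter has something to reject.
PROVIDER_TARGETS = [
    {"id": "reviewed-provider", "data_policy": {"zero_data_retention": True,
     "training_opt_out": True, "retention_days": 0, "allow_internet_egress": False}},
    {"id": "convenience-provider", "data_policy": {"zero_data_retention": False,
     "training_opt_out": False, "retention_days": 30, "allow_internet_egress": True}},
]

ROUTING_POLICY = {  # values taken from the page's data-routing-policy block
    "require_zero_data_retention": True, "require_no_training": True,
    "max_retention_days": 0, "allow_internet_egress": False,
    "on_no_compliant_provider": "block",
}

# Minimal label-marker redaction for two common PII classes (constructed patterns).
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "PHONE": re.compile(r"\+?\d[\d -]{8,}\d"),
}


def redact(text: str) -> str:
    """Replace each detected value with a [LABEL] marker before any upstream call."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def provider_is_compliant(target: dict, policy: dict) -> bool:
    """True only if every declared requirement is met by the target's data_policy."""
    dp = target["data_policy"]
    return not (
        (policy["require_zero_data_retention"] and not dp["zero_data_retention"])
        or (policy["require_no_training"] and not dp["training_opt_out"])
        or dp["retention_days"] > policy["max_retention_days"]
        or (dp["allow_internet_egress"] and not policy["allow_internet_egress"])
    )


def route_request(prompt: str, targets: list, policy: dict) -> dict:
    """Return the route decision: redacted prompt, chosen provider (or block), and delivery mode."""
    compliant = [t["id"] for t in targets if provider_is_compliant(t, policy)]
    if not compliant and policy["on_no_compliant_provider"] == "block":
        return {"prompt": redact(prompt), "provider": None, "delivery": "blocked"}
    # human-oversight: action: escalate -> the response is never delivered directly.
    return {"prompt": redact(prompt), "provider": compliant[0], "delivery": "escalate"}
```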

Do not apply this exact configuration to every route. For ordinary internal drafting, an escalation stop may be too strict. The right move is to reserve the heavier lane for workflows where personal data and downstream impact are both meaningful. That is the heart of DPDP-aligned AI governance: not one universal rule, but proportionate controls with evidence.

The most relevant companion pages are Configuration & Policy Overview, PII Detector, Data Routing Policy, Compliance Officer Guide, and Zero-Trust AI.

Results and impact

When teams adopt this route model, privacy reviews become more concrete. Instead of debating AI at an abstract level, compliance can inspect a specific route and see whether personal-data minimization is active, whether an approved-provider boundary exists, and whether human review is required. That makes DPIA-style work, supplier review, and control attestation easier even where the formal legal artifact lives elsewhere.

This also reduces operational drift. Without runtime enforcement, organizations gradually expand the scope of an assistant from low-risk drafting into customer-impacting activity. With route-level controls, that change becomes visible because the route must either stay in the light lane or move into the stricter one.

Most importantly, it keeps the legal narrative honest. The DPDP Act is about accountable handling of digital personal data. Keeptrusts helps ensure that the live AI path does not casually violate that principle. It does not, by itself, complete the program.

Key takeaways

  • The DPDP Act is not an omnibus AI statute, but it directly affects AI routes that process digital personal data.
  • Route-specific controls are more defensible than one shared assistant path for every use case.
  • Use pii-detector to minimize personal data before upstream calls and data-routing-policy to enforce provider posture.
  • Reserve human-oversight for routes where outputs should not be delivered without review.
  • Notices, rights handling, breach response, and broader privacy governance still sit outside the gateway.

Next steps