DPDP for B2B SaaS: Compliance Guide & Costs (MBS)
Does DPDP apply to your B2B SaaS company? Understand your obligations, what to do, and compliance costs. Expert insights from Sushant Pasamarty.
Does DPDP Apply to B2B SaaS Companies?
Yes, the Digital Personal Data Protection Act (DPDP) 2023 absolutely applies to B2B SaaS companies in India. While your primary customers are businesses, your platform inevitably processes personal data of individuals associated with those businesses – employees, users, or even end-customers if your SaaS product is used to manage their data.
The key factor is the processing of 'personal data' of a 'Data Principal' (an individual). If your B2B SaaS collects, stores, uses, or otherwise processes any data that can identify an individual, you fall under DPDP's purview.
What This Means for B2B SaaS Right Now
While the enforcement timeline for DPDP is still being clarified, the practical reality is that businesses should prepare proactively. Regulators will expect a demonstrable commitment to data protection once the law is fully effective. Waiting for the final enforcement notification is a risky strategy.
As a B2B SaaS provider, you likely act as both a 'Data Fiduciary' (determining processing purpose and means) for your own employee/customer data, and a 'Data Processor' (processing data on behalf of another Data Fiduciary) for data your clients upload to your platform. Understanding these dual roles is critical for compliance.
What B2B SaaS Companies Actually Need to Do for DPDP Compliance
Preparing for DPDP involves several core steps tailored for the B2B SaaS model. Sushant Pasamarty, founder of Meridian Bridge Strategy, recommends focusing on these areas:
- Data Mapping & Inventory: Identify all personal data processed – both your internal employee/customer data and the data your B2B clients upload. Document where it comes from, where it's stored, who has access, and its purpose.
- Review Data Processing Agreements (DPAs): If you process personal data on behalf of clients, ensure your DPAs clearly define roles (Fiduciary vs. Processor), responsibilities, security measures, and data deletion protocols as per DPDP requirements.
- Update Consent Mechanisms & Privacy Policies: For data where you are the Data Fiduciary (e.g., your own marketing data, user logins), ensure consent is explicit, informed, and retractable. Your privacy policy must be transparent and DPDP-compliant.
- Implement Robust Security Measures: DPDP mandates reasonable security safeguards to prevent data breaches. This includes technical and organizational measures appropriate to the data's sensitivity and volume.
- Establish a Grievance Redressal Mechanism: You need a clear process for Data Principals to exercise their rights (e.g., correction, erasure, access) and raise grievances, including appointing a Data Protection Officer (DPO) or an equivalent point of contact.
What DPDP Compliance Costs for B2B SaaS Companies
The cost for DPDP compliance for a B2B SaaS company depends on the complexity of your data flows, the volume of personal data processed, and your current state of readiness. Meridian Bridge Strategy offers structured services to meet these needs, each building on the previous tier:
| Tier | What it includes | Price range | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow: who collects it, where it goes, which vendors touch it | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion) | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation Support + DPO Training + Final Readiness Opinion | ₹7L – ₹12L | 3-6 months |
For a B2B SaaS with multiple product lines or complex international data transfers, the cost would typically be at the higher end of these ranges due to increased scope.
When to Start Your DPDP Journey
Start now. Proactive preparation allows for a smoother transition and minimizes potential disruption. Many of the required changes, such as updating internal processes, revising vendor contracts, and re-architecting consent flows, take time to implement effectively across a B2B SaaS platform.
Next Step: Estimate Your Specific DPDP Cost
Understanding your exact compliance requirements and associated costs can be complex. Sushant Pasamarty, founder of Meridian Bridge Strategy, has built an interactive calculator to help you get a tailored estimate. This tool considers your specific business context to suggest the most appropriate MBS service tier.
Frequently Asked Questions
How does DPDP distinguish between B2B SaaS as a Data Fiduciary vs. Data Processor?
Your B2B SaaS is a Data Fiduciary for personal data where you determine the 'purpose and means' of processing (e.g., your employees, direct customer contact info). You act as a Data Processor when you process data on behalf of your clients, where the client dictates the purpose and means. Clear DPAs are essential for this distinction.
Does DPDP apply if my B2B SaaS only stores data on servers outside India?
Yes. DPDP applies if the personal data is collected from Data Principals within India, even if it's subsequently transferred or stored outside India. The 'extraterritorial' clause means Indian residents' data is protected regardless of where the processing occurs.
What is the biggest DPDP challenge for B2B SaaS companies?
The biggest challenge is often managing the dual roles of Data Fiduciary and Data Processor simultaneously and ensuring all third-party vendors (sub-processors) in your supply chain also comply. Maintaining transparent and compliant data processing agreements (DPAs) with clients and vendors is critical.