DPDP 3.2.1 : DPDP and Cloud – Case Study 1 – The Cloud Vendor’s Breach. The Founder’s Problem.

Vikram is 34 years old. He built a thriving edtech startup from his apartment in Bengaluru. Fifty thousand registered users. A small but dedicated team. And all of it running on a global cloud platform.

When he signed up, he ticked the terms of service. The data processing agreement was long. He didn’t read it. He assumed the cloud provider would handle security — that’s what the cloud is for, right?

One morning, Vikram receives an automated alert. His cloud provider has detected unusual access to a storage bucket containing the personal data of his users — names, email addresses, learning history, and payment records. The provider’s security team is investigating.

Vikram logs a support ticket with the cloud vendor and waits for them to resolve it.

He does not know that the DPDP Act has already placed the obligation firmly on him — and the 72-hour clock started the moment he became aware.


The accountability that does not transfer

Section 8(1) of the DPDP Act, 2023 is direct: a Data Fiduciary shall, irrespective of any agreement to the contrary, be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor.

Vikram’s cloud provider is a Data Processor. The personal data in that storage bucket belongs to Vikram’s users — users who gave their consent to Vikram’s platform, not to a global cloud company. The fact that the breach occurred at the cloud provider’s infrastructure does not move the compliance obligation. It remains with Vikram.

Section 8(2) permits a Data Fiduciary to engage a Data Processor only under a valid contract, and Rule 6(1)(f) requires that contract to contain appropriate provisions for taking reasonable security safeguards. If Vikram's data processing agreement does not specify encryption of personal data at rest, access controls, log retention and a breach notification timeline that lets him meet his own DPDP obligations, the contract itself is a compliance gap, before any breach occurs.


The 72-hour window and what it demands from Vikram

Under Rule 7(2) of the DPDP Rules, 2025, a Data Fiduciary that becomes aware of a personal data breach must intimate the Data Protection Board, and within 72 hours of becoming aware (or such longer period as the Board allows on a written request) must provide the Board with the nature, extent, timing and location of the breach, its likely impact, its root cause, the remedial measures taken, and a report on the intimations given to affected Data Principals.

Vikram became aware when he received the alert. The 72-hour clock started at that moment. It does not restart when the cloud vendor completes its investigation. It does not pause while the support ticket is open. It started when Vikram knew.

IS Audit Module 6 of the ICAI IS Audit 3.0 Course identifies a cloud-specific privacy risk directly relevant here: cloud computing involves a greater dependency on third parties and increased transborder flow of personally identifiable information, creating greater magnitude of privacy risks. The breach Vikram is experiencing is exactly that risk manifesting — and DPDP requires him to have anticipated it contractually, technically, and procedurally.


What Vikram should have built before going live on cloud

A DPDP-compliant cloud deployment for a Data Fiduciary requires four things that Vikram did not have.

A valid data processing agreement that explicitly requires the cloud provider to implement encryption, access controls, logs, and breach notification to the Data Fiduciary within a timeframe that allows the Data Fiduciary to meet its own 72-hour Board reporting obligation.

Encryption of personal data at rest in every cloud storage bucket and database (Rule 6(1)(a)), so that a copied disk, a leaked snapshot or a stray backup is unreadable without the decryption key. The limit of this control should be understood: when the provider manages the keys and decrypts transparently, anyone holding valid credentials reads the data through the storage API exactly as the application does. Encryption at rest therefore has to be paired with key management and access control, not treated as a substitute for them.

Access controls and access logs on every cloud resource holding personal data (Rule 6(1)(b) and (c)), so that Vikram can determine, at the time of the breach, exactly which objects were accessed, when, by whom and from where. Without the logs, the "extent" and "timing" fields of the Board intimation cannot be filled in with anything better than a guess.

A documented incident response workflow that, from the moment of a breach alert, starts Board notification preparation, Data Principal communication and forensic log preservation in parallel rather than one after the other, and that does not wait on the vendor's support ticket for any of them.
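The four items above are, in practice, one checklist run twice: once before go-live (do the buckets have the controls?) and once at the moment of an alert (what do the logs say, and by when must the Board hear it?). The following Python script is an added example written for this article, not code from the authors or from any cloud provider. The access-log format, the bucket inventory format and every name in it (principals, object keys, IP addresses, bucket names, the alert time) are constructed for illustration and do not correspond to any real provider's log schema or API; the one-year log retention threshold is the example's own choice.

```python
"""Breach triage and pre-go-live control check for personal data in cloud storage.

Added example, not part of the original article. The log format, the bucket
inventory and every name below are constructed for illustration and are not
any real provider's schema or API.
"""
import json
from datetime import datetime, timedelta, timezone

BOARD_WINDOW = timedelta(hours=72)  # Rule 7(2): detailed intimation to the Board

# Constructed storage access log, one JSON object per line (field names assumed).
SAMPLE_LOG = """\
{"ts": "2025-03-10T01:12:04Z", "principal": "svc-app-backend", "ip": "10.0.3.7", "op": "GET", "key": "users/profiles.csv"}
{"ts": "2025-03-10T02:40:51Z", "principal": "svc-backup", "ip": "10.0.9.2", "op": "LIST", "key": ""}
{"ts": "2025-03-10T03:05:19Z", "principal": "anonymous", "ip": "203.0.113.45", "op": "GET", "key": "users/profiles.csv"}
{"ts": "2025-03-10T03:05:22Z", "principal": "anonymous", "ip": "203.0.113.45", "op": "GET", "key": "payments/2025-02.json"}
{"ts": "2025-03-10T03:06:01Z", "principal": "anonymous", "ip": "203.0.113.45", "op": "GET", "key": "learning/history.parquet"}
{"ts": "2025-03-10T04:15:00Z", "principal": "svc-app-backend", "ip": "10.0.3.7", "op": "PUT", "key": "users/profiles.csv"}
"""

# Constructed: the identities that are allowed to touch these buckets.
AUTHORISED_PRINCIPALS = {"svc-app-backend", "svc-backup"}

# Constructed: when the founder read the provider's alert (the 72-hour clock starts here).
ALERT_TIME = datetime(2025, 3, 10, 6, 30, tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines access records into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def triage_breach(events, authorised, awareness_time):
    """Answer the Rule 7(2) questions from the logs: which data, when, by whom,
    and by when the Board must have the detailed intimation."""
    suspect = [e for e in events if e["principal"] not in authorised]
    return {
        "board_deadline": awareness_time + BOARD_WINDOW,
        "affected_objects": sorted({e["key"] for e in suspect if e["key"]}),
        "principals": sorted({(e["principal"], e["ip"]) for e in suspect}),
        "first_access": min(e["ts"] for e in suspect) if suspect else None,
        "last_access": max(e["ts"] for e in suspect) if suspect else None,
        "events": suspect,
    }


# Constructed bucket inventory; field names are assumptions for this example.
BUCKET_INVENTORY = {
    "edtech-prod-userdata": {"encryption_at_rest": False, "access_logging": True,
                             "public_access_blocked": False, "log_retention_days": 90},
    "edtech-prod-payments": {"encryption_at_rest": True, "access_logging": True,
                             "public_access_blocked": True, "log_retention_days": 400},
}


def check_bucket_controls(inventory, min_log_retention_days=365):
    """Flag buckets missing the safeguards the article lists: encryption at rest,
    access control and logging. The retention floor is this example's own threshold."""
    gaps = {}
    for name, cfg in inventory.items():
        problems = []
        if not cfg.get("encryption_at_rest"):
            problems.append("no encryption at rest")
        if not cfg.get("public_access_blocked"):
            problems.append("public access not blocked")
        if not cfg.get("access_logging"):
            problems.append("access logging disabled")
        if cfg.get("log_retention_days", 0) < min_log_retention_days:
            problems.append(f"log retention below {min_log_retention_days} days")
        if problems:
            gaps[name] = problems
    return gaps


def run_triage():
    """Run the triage over the constructed log with the constructed alert time."""
    return triage_breach(parse_log(SAMPLE_LOG), AUTHORISED_PRINCIPALS, ALERT_TIME)


if __name__ == "__main__":
    report = run_triage()
    print("Board detailed intimation due by:", report["board_deadline"].isoformat())
    print("Objects accessed:", report["affected_objects"])
    print("By:", report["principals"], "between", report["first_access"], "and", report["last_access"])
    print("Control gaps before go-live:", check_bucket_controls(BUCKET_INVENTORY))
```

The design point is that the triage function is driven entirely by the access log and an allow-list of principals: if logging had been disabled on the bucket, `triage_breach` would have nothing to work with, which is exactly the situation Rule 6(1)(c) is meant to prevent. The deadline is computed from the awareness time passed in, not from any timestamp in the vendor's ticket.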

The cloud is not a compliance shortcut. Under every major provider's shared responsibility model the provider secures the underlying infrastructure, while bucket permissions, key management, logging and the handling of alerts remain the customer's configuration. An alert about "unusual access to a storage bucket" does not by itself say whose control failed; whichever side it turns out to be, the legal accountability to the Data Principals and to the Board stays with the Data Fiduciary.


The question every founder must answer before their next cloud migration

Does your data processing agreement with your cloud provider obligate them — in writing — to implement the security safeguards that Rule 6 of the DPDP Rules requires? Does it require them to notify you of a breach within a timeframe that lets you meet your 72-hour obligation? Does it permit you to audit their compliance?

If the answer is “our standard plan terms cover it” — read the terms again. Vikram had the same assumption.


Sources: DPDP Act 2023 (Sections 8(1), 8(2)) | DPDP Rules 2025 (Rules 6(1)(a)(b)(c)(f), 7(2)) | ICAI IS Audit 3.0 Course — Module 6 (Section 6.3.5 — Cloud Privacy and Security Risks)


Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.


Authors:
This article has been co-authored by CA. Sunil Elayadath and CA. Karthik Narayanan S, Partners of Karthik & Sunil, together with Mr. Dhanesh P. K., Designated Partner, DSK Sustainability Tech.

