India · DPDP Act 2023

DPDP Act Compliance for AI, By Construction

India’s Digital Personal Data Protection Act, 2023 makes where your data lives a board-level question. When your AI runs entirely on your own premises, the hardest questions — cross-border transfer, third-party processors, remote audit — simply don’t arise: there is nothing to transfer and nothing to trust remotely. The obligations that remain (notice and consent, purpose limitation, data-principal rights, breach notification) are ones you can meet with systems you control.

01 The Obligations

What the DPDP Act 2023 requires

The obligations that most directly shape an enterprise AI deployment decision.

Lawful, consented processing

Personal data may be processed only for a lawful purpose with the data principal’s consent (or a legitimate use), with clear notice and purpose limitation.

Data-principal rights

Individuals can access, correct, and erase their data, and withdraw consent — obligations that are far easier to honour when all copies live in one system you control.

Breach notification

Personal-data breaches must be reported to the Data Protection Board of India and to affected principals — you can only report what you can actually see and audit.

India-resident processing

The Act itself permits transfer abroad except to countries the Central Government restricts by notification, but enterprise and government contracts, and sector regulators, increasingly require personal data to be processed on infrastructure inside India — a de-facto localisation pressure a foreign cloud API cannot cleanly satisfy.

Significant Data Fiduciary duties

Fiduciaries the Central Government notifies as significant, based on the volume and sensitivity of the data they handle, face added obligations — a Data Protection Officer based in India, an independent data auditor, periodic Data Protection Impact Assessments and audits — all of which assume you can demonstrate exactly where data goes.

Real, escalating enforcement

The Data Protection Board is issuing show-cause notices, and penalties reach up to ₹250 crore for failing to take reasonable security safeguards to prevent a personal-data breach. This is a live compliance cost, not a theoretical one.

This page is an explainer, not legal advice — confirm your specific obligations with qualified counsel.

02 Why On-Premise

Why on-premise AI satisfies it by construction

No cross-border transfer

The models, retrieval index, and memory all run on your premises in India. There is no data export to reason about — the hardest DPDP question simply doesn’t arise.

No third-party processor

Nothing is sent to a cloud LLM API, so there is no external data-processor relationship to contract, audit, or trust. Your data cannot train anyone else’s model because it never leaves your building.

Full provenance & erasure

Because every document, embedding, and log lives in systems you own, access, correction, and erasure requests are executable — not dependent on a vendor’s deletion SLA.

Auditable by design

A tamper-evident audit trail records what data was used, by which model, for which output — the evidence a DPIA or a Board inquiry actually asks for.

03 Our Posture

How BiltIQ enforces it in code

Every BiltIQ deployment ships with a privacy filter in front of every model call — compliance enforced by architecture, not by policy documents.

  • Presidio + NER detection extended for Indian identifiers — Aadhaar, PAN, mobile numbers
  • HMAC pseudonymisation under a secret key, so originals never reach a model, records stay linkable, and a token cannot be reversed without the key
  • DPDP 2023, GDPR, HIPAA, and CCPA validators that score every document before processing
  • A tamper-evident SHA-256 audit hash chain over every request and output
  • Compliance mode on_prem_required — fail-closed, no cloud egress, enforced in code, not policy
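The first two bullets in working form, as an added example that is not BiltIQ’s code: detection of Aadhaar, PAN and mobile numbers, with the Verhoeff check digit used to reject 12-digit runs that are not Aadhaar numbers, followed by keyed HMAC-SHA256 pseudonymisation. The page describes Presidio + NER; here standard-library regexes stand in for Presidio recognizers so the block runs offline. The key, the sample text and the `<TYPE:digest>` token format are assumptions for illustration.

```python
# Added example, not BiltIQ's code: a privacy filter for Indian identifiers
# built from the standard library only. The page describes Presidio + NER;
# here plain regexes stand in for Presidio recognizers so the block runs
# offline. The key, the sample text and the <TYPE:digest> token format are
# assumptions for illustration.
import hashlib
import hmac
import re

# Verhoeff check-digit tables; Aadhaar's 12th digit is a Verhoeff check digit,
# so a 12-digit run that fails the check is a false positive, not an Aadhaar.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]


def verhoeff_valid(digits: str) -> bool:
    """True when the last digit is a correct Verhoeff check digit for the rest."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


# One pattern per identifier type. Aadhaar: 12 digits, first digit 2-9, optional
# space/hyphen between groups of four. PAN: five letters, four digits, one letter.
# Mobile: 10 digits starting 6-9, optional +91 prefix, not embedded in a longer run.
_PATTERNS = {
    "AADHAAR": re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b"),
    "PAN": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "MOBILE": re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)"),
}


def detect(text):
    """Return non-overlapping (start, end, type, canonical_value) spans in text order."""
    found = []
    for kind, pat in _PATTERNS.items():
        for m in pat.finditer(text):
            canonical = re.sub(r"[ +-]", "", m.group(0))
            if kind == "AADHAAR" and not verhoeff_valid(canonical):
                continue  # bad check digit: not an Aadhaar, so it is not redacted
            if kind == "MOBILE" and len(canonical) == 12 and canonical.startswith("91"):
                canonical = canonical[2:]  # "+91 98..." and "98..." must share one token
            found.append((m.start(), m.end(), kind, canonical))
    found.sort()
    out, last_end = [], -1
    for span in found:
        if span[0] >= last_end:  # first match wins if two detectors overlap
            out.append(span)
            last_end = span[1]
    return out


def pseudonymise(text, key):
    """Replace every detected identifier with a keyed HMAC-SHA256 token.

    The same identifier always yields the same token (records stay linkable);
    without `key` the token cannot be reversed to the original value.
    Returns (redacted_text, {token: type}).
    """
    out, pos, mapping = [], 0, {}
    for start, end, kind, canonical in detect(text):
        mac = hmac.new(key, f"{kind}:{canonical}".encode(), hashlib.sha256).hexdigest()
        token = f"<{kind}:{mac[:16]}>"  # truncated for readability; keep the full MAC in production
        mapping[token] = kind
        out.append(text[pos:start])
        out.append(token)
        pos = end
    out.append(text[pos:])
    return "".join(out), mapping


# Constructed sample. 9876 5432 1096 carries a valid Verhoeff digit; 9876 5432 1090 does not.
SAMPLE = (
    "Applicant Aadhaar 9876 5432 1096, PAN ABCDE1234F, mobile +91 9876543210. "
    "Callback on 9876543210. Rejected ID 9876 5432 1090."
)
DEMO_KEY = b"demo-only-key; in production this lives in an HSM or KMS"

if __name__ == "__main__":
    redacted, mapping = pseudonymise(SAMPLE, DEMO_KEY)
    print(redacted)
    print(mapping)
```

Two design points worth noticing: the identifier type is mixed into the HMAC input, so the same digit string seen as a mobile number and as part of another field yields different tokens, and the key is the only thing standing between a token and the original, so it belongs in an HSM or KMS with its own rotation and access log rather than in configuration next to the model.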

user/channel → privacy filter → [local model] → output validator → audit
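The last two bullets in the shape of the pipeline line, as an added example that is not BiltIQ’s code: a fail-closed on_prem_required gate on the model endpoint, and a SHA-256 hash chain over every request/output pair with a verifier that locates the first tampered entry. The hostname allowlist, the entry field names, the model stub and the sample events are assumptions for illustration.

```python
# Added example, not BiltIQ's code: the on_prem_required gate and the SHA-256
# audit hash chain described on the page, wired together as
# request -> [local model] -> audit. Hostname allowlist, field names, model
# stub and sample events are assumptions for illustration.
import hashlib
import ipaddress
import json
import time
from typing import Optional
from urllib.parse import urlsplit

# Hostnames known to resolve on-premises. Assumed for the example; in a real
# deployment this comes from deployment config, not a literal in code.
ON_PREM_HOST_ALLOWLIST = {"localhost", "llm.corp.internal"}


def endpoint_allowed(url: str) -> bool:
    """on_prem_required: permit only loopback/private IPs or allowlisted names.

    Everything else, including anything that fails to parse, is refused. The
    gate never resolves DNS to decide: a public name that happens to resolve
    privately today is exactly the egress path this mode is meant to forbid.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    if host in ON_PREM_HOST_ALLOWLIST:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname: fail closed
    return ip.is_loopback or ip.is_private


class AuditChain:
    """Append-only log in which each entry commits to the previous entry's hash.

    Only digests of the request and output are stored, so the audit trail is
    evidence of what was processed without being a second copy of the data.
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + canonical).encode()).hexdigest()

    def append(self, request: str, output: str, model: str, ts: Optional[float] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "model": model,
            "request_sha256": hashlib.sha256(request.encode()).hexdigest(),
            "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        }
        entry = {**body, "prev": prev, "hash": self._digest(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if every link checks out, else the seq of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["seq"] != i or e["hash"] != self._digest(prev, body):
                return i
            prev = e["hash"]
        return None

    def head(self) -> str:
        """Hash to anchor outside the system; a chain alone cannot detect tail truncation."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS


def run(request: str, endpoint: str, model_call, chain: AuditChain, model_name: str = "local") -> str:
    """Privacy-filtered text -> [local model] -> audit. Refuses before any egress."""
    if not endpoint_allowed(endpoint):
        raise RuntimeError(f"on_prem_required: refusing to send data to {endpoint}")
    output = model_call(request)
    chain.append(request, output, model_name)
    return output


def local_model_stub(prompt: str) -> str:
    """Stand-in for the on-premises model; assumed for the example."""
    return f"summary of {len(prompt)} chars"


if __name__ == "__main__":
    chain = AuditChain()
    run("Applicant <AADHAAR:9f3c2a1b> requests a loan", "http://127.0.0.1:11434/v1", local_model_stub, chain)
    print(chain.verify(), chain.head())
```

One caveat a DPIA reviewer will ask about: a hash chain proves that nothing inside it was altered or inserted, but deleting the newest entries leaves a chain that still verifies. Periodically anchoring `head()` somewhere the application cannot rewrite (a signed timestamp, WORM storage, a separate log service) is what turns the chain into evidence of completeness as well as integrity.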

Make compliance a non-issue

Your Data. Your Premises. Your AI. — the architecture that makes DPDP a design decision, not an audit scramble.