DPDP Act Compliance for Customer Support Tools (2026 Checklist)
India's Digital Personal Data Protection Act is now enforced. If your customer support tool stores personal data — and it does — here's what your vendor must support.
Bublly Team
March 25, 2026 · 10 min read

What the DPDP Act Covers
The Digital Personal Data Protection Act, 2023 governs the processing of personal data of individuals in India. It applies whether you're an Indian company or a foreign one offering goods/services to Indian users.
Personal data your support tool typically handles:
- Name, email, phone number
- Conversation transcripts (often containing PII)
- IP addresses, device fingerprints
- Behavioral analytics (page visits, click patterns)
- Customer photos, voice notes, document uploads
All of this is in scope.
Your Obligations as a Data Fiduciary
If your company decides why and how to process personal data, you're a Data Fiduciary under DPDP. Key obligations:
- Explicit consent for non-essential processing (marketing, analytics)
- Notice in clear language at the point of collection
- Purpose limitation — only use data for declared purposes
- Reasonable security safeguards including encryption at rest and in transit
- Breach notification to the Data Protection Board of India within prescribed timelines
- Grievance redressal mechanism including a Grievance Officer
- Right to correction, completion, erasure of personal data on user request
Your support vendor (the Data Processor) must enable all of this. They share liability for breaches.
What Your Support Tool Must Support
| Requirement | What to look for |
|---|---|
| Consent capture | Per-channel, per-purpose, with timestamp + audit trail |
| Consent revocation | One-click; processing must stop |
| Data residency | India region pinned in DPA |
| Encryption | TLS 1.2+ in transit; AES-256 at rest |
| Access controls | RBAC, MFA, session timeout |
| Audit logs | Who saw what, when |
| Data export | Machine-readable format for portability rights |
| Data deletion | Hard delete on user request, with confirmation |
| Breach notification | Vendor commits to notifying you within 24h |
| Sub-processor list | Published, with notice of changes |
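The "Consent capture" and "Consent revocation" rows above describe a mechanism, not just a policy: consent is recorded per channel and per purpose, every grant or revocation is timestamped and kept as an audit trail, and once revoked, processing for that purpose has to refuse to run. The sketch below is an added illustration of that shape (not Bublly's code, and the class and function names are assumed for the example): an append-only ledger whose current state is derived by replaying events, and a marketing send that is gated on the ledger.

```python
"""Purpose-scoped consent ledger (illustrative example, not a vendor's implementation)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


class ConsentRequired(Exception):
    """Raised when processing is attempted without a live consent record."""


@dataclass(frozen=True)
class ConsentEvent:
    ts: datetime      # UTC timestamp of the grant/revoke
    user_id: str
    channel: str      # e.g. "chat", "email", "whatsapp"
    purpose: str      # e.g. "support", "marketing", "analytics"
    action: str       # "grant" or "revoke"
    actor: str        # who recorded it: the user, or an agent id


class ConsentLedger:
    """Append-only: revocations are added, never used to delete the original grant."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, channel: str, purpose: str, action: str, actor: str) -> ConsentEvent:
        if action not in ("grant", "revoke"):
            raise ValueError(f"unknown consent action: {action}")
        ev = ConsentEvent(datetime.now(timezone.utc), user_id, channel, purpose, action, actor)
        self._events.append(ev)
        return ev

    def has_consent(self, user_id: str, channel: str, purpose: str) -> bool:
        # The most recent event for this (user, channel, purpose) triple decides.
        last = None
        for ev in self._events:
            if (ev.user_id, ev.channel, ev.purpose) == (user_id, channel, purpose):
                last = ev
        return last is not None and last.action == "grant"

    def audit_trail(self, user_id: str) -> List[ConsentEvent]:
        """Everything ever recorded for a user, grants and revocations alike."""
        return [ev for ev in self._events if ev.user_id == user_id]


def send_marketing_message(ledger: ConsentLedger, user_id: str, channel: str, text: str) -> str:
    """Non-essential processing: refuses unless marketing consent is live on this channel."""
    if not ledger.has_consent(user_id, channel, "marketing"):
        raise ConsentRequired(f"no marketing consent for {user_id} on {channel}")
    return f"[{channel}] -> {user_id}: {text}"
```

Note that a grant on one channel does not carry over to another, and that after a revocation the trail still shows both events, which is what an auditor will ask to see.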
Vendor Evaluation Checklist
Before signing a DPA, ask your vendor:
- Where is data physically stored? Get the region in writing.
- Are sub-processors listed publicly? Are you notified of changes?
- What's the encryption scheme — at rest and in transit?
- Can a user's data be exported in a portable format on request?
- How fast can a user's data be hard-deleted? Is deletion confirmable?
- What's the breach notification SLA?
- Is there a SOC 2 Type II or ISO 27001 report under NDA?
- Are audit logs immutable? How long are they retained?
- Does the DPA name DPDP-specific obligations or is it a generic template?
- What's the indemnification posture for vendor-caused breaches?
If a vendor can't answer 8+ of these in writing, that's a compliance risk.
Common Compliance Gaps
In our audits across 50+ Indian support deployments, the most common gaps:
- Marketing consent recorded but never revocable in the tool's UI
- Conversation transcripts retained indefinitely without retention policy
- AI training on raw conversations including PAN, Aadhaar, account numbers
- No grievance officer contact published on the support widget or footer
- Sub-processors changed without notice (especially when vendors swap AI providers)
Fixing these is mostly configuration, not code. But you have to ask first.

