IT/ITeS Vertical SaaS

Your SaaS Platform Is DPDPA-Compliant on Paper. Your Internal Access Controls Are Not.

Updated: 15 Apr 2026


The DPDPA compliance project is complete. Privacy notices are live on the platform. Consent mechanisms are implemented. Data processing agreements are signed with every third-party processor. The breach notification procedure is documented and tested. 

Nobody looked at who has access to the database containing all the personal data the compliance work just covered. 

What DPDPA Compliance Projects Typically Cover 

DPDPA compliance work covers contractual and procedural obligations: privacy notices, consent mechanisms, data processing agreements, retention policies, and breach notification procedures. It is necessary work. It is not sufficient work. 

The DPDPA 2023 requires data fiduciaries to implement reasonable security safeguards for personal data. The Act does not list the controls that meet that standard, but in 2026 a defensible reading of it includes MFA on every internal system through which employees and contractors can read, modify, or export customer personal data. DPDPA compliance projects typically do not audit whether the people holding that access authenticate with a second factor.

The Data Protection Board of India, investigating a breach, will ask one question the compliance exercise was not designed to answer: who had access to the personal data, and what prevented an unauthorised person from having the same access? 

What the Access Register Actually Shows 

A Vertical SaaS company that completed DPDPA compliance work last quarter typically has: a customer success manager with read access to every customer record, a data engineer with production database access provisioned at seed stage and never scoped down, a contractor who built the analytics integration six months ago whose credentials have not been rotated, and no MFA on the internal admin panel that accesses all of the above. 
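The profile above is what a credential audit looks for, so here is that audit as a runnable check over a constructed access register. This is an added example, not code from the page, from Proactive or from Cisco; the register fields, the system names, the role list, the thresholds (90-day contractor rotation, 180-day privilege review) and the four sample grants are all assumptions built to mirror the four conditions the paragraph describes.

```python
"""Audit an access register for systems that hold customer personal data.

Every field, threshold and system name below is an assumption made for this
example; map them onto your own register before using the checks.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

ROTATION_DAYS = 90    # assumed: contractor credentials older than this are stale
REVIEW_DAYS = 180     # assumed: admin grants not reviewed within this window

# Assumed systems that store or can export customer personal data.
PERSONAL_DATA_SYSTEMS = {"internal_admin_panel", "production_db", "analytics"}

# Assumed roles with a legitimate need to read every customer record.
ROLES_NEEDING_ALL_CUSTOMERS = {"dba", "security"}


@dataclass(frozen=True)
class Grant:
    user: str
    kind: str                      # "employee" or "contractor"
    role: str
    system: str
    privilege: str                 # "read", "write" or "admin"
    scope: str                     # "own_accounts" or "all_customers"
    mfa: bool                      # second factor enforced on this system?
    last_rotated: date             # credential last rotated
    last_reviewed: Optional[date]  # None = never reviewed since provisioning


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    issue: str


def audit(grants: List[Grant], today: date) -> List[Finding]:
    """Return one Finding per violated condition on a personal-data system."""
    findings = []
    for g in grants:
        if g.system not in PERSONAL_DATA_SYSTEMS:
            continue
        # No second factor in front of a system holding personal data.
        if not g.mfa:
            findings.append(Finding(g.user, g.system, "no MFA on personal-data system"))
        # Contractor credential that has not been rotated within the window.
        if g.kind == "contractor" and (today - g.last_rotated).days > ROTATION_DAYS:
            findings.append(Finding(g.user, g.system, "contractor credential not rotated"))
        # Admin privilege provisioned and never reviewed or scoped down.
        stale_review = g.last_reviewed is None or (today - g.last_reviewed).days > REVIEW_DAYS
        if g.privilege == "admin" and stale_review:
            findings.append(Finding(g.user, g.system, "admin privilege never scoped down"))
        # Read access to every customer record from a role that does not need it.
        if (g.privilege == "read" and g.scope == "all_customers"
                and g.role not in ROLES_NEEDING_ALL_CUSTOMERS):
            findings.append(Finding(g.user, g.system, "read access to every customer record"))
    return findings


def sample_register() -> List[Grant]:
    """Constructed register mirroring the four-condition profile; not real data."""
    return [
        Grant("cs.manager", "employee", "customer_success", "internal_admin_panel",
              "read", "all_customers", False, date(2026, 3, 1), date(2026, 1, 10)),
        Grant("data.engineer", "employee", "data_engineer", "production_db",
              "admin", "all_customers", True, date(2026, 2, 1), None),
        Grant("contractor.analytics", "contractor", "integrations", "analytics",
              "write", "all_customers", True, date(2025, 10, 1), date(2025, 10, 1)),
        # Control entry: scoped, rotated, reviewed, MFA on. Should produce nothing.
        Grant("sec.oncall", "employee", "security", "production_db",
              "read", "all_customers", True, date(2026, 4, 1), date(2026, 4, 1)),
    ]


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed register as of the page's update date."""
    return audit(sample_register(), date(2026, 4, 15))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.user:22} {f.system:22} {f.issue}")
```

Run it and the control entry produces no line; the other three grants produce the four findings from the paragraph, the customer success manager contributing two (no MFA, and read access across every customer). The `last_reviewed is None` branch is the one that catches the seed-stage grant: a register that never records a review date cannot distinguish "reviewed and still needed" from "forgotten".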

In Proactive's Cisco Duo deployments across Vertical SaaS companies in Bengaluru, Pune, and Hyderabad, the credential audit finds this profile in almost every engagement. The DPDPA compliance project was completed. The access register was not reviewed as part of it. 

Indian Vertical SaaS companies face the same dual compliance pressure as enterprise IT counterparts: enterprise clients demanding SOC 2 certification from one direction and DPDPA data fiduciary obligations from another. Both arrive at the same internal access surface. 

What Cisco Duo Covers 

Cisco Duo, Cisco's identity security platform, enforces MFA in front of internal admin tools, production database access, analytics platforms, and contractor remote access. Named individual accounts rather than shared logins. Access policies scoped to what each role requires. Authentication logs that answer the Data Protection Board's question before it is asked. One caveat a practitioner should keep in mind: Duo controls who authenticates and how; the privileges a database grants to an account once it is authenticated still have to be scoped down in the database itself.

Proactive is a Cisco Preferred Security Partner deploying Cisco Duo for Indian Vertical SaaS companies managing DPDPA and SOC 2 compliance across Bengaluru, Pune, and Hyderabad. 

The compliance work covered the contracts. 

The access controls cover the data. 

Talk to a Proactive Cisco Duo specialist. Write to [email protected]
