A question that comes up constantly among Indian insurers: if a Third-Party Administrator processes claims through cloud infrastructure hosted outside India, does that violate data protection law?
The answer, under the DPDP Rules notified in late 2025, is more permissive than many expected — but with a catch. Rule 15 allows cross-border data sharing by default. Unless the Central Government specifically names a country as restricted, sending personal data to processors abroad is legal.
The catch is that "permitted" doesn't mean "unsupervised." The insurer — as Data Fiduciary — remains fully accountable for that data no matter which country it physically sits in. If a TPA routes back-office processing through a foreign subsidiary, the insurer's contract must impose the exact same DPDP-grade safeguards on that overseas entity as it would on an Indian one. There's no discount for distance.
It gets more layered when sector-specific rules enter the picture. IRDAI's April 2026 Information and Cyber Security Guidelines reinforce and, in places, exceed DPDP baseline requirements — mandating security assessments before onboarding any TPA or web aggregator, and requiring insurers to hold and actually exercise audit rights, not just have them on paper. An insurer relying on cross-border data sharing has to satisfy both the DPDP Board and IRDAI simultaneously, which in practice means mapping exactly where every category of policyholder data physically resides and under whose jurisdiction.
For insurers auditing their vendor stack, the practical checklist is:
- Identify every TPA/vendor using non-Indian infrastructure
- Confirm contracts extend full DPDP safeguards to that infrastructure, not just to the Indian entity
- Cross-check against current IRDAI restrictions on data localization for core insurance documents
- Document data residency per vendor, not just per contract
This cross-border nuance is one of several areas where DPDP and IRDAI obligations overlap and occasionally diverge. The full comparison, along with the specific rule numbers and enforcement timeline, is laid out in the DPDP data sharing compliance guide for insurance TPAs.