📘 Introduction
With the enactment of the Digital Personal Data Protection (DPDP) Act, 2023 and enforcement of CERT-IN guidelines, Indian businesses—whether corporate entities, SMEs, or individuals—must adopt stricter standards around website hosting, data storage, and user privacy.
This article offers a comprehensive breakdown of what compliance looks like, especially in the context of web hosting and storage solutions, with clear steps for business owners, developers, and IT teams.
📜 Overview of the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 was introduced to:
- Govern the processing of personal data of Indian citizens.
- Enforce principles of consent, transparency, data minimization, and accountability.
- Empower individuals with rights over their personal data.
🧩 Key Definitions
- Data Principal: The individual whose data is being collected.
- Data Fiduciary: The entity (e.g., your company) that determines the purpose and means of processing.
- Consent: Must be free, informed, specific, and revocable.
✅ Core Obligations for Website Owners & Hosting Providers
| Area | Requirement |
|---|---|
| Consent Management | Explicit user consent is required before collecting or processing data. |
| Purpose Limitation | Data should only be used for the purpose stated at the time of collection. |
| Data Minimization | Only collect data that is strictly necessary. |
| Storage Limitation | Retain data only as long as needed, and delete when no longer required. |
| Security Safeguards | Implement reasonable security measures like SSL, firewalls, 2FA, etc. |
| User Rights | Users can request access, correction, deletion, and withdrawal of consent. |
| Grievance Officer | Must be appointed to handle data-related complaints within 7 working days. |
| Cross-border Transfer | Data can only be transferred to countries approved by the Indian government. |
🔐 CERT-IN Guidelines: Log Retention & Cybersecurity
The Indian Computer Emergency Response Team (CERT-IN), under the Ministry of Electronics and Information Technology (MeitY), enforces separate but complementary rules that apply to all businesses operating digital infrastructure, including websites and hosting services.
🧾 Key CERT-IN Compliance Requirements
- Log Retention: Store all system logs (e.g., firewall logs, web server logs, access logs, control panel and email logs) within India for at least 180 days, in a secure and accessible format.
- Time Synchronization: All servers must be synchronized with Indian NTP servers to ensure accurate and verifiable timestamps in the event of incident investigations.
- Incident Reporting: Any cyber security incident—such as website defacement, unauthorized access, DDoS attacks, ransomware, or data leaks—must be reported to CERT-IN within 6 hours of detection.
- Data Breach Notification: If personal data is compromised, businesses must inform both:
  - The affected users
  - CERT-IN, with complete details of the breach, impact, and mitigation
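As an added example (not code from the article or from the logrotate project), the following script audits a logrotate configuration against the 180-day retention minimum described above: it reads each stanza's rotation interval, rotate count and maxage, applies directives set globally, and lists the logs that would be discarded too early. The sample config, its paths and the interval lengths are constructed assumptions.

```python
"""Audit logrotate stanzas against CERT-IN's 180-day log retention minimum (added example;
not from the article or from logrotate). SAMPLE_CONFIG below is constructed, not real."""
CERTIN_MIN_RETENTION_DAYS = 180
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}  # approx. days
def retention_days(directives: dict) -> float:
    """Days a log survives: rotate count * interval, capped by maxage if present."""
    interval = next((INTERVAL_DAYS[k] for k in INTERVAL_DAYS if k in directives), None)
    if interval is None:
        return float("inf")  # no interval: logrotate never discards the file
    days = int(directives.get("rotate", "0")) * interval  # logrotate's default is rotate 0
    return min(days, int(directives["maxage"])) if "maxage" in directives else days

def parse_logrotate(config: str) -> dict:
    """Return {log_path: retention_days}; directives outside a stanza are global defaults."""
    retention, defaults, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):  # stanza header: one or more log paths
            current = (line[:-1].split(), dict(defaults))
        elif line == "}":
            for path in current[0]:
                retention[path] = retention_days(current[1])
            current = None
        else:
            key, _, value = line.partition(" ")
            target = current[1] if current else defaults
            if key in INTERVAL_DAYS:  # a new interval replaces any inherited one
                for k in INTERVAL_DAYS:
                    target.pop(k, None)
            target[key] = value.strip()
    return retention

def noncompliant(config: str, minimum: float = CERTIN_MIN_RETENTION_DAYS) -> dict:
    """Log paths retained for fewer than `minimum` days, with the computed days."""
    return {p: d for p, d in parse_logrotate(config).items() if d < minimum}
SAMPLE_CONFIG = """
weekly
rotate 26     # global default: 26 weekly rotations, 182 days, compliant
/var/log/nginx/access.log /var/log/nginx/error.log {
    daily
    rotate 14     # 14 days, far short of 180
}
/var/log/csf/lfd.log {
    maxage 90     # inherits weekly/rotate 26, but maxage 90 discards them early
}
/var/log/mail.log {
}
"""
```

Run `noncompliant(SAMPLE_CONFIG)` to see the two nginx logs (14 days) and the lfd log (90 days) flagged, while mail.log inherits the compliant global default.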
🧭 How to Report a Cybersecurity Incident to CERT-IN
If you encounter a qualifying cybersecurity incident—such as malware infection, data breach, DDoS attack, or unauthorized access—you must report it to CERT-IN within 6 hours of detection, as mandated under Indian law.
✅ Step-by-Step Reporting Guide
1️⃣ Document the Incident:
- Capture logs, screenshots, forensic artifacts
- Record the exact timestamp of detection
- Note affected systems, user data, and breach vectors
2️⃣ Notify CERT-IN via Email (Primary Method):
- 📧 Email: incident@cert-in.org.in
- 📨 Use your official organization email (avoid Gmail/Yahoo/etc.)
- 📝 Subject Line: Security Incident Report – [Your Domain/Company Name] – [Short Description]
3️⃣ Include These Details in Your Email Body:
- Organization name and registered address
- Name, email, and phone number of reporting contact
- Type of incident (e.g., ransomware, phishing, defacement)
- Date and time of detection
- Logs or evidence files (if available)
- Summary of impact (data affected, users, systems)
- Steps taken to mitigate
- Whether law enforcement or data protection authorities have been notified
4️⃣ Fill the Incident Report Form (Optional):
- Download and fill CERT-IN’s official PDF form: 🔗 https://www.cert-in.org.in/PDF/certinirform.pdf
- Submit it along with your email to incident@cert-in.org.in
⚠️ Note: The previous online reporting portal (cert-in.org.in/incident) is currently unavailable. Use the PDF + email method instead.
5️⃣ Preserve Logs and Communications:
- Retain all logs, emails, and related reports for audit and legal traceability
- Be prepared to assist with CERT-IN investigations or follow-ups
🔁 Reporting is mandatory. Failure to report qualifying incidents within 6 hours can lead to penalties, audits, or compliance actions under the IT Act and CERT-IN guidelines.
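As an added example that is not part of the article, the following script assembles the notification email described in steps 2 and 3 above, computes the 6-hour deadline from the detection timestamp in Indian Standard Time, and flags a reporting contact that uses a free-mail address. The incident details, organization name and free-mail domain list are constructed assumptions.

```python
"""Assemble a CERT-IN incident notification and track the 6-hour reporting window.
Added example, not from the article or CERT-IN; SAMPLE_INCIDENT below is constructed."""
from datetime import datetime, timedelta, timezone
IST = timezone(timedelta(hours=5, minutes=30))  # report times in Indian Standard Time
REPORT_WINDOW = timedelta(hours=6)               # CERT-IN: report within 6 hours of detection
CERTIN_ADDRESS = "incident@cert-in.org.in"
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # illustrative
REQUIRED_FIELDS = ("organization", "address", "contact_name", "contact_email", "contact_phone",
                   "incident_type", "detected_at", "impact", "mitigation", "authorities_notified")

def reporting_deadline(detected_at: datetime) -> datetime:
    """Latest moment the report may reach CERT-IN, in IST; naive timestamps are rejected."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must carry a timezone (server clocks may be UTC)")
    return (detected_at + REPORT_WINDOW).astimezone(IST)

def validate(incident: dict) -> list:
    """Problems that would make the email incomplete or non-compliant (empty list = ok)."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not incident.get(f)]
    if incident.get("contact_email", "").rpartition("@")[2].lower() in FREEMAIL_DOMAINS:
        problems.append("use an official organization address, not a free-mail account")
    return problems

def build_email(incident: dict, domain: str, now: datetime) -> dict:
    """Subject/body in the article's format plus the deadline and whether it has passed."""
    problems = validate(incident)
    if problems:
        raise ValueError("; ".join(problems))
    deadline = reporting_deadline(incident["detected_at"])
    body = "\n".join([
        f"Organization: {incident['organization']}, {incident['address']}",
        f"Contact: {incident['contact_name']} <{incident['contact_email']}> {incident['contact_phone']}",
        f"Incident type: {incident['incident_type']}",
        f"Detected at: {incident['detected_at'].astimezone(IST):%Y-%m-%d %H:%M IST}",
        f"Impact: {incident['impact']}",
        f"Mitigation: {incident['mitigation']}",
        f"Other authorities notified: {incident['authorities_notified']}",
    ])
    return {"to": CERTIN_ADDRESS,
            "subject": f"Security Incident Report – {domain} – {incident['incident_type']}",
            "body": body, "deadline": deadline, "overdue": now > deadline}
SAMPLE_INCIDENT = {  # constructed example, not a real event
    "organization": "Example Hosting Pvt Ltd", "address": "Plot 1, Example Road, Pune",
    "contact_name": "A. Sharma", "contact_email": "soc@example-hosting.in",
    "contact_phone": "+91-00000-00000", "incident_type": "website defacement",
    "detected_at": datetime(2025, 1, 10, 22, 15, tzinfo=timezone.utc),  # 03:45 IST on 11 Jan
    "impact": "public homepage replaced; no database access seen in logs",
    "mitigation": "content restored from backup; web credentials rotated",
    "authorities_notified": "none yet",
}
```

Note that a detection time logged in UTC converts to a 09:45 IST deadline here, which is why the code refuses naive timestamps: a server clock without timezone information makes the 6-hour window ambiguous.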
🏢 Website & Database Hosting for Indian Businesses: What the Law Implies
📍 Hosting Location
- While the DPDP Act does not mandate data localization, if data is hosted outside India, you must ensure:
  - It is transferred to jurisdictions approved by the Indian government.
  - Adequate security and contractual safeguards are in place.
  - You inform users where their data is being stored and why.
🗂️ Recommended Storage Architecture for Indian Companies
| Component | Storage Location | Notes |
|---|---|---|
| Website Content | Global (if encrypted) | Allowed, but India-preferred for sensitive services |
| Application Logs | 🇮🇳 Within India | Required under CERT-IN |
| User Data (DBs) | India preferred | Especially for healthcare, finance, e-commerce |
| Backups | At least one copy in India | For audit, breach response, and CERT-IN |
⚙️ Hosting Compliance Checklist
Here’s a practical checklist for aligning your web hosting with Indian law:
✅ Choose hosting providers with India-based data centers (AWS Mumbai, DigitalOcean Bangalore, NxtGen, etc.)
✅ Store access logs, audit logs, auth logs within India
✅ Enable SSL certificates and HTTPS on all public interfaces
✅ Store backups with 180-day retention in India (S3 Mumbai, ESDS Object Storage, etc.)
✅ Maintain a grievance redressal mechanism on your site
✅ Use firewalls, WAFs, malware scanners (e.g., CSF, Imunify360)
✅ Keep track of data subject rights requests (access, erase, etc.)
🌐 What If You're Using Foreign Hosting?
If you're hosting in Europe or the U.S., you should:
- Explicitly state it in your Privacy Policy
- Offer India-based storage as a paid upgrade if clients request compliance
- Store regulatory logs and snapshots separately in India
💡 It’s also best practice to maintain a data flow map showing how data travels from your website, where it’s stored, and who has access.
✍️ What to Include in Your Privacy Policy
Your privacy policy should include:
- What data you collect and why
- Where it’s stored (including cross-border mentions)
- Retention periods
- Rights of users under the DPDP Act
- Grievance redressal contact details
- Mention of CERT-IN compliance (log retention, breach notification)
✔️ Keep your Privacy Policy updated at least annually or after major infrastructure changes.
📢 Final Recommendations
✅ Start migrating at least critical logs and backups to India
✅ Keep your privacy documentation updated and transparent
✅ Consider India-compliant hosting options if you handle healthcare, financial, or educational data
✅ Train your team on incident response and data handling SOPs
✅ Maintain a paper trail for compliance—especially around data retention and breach response