PRACTITIONER FAQ

Cloud SaaS + Enterprise Tenant: Data Fiduciary vs. Processor in B2B Platforms — and the Breach Notification Chain

12 min read · For SaaS Vendor DPOs, Enterprise CISOs, Procurement Legal and Cloud Architects · April 2026
EPISODE 10 OF 10 · Cloud SaaS · B2B · Multi-Tenant Architecture


500 enterprise clients. Their customers' data on your servers. DR replica in Singapore. A ToS clause about "de-identified data." A ransomware attack. Who is the Fiduciary, who notifies the Data Protection Board, and when?

THE SCENARIO

A B2B SaaS provides a cloud CRM to 500 enterprise clients (banks, NBFCs, retailers). Enterprise clients upload their customer data (contact records, transaction history, support tickets). The SaaS vendor stores data on infrastructure, uses aggregated anonymised data to improve AI features, performs maintenance requiring technical access, and replicates data to Singapore for DR. A data principal files a DSAR directly with the SaaS vendor.

FIGURE — Processor vs. Co-Fiduciary Determination
B2B SaaS: WHEN DOES THE VENDOR BECOME A CO-FIDUCIARY?

VENDOR = DATA PROCESSOR (safe)
✓ Processes only per enterprise client instructions
✓ No independent discretion on data use
✓ Cannot use data for own analytics/products
✓ Operates under DPA binding it to client's purposes
✓ No independent retention decisions
✓ Returns/deletes all data on contract termination
✓ Routes all DSAR requests to enterprise client

VENDOR = CO-FIDUCIARY (risk)
✗ Uses tenant data for own product improvement
✗ Benchmarks across multiple tenant datasets
✗ Trains AI models on aggregated tenant PII
✗ Determines own retention beyond client needs
✗ Designs database schema independently
✗ ToS clause: "use de-identified data to improve"
✗ Makes DR/backup decisions independently
Q 10.1

Who is the Data Fiduciary in a B2B SaaS model — the vendor or the enterprise client?

The enterprise client is the Data Fiduciary for their customers' personal data — they decide what to upload, what processing to run, what retention to apply, and what to report. The SaaS vendor is the Data Processor — it acts on the enterprise client's instructions. However, the vendor becomes a co-Fiduciary the moment it uses any tenant's customer data for its own product improvement, benchmarking, or AI training — even in aggregated form — without the enterprise client's explicit permission and the original data principals' consent chain being intact.

Q 10.2

Data replication to Singapore for DR — is this a cross-border transfer under DPDP §16?

Yes — data replication to Singapore constitutes a cross-border transfer under §16 regardless of whether it is for operational use or passive DR. The physical movement of personal data outside India triggers the restriction, not the active use of the data. Until MeitY publishes the White List, the enterprise client (as Fiduciary) must ensure appropriate safeguards: contractual protections equivalent to DPDP standards, encryption at rest and in transit, access controls, and the ability to retrieve or delete the data from Singapore on demand. The enterprise client cannot outsource this compliance obligation to the SaaS vendor through a contract clause alone.

Q 10.3

A data principal files a DSAR directly with the SaaS vendor. How should this be handled?

● REDIRECT TO ENTERPRISE CLIENT

The SaaS vendor, as a Data Processor, has no direct DSAR obligation to the data principal. The correct response: (a) log the DSAR request, (b) immediately notify the enterprise client, and (c) direct the data principal to contact the enterprise client via their official DSAR channel. The vendor should build a DSAR routing mechanism that identifies the enterprise client whose data is in question and routes the request to that client's DPO.
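A minimal implementation of the three steps above (log, notify the enterprise client, redirect the principal), added here as an illustration and not code from the FAQ or from any vendor. The tenant registry, DPO addresses, principal identifiers and record index are constructed sample data; hashing identifiers for the routing log and returning one neutral reply are design choices of the example. It goes slightly beyond the answer by handling a principal who appears in several tenants' data and one who appears in none, because the vendor's reply must not reveal which enterprise clients hold a person's data.

```python
"""DSAR intake routing for a multi-tenant SaaS vendor acting as Data Processor.

Added example, not code from the original FAQ. It implements the three steps
in the answer: log the request, notify the enterprise client(s) whose data is
involved, and redirect the data principal to the client's own DSAR channel.
Tenant names, DPO addresses, principal identifiers and records are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    name: str
    dpo_contact: str      # the enterprise client's DPO mailbox (constructed)
    dsar_channel: str     # the client's public DSAR channel (constructed)


def fingerprint(identifier: str) -> str:
    """Normalise and hash a contact identifier so routing logs hold no raw PII."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


# Constructed tenant registry.
TENANTS: dict[str, Tenant] = {
    "t-bank01": Tenant("t-bank01", "Example Bank", "dpo@example-bank.invalid",
                       "https://example-bank.invalid/privacy/dsar"),
    "t-retail07": Tenant("t-retail07", "Example Retail", "dpo@example-retail.invalid",
                         "https://example-retail.invalid/dsar"),
}

# Constructed index: tenant -> fingerprints of principals present in that tenant's uploads.
TENANT_INDEX: dict[str, set[str]] = {
    "t-bank01": {fingerprint("asha@example.invalid"), fingerprint("ravi@example.invalid")},
    "t-retail07": {fingerprint("asha@example.invalid")},
}

# One neutral reply for every request: it must not reveal which tenants hold data.
NEUTRAL_REPLY = (
    "We process personal data only on behalf of the organisations that use our "
    "service and cannot act on this request directly. It has been forwarded to the "
    "relevant organisation(s). Please also raise it through the official DSAR "
    "channel of the organisation you dealt with."
)


@dataclass
class RoutingOutcome:
    request_id: str
    notified: list[str] = field(default_factory=list)   # tenant_ids whose DPO was notified
    log: list[str] = field(default_factory=list)        # vendor-side audit log lines
    reply: str = ""


def route_dsar(identifier: str, request_text: str,
               received_at: datetime | None = None) -> RoutingOutcome:
    received_at = received_at or datetime.now(timezone.utc)
    fp = fingerprint(identifier)
    request_id = hashlib.sha256(f"{fp}|{received_at.isoformat()}".encode("utf-8")).hexdigest()[:12]
    out = RoutingOutcome(request_id=request_id)

    # (a) Log the request without the raw identifier or the request body.
    out.log.append(f"{received_at.isoformat()} DSAR {request_id} received fp={fp[:16]}")

    # (b) Notify every enterprise client whose uploaded data contains this principal.
    for tenant_id in sorted(TENANT_INDEX):
        if fp in TENANT_INDEX[tenant_id]:
            tenant = TENANTS[tenant_id]
            out.notified.append(tenant_id)
            out.log.append(f"{received_at.isoformat()} DSAR {request_id} "
                           f"forwarded to {tenant.dpo_contact} ({len(request_text)} chars)")
    if not out.notified:
        out.log.append(f"{received_at.isoformat()} DSAR {request_id} no tenant match")

    # (c) Redirect the principal; the wording is identical whether or not a match exists.
    out.reply = NEUTRAL_REPLY
    return out


if __name__ == "__main__":
    result = route_dsar("Asha@Example.invalid", "I want a copy of my data")
    print("\n".join(result.log))
    print(result.reply)
```

The forwarded notification carries the request to the client's DPO; the principal only ever sees the neutral text, so a request for an identifier the vendor has never seen produces the same reply and a log line the vendor can audit later.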

Q 10.4

A ransomware attack exfiltrates enterprise client data. Who must notify the Data Protection Board?

Each enterprise client (as Data Fiduciary) is independently obligated to notify the Data Protection Board under §8(6). The SaaS vendor must notify all affected enterprise clients immediately upon discovering the breach — the DPA must specify a maximum notification window (standard: 24–72 hours of confirmed breach discovery). Each enterprise client must independently determine: which data principals' data was compromised, the likely harm, and whether the breach meets the notification threshold. The SaaS vendor's assessment cannot substitute for the Fiduciary's independent determination. Breach Response Plans and vendor breach notification clauses are non-negotiable in every SaaS procurement in the DPDP era.
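A vendor-side view of the notification chain described above, added as an illustration and not code from the FAQ or from any vendor. Given the storage objects an incident touched, it groups them by enterprise client, derives each client's deadline from the window agreed in that client's DPA, orders the queue so the tightest deadline is worked first, and renders a notice that reports facts only, leaving the §8(6) determination to the Fiduciary. Tenant ids, contacts, object keys, record counts and the DPA windows (24, 48 and 72 hours) are constructed; a tenant with no DPA window on file is treated as a contract gap rather than given a default.

```python
"""Vendor-side breach notification fan-out for a multi-tenant SaaS.

Added example, not code from the original FAQ. Tenant ids, DPO contacts,
object keys and record counts are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TenantDPA:
    tenant_id: str
    dpo_contact: str
    notify_within_hours: int   # maximum vendor-to-client window fixed in the DPA


@dataclass(frozen=True)
class AffectedObject:
    object_key: str            # constructed storage path
    tenant_id: str
    record_count: int
    data_categories: tuple[str, ...]


@dataclass(frozen=True)
class TenantNotification:
    tenant_id: str
    dpo_contact: str
    deadline: datetime
    record_count: int
    data_categories: tuple[str, ...]
    object_keys: tuple[str, ...]
    overdue: bool


def build_notification_queue(confirmed_at: datetime, affected: list[AffectedObject],
                             dpas: dict[str, TenantDPA], now: datetime) -> list[TenantNotification]:
    """One notification per affected tenant, earliest contractual deadline first."""
    grouped: dict[str, list[AffectedObject]] = {}
    for obj in affected:
        grouped.setdefault(obj.tenant_id, []).append(obj)

    queue: list[TenantNotification] = []
    for tenant_id, objs in grouped.items():
        if tenant_id not in dpas:
            # No agreed window means a gap in the contract; surface it instead of guessing.
            raise ValueError(f"no DPA notification window on file for tenant {tenant_id}")
        dpa = dpas[tenant_id]
        deadline = confirmed_at + timedelta(hours=dpa.notify_within_hours)
        categories = tuple(sorted({c for o in objs for c in o.data_categories}))
        queue.append(TenantNotification(
            tenant_id=tenant_id,
            dpo_contact=dpa.dpo_contact,
            deadline=deadline,
            record_count=sum(o.record_count for o in objs),
            data_categories=categories,
            object_keys=tuple(o.object_key for o in objs),
            overdue=now > deadline,
        ))
    return sorted(queue, key=lambda n: n.deadline)


def render_vendor_notice(n: TenantNotification, confirmed_at: datetime) -> str:
    """Facts only: what was touched, when, how much. The harm and §8(6) call stays with the client."""
    return (
        f"To: {n.dpo_contact}\n"
        f"Subject: Security incident affecting your tenant {n.tenant_id}\n"
        f"Breach confirmed at: {confirmed_at.isoformat()}\n"
        f"Affected objects: {', '.join(n.object_keys)}\n"
        f"Records affected (vendor count): {n.record_count}\n"
        f"Data categories present: {', '.join(n.data_categories)}\n"
        f"Contractual notification deadline: {n.deadline.isoformat()}\n"
        "This notice reports what we observed. As Data Fiduciary you must make your own "
        "assessment of likely harm and of whether notification to the Data Protection Board "
        "under §8(6) is required."
    )


# Constructed incident data for a stand-alone run.
CONFIRMED_AT = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2026, 4, 2, 10, 0, tzinfo=timezone.utc)
DPAS = {
    "t-bank01": TenantDPA("t-bank01", "dpo@example-bank.invalid", 24),
    "t-retail07": TenantDPA("t-retail07", "dpo@example-retail.invalid", 72),
    "t-nbfc03": TenantDPA("t-nbfc03", "dpo@example-nbfc.invalid", 48),
}
AFFECTED = [
    AffectedObject("tenants/t-bank01/contacts/part-0001.parquet", "t-bank01", 12000, ("contact", "transaction")),
    AffectedObject("tenants/t-bank01/tickets/part-0003.parquet", "t-bank01", 800, ("support_ticket",)),
    AffectedObject("tenants/t-retail07/contacts/part-0002.parquet", "t-retail07", 5400, ("contact",)),
]

if __name__ == "__main__":
    for notice in build_notification_queue(CONFIRMED_AT, AFFECTED, DPAS, SAMPLE_NOW):
        print(render_vendor_notice(notice, CONFIRMED_AT), end="\n\n")
```

In the constructed data the bank's 24-hour window has already lapsed by the time the queue is built, so it sorts first and is flagged overdue, while the retailer's 72-hour window is still open; the NBFC tenant had no objects touched and receives no notice.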

🔧 DPA Checklist — B2B SaaS Procurement
Fiduciary/Processor role designation and scope
Permitted processing purposes (exhaustive list)
Cross-border transfer disclosure and safeguards (Singapore DR)
DSAR routing obligations and response timeline
Breach notification: max 72 hrs to enterprise client
AI/analytics use restrictions on tenant data — explicit prohibition
Data return/deletion on contract termination with certificate

End of DPDP Implementation FAQ Series · 10 Episodes
