invisibles
India DPDP Act

AI deployment that fits the way Indian enterprises govern data.

For Indian enterprises, the Digital Personal Data Protection Act, 2023 is an operating-model question. Who is the Data Fiduciary? Who is the Data Processor? Where is the data hosted? How is consent captured? What happens when a Data Principal asks for access or erasure? And if your organisation is likely to be treated as a Significant Data Fiduciary, what evidence exists for audit, security, and governance? Invisibles is designed to make those questions easier to answer. The software deploys into your own AWS or Azure account, under your IAM and security controls. There is no standing access for Invisibles to customer data. If policy requires India-based hosting, the deployment can align to Mumbai or Hyderabad regions. You remain the Data Fiduciary; Invisibles operates as Processor.

Data Fiduciary, Data Processor, and role clarity.

Under the DPDP Act, the organisation deciding the purpose and means of processing is the Data Fiduciary. A vendor processing on its behalf is the Data Processor. That distinction matters because Indian enterprises need to know where accountability sits before they can approve a new AI system.

Invisibles fits that model. You remain the Data Fiduciary. Invisibles provides software that runs in your own cloud account and processes data under your instructions. That makes the role-split easier to explain internally and easier to document contractually. It also means your existing access controls, cloud policies, and security-review processes can continue to apply instead of being bypassed by a separate AI SaaS environment.

Consent, purpose limitation, and governed use.

The DPDP Act is consent-centric, with some recognised legitimate uses. Indian enterprises need to be precise about what data is being used, for what purpose, and under what authority. AI projects often fail this test when they widen scope too quickly. A team starts with one support use case and ends up exposing far more data than the original purpose required.

Invisibles is built to support narrower, governed use. Data Context Mappings pin the exact fields a Prompt can see. Skills can be limited to specific users, channels, or workflows. Masking can be applied before data reaches the model. That helps align the technical implementation with the purpose and consent logic already defined in the business process. If a use case depends on consent, the product can be wired to respect consent status from the source system rather than treating AI as a separate exception.

Where a use case involves children's data or other consent-sensitive workflows, you remain responsible for parental-consent capture, notices, and grievance-redressal obligations, including appointing a grievance officer where the Act requires one. Invisibles is designed to respect those controls rather than replace them — consent status and purpose flags from your source systems flow through to the Prompts and Skills that act on them.

Data Principal rights and operational evidence.

The DPDP Act gives Data Principals rights around access, correction, erasure, grievance redressal, and consent withdrawal. In practice, the challenge is not only fulfilling the request. It is proving what happened and where the data moved.

Invisibles helps by keeping the AI layer inside your environment and by writing an immutable audit trail with six-year retention by default. That gives teams a record of which Prompt or Skill ran, what channel invoked it, and what controls were applied. Your source systems remain authoritative, which is important for correction and erasure workflows. The AI layer is designed not to become a second uncontrolled repository of personal data. That makes rights handling more manageable, especially in large enterprises with multiple business systems.

Significant Data Fiduciaries, security, and breach readiness.

Some organisations may be designated Significant Data Fiduciaries based on volume, sensitivity, risk, or impact. Those organisations should expect more scrutiny around governance, security safeguards, and demonstrable controls. Even where designation is uncertain, many large Indian enterprises already operate as if that scrutiny is coming.

That is where the security architecture matters. Field-level PII masking uses AWS Comprehend on AWS or Microsoft Presidio on Azure. Structured tokenization uses ephemeral handles with a 15-minute TTL in DynamoDB or Cosmos DB. Prompt-injection defenses reduce the risk of unsafe tool use or data leakage. Audit provides a durable evidence trail. None of that replaces your own statutory obligations, including breach notification and internal governance, but it gives you a technical foundation that is easier to defend in review.

Cross-border transfers and practical localisation.

The DPDP Act does not create a blanket rule that all personal data must stay in India at all times. But many Indian enterprises still need local hosting because of sectoral expectations, customer contracts, procurement requirements, or internal policy. That is why the deployment model matters as much as the legal text.

Invisibles can be deployed in your own AWS or Azure account in the region you choose. For many India-based customers, that means Mumbai or Hyderabad. The point is not to overstate localisation law. The point is to give you a deployment model that supports local hosting where required and avoids unnecessary external copies where it is not. That is often the difference between a project that clears review and one that stalls.

DPDP obligation to product mechanism.

Data Fiduciary and Data Processor role separation maps to customer-controlled deployment and processor positioning. Consent and purpose limitation map to pinned Data Context Mappings, permissioned Skills, and consent-aware workflow hooks. Data Principal rights map to keeping source systems authoritative and preserving evidence in audit. Security safeguards map to masking, tokenization, prompt-injection defenses, and customer IAM. Cross-border and localisation concerns map to deployment in your own AWS or Azure account, including India regions where you choose. Breach readiness maps to immutable logs and a system boundary you can actually monitor.

Questions Indian privacy teams ask.

Is Invisibles the Data Fiduciary under the DPDP Act?

No. You are typically the Data Fiduciary. Invisibles acts as a Data Processor, providing software that runs under your instructions in your own cloud account.

Can we deploy Invisibles in India?

Yes. You deploy in your own AWS or Azure account in the region you choose, including India regions such as Mumbai (ap-south-1) or Hyderabad (ap-south-2) where appropriate.

Does Invisibles handle consent capture for us?

No, but it can respect your consent logic. You remain responsible for consent capture, notices, and withdrawal processes. Invisibles can be wired to honour consent status and purpose controls from your source systems.

How does Invisibles support Data Principal rights?

By keeping source systems authoritative and preserving evidence. Audit logs show when AI processing occurred for a given principal; the product is designed to avoid unnecessary shadow copies that would complicate erasure and correction.

Is Invisibles suitable for Significant Data Fiduciary environments?

It is designed to support those environments. Customer-cloud deployment, masking, tokenization, immutable audit, and customer-IAM access controls help large Indian enterprises implement stronger governance and evidence practices.

Does the DPDP Act require all data to stay in India?

Not as a blanket rule. The Act permits cross-border transfers except to countries specifically restricted by the government. Many Indian organisations still require India-based hosting for policy, sectoral, or contractual reasons, and Invisibles supports that deployment model.

This page is for informational purposes only and is not legal advice. A Data Processing Addendum is available on request; email security@invisibles.app. Customers should review their specific obligations with their own privacy, legal, and compliance counsel.

Talk to us about India deployments.

Book 30 minutes. We walk through Mumbai or Hyderabad deployment, Data-Fiduciary obligations, and the consent and audit hooks that matter for Indian procurement review.