If you don't know where your data is stored, you can't protect it, and you can't tell customers or regulators where it went if there's a breach. A Delhi logistics company once discovered that their employee management SaaS was storing payroll data on servers in an unknown third country; when they were audited under the DPDP Act, they faced legal action and lost a major client contract worth ₹50 lakhs. Untracked data copies also make you non-compliant with data protection laws, since you can't guarantee that data is only in India when that is required. Every new tool you add without reviewing where its data goes increases your attack surface and your liability.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- **Absent**: You add new software whenever someone asks for it—Slack, Google Drive, a vendor's cloud portal—without asking or documenting where the data goes. Your IT person (or you) has no record of which tools hold which data.
- **Initial**: You've made a list of the tools and vendors you use, but you haven't formally checked with each vendor about where they store data or who can access it. Some vendors sent you terms and conditions that you filed away but never reviewed.
- **Developing**: You have a spreadsheet showing your main tools (accounting software, CRM, HR system, email) and you've asked vendors where data is stored. The answers are documented, but you haven't verified them or set any rules about what you will and won't accept.
- **Defined**: Before buying any new tool, your IT person or manager asks the vendor three specific questions: where is data stored, which countries, and who has admin access. You maintain a current list and you've said no to at least one vendor because their data storage didn't meet your requirements.
- **Managed**: You have a formal Data Storage Review checklist that every new vendor must complete before approval. You audit existing vendors annually, track data location in a central register, and your team knows how to escalate if a vendor changes their data location without notice.
- **Optimised**: You have an automated process that flags whenever a vendor changes their data storage terms, you conduct data residency audits quarterly, you have contractual clauses requiring you to be notified of location changes, and you've mapped all data flows with technical verification. Your team can produce a complete data map for any customer or auditor within 24 hours.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all the software tools and vendor services your company currently uses (accounting, email, HR, CRM, file storage, communication apps, etc.). For each one, write down what type of data it handles: customer names, payments, employee records, business documents. | IT person or business owner | 2-3 days |
| 1 → 2 | Send a simple email to each vendor asking: 'Where is our data physically stored (country/region)?' and 'Can you confirm our data stays in India?' or 'Can you tell us all locations where our data is kept?' File the responses in a shared folder. | Business owner or office manager | 1 week |
| 2 → 3 | Create a Data Storage Review Form (can be a Google Form or simple checklist) with questions like: location of storage, data encryption, backup locations, third-party access, data retention period. Require this form to be completed by any new vendor before purchase is approved. | IT person with owner approval | 2-3 weeks |
| 3 → 4 | Set up a quarterly review calendar reminder. Every 3 months, pull your vendor list and spot-check 3-4 vendors' data storage terms. Update your central register. Create a simple one-page policy saying 'No new tool without data storage approval.' | IT person or designated data owner | 4-6 weeks (initial setup), then 4 hours per quarter |
| 4 → 5 | Add contractual clauses to vendor agreements requiring them to notify you within 7 days if they change data location. Set up automated alerts (via spreadsheet formulas or basic monitoring tool) if vendor terms pages change. Document your data map in a visual format (spreadsheet with all data flows) and test your ability to produce it in under 1 hour. | IT person with legal/procurement support | Ongoing: 2 hours per month for monitoring and updates |
Documents and records that prove your maturity level.
- A current spreadsheet or document listing all tools/vendors used, the data types they handle, and confirmed storage locations
- Documented responses from vendors answering data storage location questions (emails or formal Data Storage Review forms)
- A Data Storage Review Checklist or Approval Form template that every new vendor must complete before purchase
- A signed Data Processing Agreement (DPA) or vendor contract excerpt showing clauses about data location and notification of changes
- A quarterly review log showing dates you checked vendor terms and any findings or actions taken
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your process for checking where data is stored when you buy a new tool. How do you decide if a tool is acceptable?"
- "Show me your current list of vendors and tools. For each one, tell me where our data is stored and why you chose that vendor."
- "Have you ever discovered that a vendor was storing data in a location you didn't know about or didn't approve? What did you do about it?"
- "What is your data storage requirement—must all data stay in India, or are some locations acceptable? Can you show me the policy?"
- "If I ask you right now, can you produce a complete map of where all your customer and business data is physically located?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and track a simple vendor and data storage register | Google Sheets with a template (create columns: Vendor Name, Type of Data, Storage Location, Approved Yes/No, Last Verified Date) | Airtable (₹0-5,000/year for small teams) or Monday.com (₹8,000-15,000/year) |
| Build and share a Data Storage Review form with vendors | Google Forms (free, collect responses into a sheet automatically) | Typeform (₹3,000-8,000/year) or Jotform (₹2,500-6,000/year) |
| Monitor changes to vendor terms and privacy pages automatically | Google Alerts (set alerts for vendor name + 'data storage' or 'terms updated') or free tier of website monitoring tools | Versionista (₹8,000-15,000/year) or similar terms-monitoring service |
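The quarterly register check from the steps table (3 → 4 and 4 → 5) and the register columns suggested above can be automated in a few lines. The script below is an added example, not part of the original page or the NIRMATA toolkit; the register rows, the approved-location policy (India only) and the vendor terms text are constructed sample data.

```python
# Added example: audit a vendor/data-storage register and detect changed vendor terms.
# Column names follow the suggested Google Sheets template; all rows are constructed.
import csv
import hashlib
import io
from datetime import date

APPROVED_LOCATIONS = {"India"}   # assumed policy: data must stay in India
REVIEW_INTERVAL_DAYS = 90        # quarterly re-verification cadence

REGISTER_CSV = """Vendor Name,Type of Data,Storage Location,Approved Yes/No,Last Verified Date
PayrollCo,Employee records,India,Yes,2024-05-01
CloudDrive,Business documents,Singapore,Yes,2024-02-10
HelpdeskApp,Customer names,India,Yes,2023-09-15
CRMTool,Customer names,Unknown,No,2024-04-20
"""


def audit_register(csv_text, today_iso, approved=APPROVED_LOCATIONS,
                   max_age=REVIEW_INTERVAL_DAYS):
    """Return (vendor, finding) pairs for rows the quarterly review must act on."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["Vendor Name"]
        location = row["Storage Location"].strip()
        if location not in approved:
            # Unknown or non-approved location: escalate, don't assume it's fine.
            findings.append((vendor, f"storage location '{location}' not approved"))
        verified = date.fromisoformat(row["Last Verified Date"])
        if (today - verified).days > max_age:
            findings.append((vendor, f"last verified {verified}, overdue for re-check"))
        if row["Approved Yes/No"].strip().lower() != "yes":
            findings.append((vendor, "in use without data storage approval"))
    return findings


def terms_fingerprint(text):
    """SHA-256 of a vendor's terms/privacy page text; store it next to the vendor row."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def terms_changed(stored_fingerprint, current_text):
    """True when the current page text no longer matches the stored fingerprint."""
    return terms_fingerprint(current_text) != stored_fingerprint


if __name__ == "__main__":
    for vendor, finding in audit_register(REGISTER_CSV, "2024-06-01"):
        print(f"{vendor}: {finding}")
    old = terms_fingerprint("Data is stored in India.")
    print("terms changed:", terms_changed(old, "Data is stored in India and Singapore."))
```

In practice the current terms text comes from fetching the vendor's page on a schedule; a changed fingerprint is the trigger to re-send the data storage questions.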
- Assuming that if a tool is popular (like Google Drive or Slack), it must be safe and compliant—these tools may store data outside India or in unknown locations, creating DPDP violations even though they're 'trusted' brands.
- Asking the vendor once and never following up—vendors change their infrastructure, get acquired, or move servers without telling you. Many Indian businesses discovered their data was moved abroad only during a compliance audit.
- Focusing only on new tools and ignoring existing ones—you probably have 15+ active tools right now with no idea where data lives; the biggest risks are often hiding in tools you've been using for 3 years.
- Treating data storage reviews as an IT-only task—business owners and finance teams often buy software on their own (Zoho, Freshdesk, vendor portals) without telling IT, creating blind spots.
- Confusing 'encrypted in transit' with 'stored securely'—vendors often say data is encrypted during transfer but still store backups on servers in the US or Singapore, which violates data localization requirements under DPDP.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (Principles: lawfulness, purpose limitation, data minimization) and Section 8 (Right to information about personal data processing); Schedule 1 (Important Personal Data) requires data localization in India |
| CERT-In Guidelines 2022 | Direction 4 (maintain an inventory of critical information assets and their location); Direction 6 (implement data protection and privacy controls) |
| ISO 27001:2022 | A.5.18 (Management of third-party relationships), A.8.1 (Asset inventory and management), A.8.2 (Ownership of assets) |
| NIST CSF 2.0 | Govern (GV.RO-02: Review 3rd party risk, GV.RO-04: Manage data flows), Protect (PR.DS-01: Understand data flows and storage) |