Where Does Your Patient Data Live? Data Residency, India

India's DPDP Act does not, today, force patient data to live inside India. It uses a negative-list model: data can move to any country except those the government specifically restricts, and that restricted list isn't published yet. So the real data-residency question for an AI scribe isn't "is it in a Mumbai data centre." It's whether the data is stored at all, who can reach it, and whether you can delete it.

That reframing matters, because most "data residency" sales pitches answer the wrong question. The rest of this page sorts out what DPDP actually demands, why purpose limitation beats geography, and a short checklist you can run any vendor through.

Key takeaways

• DPDP 2023 uses a negative-list, not mandatory localization: data may leave India unless the government restricts the destination. That restricted list isn't notified yet.
• The sharper rule is purpose limitation: use data only for the stated purpose, then erase it (Section 8(7)).
• The DPDP Rules 2025 (notified 13 November 2025) phase in; cross-border and general security obligations land around 13 May 2027.
• For an AI scribe, the audio is the residency problem. A tool that never stores it removes the question for the most sensitive artifact.
• ABDM data rules and DPDP data rules are different things. Don't let a vendor blur them.

Does DPDP require patient data to be stored in India?

Short answer: no general localization mandate, as of mid-2026.

The DPDP Act 2023 takes a negative-list approach to cross-border transfers. A Data Fiduciary may transfer personal data outside India except to a country or territory the central government specifically restricts. As policy analysts at ITIF and several Indian law firms have noted, that restricted list has not been notified, so in practice transfers are broadly permitted today. There is no blanket rule that clinical data must sit on Indian soil.

Two honest qualifications. First, where any other Indian law sets a higher bar for a particular sector, that higher bar still applies, DPDP doesn't dilute it. Second, the government has reserved the power to restrict specific categories or destinations later, including for sensitive sectors like public health. So "no localization mandate" is the position now, not a permanent guarantee. A vendor that promises you "DPDP requires Indian storage, and we provide it" is overstating the law to sell a feature.

If location isn't the test, what is?

Purpose limitation and deletion. This is the part of DPDP that actually governs an AI scribe.

Section 8(7) of the DPDP Act is blunt about it. A Data Fiduciary must erase personal data "upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier," unless a law requires keeping it. Read that as an operating instruction: collect the visit data for one stated purpose, drafting your note, use it only for that, and delete it when the purpose is done or the patient pulls consent.

That's why the geography question is a distraction. A recording sitting in an Indian data centre for six months, used to "improve the model," is more of a DPDP problem than a note processed and stored under a clear purpose and deletable on request. Where the data lives matters far less than how long it lives and what it's used for.

The audio is the real residency problem

Here's the version that decides everything for a scribe specifically. The single most sensitive thing an AI scribe touches is the visit audio, the raw recording of what your patient said before any of it became a note. If that file is stored anywhere, in India or not, it's the artifact a breach exposes and a court can reach.

So the cleanest answer to "where does my patient data live" is: the most sensitive part of it doesn't live anywhere. Our position, stated as ours: visit audio is processed in memory and discarded the moment the note is drafted. There's no recording to localize, breach, or subpoena. What survives is the note you reviewed and signed, encrypted at rest with AES-256, in transit with TLS 1.2 or newer, with role-scoped, logged access. For tier-2 and tier-3 clinics where the signal drops mid-OPD, capture works offline with on-device AES-256-GCM encryption and syncs later.

The cross-vendor version of the audio question is worth your time before you sign anyone: what happens to your visit audio across major scribes. And the broader vetting routine is in the AI scribe security checklist, which puts the audio question first for exactly this reason. If a clean audio answer is what you're after, book a demo and ask it before anyone talks features.

The clinic data-location and deletion checklist

Run any India scribe vendor through this. The questions are about residency, ownership, and exit, the three things that actually matter under DPDP.

On that last row, the honest concession: ABDM integration is on our roadmap, not live. Some India-native platforms do have live ABDM integration today, and if ABDM connectivity is a hard requirement for your practice right now, that's a real reason to look at them. We won't pretend otherwise. What we will say plainly is that DPDP-aligned handling and ABDM integration are two different claims, and we meet the first while being honest about the second.

How DPDP's timeline changes what you should ask in 2026

The DPDP Rules 2025 were notified on 13 November 2025 and don't all switch on at once. The consent-manager provisions come into force around 13 November 2026. The general obligations, security safeguards, breach reporting, and the cross-border transfer framework, come into force around 13 May 2027. Clinics get a transition window.

What that means for a buyer today: you're choosing a vendor in the run-up to those obligations, so pick one whose posture already matches where the law is going, consent-first, purpose-limited, deletable, rather than one scrambling to retrofit it in early 2027. The phased calendar in plain language is in our DPDP for clinics guide, and the ownership half of this question, who actually owns the notes and how you exit, is in who owns your AI scribe notes.

What it costs, and the honest GST line

Pricing belongs in a residency conversation only because lock-in and surprise costs are their own kind of risk. So, plainly: AI Scribe by Patient Square launches in India at ₹1,199 per clinician per month on annual billing, ex-GST. Add 18% GST and that's ₹1,415 per clinician per month all-in. There's no feature gating between plans, and a 7-day free trial on both plans. The full ladder, month-to-month and annual, is on the pricing page, and the India-specific rate-card breakdown is in AI medical scribe price in India.

The canonical line, so you know exactly what's being handled to DPDP standards: AI Scribe by Patient Square is an ambient AI medical scribe that listens during the visit and hands back a structured SOAP note, ICD-10 suggestions, and a prescription draft, ready to review and sign about two minutes after the visit.

The short version for a clinic deciding this week

Five things, in order:

1. Stop asking only where the data lives. DPDP doesn't mandate Indian storage today; it mandates purpose limitation and deletion.
2. Ask whether the audio is stored at all. The recording is the residency problem. A no-storage scribe removes it.
3. Confirm you can delete and export any visit yourself, without a support ticket.
4. Separate DPDP from ABDM. They're different claims; make the vendor answer both honestly.
5. Pick a posture, not a promise. Consent-first and purpose-limited is where the law lands in 2027. Choose a vendor already there.

The cleanest way to test all of it is a quiet week of real OPD visits with the deletion and export functions exercised yourself. Book a demo, ask where the audio goes first, then run the 7-day trial on your own clinic days and verify every answer.