REGULATORY NOTICE
The Digital Personal Data Protection Rules 2025 are in force. If your business holds personal data of Indian citizens on a Linux server, compliance obligations apply to you now.
DPDP Compliance for Linux Server Owners in India
The DPDP Act 2023 and Rules 2025 place documented obligations on every organisation that stores personal data of Indian citizens. Most of that data sits on Linux servers. Here is what compliance requires — and how a managed retainer satisfies it.
What the law requires from you
Reasonable security safeguards
Documented patch management, access controls, and breach detection. An unpatched kernel or a former employee's SSH key that is still active is not a reasonable safeguard — it is a documented compliance failure.
Breach notification capability
You cannot notify the Data Protection Board of a breach you did not detect. Continuous monitoring is the technical foundation of this obligation. A server with no monitoring is a server where breaches develop undetected.
Data principal rights
Indian citizens can request access to, correction of, or erasure of their data. You need to know where personal data lives on your server to respond. Most Indian SMEs do not have this documented.
Documentation trail
If the Data Protection Board investigates, they will ask for evidence — not assurances. Patch records, access audit logs, incident reports. “We thought the server was secure” is not documentation.
Which server types are in scope
Any Linux server that stores or processes personal data of Indian citizens is in scope. In practice, that means:
- ERP servers — ERPNext, SAP, Tally Prime Server. Employee records, supplier data, customer billing history.
- E-commerce and D2C servers — customer names, addresses, order histories, payment references.
- Healthcare application servers — patient records, appointment data, clinical notes. Higher sensitivity under the Act.
- CRM and lead management servers — prospect and customer contact data.
- HR and payroll servers — employee personal data, salary records, Aadhaar-linked information.
How a managed retainer satisfies DPDP obligations
The documentation DPDP requires is a byproduct of proper Linux server management. AV Services retainer clients receive this as standard output every month.
| DPDP obligation | What AV Services produces |
|---|---|
| Reasonable security safeguards | Monthly patch records, SSH access audits, fail2ban logs, firewall review |
| Breach detection | 24/7 monitoring via Observium and Nagios, auth log review, anomaly alerting |
| Access control documentation | Quarterly user account and SSH key audit with written report |
| Incident documentation | Written root-cause analysis and resolution report within 24 hours of any incident |
| Offboarding and access revocation | Written confirmation of credential removal within 5 business days of engagement end |
Start with a free infrastructure audit
The audit covers the 3 compliance pillars the DPDP Rules require evidence for: patch status, access control gaps, and monitoring state. Written report within 5 business days. No write access needed. No commitment.
Mumbai-based Linux infrastructure management since 1999 · GSTIN: 27ACAPV2614B1Z0