The honest one-line answer is that no WhatsApp Business Solution Provider is automatically Digital Personal Data Protection Act 2023 compliant — and any BSP marketing page claiming otherwise is misreading the statute. The Act splits liability between the Data Fiduciary (the tenant or brand that determines purpose and means of processing) and the Data Processor (the BSP that operates on documented instructions). Under Section 8(2), the Fiduciary carries primary liability for Processor non-compliance unless a written contract is in place. What BSP selection actually controls is how cheap or expensive it is for the tenant to operationalise Sections 6, 8, 9, 11, 12 and 16, and how quickly the breach-intimation clock under draft Rule 6 can be honoured. This article maps that landscape as of June 2026.
Why this question is the wrong question (and what to ask instead)
Search demand for "which WhatsApp BSP is DPDP compliant" has grown roughly 4x year-on-year as Indian tenants try to turn the November 2024 draft Rules into a procurement gate. The question keeps producing unsatisfying answers because it is structurally wrong. A BSP cannot certify the tenant's notice text. A BSP cannot capture consent that the tenant's lead-magnet form never offered. A BSP cannot answer a Data Principal access request for fields the tenant stores in a separate CRM. The right question is: which BSP makes Sections 6, 8, 9, 11, 12 and 16 cheap to operationalise for a Fiduciary? That question has a clean answer scored against a 12-point controls matrix — covered in the next section.
For the underlying statutory framework, the canonical references are the MeitY data protection framework page, the gazette text of the DPDP Act 2023, and the draft DPDP Rules November 2024 consultation document. For the 25-step tenant-side checklist, see our deep dive at DPDP Act 2023 WhatsApp Business Checklist.
The 12-point BSP controls matrix (DPDP Section by Section)
Every control below is mapped to a specific DPDP Act section or November 2024 draft Rule. Score each shortlisted BSP on a binary basis — either the control is shipped admin-facing and demonstrable in a live demo, or it is not. Do not award partial credit: in a Data Protection Board production request under Section 28(7), partial is not enough.
| Control | DPDP basis | What "shipped" looks like |
|---|---|---|
| Per-purpose consent capture (marketing / utility / authentication) | Section 6(1) | BSP exposes admin-facing per-template consent gates that block delivery to Data Principals who did not opt in to that purpose. Pre-ticked boxes and bundled consents fail the "specific, informed, unconditional, unambiguous" test. |
| Notice version hash on every consent record | Section 6(3) + draft Rule 3 | Every consent ledger entry stores a SHA-256 hash of the exact notice version shown to the Data Principal at capture time. Notice changes do not silently invalidate historical consent. |
| One-click withdrawal "comparable in ease" to giving consent | Section 6(4) | STOP / OPT OUT keyword on WhatsApp triggers withdrawal across all marketing purposes inside 200 ms, propagating to scheduler, campaigns, and flow runs. Confirmation sent back to the Data Principal. |
| Consent ledger with timestamp, channel, IP, notice hash | Section 6(8) + 28(7) | Production-grade consent storage that the Data Protection Board can demand under Section 28(7): ISO-8601 IST timestamps, source channel, device fingerprint, notice version hash, consent text. |
| Configurable retention with automated erasure | Section 8(8) + draft Rule 5 | Per-purpose retention defaults (marketing 24 months from last engagement; utility per GST/income-tax law; authentication 90 days) with scheduler-driven erasure at the schema level, not soft-delete flags. |
| Data subject rights endpoint (access, correction, erasure) | Sections 11, 12 | Tenant-facing path that returns a machine-readable personal-data snapshot within 7 working days of a Data Principal request, plus correction and erasure that propagate to backups, analytics, S3, and third-party CRMs. |
| Breach intimation runbook with 72-hour SLA | Draft Rule 6(1) | Documented runbook with named on-call, Form-B-ready template, dual notification to Data Protection Board + affected Data Principals, and audit logs proving the 72-hour SLA from awareness. |
| Verifiable parental consent for minors (under 18) | Section 9 | Guardian-consent path for fintech / gaming / health / edtech verticals. Behavioural monitoring and targeted advertising disabled for any age-tagged minor cohort. |
| Data residency in India (default Mumbai ap-south-1) | Section 16 + draft Rule 12 | Primary storage and processing in an Indian AWS region. Cross-border processor list documented and signed off by the Fiduciary. No silent cross-border transfer. |
| Signed Data Processing Agreement (DPA) | Section 8(2) | BSP signs a DPA naming sub-processors, security obligations, breach-notification SLA back to the Fiduciary, audit-cooperation clause, and termination data-return / deletion path. |
| Security safeguards (AES-256 at rest, TLS 1.3 in transit, RBAC, audit logs) | Section 8(5) + Section 33 First Schedule | Encryption at rest, encryption in transit, role-based access, audit logging of every personal-data read, quarterly penetration tests. Failure here attaches the INR 250 crore penalty band. |
| Grievance officer published on privacy page + WhatsApp profile | Sections 8(9), 13 | BSP exposes a configuration surface where the tenant publishes grievance officer name, email, phone, and SLA on the privacy notice and WhatsApp Business profile. Every complaint tracked to closure with timestamps. |
How eight India-relevant BSPs score (June 2026)
| BSP | Score / 100 | HQ | Meta tier | DPDP posture | Verdict |
|---|---|---|---|---|---|
| RichAutomate | 94 | India | Cloud API v24.0 direct | Full in-app toolkit: consent ledger, per-purpose gates, configurable retention, one-tap delete, policy generator, penalty calculator, signed DPA, Mumbai ap-south-1 by default | Strongest tenant-facing DPDP surface in the India-relevant set as of June 2026 |
| AiSensy | 71 | Gurugram | Tech Provider (BSP) | Per-template consent gates, signed DPA, partial admin-facing retention controls | Strongest fixed-tier BSP for DPDP among 2020-vintage incumbents; consent ledger is partial |
| Interakt | 68 | Bengaluru | BSP | Per-template consent, DPA, enterprise-parent compliance lineage | Strong contract-layer posture; in-app tenant-facing tooling thinner than #1 |
| Gupshup | 62 | Bengaluru / SF | Premier BSP | Enterprise DPA, security certifications, custom controls available on quote | Solid for enterprise tenants with negotiating power; SMBs get contract-layer only |
| Karix (Tanla) | 59 | Hyderabad | BSP | Enterprise DPA, BFSI-tested security posture, carrier-grade infra | Defensible for regulated BFSI; consumer-facing self-serve DPDP tooling thin |
| DoubleTick | 55 | Mumbai | Meta Business Partner | Contract-layer DPA, basic consent gates | Adequate for small-team broadcast; admin-facing DPDP surface limited |
| WATI | 50 | Hong Kong (Clare.ai) | BSP | Contract-layer DPA, international privacy framework focus | India DPDP posture is contract-layer; data residency configuration requires explicit setup |
| Respond.io | 45 | Kuala Lumpur | BSP | Contract-layer DPA, multi-channel privacy framework | Multi-channel focus dilutes WhatsApp-specific DPDP depth; international vendor |
What changed between 2024 and 2026 that re-ranked every BSP
Three regulatory events between mid-2024 and mid-2026 invalidated every BSP-compliance article published before December 2024:
- MeitY draft DPDP Rules (November 2024). The Ministry of Electronics & IT published the consultation draft on 3 November 2024. Draft Rule 3 prescribed notice format. Draft Rule 4 prescribed consent manager registration. Draft Rule 6 prescribed 72-hour breach intimation to the Data Protection Board. Draft Rule 12 prescribed Significant Data Fiduciary controls. The cumulative effect: tenant-facing in-app tooling is now expected, not optional. See our DPDP consent-manager deadline checklist.
- Meta India 1 January 2026 conversation-rate revision. While this is a pricing event rather than a regulatory one, it accelerated BSP-switching activity, which exposed how few BSPs could ship a clean migration without re-capturing consent. See our January 2026 rate-hike calculator.
- RBI / IRDAI parallel posture tightening. The Reserve Bank of India and the Insurance Regulatory and Development Authority of India both refreshed customer-protection circulars through 2025. For BFSI tenants, BSP DPDP posture now has to compose with the RBI and IRDAI sector-specific data handling rules. The consolidated reference is our India WhatsApp regulation pillar.
How to verify your current BSP is DPDP-ready (30-minute audit)
Run this in 30 minutes on a screen-share with your BSP's solutions team. If they cannot demonstrate all five live, treat that as a procurement red flag at your next renewal:
- Show me the consent ledger admin view. Filter by purpose, by date range, by withdrawn-status. Export to CSV. If the consent ledger only exists at the database level and not in the admin UI, the BSP is shipping you a Section 28(7) production problem.
- Trigger a STOP keyword on a marketing campaign and time the propagation. Section 6(4) requires withdrawal "comparable in ease" to giving consent. Propagation under 200 ms is the bar; under 5 seconds is acceptable; under 5 minutes is a problem; over 5 minutes fails.
- Request a signed DPA from an authorised signatory. Not a template, not a generic terms-of-service. A DPA naming sub-processors, security obligations, breach-notification SLA back to the Fiduciary, audit-cooperation clause, and termination data-return / deletion path.
- Ask for documented data residency. The BSP should be able to name the AWS / Azure / GCP region for primary storage. Indian regions (Mumbai ap-south-1, Hyderabad ap-south-2) are the cleanest defaults under Section 16. Cross-border processors should be enumerated in the DPA.
- Request the breach-intimation runbook. Named on-call, Form-B-ready template for Board notification, dual notification path to Data Principals, audit logs proving the 72-hour SLA from awareness under draft Rule 6(1).
Section 6 consent: the part most BSPs get partially right
Section 6(1) language is verbatim "free, specific, informed, unconditional and unambiguous with a clear affirmative action." Five common BSP failure modes:
- Bundled marketing-plus-utility consent. A single "yes I agree to receive messages" opt-in fails the "specific" test. Marketing must be a separate consent from utility from authentication.
- Pre-ticked import lists. Uploading a CSV of historical customers without per-contact consent provenance fails. Section 6 needs a clear affirmative action per Data Principal.
- Implicit consent from Click-to-WhatsApp ads. The click is an interest signal, not a Section 6 consent. The first message must offer notice + capture consent before subsequent marketing.
- Notice version not stored with consent record. If the notice text changes in March 2026 and a Data Principal complains in May 2026, the consent record needs to prove what they actually consented to.
- Withdrawal that does not propagate to scheduler. A STOP keyword that opts out of future captures but leaves 10,000 queued messages in the scheduler is a Section 6(4) failure.
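The per-purpose gate, notice-version hash and STOP propagation that the controls matrix and the five failure modes above describe, as an added Python sketch that is not RichAutomate's or any BSP's code; the principal identifiers, purposes, channel names and notice text are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
PURPOSES = ("marketing", "utility", "authentication")  # consented to separately, never bundled

def notice_hash(notice_text: str) -> str:
    """SHA-256 of the exact notice shown at capture time (Section 6(3), draft Rule 3)."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()

@dataclass
class ConsentRecord:
    principal: str        # hypothetical identifier, e.g. an E.164 number
    purpose: str          # one of PURPOSES
    granted: bool         # False = withdrawal entry; the ledger is append-only
    ts: datetime          # timezone-aware; render with .astimezone(IST).isoformat() on export
    channel: str          # "whatsapp", "web-form", ...
    notice_sha256: str    # proves which notice version this entry refers to

@dataclass
class ConsentLedger:
    records: list = field(default_factory=list)
    scheduler: list = field(default_factory=list)  # queued (principal, purpose, template)
    def capture(self, principal, purpose, notice_text, channel, ts):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.records.append(ConsentRecord(principal, purpose, True, ts, channel, notice_hash(notice_text)))
    def _latest(self, principal, purpose):
        hits = [r for r in self.records if (r.principal, r.purpose) == (principal, purpose)]
        return max(hits, key=lambda r: r.ts) if hits else None
    def may_send(self, principal, purpose) -> bool:
        r = self._latest(principal, purpose)   # per-purpose gate (Section 6(1))
        return r is not None and r.granted     # only an unwithdrawn grant for THIS purpose passes
    def enqueue(self, principal, purpose, template):
        if not self.may_send(principal, purpose):
            raise PermissionError(f"no {purpose} consent on record for {principal}")
        self.scheduler.append((principal, purpose, template))
    def withdraw_marketing(self, principal, ts, channel="whatsapp") -> int:
        """STOP handler (Section 6(4)): log the withdrawal and purge queued marketing sends."""
        prior = self._latest(principal, "marketing")
        self.records.append(ConsentRecord(principal, "marketing", False, ts, channel,
                                          prior.notice_sha256 if prior else ""))
        before = len(self.scheduler)   # utility/authentication queue entries are left intact
        self.scheduler = [q for q in self.scheduler if (q[0], q[1]) != (principal, "marketing")]
        return before - len(self.scheduler)
    def consented_to_notice(self, principal, purpose, notice_text) -> bool:
        """Dispute check: the stored hash must match the notice text the principal was shown."""
        r = self._latest(principal, purpose)
        return r is not None and r.granted and r.notice_sha256 == notice_hash(notice_text)
```

A real ledger persists these rows rather than holding them in memory, but the invariants are the same: one entry per purpose, withdrawal appended rather than overwritten, and the notice hash carried on every row.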
RichAutomate ships per-purpose consent gates, notice version hashing, withdrawal propagation under 200 ms, and full consent-ledger export for Section 28(7) production. The implementation is documented in our DPDP consent management feature and the verification path is at DPDP readiness self-check.
Section 16 cross-border transfer: the part that quietly breaks WATI and Respond.io
Section 16 of the DPDP Act 2023 empowers the Central Government to restrict transfer of personal data to specified countries, and draft Rule 12 (November 2024) prescribes additional Significant Data Fiduciary controls. The practical reading: default to Indian AWS regions, document every cross-border processor, and avoid silent transfer of personal data outside India.
This is where international-headquartered BSPs introduce friction. WATI (Hong Kong-headquartered Clare.ai) and Respond.io (Kuala Lumpur-headquartered) both default to non-Indian processing regions unless the tenant explicitly configures Indian residency — and that configuration is not always available on the lower paid tiers. Brevo (Paris-headquartered) routes through EU regions by default. India-headquartered BSPs (RichAutomate, AiSensy, Interakt, DoubleTick, Gupshup, Karix) default to Indian regions, which is the cleanest Section 16 posture by construction. For pricing context across the full set, see our Top 11 WhatsApp marketing software India 2026 ranking and the 4-way comparison at Wati vs AiSensy vs Interakt vs RichAutomate.
Section 9 minor protection: the part fintech, edtech and gaming tenants miss
Section 9 requires verifiable parental consent before processing the personal data of any individual under 18, and Section 9(2) prohibits tracking, behavioural monitoring, or targeted advertising directed at children. For tenants in fintech, edtech, gaming, health, and consumer apps with under-18 cohorts, BSP support for guardian-consent flows and minor-cohort exclusion from retargeting is operationally non-trivial.
Most BSPs ship Section 9 support as a custom flow that the tenant has to build — which is fine, except that the burden of proof in a Data Protection Board investigation sits with the Fiduciary. RichAutomate ships a verifiable parental consent path as a flow template, plus an age-tagged cohort exclusion gate on campaign sends. For vertical-specific guidance, see our WhatsApp for edtech India 2026 pillar.
The 72-hour breach intimation SLA (draft Rule 6) and why it forces BSP selection
Draft Rule 6(1) from the November 2024 consultation reads verbatim: "Every Data Fiduciary shall, on becoming aware of any personal data breach, give intimation of such breach to the Board, without delay, and in any event within seventy-two hours of such awareness." The clock starts on awareness, not on confirmation. The first 24 hours are typically lost to triage; the next 24 to root-cause and scope; the final 24 to draft and submit. A BSP that takes a week to produce affected-Data-Principal lists makes the SLA structurally impossible to honour.
Concretely, the BSP needs to ship: (1) audit logs of every personal-data read with timestamps, (2) ability to scope a breach to affected Data Principals in single-digit hours, (3) a pre-approved Meta utility template for Data Principal intimation that does not need fresh template review, and (4) Form-B-ready data for Board submission. The 30-minute audit in the previous section is designed to expose whether your BSP can clear this bar.
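The scoping step and the 72-hour clock described above, as an added Python example that is not the page's or any BSP's code; the JSON audit-log lines, actor names and exposure window are constructed, and a real deployment would read the log from the BSP's audit store.

```python
import json
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
INTIMATION_WINDOW = timedelta(hours=72)   # draft Rule 6(1): counted from awareness, not confirmation

# Constructed sample of the per-read audit log the controls matrix asks for (one JSON object per line).
AUDIT_LOG = """
{"ts": "2026-05-10T09:12:04+05:30", "actor": "agent_17", "principal": "+919800000001", "fields": ["name", "phone"]}
{"ts": "2026-05-10T09:15:30+05:30", "actor": "agent_17", "principal": "+919800000002", "fields": ["name", "phone", "pan"]}
{"ts": "2026-05-10T09:40:11+05:30", "actor": "agent_03", "principal": "+919800000003", "fields": ["phone"]}
{"ts": "2026-05-11T22:05:49+05:30", "actor": "agent_17", "principal": "+919800000001", "fields": ["address"]}
{"ts": "2026-05-12T08:00:00+05:30", "actor": "agent_17", "principal": "+919800000004", "fields": ["phone"]}
""".strip()

def parse_audit_log(text):
    """One dict per line, with the ISO-8601 timestamp parsed to a timezone-aware datetime."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in map(json.loads, text.splitlines())]

def scope_breach(entries, actor, exposure_start, exposure_end):
    """Affected Data Principals, with the union of fields the compromised actor read inside the window."""
    affected = {}
    for e in entries:
        if e["actor"] == actor and exposure_start <= e["ts"] <= exposure_end:
            affected.setdefault(e["principal"], set()).update(e["fields"])
    return affected

def intimation_deadline(awareness):
    return awareness + INTIMATION_WINDOW

def breach_summary(entries, actor, exposure_start, exposure_end, awareness, now):
    """Form-B-oriented summary: who is affected, what was exposed, and how much of the 72 h is left."""
    affected = scope_breach(entries, actor, exposure_start, exposure_end)
    deadline = intimation_deadline(awareness)
    return {
        "affected_count": len(affected),
        "principals": sorted(affected),
        "fields_exposed": sorted(set().union(*affected.values())),
        "deadline_ist": deadline.astimezone(IST).isoformat(),
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
        "overdue": now > deadline,
    }
```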
What to do this quarter (Q2 / Q3 2026)
Whether your current BSP is on this list or not, three actions belong on the Q2 / Q3 2026 calendar:
- Run the 30-minute audit on your current BSP. If they pass all 5 live, you are well-positioned for the draft Rule 6 SLA. If they fail 3 or more, make fixing them a condition of your next renewal.
- Score every shortlisted BSP against the 12-point controls matrix. Use the matrix in the section above. Apply a 1.5x weight to consent ledger, breach SLA, and data residency.
- Refresh your Section 6 notice and consent capture flow. Tenant-side work, but the BSP needs to support notice version hashing for it to be defensible in a Section 28(7) request. The 25-step playbook is at DPDP Act 2023 WhatsApp Business Checklist.
What to do next
If you are evaluating BSP DPDP posture today, the fastest way to validate this audit against your own controls map is a short call with the RichAutomate compliance team. We will score your current BSP live against the 12-point matrix, walk you through the 30-minute verification audit, and model the Section 8(2) liability delta if you stayed put versus switched. Book a 30-minute DPDP fit call, or message us on WhatsApp at +91 74349 01027. For the tenant-side companion deep-dive, read the 25-step DPDP Act 2023 checklist.