Video data residency for surveillance: keeping footage in India
Video data residency means storing and processing surveillance footage on infrastructure physically located in India. Under the DPDP Act 2023 and DPDP Rules 2025, CCTV footage of identifiable people is personal data — and with sector mandates from RBI to CERT-In already forcing related data onshore, on-premise, edge-first video architectures are the lowest-risk choice.
Every organisation that runs cameras in India is about to answer a question most have never asked: where, physically, does our footage live? For a decade the honest answer was "on a hard disk inside the NVR." Then cloud video surveillance arrived, and for many estates the honest answer quietly became "in a cloud region we've never verified, operated by a company headquartered somewhere else." Between the DPDP Act's cross-border regime, CERT-In's log-localisation directions, RBI's storage mandates and the BIS ER-01 enforcement that began 1 April 2026, that vagueness is no longer survivable. This analysis maps the rules, quantifies the risk, and explains why residency is one of the few procurement questions where architecture — not paperwork — decides the outcome.
What video data residency means — and what it doesn't
Three terms get blurred in vendor decks, and the blur is where buyers get hurt. Data residency is a fact: the physical location where data is stored and processed. Data localisation is a legal mandate: a requirement that certain data must be stored — sometimes exclusively — within a country's borders. Data sovereignty is a jurisdiction question: whose laws, courts and disclosure orders can reach the data, which follows the controlling entity as much as the data centre.
Why the third term is the trap
A foreign-controlled video cloud can store your footage in a Mumbai region and truthfully claim Indian residency — while its parent remains answerable to extraterritorial disclosure statutes such as the US CLOUD Act, which can compel US-incorporated providers to produce data they control regardless of where it is stored. Residency without sovereignty is a map pin, not a guarantee.
Surveillance footage sharpens all three questions, because video is not ordinary data. As legal analysis of the DPDP framework and CCTV has made clear, footage containing identifiable faces is personal data — with facial data treated as biometric information, among the most sensitive categories Indian law recognises. Every recording, every retention decision, every export to a cloud dashboard is processing of that data.
The rulebook: what already forces footage-related data onshore
India has no single "CCTV residency act." What it has instead is a lattice of overlapping regimes — and the lattice is tightening in one direction.
| Instrument | What it says | Residency effect on video |
|---|---|---|
| DPDP Act 2023, S.16 + Rule 15 (DPDP Rules notified 13 Nov 2025) | Transfers allowed to all countries except those the Centre restricts — a negative list, invocable at any time, with no duty to justify | Offshore footage storage is lawful today but revocable tomorrow; architecture must survive a notification |
| DPDP Rules — Significant Data Fiduciaries | SDFs must ensure government-specified categories of personal data are not transferred outside India (categories yet to be notified) | Large video estates processing biometric-grade footage should assume hard localisation is coming |
| CERT-In Directions, 28 Apr 2022 | All ICT system logs retained for a rolling 180 days within Indian jurisdiction | VMS, NVR and camera-platform logs stored in a foreign region are non-compliant by default |
| RBI, Storage of Payment System Data (2018) | End-to-end payment data stored only in India; branch/ATM CCTV retention of 90 days to 6 months | Any camera that sees a keypad, teller counter or ATM is capturing payment-adjacent data that must not leave |
| Supreme Court, Paramvir Singh Saini v. Baljit Singh | Police-station CCTV with retention up to 18 months | Public-sector video is already under judicially mandated long retention — on Indian systems |
| MeitY ER-01 / BIS CRO | From 1 April 2026, only cameras meeting the Essential Requirements — secure boot, signed firmware, encrypted transport, disclosed chipset — can be sold | The capture layer is now regulated hardware; buyers are being trained to ask "where does the data go?" next |
Read as a whole, the direction of travel is unambiguous. Payment regulators localised in 2018. CERT-In localised logs in 2022. The DPDP framework reserved the power to localise anything, for any destination, on notice. And penalties give the lattice teeth: the Data Protection Board can levy up to ₹250 crore per instance for failures like inadequate security safeguards — and a leaked footage archive is precisely such a failure, as incidents like the hospital-CCTV leak reported in Gujarat made painfully concrete.
Cloud VSaaS vs on-premise: follow the footage
Cloud video surveillance earns its popularity honestly — central dashboards, zero-touch updates, easy multi-site rollout. The residency analysis is not about whether cloud is good; it is about what a buyer inherits when raw footage leaves the building.
Four exposures that travel with offshore footage
Jurisdictional reach: footage held by a foreign-controlled provider can be compelled under that provider's home-country law, whatever region hosts the bytes. Negative-list repricing: a single Rule 15 notification restricting a destination country converts a lawful architecture into a violation with a migration bill attached — analysts note the government carries no obligation to give advance notice or justification. Breach surface: continuous upstream video is an always-on exfiltration channel; on-premise footage cannot leak from a cloud bucket it never entered. Erasure control: DPDP erasure rights extend to copies held by processors — harder to evidence across foreign replicas, backups and derived datasets.
The bandwidth arithmetic nobody puts in the brochure
Residency also has a physics dimension. A 100-camera site streaming continuously at a conservative 4 Mbps per camera needs ~400 Mbps of sustained upstream and ships roughly 130 TB of video every month across the WAN — bandwidth paid for monthly, forever, to move data that in most deployments is viewed less than 1% of the time. Keeping footage on site and moving only events inverts that ratio: kilobytes of metadata travel; terabytes of video stay home.
The two-layer answer: residency by architecture, not by contract
At IndoAI we frame every video procurement as two separate evaluations. The capture layer — cameras, lenses, NVRs — is where footage is born, and after ER-01 it is regulated hardware. The intelligence layer — analytics, search, alerts, integrations — is where value is created. The residency insight is simple: if intelligence comes to the footage, the footage never has to travel.
That is what edge-first means in practice. AI apps run on the camera or on a small on-site compute node beside the existing NVR, ingesting standard ONVIF/RTSP streams. Detection, recognition and event logic execute where the data is captured. What leaves the premises is an alert, a count, a thumbnail — governed, minimal, and easy to keep inside India. Even investigation workflows, historically cloud's strongest argument, now run locally: on-site semantic video search lets an operator ask natural-language questions of footage that has never left the building.
This is also why residency does not require ripping out working cameras. A compliant intelligence layer can sit on top of any ONVIF/RTSP-compliant estate — the same collaborative, two-layer logic we applied when comparing IndoAI with global cloud platforms. Contracts can promise residency; architecture can make the question moot.
A five-step video data residency audit
- Map the flows. For every camera group, document where footage is stored, where it is processed, where logs live, and where backups replicate — down to named regions, not marketing phrases like "secure cloud."
- Classify the views. Flag cameras covering payment surfaces (ATMs, tills, teller counters), children, or health settings; these inherit the strictest sectoral regimes and should default to India-only, on-premise storage.
- Interrogate sovereignty. Ask each vendor: where is the controlling entity incorporated? Can foreign process compel disclosure? Where do support staff access footage from? Get answers in the contract.
- Fix the logs first. CERT-In's 180-day India-resident log rule is already in force — verify your VMS and camera-platform logs are retained onshore before worrying about future DPDP notifications.
- Buy for the 2027 rulebook. Assume SDF designation, assume at least one restricted destination, assume erasure requests. An edge-first, on-premise architecture is compliant under every one of those futures; an offshore one is compliant only under the most permissive.
Frequently asked questions
Is CCTV footage personal data under the DPDP Act?
Yes. Footage in which a person is identifiable — by face, gait, vehicle plate or context — is digital personal data under the DPDP Act, 2023, and facial data is treated as biometric information, one of the most sensitive categories. Every step from recording to storage to sharing counts as processing.
Is it illegal to store CCTV footage outside India today?
Not automatically. The DPDP Act uses a negative-list model: transfers are permitted to any country the Central Government has not restricted. But sectoral rules already localise related data (RBI payment data, CERT-In logs), and the government can restrict destinations at any time — which makes offshore storage a standing regulatory risk rather than a settled right.
What is the negative list under DPDP Rule 15?
Rule 15 of the DPDP Rules, 2025 lets a Data Fiduciary transfer personal data outside India except to countries the Central Government restricts by notification, subject to any conditions it imposes. Unlike GDPR's adequacy whitelist, India permits transfers everywhere by default and blocks by exception — with no obligation to justify or pre-announce a restriction.
When do DPDP cross-border and consent obligations actually bite?
The DPDP Rules were notified on 13 November 2025 with staggered commencement. Core Data Fiduciary obligations — consent notices, security safeguards, breach reporting, cross-border compliance — become fully operational within eighteen months, i.e. by May 2027, and MeitY has consulted on compressing that window. Enterprises typically need 9–12 months to become audit-ready, so procurement decisions made now are effectively DPDP decisions.
Do banks and financial institutions have stricter video rules?
Yes. RBI's 2018 Storage of Payment System Data directive requires end-to-end payment data to be stored only in India, and branch surveillance sits inside that regulated perimeter. RBI guidance requires bank branch and ATM CCTV footage to be retained roughly 90 days to 6 months, and any camera that can see a keypad, teller counter or PIN entry is capturing payment-adjacent data that should never leave the country.
What does CERT-In require to be stored inside India?
The CERT-In Directions of 28 April 2022 require all service providers, intermediaries, data centres, body corporates and government organisations to enable logs of all ICT systems — which includes VMS, NVR and camera platforms — and retain them securely for a rolling 180 days within Indian jurisdiction. A video platform whose audit logs live in a foreign cloud region is non-compliant by default.
How long should CCTV footage be retained in India?
There is no single statutory number for private premises; 30–90 days is common practice, and DPDP requires you to keep footage only as long as the documented purpose justifies. Sector rules override: RBI expects 90 days to 6 months for banks, MHA has advised at least 30 days for government establishments, and the Supreme Court in Paramvir Singh Saini v. Baljit Singh mandated up to 18 months for police station CCTV.
Does the DPDP Act require consent for CCTV recording?
Individual, express consent from every person entering a monitored space is practically infeasible, and the Act provides no CCTV-specific consent mechanism. The emerging compliance position is prominent signage at entry points, a published purpose and retention policy, minimal camera coverage, and honouring erasure rights — with legitimate-use grounds doing the legal work that consent cannot.
What are the penalties for getting video data wrong?
The Data Protection Board of India can impose penalties of up to ₹250 crore per instance for failures such as inadequate security safeguards leading to a breach of personal data — and leaked CCTV footage is exactly that. Transfers to a restricted jurisdiction after a Rule 15 notification would attract the same enforcement framework.
Does BIS ER-01 certification affect data residency?
Indirectly but materially. From 1 April 2026, only CCTV cameras conforming to MeitY's Essential Requirements (ER-01) — covering secure boot, signed firmware, encrypted communication and disclosed chipset origin — can be sold in India. ER-01 governs the trustworthiness of the capture device; residency governs where its output lives. A compliant deployment needs both.
What is the difference between data residency, localisation and sovereignty?
Residency is where data physically sits. Localisation is a legal mandate that it must sit (or keep a copy) in a specific country. Sovereignty is whose laws can reach it — a foreign-controlled provider can hold data in an Indian region yet still be subject to foreign disclosure orders. Buyers should evaluate all three, not just the data-centre pin on a map.
Can a foreign cloud VSaaS with an Indian region satisfy residency?
It satisfies residency in the narrow sense — the bytes are in India. It does not settle sovereignty: a provider incorporated abroad can face extraterritorial disclosure demands such as those under the US CLOUD Act, and its control plane, support access and derived metadata often remain offshore. Contracts should pin storage region, metadata flows, support access geography and audit rights in writing.
What is a Significant Data Fiduciary and why does it matter for video?
The government can designate high-volume or high-risk processors as Significant Data Fiduciaries, adding data protection officers, annual audits and impact assessments. DPDP Rules additionally require SDFs to ensure that categories of personal data specified by the government — not yet notified — are not transferred outside India at all. Large multi-site video estates processing biometric-grade footage are natural candidates, so architecture chosen today should assume hard localisation tomorrow.
Does keeping footage on-premise mean giving up AI analytics?
No. Edge-first architectures run detection, recognition and event logic on or beside the camera, so intelligence happens where the footage is captured. Only lightweight events and alerts travel; raw video stays on site. On-site semantic video search — natural-language queries over locally stored footage — now delivers cloud-style investigation workflows without footage ever leaving the premises.
How does IndoAI keep surveillance footage in India?
IndoAI is edge-first by design: Appization runs AI apps on the camera or on-site compute, footage is stored on the customer's premises or in an India-region facility of the customer's choice, and only metadata and alerts move. The platform layers onto existing ONVIF/RTSP cameras and NVRs, so residency is achieved without replacing the capture estate. IndoAI is a Pune-headquartered Indian company, so no foreign disclosure statute reaches the stack.
Sources
DSCI, FAQs on Cross-Border Flow of Data (DPDP Act & Rules) · King Stubb & Kasiva, India's New Cross-Border Data Transfer Framework · MediaNama, Can the DPDP Act Protect Citizens from CCTV Surveillance? · CERT-In, Directions under S.70B, IT Act (28 Apr 2022) · RBI, Storage of Payment System Data (6 Apr 2018) · S.S. Rana & Co., CCTV Surveillance and the Right to Privacy · Certification-India, India Mandates BIS ER Compliance for CCTV Cameras · DLA Piper, Data Protection Laws of the World: India — Transfer · ITIF, India's Cross-Border Data Transfer Regulation
Not sure where your footage lives?
The IndoAI Adviser walks through your camera estate, sector, and retention obligations, and returns a residency-safe architecture recommendation in minutes — built on the two-layer model, on your existing ONVIF/RTSP cameras.
Run the IndoAI AdviserDr. Vivek Gujar
Co-founder & Chief Science Officer, IndoAI Technologies Pvt. Ltd. (Pune, est. 2021). Dr. Gujar leads research on edge AI, video intelligence and privacy-preserving computer vision on the Appization platform.
