Skip to content

Do Indian Fintechs Need to Disclose DPDP Compliance Before an IPO?

Who this is for: General counsel, CFOs, and CTOs at India fintechs preparing a DRHP or planning an IPO in the next 12 months.

Short answer: no SEBI rule specifically requires DPDP disclosure. But underwriters and counsel now expect it as part of ordinary IPO risk-factor review, and that expectation sharpened in 2026.

Underwriters and regulators are now asking Indian fintechs preparing to go public to show their data governance work in writing.

Razorpay confidentially filed a draft red herring prospectus (DRHP) with SEBI in June 2026 for a large fresh-issue raise. Moneyview filed a ₹1,500 crore DRHP in March, per reporting from Inc42 and Entrackr.

No SEBI rule specifically requires DPDP disclosure. But underwriters and counsel now treat it as a routine part of ordinary IPO risk-factor review.

Neither company has made prospectus contents public. That's what "confidential" filing means. But the pattern around them is public. It points to a structural shift: data protection posture is becoming a risk factor companies have to be able to evidence, not just describe, before they list.

Juro is a non-custodial compliance scanner. It produces signed, verifiable records of what a scan found against a specific rule: evidence a legal or compliance team can use when drafting disclosure language, not a substitute for that judgment.

What is a DPDP compliance disclosure, in plain terms?

It is the practice of describing, in a prospectus's risk-factor section, how a company handles personal data under India's Digital Personal Data Protection Act, 2025. That includes breach-detection capability, consent-collection mechanisms, and the process for honoring data principal rights requests (access, correction, erasure).

This is not a certification. It is a narrative disclosure, reviewed by underwriters and legal counsel, that investors read to gauge regulatory risk. See our DPDP processor guide for what the underlying obligations look like for a data processor.

Why IPO timing raises the bar

A company preparing to list faces different scrutiny than one operating quietly.

Underwriters, auditors, and institutional investors read risk factors closely. Litigation or regulatory exposure discovered after listing becomes a disclosure liability, not just an operational one.

DPDP Rules 2025 add a specific forcing event to this calendar. Consent Manager registration obligations begin in November 2026. A Consent Manager is an intermediary registered with the Data Protection Board (the statutory body that adjudicates DPDP complaints), through which individuals grant, manage, and withdraw consent for how their personal data is used. Core operational requirements, including audit trails, breach notification workflows, and grievance redress mechanisms, are due by May 2027.

A fintech filing a DRHP in mid-2026 is drafting risk-factor language against a regulatory regime that is still being phased in. That makes the disclosure harder to write and easier to get wrong. See our DPDP Consent Manager explainer for what registration actually requires, and the November 2026 deadline countdown for the full compliance calendar.

The forcing event here isn't a new SEBI rule specific to DPDP. It's the collision of two existing timelines: the ordinary rigor of IPO risk disclosure, and the DPDP Rules 2025 rollout schedule landing in the same 12-month window as multiple fintech IPO filings.

What "evidence" looks like versus what a narrative disclosure looks like

Most compliance disclosure today is written, not measured.

A risk-factor paragraph says a company "maintains appropriate technical and organisational measures" or "has implemented consent management processes." That language is standard, legally reviewed, and largely unverifiable by anyone outside the company without a full audit.

The alternative is disclosure backed by artifacts: a dated record of what a scan or audit actually found, against which rule, with a signature that can be checked independently later.

That distinction, claim versus checkable evidence, is exactly the gap a prospectus reader can't close from the document alone. Underwriters can ask for supporting materials; retail investors reading a published DRHP cannot.

None of this means Razorpay or Moneyview's actual data governance is strong, weak, adequate, or inadequate. That isn't public information, and it isn't something an outside party can conclude from a confidential filing. What is public is the pattern: DPDP-relevant disclosure is now a standard part of the IPO risk-factor conversation for Indian fintechs, and the underlying regulatory deadlines (November 2026, May 2027) apply regardless of listing timeline.

Payment platforms face a related, separate pressure

Outside the IPO track, several major payment platforms and the National Payments Corporation of India (NPCI) have reportedly sought an exemption from DPDP's per-transaction consent requirements, citing cost and complexity, a request that, per Inc42's coverage of the matter, is still pending.

If it's denied, those platforms, IPO-bound or not, will need to build per-transaction consent logging and audit trails ahead of the November 2026 Consent Manager deadline. It's a parallel signal to the IPO disclosure trend: the same underlying requirement (provable consent handling) is showing up as a business risk in more than one part of the fintech stack at once.

What this means for a company preparing to file

A company drafting DPDP risk-factor language for a DRHP is, in effect, being asked to describe a compliance program that regulators are still finishing the rules for.

The practical response isn't to wait for full clarity. The November 2026 and May 2027 deadlines apply either way. It's to build the underlying evidence now: dated records of breach-detection tests, consent-flow audits, and data principal rights handling, so that when legal counsel drafts the risk factor, there's something concrete behind the sentence.

Frequently asked questions

Does SEBI require a formal DPDP audit as part of the IPO process?

Not as a separate mandated audit distinct from standard prospectus risk-factor review. What has changed is that DPDP-relevant risk disclosure is now a routine part of the broader risk-factor drafting process for data-handling businesses, reviewed by the same underwriters and counsel who review financial and legal risk factors.

What does "confidential DRHP" mean for public visibility into a company's compliance posture?

A confidentially filed DRHP is not published for public review until later in the process (or at all, if the deal does not proceed). That means specific disclosure language in Razorpay's or similar filings is not publicly available. Commentary should describe the regulatory pattern, not the contents of a document the public has not seen.

When do DPDP Rules 2025 obligations actually take effect?

Foundational provisions are already in effect as of November 2025. Consent Manager registration obligations begin in November 2026. Core operational requirements, including audit trails, breach notification, and grievance redress, are due by May 13, 2027.

Is a company's data governance program "DPDP compliant" once it files an IPO risk-factor disclosure?

No. A risk-factor disclosure is a narrative statement reviewed by counsel, not a compliance certification, and it does not establish a legal compliance status one way or the other. Whether a company meets DPDP requirements is a legal determination made by counsel, auditors, or the Data Protection Board, not by the fact of having filed a disclosure.

Build the evidence before the filing timeline forces it

See what the evidence looks like before you draft the risk factor

Install juro-deploy and run a scan inside your own infrastructure. It's a single curl command, non-custodial, and nothing leaves your VPC.

Install juro-deploy →
About Juro: Juro is a non-custodial compliance scanner that produces signed, verifiable records of what was found during a scan: evidence a legal or compliance team can use when drafting disclosure language, not a substitute for that judgment. Note: jurocompliant.com is a compliance scanning tool, not juro.com, which is a contract management platform.