As per the SEBI Listing Regulations, a listed entity (i.e. an entity which is listed on the stock market) is required to have a policy for the preservation of documents. The SEBI Listing Regulations require that records, books, papers and documents of the company be preserved as per the following classifications:
- Schedule I - to be preserved permanently. Documents listed under these schedule include incorporation documents, share certificates, register of minutes of board meetings, register of members etc.
- Schedule II – to be preserved for eight years. Documents listed under this schedule include books of accounts, attendance register of board meetings, register of debenture holders etc.
- Schedule III – to be preserved for a minimum period of five years or such higher period as may be determine by the board of directors of the company. Documents listed under this schedule include register of stock options, register of directors and key managerial personnel, disclosures made under applicable company laws etc.
As per the SEBI Listing Regulations, documents set out in Schedule I and II can be kept in electronic mode. The complete list of documents under each schedule is set out in the SEBI Listing Regulations.

Direction 5 of Direction No. 20(3)/2022-CERT-In mandates data centres, virtual private server providers, cloud service providers, virtual private network service providers to mandatorily collect and retain certain subscriber related information in accurate manner, for a minimum period of five years after the subscriber is no longer availing the underlying services. These data sets include subscriber names, period of hire including dates, IPs allocated and used, e-mail address along with IP and time stamp used at time of registration, purpose of availing the services, verified address and contact numbers, and ownership pattern of subscribers. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must also maintain KYC information and records of financial transactions for period of 5 years. Specific to transaction records, Direction No. 20(3)/2022-CERT-In state that information must be maintained accurately in such a way that individual transaction can be reconstructed along with the relevant constituents such as IP addresses, time zones, transaction ID, public keys or equivalent identifiers, addresses or accounts involved, nature and date of transaction, amount transferred, etc.

India has not joined any agreement with binding commitments to open transfers of data across borders.

While India does not yet have a data protection law, it has sectoral laws on data protection applicable to internet service providers, telecom service providers, banking information and certain corporate entities. For internet service providers and telecom service providers requirements are set out in the Internet Service Provider License and the Unified Access Services License respectively and for banking information, data protection requirements are set out in the Prevention of Money-laundering (Maintenance of Records of the Nature and Value of Transactions, the Procedure and Manner of Maintaining and Time for Furnishing Information and Verification and Maintenance of Records of the Identity of the Clients of the Banking Companies, Financial Institutions and Intermediaries) Rules, 2005.

Rule 7 of Information Technology Rules 2011 states that export of sensitive personal data or information within or outside India is permissible provided that the same standards of data protection required in India are adhered to, and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information. Sensitive personal information includes passwords, financial information such as bank account or credit/debit card details, sexual orientation, physical, mental health condition, biometric information, among others.

In April 2018, the Reserve Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.
Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction, so as to allow payment firms to store data offshore, as long as a copy was kept in India. The RBI has further clarified that for cross border transaction data consisting of a foreign component and domestic component, a copy of the domestic component may be stored abroad, if required.
With respect to processing of payment transactions outside India, the RBI requires that the data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity such as settlement processing after payment processing done outside India, this must be undertaken on a real time basis pursuant to which the data must be stored only in India.
The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad but in respect of domestic payment transactions, the data must be stored only in India.

According to the Insurance Regulatory and Development Authority of India (IRDAI) Maintenance of Insurance Records Regulations, 2015 (Regulation 3(9)), "Insurers are required that [...] (ii) the records pertaining to policies issued and claims made in India (including the records held in electronic form) are held in data centres located and maintained in India." In addition, the 2017 Regulations on Outsourcing of Activities by Indian Insurers provide that Indian insurers, even in cases where they outsource their services outside India, must retain all original records in India.

In 2015, India’s Ministry of Electronics and Information Technology (MeitY) issued guidelines for a cloud computing empanelment process under which cloud computing service providers may be provisionally accredited as eligible for government procurement of cloud services. The guidelines require such providers to store all data in India to qualify for the accreditation.
In addition, Section 2.1.d of the Guidelines for Government Departments on Contractual Terms Related to Cloud Services requires that any government contracts contain a localization clause mandating that all government data residing in cloud storage networks is located on servers in India.
Furthermore, Section 1.17.4 of the Master Service Agreement: Procurement of Cloud Services outlines, among other things, that cloud service providers must offer cloud services to the purchaser from a MeitY-enrolled data centre which is located in India, the data must be stored within India, and must not be taken out of India without explicit approval by the purchaser.

Rule 3(5) of the Companies (Accounts) Rules 2014 provides that if company books and papers (or back-ups of them) are kept electronically in any location, they must also be periodically stored on a server physically located in India. 

India’s National Data Sharing and Accessibility Policy requires that “non-sensitive data available either in digital or analog forms but generated using public funds” must be stored within the borders of India. The policy states that data belongs to the "agency/department/ministry/entity which collected them and reside in their IT enabled facility” (Section 10).

Under Condition 39.23(viii) of the Unified Licence Agreement granted by the Department of Telecommunications, licensees are not permitted to transfer “subscriber accounting information” (except for roaming and related billing purposes) or “user information” (except if pertaining to foreign subscribers using an Indian Operator’s network while roaming, and International Private Leased Circuit subscribers) to any person or place outside of India. “User information” is not defined by Indian telecommunications law and the requirements do not restrict financial disclosures imposed by statute. Condition 39.23(iii) prohibits the transfer of domestic technical network details to any place outside of India.

Section 4 of the Public Records Act states that no person shall take or cause to be taken public records out of India without the prior approval of the Central Government, except if done for any offical purpose. 

India has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Telecom Regulatory Authority of India, the executive authority established in the Telecom Regulatory Authority of India (Officers and Staff Appointment) Regulation, 2001, for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

India does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, the Accounting Separation Regulation is applicable to all the service providers having aggregate turnover of not less than rupees one hundred crore (approx. 12,182,700 USD) during the accounting year for which report is required to be submitted from operations under the telecom license(s) issued to them under section 4 of the Indian Telegraph Act 1885. The telecom service providers are required to submit their audited accounting separation reports based on a historical cost basis every year and on a replacement cost basis every second year within seven months of the end of the accounting year.