Frequently Asked Questions
Ping Identity’s Commitment to India’s DPDPA.
India’s Digital Personal Data Protection Act (DPDPA) governs how organizations collect, use, store, and share individuals’ digital personal data. It establishes obligations for organizations that process personal data (called “Data Fiduciaries”) and grants individuals (“Data Principals”) rights such as the ability to access, correct, and erase their personal data. The law applies to processing in India and can also apply to processing outside India if it is connected to offering goods or services to people there. As a result, DPDPA considerations may be relevant for customers operating in India, as well as customers offering goods/services to individuals in India while using Ping Identity’s services in the processing chain.
The Digital Personal Data Protection Rules (DPDP Rules) implement and operationalize the DPDPA by providing more detailed requirements for compliance. The rules address issues such as consent notices, breach reporting, grievance redress mechanisms, and the functioning of the Data Protection Board, the regulator that oversees DPDPA compliance.
The DPDPA and its rules are being implemented in phases, with full implementation expected by May 2027 and different provisions taking effect at different times as specified by the Government of India.
Ping Identity has a comprehensive global privacy and security program designed to enable compliance with the DPDPA and other applicable privacy laws worldwide. Our policies, procedures, and controls are designed to reflect the principles of lawful processing, purpose limitation, data minimization, accuracy, and storage limitation.
For DPDPA readiness, this typically translates into:
Contractual controls appropriate to Ping’s role in the relationship (Data Fiduciary vs. Data Processor).
Security safeguards designed to align with DPDPA/DPDP Rules expectations.
Operational processes to support customers with rights requests, incident response coordination, and vendor governance.
Ping Identity is a leading provider of enterprise identity and access management (IAM) products and related security solutions (IAM Services) to large enterprises. Our products enable customers to provide secure access to their networks and systems for their employees and customers. Our products range from fundamental single sign-on solutions to fully orchestrated risk-based, adaptive authentication workflows that support different IAM use cases, such as fraud detection, identity proofing, and authorization.
In order to provide IAM services, personal data pertaining to our customers’ employees and/or customers may be routinely transferred to and processed by Ping Identity. This data is processed as needed to provide the services, verify and authenticate user identities, manage access rights and privileges, and for compatible security and access management purposes.
Under the DPDPA:
A Data Fiduciary remains responsible for compliance for processing it performs and processing done “on its behalf” by a Data Processor. A Data Fiduciary is similar to the concept of a “controller” under the GDPR and similar data protection laws.
A Data Fiduciary may involve a Data Processor to process personal data on its behalf under a valid contract. A Data Processor is similar to the concept of a “processor” under the GDPR and similar data protection laws.
In many enterprise SaaS IAM deployments, the customer determines the purposes and means of processing (typically aligning with the Data Fiduciary role), while Ping processes data to deliver the IAM service (often aligning with the Data Processor role). Ping describes itself as primarily acting as a processor in the GDPR context, and many deployments map similarly by function.
Ping’s solutions process data elements such as:
Name and business contact details; and
ID/device data, connection data, and localization data
Depending on customer configuration, some products provide customers and end users with the capability to process biometric data for authentication and multi-factor authentication:
For the PingID Service: The service itself does not process biometric data but does allow users to authenticate using the biometric capabilities of their devices (such as TouchID).
For the PingOne Verify Service: If implemented by our customer, biometric data (facial recognition) is processed for authentication. The end user uploads a photo to enable this functionality.
For the PingOne DaVinci Service: The orchestration platform allows customers to process and store additional categories of data, which may include special categories of data—these are determined by the customer and are not required by Ping Identity.
While Ping primarily serves as a Data Processor, our Data Processing Agreement with customers indicates that we may further process customer data for limited business purposes (as permitted by law), namely:
Detecting security breaches and protecting against malicious, deceptive, fraudulent, or illegal activity.
Debugging to identify and repair errors that impair intended functionality of our products and other activities needed to maintain the quality and/or safety of the products and platforms.
Internal operational activities, such as making back-ups as part of disaster recovery/business continuity programs and confirming usage quantities.
Processing required for legal or regulatory compliance.
The confidentiality, accuracy, integrity, and availability of the data we process are of paramount importance to Ping Identity. As a leader in the enterprise security industry, our products are engineered for security. Comprehensive information about Ping Identity’s information security program can be found by viewing Security at Ping Identity and our Security Exhibit.
Ping Identity maintains SSAE18 SOC 2 and ISO/IEC 27001:2013 certifications. ISO 27001 is the international standard outlining best practices for information security management systems. Compliance with these standards demonstrates our commitment to a repeatable, continuously improving, risk-based security program. The management system was inspected by an independent third party accredited through the ANSI-ASQ National Accreditation Board (ANAB).
Consistent with the “reasonable security safeguards” requirements in the DPDPA and the DPDP Rules, Ping Identity maintains technical and organizational security measures designed to prevent personal data breaches. These safeguards may include measures such as encryption in transit and at rest, and other data protection techniques, access controls and authentication safeguards, logging and monitoring to detect and investigate unauthorized access, and backup and recovery capabilities to help maintain the confidentiality, integrity, and availability of personal data.
Yes, Ping Identity uses strong encryption for data in transit and at rest to enhance the security and privacy of customer data.
Our security breach response program is designed to enable us to (1) detect possible security breaches, (2) mitigate risk of harm from the breach, and (3) comply with applicable laws and our contracts. As a Data Processor, if we determined that a security breach impacted customer data, we would notify the customer without undue delay and in accordance with our agreement.
In the event that we receive a request from an individual in our capacity as a Data Processor, we would refer the individual to the relevant customer in accordance with our contract with that customer.
Our Customer Data Privacy Addendum (DPA) is available here and designed to meet requirements under many data protection laws. We take steps to ensure our contracts with our own subprocessors include appropriate provisions about how to process data on our behalf.
As detailed in our customer Data Privacy Addendum and subject to retention requirements in the DPDPA and DPDP Rules, when personal data is no longer necessary for the purposes set forth in the customer agreement or at an earlier time as a customer requests in writing, we will (at the customer’s request) either return the customer’s data to it or delete the customer’s data—except for backups and monitoring data which will be deleted per Ping Identity’s data retention policy. Any personal data that is not immediately deleted will continue to be protected in accordance with applicable law and our DPA. Our Customer DPA can be found here.
Ping Identity has formal third-party risk management programs to manage risks associated with its service providers. These programs include procedures for supplier qualification, contracting, ongoing oversight, and off-boarding at the end of the term. All suppliers that handle personal data are required to accept appropriate contract terms and applicable legal requirements for processors. A list of third-party service providers (subprocessors) that may have access to customer personal data is provided here.
The DPDPA contemplates that the Central Government may restrict transfers of personal data by notification to certain countries/territories outside India. As of March 2026, the Central Government has not issued any such restrictions.
Customer data is physically stored in Google Cloud Platform (GCP) and Amazon Web Services (AWS) secure data centers at the locations listed in our Data Supplement. Each customer selects its hosting region during implementation. However, this data may be accessed remotely by Ping Identity workers as needed to provide the contracted services and 24/7 support.
Ping Identity has established guidelines for responding to government and law enforcement requests for customer data. Where Ping receives a legally binding request requiring disclosure under applicable law, Ping reviews the request and responds in accordance with that law and its contractual commitments. Ping may publish aggregated transparency information regarding such requests where permitted by law; however, in some circumstances applicable law may restrict notice to customers or public disclosure of the request.
We are always happy to receive privacy-related questions or comments. You can contact Ping Identity’s Global Privacy Office with any questions via email to privacy@pingidentity.com.