EverydayPDF Logo
DPDP Act 2023 · India

Is Your PDF Tool DPDP Compliant? Ask Where the File Goes

Updated July 5, 2026·8 min read·EverydayPDF Research

Here is the compliance question hiding inside an everyday habit: when you drop a client's bank statement into a free online compressor, where does the file go? For most popular tools the honest answer is "to our servers, for a while, in another jurisdiction". Under the DPDP Act, that upload is a transfer of personal data to a Data Processor — and you, the fiduciary, answer for it.

What an upload legally is

The moment a document containing personal data leaves your machine for a tool's server, that operator is processing personal data on your behalf. The Act requires that processors act under a valid contract, and the 2025 Rules require you to ensure your processors maintain reasonable security safeguards. A free tool used without any agreement, with unknown retention and unknown jurisdiction, satisfies neither.

Five questions to ask any document tool

  1. Where is the file processed — on my device, or on your servers?
  2. If uploaded: how long is the file retained, and is deletion verifiable?
  3. Which jurisdiction do the servers sit in, and which law governs access to them?
  4. Is there a Data Processing Agreement I can actually sign?
  5. Has the service documented its security safeguards (encryption, access control, logging)?

Most consumer PDF sites answer the first question with "we upload, then auto-delete within a few hours". Even taken at face value, that leaves you with a processor relationship to paper over — contract, safeguards, cross-border analysis — for the sake of compressing one file.

The architecture that makes the questions moot

Client-side (browser-native) tools take a different approach: the processing code runs in your browser using WebAssembly and JavaScript, and the file never leaves your device. No upload means no processor, no transfer, no retention question, no cross-border analysis and no breach surface. It is not that the compliance questions get easier — they stop existing for that workflow.

Cloud upload vs client-side processing under DPDP
DPDP concernCloud-upload toolClient-side tool
Data Processor relationshipCreated — contract requiredNone created
Security safeguards for the transferYour duty to verifyNo transfer occurs
Retention/deletion on serversVendor's claim, your riskNothing stored remotely
Cross-border transfer analysisRequired if servers abroadNot applicable
Breach exposure for the fileVendor breach = your notificationNone beyond your own device

How to verify a "no upload" claim

Open the tool, then your browser's developer tools → Network tab, and process a file. A genuinely client-side tool shows no request carrying your file's bytes. You can even disconnect from the internet mid-task: EverydayPDF keeps working offline, which is only possible because nothing is server-side.

Every tool on this site is client-side

Compress, merge, split, redact, OCR, convert and sign — architecturally incapable of uploading your documents, because there is no server to upload to.

Use the tools

Frequently asked questions

Are popular cloud PDF tools illegal under the DPDP Act?+

No — using them can be compliant if you do the work: a processor contract, verified safeguards, retention clarity and cross-border analysis. The point is that for routine document tasks that work is disproportionate, and skipping it (as almost everyone does) is a safeguard failure you own as the fiduciary.

The tool says files are deleted after one hour. Is that enough?+

A retention promise on a marketing page is not a contract, and you cannot verify the deletion. It may be honest — but under DPDP you carry the burden of ensuring your processors' safeguards, and an unverifiable claim from an uncontracted foreign service is thin evidence.

How do client-side PDF tools work without a server?+

The processing engines — PDF parsers, compression codecs, OCR — are compiled to JavaScript and WebAssembly and run inside your browser tab. Your file is read into the page's memory, transformed on your CPU, and saved back to your disk. The network is not involved; such tools typically keep working with Wi-Fi switched off.

Does using client-side tools make my firm DPDP compliant?+

It removes one significant risk category — third-party document processors — and gives you a documented safeguard. Full compliance still needs the rest: lawful basis, notices, access controls, breach playbook and retention schedules. See our compliance checklist for the complete picture.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.