SaaS Startup Compliance in India: GST, ROC, and Data Privacy Guide
SaaS startup compliance in India covers three critical pillars: GST obligations at 18%, ROC filings with the Ministry of Corporate Affairs, and data privacy under the Digital Personal Data Protection Act, 2023. A SaaS company incorporated as a Private Limited Company must file monthly GST returns, submit annual financial statements (Form AOC-4) and annual returns (Form MGT-7) to the Registrar of Companies, and implement data protection safeguards that comply with both Indian and international standards. The annual cost of staying compliant ranges from ₹50,000 to ₹2 lakh for early-stage SaaS startups. Missing these obligations triggers penalties: ₹100 per day for late ROC filings, ₹50 per day for missed GST returns, and up to ₹250 crore for DPDP Act violations. This guide covers every compliance requirement, with deadlines, costs, forms, and a month-by-month calendar to keep your SaaS company on the right side of the law.
- SaaS services attract 18% GST under SAC 998314/998315; exports are zero-rated with a Letter of Undertaking (LUT)
- Private Limited Company is the ideal entity for SaaS startups (equity funding, ESOPs, enterprise credibility)
- ROC annual filings (AOC-4, MGT-7, DIR-3 KYC) are mandatory regardless of revenue; late fees: ₹100/day per form
- DPDP Act, 2023 applies to every SaaS company collecting user data; penalties up to ₹250 crore
- CERT-In mandates cyber incident reporting within 6 hours and 180-day log retention for all SaaS providers
- Annual compliance cost for early-stage SaaS: ₹50,000 to ₹2 lakh (GST filing + ROC + audit + data privacy setup)
What is SaaS Compliance? The Three Pillars Every Founder Must Know
SaaS compliance is the ongoing process of meeting all legal, tax, and regulatory obligations that apply to a cloud-based software business operating in India. Unlike traditional software companies that ship a product once, SaaS companies run continuous subscription billing, store customer data on cloud infrastructure, and often serve clients across multiple countries. Each of these activities triggers specific compliance requirements under Indian law.
The three pillars of SaaS compliance are: (1) Tax compliance, primarily GST at 18% on subscription revenue, with special rules for exports and cross-border supply under OIDAR provisions; (2) Corporate compliance, which includes annual ROC filings, board meetings, statutory audits, and MCA form submissions under the Companies Act, 2013; and (3) Data and IT compliance, covering the DPDP Act, 2023, CERT-In directions, and international frameworks like GDPR and SOC 2 that enterprise clients demand. Ignore any one pillar, and the penalties stack up faster than your MRR.
SaaS startups in India are governed by the Companies Act, 2013 (corporate compliance), the Central Goods and Services Tax Act, 2017 (tax), the Digital Personal Data Protection Act, 2023 (data privacy), and the Information Technology Act, 2000 (IT security). Regulatory authorities include MCA (www.mca.gov.in), GSTN (www.gst.gov.in), and CERT-In.
Best Entity Structure for a SaaS Startup: Why Pvt Ltd Wins
If you are building a SaaS product in India, the Private Limited Company is not just a recommendation; it is the practical default. Over 90% of funded SaaS startups in India, from Freshworks to Zoho to Chargebee, are incorporated as Private Limited Companies under the Companies Act, 2013. The reasons are structural, not sentimental.
Why Pvt Ltd Over LLP or Proprietorship
A Pvt Ltd lets you issue equity shares to investors, create an ESOP pool for hiring engineers (critical in the SaaS talent market), and maintain limited liability protection that separates your personal assets from business debts. LLPs cannot issue shares, making VC fundraising extremely difficult. Sole proprietorships offer zero liability protection and no separation between the founder and the business. For a SaaS company that plans to raise angel or venture capital, the entity choice is already made.
Enterprise clients also prefer contracting with Private Limited Companies. When a Fortune 500 company evaluates your SaaS product for procurement, they check your incorporation certificate, audited financials, and compliance history. A Pvt Ltd provides all three. A proprietorship or partnership does not file audited financial statements with the ROC, which is a red flag in enterprise procurement.
| Feature | Pvt Ltd Company | LLP | Sole Proprietorship |
|---|---|---|---|
| Equity Fundraising | Yes (shares) | No (profit-sharing only) | No |
| ESOP Pool | Yes | No | No |
| Limited Liability | Yes | Yes | No |
| Statutory Audit Required | Yes (mandatory) | Only if turnover exceeds ₹40 lakh | Only if turnover exceeds ₹1 crore |
| ROC Filing | AOC-4, MGT-7, DIR-3 KYC | Form 8 and Form 11 | None |
| Startup India Eligibility | Yes | Yes | No |
| Enterprise Client Credibility | High | Medium | Low |
| Incorporation Cost | ₹6,000 to ₹15,000 | ₹4,000 to ₹10,000 | ₹0 to ₹2,000 |
Register Your SaaS Company as a Pvt Ltd
Start with the right foundation. Pvt Ltd registration takes 7 to 15 working days and costs ₹6,000 to ₹15,000.
GST Compliance for SaaS Companies: Rates, Rules, and Returns
GST is where most SaaS founders first encounter compliance complexity. Your cloud-based subscription is classified as a service under the GST framework, but the rules change depending on who your customer is, where they are located, and whether payment comes in Indian rupees or foreign currency. Getting this wrong means either overpaying tax or facing notices from the GST department.
GST Rate and SAC Code for SaaS
SaaS products and cloud services fall under SAC 998314 (Online content) or SAC 998315 (IT design and development services), both attracting 18% GST. This rate applies to subscription fees, implementation charges, customization fees, and support contracts. There is no reduced rate for software-as-a-service; the 18% slab is uniform across all SaaS revenue types.
Domestic vs Export GST Treatment
The GST treatment of your SaaS revenue depends entirely on the customer's location and the payment currency. Here is the complete breakdown that your finance team needs to pin to the wall.
| Scenario | Customer Location | Payment Currency | GST Applicable | Tax Rate |
|---|---|---|---|---|
| Domestic B2B (same state) | Same state as supplier | INR | CGST + SGST | 9% + 9% = 18% |
| Domestic B2B (different state) | Different state | INR | IGST | 18% |
| Domestic B2C | India (individual) | INR | CGST + SGST or IGST | 18% |
| Export B2B with LUT | Outside India | Foreign currency | Zero-rated | 0% |
| Export B2B without LUT | Outside India | Foreign currency | IGST (refundable) | 18% |
| Export B2C | Outside India | Foreign currency | Zero-rated with LUT | 0% |
| OIDAR (foreign SaaS to Indian B2C) | India (individual) | Any | GST via simplified registration | 18% |
OIDAR Rules: When Cross-Border SaaS Gets Complicated
Online Information Database Access and Retrieval (OIDAR) is the GST classification that specifically targets cloud-based digital services delivered over the internet. If your SaaS product is used by an Indian consumer and the company is registered outside India, the foreign company must register for GST in India under the simplified registration scheme and charge 18% GST. For Indian SaaS companies selling to foreign clients, the OIDAR rules work in your favour: your export is zero-rated provided you file a Letter of Undertaking (Form GST RFD-11) at the start of each financial year and receive payment in convertible foreign exchange within the prescribed timeline.
Monthly and Quarterly GST Returns
A SaaS company with GST registration must file GSTR-1 (outward supplies) by the 11th of the following month and GSTR-3B (summary return with tax payment) by the 20th of the following month. Companies with turnover up to ₹5 crore can opt for the QRMP scheme, filing GSTR-1 and GSTR-3B quarterly instead of monthly. Annual reconciliation via GSTR-9 is due by December 31 of the following financial year.
If your SaaS company exports services, file Form GST RFD-11 (Letter of Undertaking) before the start of each financial year (before April 1). Without a valid LUT, your exports will attract 18% IGST, and you will need to claim a refund, which can take 2 to 6 months to process.
ROC and MCA Compliance: The Corporate Filing Checklist
The moment you incorporate a Private Limited Company, the Ministry of Corporate Affairs starts its clock. ROC compliance is not optional, not turnover-dependent, and not something you can "do later when we have revenue." A SaaS Pvt Ltd with zero revenue has the same filing obligations as one doing ₹10 crore ARR. Here is the complete list of MCA forms your company must file.
Annual ROC Filings (Mandatory for Every Pvt Ltd)
- Form AOC-4 (Financial Statements): Filed within 30 days of the Annual General Meeting. Contains the balance sheet, profit and loss statement, cash flow statement, and notes to accounts. Government fee: ₹200 to ₹600 based on authorized capital. Late fee: ₹100 per day.
- Form MGT-7A (Annual Return): Filed within 60 days of the AGM. Contains shareholder details, share transfer records, indebtedness, and management information. Small companies and one-person companies file MGT-7A instead of MGT-7. Late fee: ₹100 per day.
- Form DIR-3 KYC (Director KYC): Every director with a DIN must verify their KYC details by September 30 each year. Failure to file leads to DIN deactivation, and reactivation costs ₹5,000 per director plus the original filing fee of ₹500.
- Form ADT-1 (Auditor Appointment): Filed within 15 days of the AGM when an auditor is appointed or reappointed. The first auditor appointed at incorporation must be ratified at the first AGM.
Event-Based ROC Filings for SaaS Startups
Beyond annual filings, certain events trigger additional MCA forms. SaaS startups frequently encounter these:
- Form PAS-3: Filed within 15 days of allotting shares (e.g., after a funding round or ESOP exercise)
- Form MGT-14: Filed within 30 days of passing special resolutions at a board or general meeting
- Form DPT-3: Annual return of deposits and transactions not considered as deposits, due by June 30
- Form INC-20A (Commencement of Business): Must be filed within 180 days of incorporation, declaring that every subscriber has paid the subscription amount
Based on our experience filing compliance for 500+ startups, the most common mistake SaaS founders make is skipping DIR-3 KYC. It seems trivial, but a deactivated DIN means the director cannot sign any MCA form, blocking all other filings. Set a calendar reminder for August every year. The ₹500 filing fee is nothing compared to the ₹5,000 reactivation penalty.
Stay Compliant with Zero Stress
IncorpX handles all ROC filings, statutory audits, and MCA compliance for SaaS startups. Plans start at ₹15,000 per year.
Data Privacy and the DPDP Act, 2023: What SaaS Founders Must Do
If your SaaS product collects a user's name, email, phone number, or any identifier that can identify an individual, the Digital Personal Data Protection Act, 2023 (DPDP Act) applies to you. There are no turnover thresholds, no employee count exemptions, and no "we are too small" exceptions. A two-person SaaS startup with 100 users has the same obligations as an enterprise with a million users. The difference is only in the scale of implementation, not the legal requirement.
7 Core Obligations Under the DPDP Act
- Informed Consent: Obtain free, specific, and informed consent before collecting any personal data. The consent request must be in clear, plain language. Pre-ticked boxes and bundled consent are not permitted.
- Privacy Notice: Provide a notice at the point of data collection that specifies what data is collected, why, how long it will be stored, and the rights of the Data Principal (user).
- Purpose Limitation: Use collected data only for the stated purpose. If you collected an email for login, you cannot use it for marketing without separate consent.
- Security Safeguards: Implement reasonable security measures to protect personal data. The Act does not prescribe specific technology, but encryption, access controls, and regular security audits are expected.
- Breach Notification: Report data breaches to the Data Protection Board of India (DPBI) and affected users without unreasonable delay.
- Data Erasure: Erase personal data when the user withdraws consent or when the purpose of collection is fulfilled.
- Grievance Redressal: Publish the name and contact details of a Grievance Officer (or Data Protection Officer for Significant Data Fiduciaries) on your website or app.
Practical Steps for SaaS Companies
Start with a data audit. Map every piece of personal data your SaaS product collects, from sign-up forms to analytics cookies to support tickets. Document where this data is stored (AWS, GCP, Azure region), who can access it, and how long it is retained. Then implement a consent management system that records when and how each user gave consent. Most SaaS companies integrate this into their onboarding flow. Finally, set up a breach response plan with defined roles, communication templates, and a direct reporting channel to CERT-In and the Data Protection Board.
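The consent management step above, as an added illustration that is not IncorpX's code or any library's: a small ledger that records consent per purpose with timestamp and capture method, refuses to store data under a purpose without active consent (purpose limitation), and erases data on withdrawal. User ids, purposes and field values are constructed.

```python
"""Consent ledger sketch for the DPDP obligations: per-purpose consent,
purpose limitation, withdrawal and erasure. Constructed example data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    purpose: str                        # one purpose per record: no bundled consent
    given_at: datetime                  # when the Data Principal consented
    method: str                         # how it was captured, e.g. "signup_checkbox"
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Consent records plus the personal data held under each purpose, so every
    use of data can be checked against the purpose it was collected for."""

    def __init__(self) -> None:
        self._consents: dict[str, dict[str, ConsentRecord]] = {}
        self._data: dict[str, dict[str, dict[str, str]]] = {}  # user -> purpose -> fields

    def record_consent(self, user_id: str, purpose: str, method: str,
                       when: Optional[datetime] = None) -> None:
        """Record one specific consent; a pre-ticked capture is not consent."""
        if method == "pre_ticked":
            raise ValueError("consent must be an affirmative act")
        rec = ConsentRecord(purpose, when or datetime.now(timezone.utc), method)
        self._consents.setdefault(user_id, {})[purpose] = rec

    def permits(self, user_id: str, purpose: str) -> bool:
        rec = self._consents.get(user_id, {}).get(purpose)
        return rec is not None and rec.active

    def store(self, user_id: str, purpose: str, **fields: str) -> None:
        """Purpose limitation: data is stored only under a purpose with active consent."""
        if not self.permits(user_id, purpose):
            raise PermissionError(f"no active consent for purpose {purpose!r}")
        self._data.setdefault(user_id, {}).setdefault(purpose, {}).update(fields)

    def erase(self, user_id: str, purpose: str) -> bool:
        """Erase data held for one purpose (on withdrawal or once the purpose is fulfilled)."""
        return self._data.get(user_id, {}).pop(purpose, None) is not None

    def withdraw(self, user_id: str, purpose: str,
                 when: Optional[datetime] = None) -> bool:
        """Withdrawal closes the consent record and erases the data held under it."""
        rec = self._consents.get(user_id, {}).get(purpose)
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = when or datetime.now(timezone.utc)
        self.erase(user_id, purpose)
        return True

    def held_data(self, user_id: str) -> dict[str, dict[str, str]]:
        return {p: dict(f) for p, f in self._data.get(user_id, {}).items()}

    def audit_trail(self, user_id: str) -> list[ConsentRecord]:
        """Evidence of when and how each consent was given or withdrawn."""
        return list(self._consents.get(user_id, {}).values())


def demo() -> dict:
    """One constructed user: login consent, a blocked marketing use of the same
    email, separate marketing consent, then withdrawal with erasure."""
    ledger = ConsentLedger()
    ledger.record_consent("user-1", "login", "signup_checkbox")
    ledger.store("user-1", "login", email="user1@example.com")
    try:                                   # email collected for login, not marketing
        ledger.store("user-1", "marketing", email="user1@example.com")
        marketing_blocked = False
    except PermissionError:
        marketing_blocked = True
    ledger.record_consent("user-1", "marketing", "settings_toggle")
    ledger.store("user-1", "marketing", email="user1@example.com")
    withdrawn = ledger.withdraw("user-1", "marketing")
    return {
        "marketing_blocked": marketing_blocked,
        "withdrawn": withdrawn,
        "held": ledger.held_data("user-1"),          # only the login data remains
        "marketing_permitted": ledger.permits("user-1", "marketing"),
        "audit_entries": len(ledger.audit_trail("user-1")),
    }
```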
Penalties under the DPDP Act are severe: ₹250 crore for failing to implement security safeguards leading to a breach, ₹200 crore for violating children's data provisions, ₹150 crore for failing to notify the Board of a breach, and ₹50 crore for other non-compliance. These are per-incident penalties, not annual caps.
IT Infrastructure Compliance: CERT-In, Logging, and Incident Response
Beyond data privacy, SaaS companies face specific IT infrastructure compliance requirements under the Information Technology Act, 2000 and CERT-In (Indian Computer Emergency Response Team) directions. These rules apply to every company that provides digital services, stores data on cloud infrastructure, or operates internet-facing applications. If you run a SaaS product, you do all three, so the rules apply to you.
CERT-In Direction, April 28, 2022: The 6-Hour Rule
CERT-In's 2022 direction made headlines for its aggressive timelines, and for good reason. The direction requires every service provider, intermediary, data centre, and body corporate to:
- Report cyber security incidents to CERT-In within 6 hours of noticing or being informed of the incident
- Maintain logs of all ICT systems for 180 days (rolling), stored within Indian jurisdiction
- Synchronize all ICT system clocks to NTP (Network Time Protocol) servers provided by NIC or NPL
- Designate a Point of Contact (PoC) for CERT-In communication and register them on the CERT-In portal
- Maintain records of all VPN subscribers for at least 5 years (if you operate a VPN service)
Reasonable Security Practices Under IT Act, 2000
Section 43A of the IT Act and the SPDI Rules (Sensitive Personal Data or Information Rules), 2011 require body corporates to implement and maintain "reasonable security practices." While the DPDP Act will eventually supersede some of these provisions, the IT Act obligations remain active. Compliance means implementing a documented information security programme, ideally aligned with ISO 27001 or SOC 2 standards. For SaaS startups, this translates to encrypted data at rest and in transit, role-based access controls, quarterly vulnerability assessments, and an incident response plan that maps to the 6-hour CERT-In reporting window.
Based on our experience with SaaS compliance implementations, the 6-hour reporting rule catches most startups off guard. You cannot draft a breach report in 6 hours unless you have a pre-built template and a defined escalation chain. We recommend every SaaS startup prepare three things on day one: a CERT-In incident report template, a Slack or Teams channel for security escalation, and a designated PoC who can file the report at any hour.
SaaS Billing and Revenue Recognition: Ind AS 115
SaaS billing is fundamentally different from traditional software licensing, and your accounting must reflect that. Under Ind AS 115 (Revenue from Contracts with Customers), a SaaS company cannot recognize the full value of an annual subscription at the point of billing. Revenue must be recognized over the service delivery period, matching the performance obligation to the time the customer actually uses the service.
How Revenue Recognition Works for SaaS
Consider a simple example: your SaaS product bills a customer ₹1,20,000 for a 12-month annual subscription starting in July. Under Ind AS 115, you recognize ₹10,000 per month as revenue. In the financial year ending March, you recognize ₹90,000 (July to March = 9 months) as revenue and carry ₹30,000 (April to June) as deferred revenue (a liability on the balance sheet). This is not optional accounting; it is a statutory requirement that affects your financial statements, income tax return, and investor reporting.
Multi-Element Arrangements
Most SaaS contracts include multiple deliverables: the software subscription, implementation services, training, and premium support. Under Ind AS 115, each distinct performance obligation must be identified separately, and the total transaction price allocated to each based on standalone selling prices. Implementation services delivered upfront are recognized as the service is performed. The subscription component is recognized ratably over the subscription period. This complexity is why SaaS companies need a CA familiar with technology sector accounting standards, not a generalist.
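The revenue recognition described in the two sections above, as an added worked example (not the article's own or any accounting package's code): allocation of a bundled contract price across performance obligations by standalone selling price, then ratable recognition of the subscription across the March fiscal-year end. The ₹1,20,000 case is the article's; the ₹1,50,000 bundle and its standalone prices are constructed.

```python
"""Ind AS 115 worked example: SSP-based allocation plus ratable recognition
across a fiscal-year boundary. Bundle figures are constructed."""
from decimal import Decimal, ROUND_HALF_UP

PAISA = Decimal("0.01")


def allocate_transaction_price(transaction_price, standalone_prices: dict) -> dict:
    """Allocate the contract price pro rata to standalone selling prices (SSP).
    The last obligation absorbs any rounding residue so the parts sum exactly."""
    price = Decimal(transaction_price)
    total_ssp = sum(Decimal(v) for v in standalone_prices.values())
    names = list(standalone_prices)
    allocated, remaining = {}, price
    for name in names[:-1]:
        share = (price * Decimal(standalone_prices[name]) / total_ssp)
        share = share.quantize(PAISA, ROUND_HALF_UP)
        allocated[name] = share
        remaining -= share
    allocated[names[-1]] = remaining
    return allocated


def months_in_starting_fy(start_month: int, term_months: int, fy_end_month: int = 3) -> int:
    """Months of the term (first month inclusive) that fall in the fiscal year in
    which service starts; the Indian FY ends in March (month 3)."""
    if start_month <= fy_end_month:
        in_fy = fy_end_month - start_month + 1
    else:
        in_fy = 12 - start_month + 1 + fy_end_month
    return min(in_fy, term_months)


def ratable_split(price, start_month: int, term_months: int, fy_end_month: int = 3):
    """Recognize a subscription evenly per month; return (recognized this FY, deferred)."""
    price = Decimal(price)
    months = months_in_starting_fy(start_month, term_months, fy_end_month)
    recognized = (price / term_months * months).quantize(PAISA, ROUND_HALF_UP)
    return recognized, price - recognized


def fy_revenue(contract_price, obligations: dict, start_month: int, fy_end_month: int = 3) -> dict:
    """obligations: name -> {"ssp": amount, "pattern": "ratable" | "point", "term": months}.
    A "point" obligation (implementation delivered up front) is recognized when
    performed, here in the starting FY; a "ratable" one over its term."""
    ssp = {name: spec["ssp"] for name, spec in obligations.items()}
    allocation = allocate_transaction_price(contract_price, ssp)
    lines, recognized, deferred = {}, Decimal(0), Decimal(0)
    for name, spec in obligations.items():
        if spec["pattern"] == "point":
            rec, dfr = allocation[name], Decimal(0)
        else:
            rec, dfr = ratable_split(allocation[name], start_month, spec["term"], fy_end_month)
        lines[name] = {"allocated": allocation[name], "recognized": rec, "deferred": dfr}
        recognized += rec
        deferred += dfr
    return {"lines": lines, "recognized": recognized, "deferred": deferred}


def page_example():
    """The article's case: Rs 1,20,000 for 12 months starting July (month 7)."""
    return ratable_split(120000, start_month=7, term_months=12)


def bundle_example() -> dict:
    """Constructed bundle: Rs 1,50,000 contract for a 12-month subscription
    (SSP 1,20,000) plus implementation performed in July (SSP 40,000)."""
    return fy_revenue(150000, {
        "subscription": {"ssp": 120000, "pattern": "ratable", "term": 12},
        "implementation": {"ssp": 40000, "pattern": "point", "term": 0},
    }, start_month=7)
```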
Get Your ROC Filings Done Right
Annual ROC filing for SaaS companies starts at ₹15,000. Includes AOC-4, MGT-7A, DIR-3 KYC, and ADT-1.
International Compliance: GDPR, SOC 2, and Cross-Border Rules
An Indian SaaS company selling to global clients does not operate in an Indian compliance bubble. The moment your product is used by an EU-based customer, GDPR applies. When a US enterprise asks for your SOC 2 report before signing the contract, international compliance becomes a revenue requirement, not just a legal one. Here is what you need to know about the most common international frameworks Indian SaaS companies encounter.
GDPR Compliance for Indian SaaS Companies
The General Data Protection Regulation (GDPR) applies to any company, regardless of location, that processes personal data of individuals in the European Union. If your SaaS product has EU-based users or you sell to EU-headquartered companies, GDPR obligations apply. Key requirements include: processing personal data only on a lawful basis (explicit consent, contract, or legitimate interest), appointing a Data Protection Officer if you process personal data at scale, maintaining Records of Processing Activities (ROPA), enabling data portability and the right to erasure, and reporting data breaches to the relevant supervisory authority within 72 hours. GDPR fines can reach 4% of global annual turnover or EUR 20 million, whichever is higher. Practical tip: align your DPDP Act compliance programme with GDPR from the start, and you cover most of the EU requirements by default.
SOC 2 Type II Compliance
SOC 2 (System and Organization Controls 2) is a security audit framework defined by the American Institute of Certified Public Accountants (AICPA). It is not legally required in India, but enterprise clients in the US, UK, and Australia routinely require a SOC 2 Type II report before approving a SaaS vendor. The audit evaluates five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II report covers a review period of 6 to 12 months, during which the auditor tests whether your controls actually operated effectively. Cost: ₹5 lakh to ₹15 lakh for a first-time SOC 2 Type II audit, with annual renewals costing ₹3 lakh to ₹8 lakh.
ISO 27001 Certification
ISO 27001 is the international standard for Information Security Management Systems (ISMS). Certification demonstrates that your SaaS company has a systematic approach to managing sensitive data. Government and banking clients in India increasingly require ISO 27001 as a procurement criterion. Certification takes 3 to 6 months and costs ₹2 lakh to ₹8 lakh, depending on company size and audit body.
DPDP Act applies to digital personal data processed in India; penalties up to ₹250 crore. GDPR applies to data of EU residents globally; fines up to 4% of global turnover. Both require consent, breach notification, and erasure rights. Aligning both frameworks from the start saves significant rework later.
Startup India Benefits for SaaS Companies
Here is the good news in an otherwise compliance-heavy article. The Government of India wants SaaS companies to succeed, and Startup India recognition from DPIIT unlocks tangible financial benefits that offset a significant portion of your compliance costs.
Eligibility Criteria
Your SaaS company qualifies for Startup India recognition if: it is incorporated as a Private Limited Company or LLP (Pvt Ltd recommended), it has been in existence for less than 10 years from the date of incorporation, its annual turnover has not exceeded ₹100 crore in any financial year, and it is working towards innovation, development, or improvement of a product or process. A SaaS product that solves a business problem in a new way easily meets the innovation criterion.
Tax and Compliance Benefits
- Section 80-IAC Tax Holiday: 3 consecutive years of 100% income tax exemption on profits, chosen from any 3 of the first 10 years after incorporation. For a SaaS company that becomes profitable in Year 3, this can save lakhs in tax.
- Angel Tax Exemption (Section 56(2)(viib)): Recognized startups are exempt from angel tax on share premiums received from resident investors. This is critical during seed and pre-Series A fundraising rounds.
- Self-Certification: Self-certify compliance for 9 labour and environment laws (3 labour laws and 6 environment laws), reducing inspector visits and compliance paperwork for the first 5 years.
- Fund of Funds (FFS): Access to SIDBI-managed Fund of Funds for Startups, which provides equity support through SEBI-registered Alternative Investment Funds.
- Patent and Trademark Fee Rebate: 80% rebate on patent filing fees and 50% rebate on trademark filing fees, significantly reducing IP protection costs.
Get Startup India Recognition for Your SaaS Company
Unlock 3-year tax holiday, angel tax exemption, and self-certification benefits. Registration takes 2 to 5 working days.
SaaS Compliance Calendar: Month-by-Month Deadlines
Compliance is not a one-time event; it is a calendar. SaaS founders who build filing deadlines into their operational rhythm avoid the penalty spiral that catches procrastinators. Here is the complete compliance calendar for a SaaS Private Limited Company, organized by frequency.
| Frequency | Filing/Obligation | Form/Action | Deadline | Penalty for Delay |
|---|---|---|---|---|
| Monthly | GSTR-1 (Outward Supplies) | GSTR-1 | 11th of following month | ₹50/day (max ₹10,000) |
| Monthly | GSTR-3B (Summary + Tax Payment) | GSTR-3B | 20th of following month | ₹50/day + 18% interest p.a. |
| Monthly | TDS Payment | Challan No. 281 | 7th of following month | 1.5% per month interest |
| Quarterly | TDS Return | Form 26Q/24Q | 31 days after quarter end | ₹200/day under Section 234E |
| Annually (April) | GST LUT for Exports | Form GST RFD-11 | Before April 1 | 18% IGST charged on exports |
| Annually (June) | DPT-3 (Deposit Return) | Form DPT-3 | June 30 | ₹10,000 to ₹25,000 + ₹200/day |
| Annually (Sep) | AGM + Board Meetings | Board Resolution | September 30 (for FY ending Mar) | ₹1 lakh on company + ₹5,000 per officer |
| Annually (Sep) | DIR-3 KYC (Director KYC) | DIR-3 KYC / DIR-3 KYC-WEB | September 30 | DIN deactivation + ₹5,000 reactivation |
| Annually (Oct) | AOC-4 (Financial Statements) | Form AOC-4 / AOC-4 XBRL | Within 30 days of AGM | ₹100/day per form |
| Annually (Nov) | MGT-7A (Annual Return) | Form MGT-7A | Within 60 days of AGM | ₹100/day per form |
| Annually (Oct) | Income Tax Return | ITR-6 (companies) | October 31 (if audit applicable) | ₹10,000 late fee + interest |
| Annually (Dec) | GST Annual Return | GSTR-9 | December 31 | ₹200/day (max 0.5% of turnover) |
| Ongoing | CERT-In Incident Reporting | Email to CERT-In | Within 6 hours of incident | Prosecution under IT Act |
| Ongoing | DPDP Act Breach Notification | Report to DPBI | Without unreasonable delay | Up to ₹150 crore |
The period between September and November is the heaviest compliance window: AGM, DIR-3 KYC, AOC-4, MGT-7A, and Income Tax Return all fall in this 90-day stretch. Start preparing financials in July to avoid last-minute scrambles. A CA firm that handles SaaS clients will know this drill and can manage overlapping deadlines.
Cost of Compliance: What SaaS Startups Actually Pay
Compliance has a price, but it is far less than the penalties for non-compliance. Here is a realistic cost breakdown for an early-stage SaaS Private Limited Company with annual revenue under ₹1 crore.
| Compliance Item | Annual Cost (Low End) | Annual Cost (High End) | Notes |
|---|---|---|---|
| GST Return Filing (Monthly) | ₹12,000 | ₹36,000 | ₹1,000 to ₹3,000 per month (CA fees) |
| ROC Annual Filings (AOC-4, MGT-7A) | ₹10,000 | ₹25,000 | Includes government fees + professional fees |
| DIR-3 KYC (per director) | ₹500 | ₹1,000 | Government fee ₹500; professional fee ₹500 |
| Statutory Audit | ₹15,000 | ₹50,000 | Mandatory for all Pvt Ltd companies |
| Income Tax Return (ITR-6) | ₹5,000 | ₹15,000 | CA filing fee for companies |
| TDS Compliance | ₹6,000 | ₹18,000 | 4 quarterly returns + monthly payments |
| DPDP Compliance Setup | ₹10,000 | ₹50,000 | Privacy policy, consent system, data audit |
| DPT-3 Filing | ₹2,000 | ₹5,000 | Only if loans/deposits received |
| Total Annual Cost | ₹60,500 | ₹2,00,000 | Early-stage SaaS (under ₹1 crore revenue) |
The cost increases as you scale. Companies with revenue above ₹1 crore typically add transfer pricing documentation (if receiving foreign payments), GST audit (if turnover exceeds ₹5 crore), and SOC 2 or ISO 27001 certification. At the ₹5 crore to ₹10 crore ARR stage, annual compliance spending can reach ₹5 lakh to ₹10 lakh, including a dedicated compliance manager or outsourced CFO.
Annual compliance for an early-stage SaaS Pvt Ltd costs ₹50,000 to ₹2 lakh. Skipping it for one year can cost: ₹36,500+ in ROC late fees (₹100/day x 365 days), ₹10,000+ in GST late fees, ₹5,000 per director for DIN reactivation, and potential director disqualification under Section 164(2). The math is straightforward: compliance is cheaper than non-compliance.
Outsource Your SaaS Compliance to IncorpX
Focus on building your product. We handle GST, ROC, TDS, and data privacy compliance. View all compliance plans.
SaaS Compliance Checklist: 15 Items Before Your First Customer
Before you onboard your first paying customer, make sure these 15 compliance items are in place. This list is built from the common gaps we see when SaaS founders come to us after their first audit notice. Getting these right from day one saves money, time, and founder stress.
- Incorporate as a Pvt Ltd: File SPICe+ on MCA portal; takes 7 to 15 working days. Get PAN, TAN, and incorporation certificate.
- File INC-20A: Commencement of Business declaration within 180 days of incorporation. Cannot start operations without it.
- Register for GST: Apply on the GST portal; approval in 3 to 7 working days. Mandatory if turnover exceeds ₹20 lakh or if making inter-state supplies.
- Open a Current Account: Use company PAN and incorporation certificate. Required for GST compliance and receiving payments.
- Appoint an Auditor: First auditor within 30 days of incorporation (Board appointment). Ratify at first AGM and file Form ADT-1.
- Set Up TDS Compliance: Register on TRACES portal. Deduct TDS on contractor payments (Section 194C/194J), rent (194I), and salaries (192).
- File LUT for Exports: If you plan to serve foreign clients, file Form GST RFD-11 before April 1 of the financial year.
- Draft Privacy Policy: DPDP Act compliant privacy notice on your website. Include data collected, purpose, retention period, and user rights.
- Implement Consent Management: Consent capture at sign-up; withdrawal mechanism accessible from user settings.
- Set Up CERT-In Compliance: Designate a Point of Contact, enable NTP synchronization, configure 180-day log retention.
- Register on Startup India Portal: Apply for DPIIT recognition on startupindia.gov.in. Takes 2 to 5 working days.
- Employee Compliance: Register for PF (EPFO) and ESI (ESIC) if you have 20+ employees or meet wage thresholds.
- Professional Tax Registration: Register in states where you have employees (Maharashtra, Karnataka, etc.).
- Subscription Billing Setup: Configure invoicing system with proper SAC codes, GST calculation, and Ind AS 115-compliant revenue recognition.
- Cyber Insurance: Get a cyber liability policy covering data breach costs; ₹25 lakh to ₹1 crore coverage for early-stage startups.
Summary
SaaS startup compliance in India rests on three pillars: GST compliance at 18% (with zero-rating for exports), ROC filings under the Companies Act, 2013 (AOC-4, MGT-7A, DIR-3 KYC), and data privacy under the DPDP Act, 2023 and IT Act, 2000. The annual cost ranges from ₹50,000 to ₹2 lakh for early-stage companies, and every rupee spent on compliance saves multiples in avoided penalties. Start with a Private Limited Company registration, get your GST registration, and build a compliance calendar from day one. Your SaaS product deserves a foundation that scales with it.
Start Your SaaS Compliance with IncorpX
From Pvt Ltd registration to GST, ROC, and data privacy compliance, IncorpX covers every requirement. Pvt Ltd registration starts at ₹6,999.