SaaS Startup Compliance: GST (OIDAR), FEMA, ESOP & Data Protection — The Definitive Guide for Indian Founders

Why SaaS Startup Compliance Matters More Than Ever

India’s SaaS ecosystem has grown to become the world’s second-largest, with over 25,000 SaaS companies generating an estimated USD 12 billion in revenue. Yet, the compliance landscape remains one of the most misunderstood aspects of running a SaaS company from India. Whether you are bootstrapped or venture-funded, compliance is not optional — it is foundational.

We at Virtual Auditor have worked with hundreds of SaaS startups across Chennai, Bengaluru, and Hyderabad. From our experience, the four critical compliance pillars every SaaS founder must address are:

• GST compliance — particularly OIDAR provisions for B2C overseas customers
• FEMA compliance — for receiving foreign investment and cross-border subscription revenue
• ESOP structuring and taxation — critical for talent retention
• Data protection — under the DPDP Act, 2023

1. GST Compliance for SaaS Companies: The OIDAR Framework

What Are OIDAR Services Under GST?

OIDAR services are defined under Section 2(17) of the IGST Act, 2017 as services delivered over the internet or an electronic network, the nature of which renders their supply essentially automated and involving minimal human intervention. Most SaaS products fall squarely within this definition.

The GST Council has clarified through Circular No. 202/14/2023-GST that cloud-based software subscriptions, API access, and platform-as-a-service offerings are all treated as OIDAR services.

GST on B2B vs B2C SaaS Sales

The treatment differs significantly based on whether your customer is a business or an individual consumer:

B2B Sales (to registered businesses):

• Domestic: Charge 18% GST on the invoice
• Export to registered business overseas: Zero-rated supply under Section 16 of the IGST Act. You can either export under bond/LUT without payment of IGST, or pay IGST and claim refund

B2C Sales (to unregistered individuals):

• Domestic: Charge 18% GST
• Export to overseas consumers: This is where OIDAR rules become critical. The place of supply is the location of the recipient, and GST may apply if you do not have a fixed establishment outside India

Simplified Registration for Foreign OIDAR Providers

If a foreign SaaS company provides OIDAR services to non-taxable online recipients (B2C) in India, it must obtain a simplified GST registration under Section 24(xi) of the CGST Act. The registered person must appoint a representative in India for compliance.

LUT and Refund Mechanism for Exporters

For Indian SaaS companies exporting services, filing a Letter of Undertaking (LUT) in Form GST RFD-11 is the most efficient approach. Key conditions include:

• The supplier must not have been prosecuted for tax evasion exceeding ₹2.5 crore
• LUT must be renewed annually before the start of each financial year
• Foreign Inward Remittance Certificate (FIRC) or e-BRC must be obtained as proof of export

Cross-Border Subscription Billing and GST

When an Indian SaaS company uses platforms like Stripe, Paddle, or Chargebee for international billing, the following GST considerations arise:

• If the billing entity is outside India and collects payment on your behalf, the export of service conditions must still be met at the Indian entity level
• Commission paid to foreign payment processors may attract GST under Reverse Charge Mechanism (RCM) under Section 9(3) of the CGST Act
• Currency conversion differences must be handled using the RBI reference rate on the date of invoice

2. FEMA Compliance for SaaS Startups

Receiving Foreign Investment

SaaS companies receiving foreign investment must comply with the Foreign Exchange Management (Non-Debt Instruments) Rules, 2019. The IT/ITES sector enjoys 100% FDI under the automatic route, meaning no prior government approval is needed. However, the following filings are mandatory:

• FC-GPR (Foreign Currency — Gross Provisional Return): Must be filed within 30 days of allotment of shares to the foreign investor
• KYC of the investor: Including passport, address proof, and source of funds declaration
• Valuation certificate: From a SEBI-registered merchant banker or a Chartered Accountant using a globally accepted methodology (DCF being the most common for SaaS companies)

For more details on FEMA filings, visit our FEMA compliance services page.

Cross-Border Revenue Receipts

Subscription revenue received from overseas customers is treated as export of services. Key compliance requirements include:

• Purpose code in the FIRC must correctly reflect “software services” (code S099 or appropriate sub-code)
• Receipts must be realised within 9 months from the date of invoice (extended from the earlier 6-month requirement)
• Annual Return on Foreign Liabilities and Assets (FLA Return) must be filed with the RBI if there is any foreign investment in the company

Convertible Instruments: SAFEs and Convertible Notes

Indian SaaS startups frequently raise funds through SAFEs (Simple Agreements for Future Equity) and convertible notes. Under FEMA regulations:

• Convertible notes must have a minimum investment of ₹25 lakh per investor
• Conversion must happen within 10 years (or as per the latest RBI notification)
• SAFEs are not explicitly recognised under Indian law, and founders must carefully structure them as either equity instruments or convertible notes to ensure FEMA compliance

3. ESOP Compliance and Taxation

Structuring ESOPs for SaaS Companies

Employee Stock Option Plans are the lifeblood of SaaS talent acquisition. Under the Companies Act, 2013, only unlisted companies that comply with Section 62(1)(b) can issue ESOPs. Key structural requirements include:

• Board and shareholder approval (special resolution)
• Minimum vesting period of 1 year from the date of grant
• ESOP pool typically ranges from 5% to 15% of the fully diluted share capital
• A compensation committee must oversee the administration

Tax Implications at Each Stage

At the time of exercise: The difference between the Fair Market Value (FMV) on the date of exercise and the exercise price is taxed as a perquisite under Section 17(2) of the Income Tax Act. TDS must be deducted by the employer.

At the time of sale: The difference between the sale price and FMV on the date of exercise is taxed as capital gains. If held for more than 24 months (for unlisted shares), it qualifies as long-term capital gain taxed at 20% with indexation benefit.

Section 80-IAC benefit: Eligible startups recognised under DPIIT can defer the tax on ESOPs for up to 5 years from the date of exercise, or until they leave the company, or sell the shares — whichever is earliest.

Cross-Border ESOP Issues

When an Indian SaaS company has a foreign holding company that issues ESOPs, additional complications arise:

• The Indian subsidiary must report the ESOP expense as per Ind-AS 102 (Share-Based Payments)
• FEMA reporting is required if shares of the foreign company are allotted to Indian residents
• The employee must disclose foreign assets in Schedule FA of their ITR

4. DPDP Act Compliance for SaaS Companies

Overview of the Digital Personal Data Protection Act, 2023

The DPDP Act received Presidential assent in August 2023 and is expected to be fully enforced with subordinate rules in 2025-26. For SaaS companies, this law fundamentally changes how you collect, process, and store personal data.

Key Obligations for SaaS Data Fiduciaries

As a SaaS company, you are likely a “Data Fiduciary” under the Act. Your obligations include:

• Lawful purpose and consent: You must obtain free, specific, informed, and unambiguous consent before processing personal data. Pre-ticked consent boxes are invalid
• Purpose limitation: Data can only be processed for the purpose for which consent was given
• Data minimisation: Collect only what is necessary for the stated purpose
• Storage limitation: Personal data must be erased once the purpose is fulfilled, unless retention is required by law
• Accuracy: Reasonable effort must be made to ensure data accuracy
• Security safeguards: Implement appropriate technical and organisational measures

Data Principal Rights

Your users (called “Data Principals”) have the following rights:

• Right to access information about their data processing
• Right to correction and erasure
• Right to grievance redressal
• Right to nominate another person to exercise rights in case of death or incapacity

Penalties Under the DPDP Act

The penalties are significant and can cripple a startup:

• Failure to take security safeguards: Up to ₹250 crore
• Failure to notify a data breach: Up to ₹200 crore
• Non-compliance with obligations relating to children’s data: Up to ₹200 crore
• General non-compliance: Up to ₹50 crore

Practical Steps for SaaS Companies

Based on our advisory work with SaaS clients, we recommend the following action items:

1. Appoint a Data Protection Officer (mandatory for Significant Data Fiduciaries)
2. Conduct a data mapping exercise to identify all personal data flows
3. Update your privacy policy and terms of service
4. Implement a consent management platform (CMP)
5. Set up a data breach notification process (72-hour window is expected)
6. Review vendor contracts to ensure data processing agreements are in place

5. Integrating Compliance Into Your SaaS Workflow

Month-by-Month Compliance Calendar

We recommend SaaS founders maintain a compliance calendar that includes:

• Monthly: GST return filing (GSTR-1 by 11th, GSTR-3B by 20th), TDS payment by 7th
• Quarterly: TDS return filing (Form 26Q), advance tax payments (15th June, September, December, March)
• Annually: LUT renewal, FLA return (by 15th July), annual return filing with ROC, income tax return, transfer pricing report (if applicable)
• Event-based: FC-GPR within 30 days of share allotment, ESOP exercise reporting, data breach notification

Common Mistakes SaaS Startups Make

From our practice, these are the most frequent compliance errors we encounter:

1. Not obtaining an LUT before exporting: This results in IGST being charged on export invoices, blocking working capital
2. Incorrect SAC code on invoices: SaaS services should use SAC 998314 (Online content) or 998315 (Online software), not generic codes
3. Missing FC-GPR filing: A 30-day deadline that many founders miss, leading to compounding applications with RBI
4. ESOP exercise without TDS: The employer is liable for TDS on the perquisite value at the time of exercise
5. No DPDP readiness: Waiting for enforcement without building systems is a recipe for panic compliance

6. How Virtual Auditor Helps SaaS Startups

At Virtual Auditor, we offer end-to-end compliance management for SaaS companies. Our services include:

• GST advisory: OIDAR classification, LUT filing, refund management, and GST audit
• FEMA compliance: FC-GPR filing, valuation for foreign investment, FLA returns, and structuring convertible instruments
• ESOP structuring: Plan design, valuation under Rule 11UA, tax advisory, and annual compliance
• DPDP Act readiness: Data mapping, privacy impact assessments, policy drafting, and ongoing compliance monitoring
• Transfer pricing: Benchmarking studies, documentation, and dispute resolution

Explore our startup advisory services or GST compliance services for more information.

Frequently Asked Questions

1. Do Indian SaaS companies need to charge GST on overseas B2B subscriptions?

No. Export of SaaS services to overseas businesses qualifies as zero-rated supply under Section 16 of the IGST Act, provided you file an LUT and receive payment in convertible foreign exchange. You must retain the FIRC or e-BRC as evidence of export.

2. Is a SaaS subscription considered an OIDAR service under GST?

Yes. Cloud-based software subscriptions delivered over the internet with minimal human intervention are classified as OIDAR services under Section 2(17) of the IGST Act. This classification affects the place of supply rules and registration requirements.

3. What is the penalty for not filing FC-GPR within 30 days?

Late filing of FC-GPR requires a compounding application to the RBI. The compounding fee can be up to three times the amount involved in the contravention, subject to a minimum of ₹10,000. We strongly recommend filing within the stipulated timeline to avoid this.

4. Can SaaS startups use SAFEs for fundraising under FEMA?

SAFEs are not explicitly recognised under Indian FEMA regulations. They must be structured either as equity instruments or convertible notes (with a minimum ₹25 lakh investment per investor) to be FEMA-compliant. We recommend working with a specialised advisor to structure the instrument correctly.

5. When will the DPDP Act rules be enforced?

The DPDP Act, 2023 received Presidential assent in August 2023. The subordinate rules are expected to be notified in phases during 2025-26. However, prudent SaaS companies should begin compliance preparations now, as the Act’s framework is already law.

6. How are ESOPs taxed for employees of Indian SaaS companies?

ESOPs are taxed at two points: (a) at exercise — the difference between FMV and exercise price is taxed as perquisite income under Section 17(2), and (b) at sale — the difference between sale price and FMV at exercise is taxed as capital gains. DPIIT-recognised startups may defer the exercise-stage tax for up to 5 years under Section 80-IAC.

7. What SAC code should SaaS companies use on their GST invoices?

SaaS companies should use SAC 998314 (Online content) or SAC 998315 (Online software) depending on the nature of the service. Using incorrect SAC codes can lead to classification disputes during audits. Consult our GST team for precise classification.