
Why Using ChatGPT or Gemini to Process Insurance Documents is a Compliance Risk

The insurance industry in India is embracing technology at a pace we have never seen before. Brokers are exploring AI tools to automate document reading, extract policy data, and reduce manual entry errors. And on the surface, that is a great direction.

But here is the question most vendors are not asking — and that most brokers are not thinking about: Where is your policyholder’s data actually going?

Table of Contents

  1. The Seductive Pitch of Global AI Models
  2. What IRDAI Actually Mandates on Data
  3. The “Thin Wrapper” Problem
  4. When Data Left the Building: Real-World Examples
  5. India’s DPDP Act Adds Another Layer
  6. How to Evaluate Your InsurTech Vendor
  7. IMD.Mitra’s Approach to Compliant AI
  8. Frequently Asked Questions

The Seductive Pitch of Global AI Models

Models like OpenAI’s ChatGPT, Google’s Gemini, and Anthropic’s Claude are extraordinary pieces of technology. They can read a document, extract information, summarize text, and respond in natural language — all within seconds. It is understandable why insurance technology vendors are rushing to build products using these tools.

The pitch sounds compelling: “We use GPT-4/Gemini to read insurance policies.” But the critical detail buried in the fine print is this — when you send a document to these models via their APIs (Application Programming Interfaces — the technical channel through which software communicates), that document travels to servers located outside India, typically in the United States or Europe.

For most industries, this is an inconvenience. For regulated entities in Indian insurance, it is a legal violation.

What IRDAI Actually Mandates on Data

The Insurance Regulatory and Development Authority of India (IRDAI) has been explicit about data localization — the requirement that certain categories of data must be stored and processed on servers located within Indian borders.

The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017, and subsequent circulars clearly establish that policyholders’ personally identifiable information (PII) — names, contact details, vehicle information, health details, financial records — must not be transferred outside India without regulatory approval. The ISNP (Insurance Self-Network Platform) guidelines reinforce this: any digital platform used by a broker must host its data on India-based infrastructure.

When a vendor routes your policy documents through an API call to OpenAI or Google, your policyholder’s data — names, claim details, vehicle registration numbers, health conditions — is transmitted to foreign servers. This is a clear breach of the data localization requirement.

The “Thin Wrapper” Problem

A “thin wrapper” is an InsurTech product that is, at its core, just a relay. It takes your document, sends it to a global AI provider, receives the response, and presents it to you with a branded interface. The vendor has done very little original engineering. The heavy lifting — and the data processing — happens on foreign infrastructure.

This is the reality of many AI-powered insurance tools currently available in India. The user interface is Indian; the data processing is not.

Identifying this is straightforward. Ask your vendor directly: “Does our policyholder data leave India at any point in the processing pipeline?” If they cannot answer with an unambiguous “No,” you have your answer.

When Data Left the Building: Real-World Examples

This is not a hypothetical risk. There is documented evidence of confidential business data being exposed when companies used global AI APIs carelessly.

In April 2023, Samsung engineers used ChatGPT to assist with internal code reviews and meeting transcripts. Sensitive source code and proprietary meeting notes were inadvertently fed into the model. Once data enters these systems, it can be retained and potentially used to improve the underlying AI model. Samsung subsequently banned the use of ChatGPT for employees. (Read the News)

Separately, in March 2023, Italy’s data protection authority temporarily banned ChatGPT from operating in the country, citing GDPR (the European data privacy law) violations related to the collection and storage of user data without a sufficient legal basis. The case highlighted how quickly regulatory authorities worldwide are acting when AI systems mishandle personal data. (Read the BBC report)

If a sophisticated engineering company like Samsung could leak confidential data this way, and an entire country’s regulator saw reason to intervene, a busy insurance broker in India is at far greater risk.

India’s DPDP Act Adds Another Layer

Beyond IRDAI, there is now a second layer of legal obligation. India’s Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a comprehensive legal framework for how personal data of Indian citizens must be handled. Policyholders’ data — health details, financial data, vehicle records — falls squarely within the definition of “personal data” under this Act.

The DPDP Act restricts the transfer of personal data to countries not notified by the Indian government. Sending policyholder documents to US-based AI servers today is operating in a legally uncertain zone that is rapidly closing.

Regulatory penalties under the DPDP Act can be substantial. More importantly, the reputational damage to a brokerage that is found to have mishandled client data is irreversible.

How to Evaluate Your InsurTech Vendor

Before signing up with any AI-powered insurance technology provider, ask these specific questions:

  1. Where are your servers located? The answer must be “India.” Specifically, in Indian data centers, not just behind an Indian-sounding brand name.
  2. Do you use any third-party AI APIs? If the answer is yes, ask which ones. If the list includes OpenAI, Google, Anthropic, or similar global providers, your data is leaving India.
  3. Can you provide documentation of your data residency? A legitimate vendor will have no hesitation providing this.
  4. Have you undergone any security audits or certifications? An audited and certified vendor is a more trustworthy one.
  5. What happens to my data after processing? Data retention policies matter. Ensure processed document data is not stored beyond necessity.

IMD.Mitra’s Approach to Compliant AI

The team behind IMD.Mitra has spent years building technology specifically for the Indian insurance ecosystem. We have seen, first-hand, how poorly designed systems can put a broker’s license at risk. That experience is precisely why compliance is not a feature we added later — it is the foundation on which everything is built.

IMD.Mitra’s document parsing and AI-powered policy reader are built entirely on proprietary technology, processed and stored on India-based infrastructure. We do not route your data through any global AI provider’s API. There is no third-party cloud service receiving your policyholders’ sensitive information.

To our knowledge, IMD.Mitra is the only InsurTech player in India taking this position — building original capabilities in-house, within Indian borders, under the full scope of IRDAI and DPDP compliance.

We recognize that building this way is harder. It takes more time and more engineering effort than assembling a thin wrapper around a global model. But when your clients trust you with their most sensitive personal and financial information, “harder” is the only acceptable path.

Frequently Asked Questions

  1. Is it illegal for Indian insurance brokers to use ChatGPT or Gemini?

    Not necessarily illegal in all contexts — but using these tools to process policyholder documents (names, policy numbers, health data, vehicle details) almost certainly violates IRDAI’s data localization requirements and creates significant risk under the DPDP Act, 2023. The regulatory guidance is clear that personal data of Indian policyholders must be processed on India-based infrastructure.

  2. What is data localization, in simple terms?

    Data localization means that certain types of sensitive data — in this case, insurance-related personal data — must be stored and processed on servers physically located inside India. Sending that data to a foreign server, even briefly for AI processing, violates this principle.

  3. What is a “thin wrapper” and why is it risky?

    A thin wrapper is a software product that simply forwards your data to a third-party AI service (like OpenAI’s API) and returns the result. The vendor has not built the AI themselves. The risk is that your policyholder’s data is being processed on foreign infrastructure outside IRDAI’s regulatory jurisdiction.

  4. How do I know if my current InsurTech vendor is compliant?

    Ask them directly: “Does any policyholder data leave India at any point?” and “Do you use any third-party AI APIs?” Also request their data residency documentation and security certificates, if applicable.

  5. What makes IMD.Mitra different from other AI-powered insurance tools?

    IMD.Mitra builds its AI and document processing capabilities in-house using proprietary technology hosted on Indian servers. We do not use global AI APIs for processing policyholder data. This makes us the compliant choice for brokers who take IRDAI regulations and the DPDP Act seriously.


Why Indian Insurance Brokers Should Choose IMD.Mitra

When you choose IMD.Mitra, you are choosing a platform that:

  • Processes all insurance documents entirely within India — no exceptions
  • Uses proprietary AI built for the Indian insurance context, not a generic global model
  • Is designed to meet IRDAI’s ISNP requirements and data localization mandates
  • Is aligned with the Digital Personal Data Protection Act, 2023
  • Can demonstrate compliance documentation to your own auditors and regulators

Your broker license is your most valuable asset. Do not let a convenient-sounding AI tool put it at risk.

Book a demo with IMD.Mitra and see exactly how our compliant, India-first technology works — and get straight answers to every compliance question you have.

