

Under the DPDP Act 2023, every vendor that processes personal data on your behalf, your cloud host, payroll provider, CRM, email tool, or marketing agency, is a Data Processor. And the law is blunt about the arrangement: processor contracts are mandatory, and the Data Fiduciary stays legally responsible for everything those vendors do with the data.
That makes the data processing agreement (DPA), sometimes just called a DPDP vendor contract, one of the most important documents in your compliance file. If a vendor leaks your customers' data, the Data Protection Board comes to you first, and penalties run up to ₹250 crore per violation.
No cost. No obligation. Get your compliance gap report.
| Question | Data Fiduciary (You) | Data Processor (Vendor) |
|---|---|---|
| Who decides purpose and means? | You do | Follows your instructions |
| Who is liable to the Data Protection Board? | You, fully | Contractual obligations to you |
| Who must take consent and give notices? | You do | Not their role |
| Who must maintain safeguards on their systems? | On your systems | On theirs, as your contract requires |
| Who reports breaches to the Board? | You, within 72 hours | Must alert you fast enough for you to comply |
The takeaway: the contract shifts work to the vendor, but it never shifts legal responsibility away from you. That is exactly why the contract's contents matter so much.
Since the liability stays with you, vendor compliance verification is self-defence. Here is a workable cycle.
Build a register of every third party that touches personal data, including the small tools nobody remembers signing up for.
Get the DPA signed, then ask for evidence: security practices, breach procedures, and deletion capabilities, not just promises.
Vendors change stacks, staff, and sub-processors. Repeat verification on a schedule and whenever a vendor's setup changes.
Consent rules become mandatory on 13 November 2026, and full enforcement begins 13 May 2027. Compliance setup takes 2-6 months, and renegotiating contracts with every vendor is one of the slowest steps. Start the vendor review now.
Vendor contracts are one obligation among many. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.
Yes. A Data Fiduciary may only engage a Data Processor under a valid contract. Every vendor that processes personal data on your behalf needs a written agreement covering data protection obligations.
You are. The Data Fiduciary stays fully legally responsible even when a processor handles the data. A contract lets you recover losses from the vendor commercially, but the Board holds you accountable.
Scope and purpose of processing, security safeguards, breach notification fast enough for your 72-hour Board report, deletion on purpose completion or consent withdrawal, audit rights, and sub-processor controls.
Yes. A signed contract alone doesn't protect you, since the liability stays with you. Verify that vendors actually maintain the promised safeguards, through questionnaires, evidence reviews, or audits, and repeat the check periodically.
Our free audit maps your vendors, checks your contracts, and gives you a gap report with a fix roadmap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.