Data Processing Agreement Under DPDP

Mandatory vendor contracts under the DPDP Act, and why you stay liable either way
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

"Our Vendor Handles the Data, Not Us" Is the Costliest Myth in DPDP

Under the DPDP Act 2023, every vendor that processes personal data on your behalf, your cloud host, payroll provider, CRM, email tool, or marketing agency, is a Data Processor. And the law is blunt about the arrangement: processor contracts are mandatory, and the Data Fiduciary stays legally responsible for everything those vendors do with the data.

That makes the data processing agreement (DPA), sometimes just called a DPDP vendor contract, one of the most important documents in your compliance file. If a vendor leaks your customers' data, the Data Protection Board comes to you first, and penalties run up to ₹250 crore per violation.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Fiduciary vs Processor: Who Is Responsible for What?

QuestionData Fiduciary (You)Data Processor (Vendor)
Who decides purpose and means?You doFollows your instructions
Who is liable to the Data Protection Board?You, fullyContractual obligations to you
Who must take consent and give notices?You doNot their role
Who must maintain safeguards on their systems?On your systemsOn theirs, as your contract requires
Who reports breaches to the Board?You, within 72 hoursMust alert you fast enough for you to comply

The takeaway: the contract shifts work to the vendor, but it never shifts legal responsibility away from you. That is exactly why the contract's contents matter so much.

Clauses Every DPDP Vendor Contract Needs

  • Scope and purpose: exactly what data the vendor may process, for what purpose, and nothing beyond your instructions
  • Security safeguards: encryption, access controls, MFA, and logging matching the Rule 6 standard (see DPDP security safeguards)
  • Breach notification: the vendor must alert you immediately, so you can notify users without delay and report to the Board within 72 hours
  • Deletion obligations: erase data when the purpose is served or consent is withdrawn, in line with your data retention policy
  • Audit and verification rights: your right to check that the promised safeguards actually exist
  • Sub-processor controls: no passing data to a fourth party without your approval, and the same obligations flowing down the chain

A Signed Contract Isn't Enough: Verify Your Vendors

Since the liability stays with you, vendor compliance verification is self-defence. Here is a workable cycle.

List Every Vendor

Build a register of every third party that touches personal data, including the small tools nobody remembers signing up for.

Paper Then Proof

Get the DPA signed, then ask for evidence: security practices, breach procedures, and deletion capabilities, not just promises.

Re-check Periodically

Vendors change stacks, staff, and sub-processors. Repeat verification on a schedule and whenever a vendor's setup changes.

Vendor Paperwork Takes Longer Than You Think

Consent rules become mandatory on 13 November 2026, and full enforcement begins 13 May 2027. Compliance setup takes 2-6 months, and renegotiating contracts with every vendor is one of the slowest steps. Start the vendor review now.

Want the Complete DPDP Picture?

Vendor contracts are one obligation among many. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.

Data Processing Agreements: Frequently Asked Questions

Are data processing agreements mandatory under the DPDP Act?

Yes. A Data Fiduciary may only engage a Data Processor under a valid contract. Every vendor that processes personal data on your behalf needs a written agreement covering data protection obligations.

How Many of Your Vendors Have a DPDP-Ready Contract?

Our free audit maps your vendors, checks your contracts, and gives you a gap report with a fix roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.