DPDP Act Third-Party Contracts: DPA Requirements
What the DPDP Act 2023 requires in Data Processing Agreements with third-party vendors, what clauses must be included, and how to audit your vendor contracts.
- Section 8(2) requires Data Fiduciaries to enter a valid contract with each Data Processor specifying the processing to be performed.
- Unlike GDPR, the DPDP Act does not impose direct statutory obligations on Data Processors — their obligations flow entirely through the contract with the Fiduciary.
- Your DPA must cover: processing scope, security requirements, deletion obligations, sub-processor approval, audit rights, and breach notification.
- Existing standard vendor contracts are unlikely to be DPDP-compliant — audit all vendor relationships and issue DPA addenda.
- A single vendor breach can trigger your DPDP breach notification obligation — vendor security oversight is a compliance necessity.
The DPA Obligation Under Section 8(2)
Section 8(2) of the DPDP Act requires every Data Fiduciary to enter into a valid contract with each Data Processor that processes personal data on its behalf. This contract must specify what processing the Processor will perform and must impose obligations on the Processor consistent with the Fiduciary's duties under the Act. The DPA is the legal instrument through which a Data Fiduciary extends its compliance obligations down the supply chain.
Without a compliant DPA, a Data Fiduciary cannot lawfully engage a Data Processor to process personal data. This means every vendor relationship involving personal data — cloud hosting, analytics platforms, CRM systems, email service providers, payment processors, HR tools, support platforms — requires a DPA. Many of these vendors will have their own standard DPA templates, but you should review them against the DPDP Act requirements and negotiate additions where needed.
Importantly, the DPDP Act does not create a parallel regulatory relationship between the Data Protection Board and Data Processors — the Board's enforcement jurisdiction runs to Data Fiduciaries. Processors are liable to their Fiduciary clients under the DPA contract. This is a significant difference from GDPR, where processors have direct regulatory obligations. Under the DPDP Act, your contract with your vendor is the primary mechanism for ensuring Processor compliance.
Data Processors vs. Data Fiduciaries Under the Act
The distinction between a Data Fiduciary and a Data Processor is crucial for contract structure. A Data Fiduciary (Section 2(i)) determines the purpose and means of processing personal data — they decide why and how data is processed. A Data Processor (Section 2(k)) processes data on behalf of and under the instructions of a Data Fiduciary — they provide a service and process data as instructed, not for their own purposes.
In practice, most SaaS vendors are Data Processors when they process your customers' data to deliver their service to you. An email service provider (ESP) that sends emails on your behalf is a Data Processor: it processes the email addresses and content you provide, for the purpose you have defined. Likewise, AWS is a Data Processor for the workloads in your AWS account: it processes your data to provide compute and storage, but it does not determine the purpose of the processing.
A vendor can simultaneously be a Data Fiduciary for some purposes and a Data Processor for others. Your CRM vendor is a Data Processor when processing your customers' contact data to provide CRM services to you, but is a Data Fiduciary when they use that same data for their own product improvement, marketing, or analytics. Your DPA must clearly scope the Processor role and expressly prohibit the vendor from using your data for their own purposes.
Essential Clauses in a DPDP-Compliant DPA
A DPDP-compliant DPA must at minimum include the following clauses:
1. Subject matter and duration: what processing activities are covered and for how long.
2. Nature and purpose of processing: a clear description of what processing the Processor will perform and why.
3. Type of personal data and categories of Data Principals: exactly what data will be processed.
4. Obligations and rights of the Data Fiduciary: that the Fiduciary's instructions govern the processing.
5. Confidentiality: the Processor's obligation to maintain confidentiality of personal data.
6. Security safeguards: the Processor must implement reasonable security measures consistent with Section 8(5), and the DPA should specify the minimum standards (SOC 2 or ISO 27001 certification, encryption requirements, access control standards).
7. Sub-processor management: a requirement to obtain the Fiduciary's prior written approval before engaging sub-processors, and to flow down equivalent obligations to any approved sub-processors.
8. Data Principal rights: the Processor must assist the Fiduciary in responding to Data Principal rights requests (access, correction, erasure) for data it holds.
9. Deletion on termination: the Processor must delete or return all personal data upon termination or expiry of the contract, and provide written confirmation of deletion.
10. Breach notification: the Processor must notify the Fiduciary of any personal data breach within a defined short period (24-48 hours is typical) so the Fiduciary can meet its own Section 8(6) notification obligation.
11. Audit rights: the Fiduciary has the right to audit the Processor's compliance with the DPA, either directly or through a qualified third party.
12. Liability: the DPA should address the allocation of liability between the parties in the event of a breach caused by the Processor's failure.
Auditing Your Existing Vendor Contracts
Most existing vendor contracts were not written with DPDP Act compliance in mind. Conduct a vendor contract audit to identify gaps. Start by cataloguing all vendors who process personal data on your behalf — include cloud infrastructure, analytics, marketing, support, HR, and any product integrations. For each vendor, review whether you have a DPA in place and whether it contains the essential clauses described above.
Prioritise vendors by risk: (a) volume of personal data processed (high-volume vendors first), (b) sensitivity of data (vendors processing financial or health data), (c) geographic location (international vendors have additional considerations), and (d) likelihood of a security incident (vendors with less mature security programmes). Begin DPA remediation with the highest-risk vendors.
For vendors with non-compliant or missing DPAs, issue a DPA addendum that supplements the existing service agreement. Most large SaaS vendors (AWS, Google, Microsoft, Salesforce, Zendesk) have DPDP-compatible DPA templates available or will accept an addendum. For smaller vendors, you may need to draft the DPA from your side. Template DPA language aligned to the DPDP Act is available from Indian bar associations and compliance platforms.
Managing Sub-Processors
Sub-processors are vendors used by your primary vendors to help deliver the service. For example, your CRM vendor may use a cloud database provider and an email infrastructure provider as sub-processors. Under the DPDP Act framework, you need to ensure that sub-processors are also subject to equivalent obligations — this flows through your DPA with the primary Processor (who must obtain your approval before engaging sub-processors and must flow down obligations contractually).
Request a list of sub-processors from each of your primary Processors. Review the list for any sub-processors that you have concerns about — particularly those processing sensitive data categories or located in jurisdictions with inadequate data protection. Your DPA should give you approval rights over material changes to sub-processor lists.
In practice, managing sub-processors at a granular level is operationally intensive. Focus your oversight on sub-processors that access personal data directly, not on those that simply provide underlying infrastructure. Require primary Processors to notify you of any changes to sub-processors that handle your personal data (as distinct from infrastructure sub-processors that merely host the Processor's systems).
Vendor Security Oversight Requirements
Section 8(5)'s reasonable safeguards obligation extends to personal data processed by your vendors. You need to exercise oversight of vendor security to satisfy this obligation. Establish a vendor security assessment process: before onboarding a new vendor that will process personal data, assess their security posture using a standardised questionnaire or by reviewing their security certifications.
Prioritise vendors that hold SOC 2 Type II or ISO 27001 certifications — these provide independent third-party assurance of their security controls. Make production of a current SOC 2 or ISO 27001 certificate a contractual requirement in your DPA, with an obligation to maintain certification and notify you if certification lapses. Where a vendor cannot provide certification, a completed security questionnaire reviewed by your security team is an alternative basis for due diligence.
Monitor vendor security on an ongoing basis. Subscribe to vendor security notifications, review annual SOC 2 report renewals when they arrive, and reassess vendor security posture at contract renewal. Include a security-related termination right in your DPA: if a vendor suffers a material breach, loses its security certification, or fails a security audit, you should have the right to terminate the contract promptly.
DPAs With International SaaS Vendors
Many Indian SaaS companies use international vendors — US, EU, or APAC-based SaaS tools — that process personal data of Indian Data Principals. The DPDP Act applies to these vendors as Data Processors, and DPAs must reflect DPDP Act requirements even when the vendor's standard DPA is based on GDPR or CCPA frameworks.
Review the vendor's standard DPA against the DPDP Act checklist. Key points of divergence: (a) the DPDP Act does not impose direct regulatory obligations on Processors, so the GDPR-style processor obligations in the standard DPA may need to be reframed as contractual commitments to the Fiduciary rather than regulatory compliance; (b) breach notification timelines may need adjustment; (c) Data Principal rights assistance clauses may need updating to reference DPDP Act rights rather than GDPR rights.
Cross-border data transfers are addressed separately under the DPDP Act — the Central Government will maintain a whitelist of permitted countries for cross-border transfers. Until the whitelist is published, companies should seek legal advice on the current permissibility of transferring personal data to specific jurisdictions. Your DPA with international vendors should include a clause confirming that any transfer of personal data outside India complies with DPDP Act requirements.
Frequently Asked Questions
Does the DPDP Act require us to have a DPA with our cloud hosting provider (AWS/Azure/GCP)?
We are a Data Processor ourselves — do we have DPDP obligations?
Can we use a single DPA to cover multiple vendors, or do we need separate DPAs?
What happens if a vendor refuses to sign a DPA?
Does the DPDP Act require us to maintain a register of all Data Processors?