DPDP Act Vendor Due Diligence: Assessing Data Processors
How to conduct DPDP Act-compliant vendor due diligence for Data Processors — risk tiers, security questionnaires, DPA requirements, and ongoing monitoring.
- The Data Fiduciary is responsible for ensuring Data Processors implement adequate safeguards — you cannot transfer DPDP liability by outsourcing processing.
- Section 8(2) requires a valid contract with each Data Processor — vendor due diligence precedes and informs that contract.
- Risk-tier your vendor base: high-risk vendors (large data volumes, sensitive data categories) receive deeper due diligence than low-risk vendors.
- SOC 2 Type II and ISO 27001 certifications from vendors are the strongest evidence of processor security adequacy.
- Annual vendor reviews ensure that vendor security posture remains adequate as both your usage and their product evolve.
In this guide
- Why Vendor Due Diligence Is a DPDP Obligation
- Vendor Risk Tiering and Due Diligence Proportionality
- Components of a DPDP Due Diligence Assessment
- Using a Security Questionnaire Effectively
- Reviewing SOC 2 and ISO 27001 Certifications
- DPA Negotiation as Part of Due Diligence
- Ongoing Vendor Monitoring Programme
Why Vendor Due Diligence Is a DPDP Obligation
The DPDP Act 2023 places the primary compliance obligation on Data Fiduciaries — and that obligation extends to personal data processed by vendors on the Fiduciary's behalf. Section 8(5) requires reasonable security safeguards to prevent personal data breaches, and this obligation covers personal data "in its possession or under its control" — a phrase that includes data held by processors under your instruction.
This means you cannot transfer DPDP liability by outsourcing processing to a vendor. If a vendor you have engaged to process personal data suffers a breach due to inadequate security, the Board will assess your due diligence: did you assess the vendor's security before engaging them? Did you have a contractual obligation requiring adequate security? Did you monitor the vendor's security posture over time? A company that hired a security-deficient vendor without due diligence faces a much harder enforcement position than one that performed thorough diligence and was victimised despite it.
Vendor due diligence is also commercially increasingly important. Enterprise buyers conducting their own vendor assessments will ask about your sub-processor due diligence practices. Demonstrating a systematic programme — with tiered assessments, DPA coverage, and annual reviews — is a commercial differentiator in addition to a compliance requirement.
Vendor Risk Tiering and Due Diligence Proportionality
Not all vendors pose equal risk to personal data. A vendor who accesses the email addresses of 10 users in a test environment is very different from a vendor who processes payment data for all your production users. Due diligence should be proportionate to risk — invest the most effort in highest-risk vendors and maintain proportionate oversight for lower-risk vendors.
A risk tiering framework might classify vendors as: Tier 1 (high risk) — vendors with access to sensitive personal data (financial, health, identity documents), large volumes of personal data (your full customer database), or production system access; requiring full security questionnaire, SOC 2/ISO 27001 review, DPA negotiation, and annual review. Tier 2 (medium risk) — vendors with access to limited personal data categories or small volumes; requiring abbreviated security questionnaire, certification review, standard DPA, and biennial review. Tier 3 (low risk) — vendors with no direct access to personal data (e.g., a project management tool used by your team that you ensure contains no customer personal data); requiring basic assessment and standard vendor terms.
Tier assignment should be documented and reviewed whenever your usage of a vendor changes significantly. A vendor that starts as Tier 3 (no personal data access) can become Tier 1 if you expand usage to include processing customer data. Re-assess tiering annually as part of your vendor review cycle.
Components of a DPDP Due Diligence Assessment
A comprehensive vendor due diligence assessment for Tier 1 vendors comprises: (1) Privacy and security questionnaire — a structured set of questions covering security controls, data handling practices, breach history, certifications, and DPDP Act-specific questions; (2) Certification review — reviewing current SOC 2 Type II reports or ISO 27001 certificates and certificates of compliance; (3) Privacy policy and terms review — reviewing the vendor's privacy policy, terms of service, and sub-processor list; (4) Reference check — speaking with existing customers about their experience with the vendor's security and data handling; (5) DPA negotiation — confirming that appropriate contractual data protection provisions are in place.
For Tier 1 vendors processing particularly sensitive data (health, financial, biometric), consider requesting a penetration test report, a vulnerability disclosure policy, or specific security architecture documentation. The depth of diligence should match the severity of potential harm if the vendor suffers a breach.
Document the due diligence assessment: what information was requested, what was provided, what gaps were identified, and how gaps were resolved before onboarding. This documentation is evidence of your reasonable safeguards programme if a vendor breach triggers a Board investigation. Retain due diligence documentation for the duration of the vendor relationship plus 3 years.
Using a Security Questionnaire Effectively
A security questionnaire is a structured set of questions designed to assess a vendor's security controls. Standard questionnaire frameworks include: the Shared Assessments SIG (Standardised Information Gathering), CAIQ (Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance), and VSAQ (Vendor Security Assessment Questionnaire). For DPDP Act-specific due diligence, add sections covering: DPDP compliance programme status, breach notification procedures, cross-border transfer controls, and sub-processor management.
Questionnaire responses should be verified where possible — do not simply accept self-reported answers for critical controls. Verify that the vendor has the certifications they claim (check issuing body registries), that their DLP controls actually function as described, and that their breach notification process has been tested. For high-risk vendors, a brief technical review call with their security team can validate questionnaire responses and add nuance.
Many large vendors have pre-completed questionnaire responses available (through platforms like OneTrust Exchange, Whistic, or Security Studio). Using these pre-completed responses is efficient, but supplement them with DPDP Act-specific questions that may not be covered in generic questionnaires. The vendor's GDPR compliance posture is a useful proxy for DPDP readiness, but the specific DPDP obligations (no direct processor liability, the Board notification regime, cross-border transfer whitelist) require specific assessment.
Reviewing SOC 2 and ISO 27001 Certifications
SOC 2 Type II reports and ISO 27001 certificates are the gold standard for third-party assurance of a vendor's security controls. Reviewing these certifications is more efficient and more reliable than relying on security questionnaire responses alone — they represent an independent auditor's or certification body's assessment of the vendor's actual controls, not just the vendor's own claims.
When reviewing a SOC 2 Type II report: check the period covered (a report more than 12 months old may not reflect current controls); review the scope — are the systems and services you use covered by the report? Read the description of controls in sections CC6 (logical access), CC7 (system operations and monitoring), and CC9 (risk mitigation); review the auditor's test results — are there any qualified opinions, exceptions, or control deficiencies? The management response to any exceptions tells you a lot about the vendor's compliance culture.
For ISO 27001 certificates: verify that the certificate is current (check expiry date) and issued by a UKAS or accredited certification body; confirm the scope covers the systems and locations relevant to your use; and request the Statement of Applicability to understand which controls are included. An ISO 27001 certificate without a recent surveillance audit may not reflect the current state of controls — ask for the most recent audit findings.
DPA Negotiation as Part of Due Diligence
DPA negotiation is the final step of vendor due diligence — after assessing the vendor's security posture, negotiate the contractual terms that will govern the data processing relationship. A vendor who passes your security assessment but refuses to sign a DPA with appropriate terms should not be onboarded for personal data processing.
Use the due diligence findings to inform DPA negotiation. If the security questionnaire revealed that the vendor does not have a formal breach notification process, negotiate a specific contractual breach notification SLA into the DPA — typically 24-48 hours notification to you after a breach. If the vendor processes data in multiple global regions, ensure the DPA addresses the cross-border transfer situation for data of Indian Data Principals.
Negotiate audit rights into the DPA: the right to audit the vendor's compliance with the DPA at least annually, either through direct audit or through review of the vendor's latest SOC 2 report or ISO 27001 certificate. Many vendors will resist direct audit rights but will accept a "right to receive and review independent audit reports" as an equivalent. This allows you to exercise oversight without the practical burden of conducting on-site audits of every vendor.
Ongoing Vendor Monitoring Programme
Vendor due diligence at onboarding is necessary but not sufficient. Vendor security posture changes over time — acquisitions, leadership changes, product pivots, and growth can all affect a vendor's security programme. Implement an ongoing vendor monitoring programme that ensures your vendor assessments remain current.
Annual vendor reviews for Tier 1 vendors should include: re-requesting or reviewing updated SOC 2/ISO 27001 documentation; reviewing any material changes to the vendor's DPA, sub-processor list, or privacy policy; confirming there have been no material breaches or regulatory actions against the vendor; and confirming that your usage of the vendor has not changed in ways that would trigger re-assessment.
Monitor vendor security news between annual reviews. Subscribe to the vendor's security advisory mailing list and RSS feed if available. Monitor breach disclosure databases (HaveIBeenPwned, vendors' own security pages) for incidents involving your vendors. Participate in vendor user security groups where threat intelligence is shared. Prompt awareness of a vendor incident allows you to initiate your own incident response process quickly if your data may be affected.
Frequently Asked Questions
How many vendors do most Indian SaaS companies need to assess?
Can we rely on a vendor's SOC 2 report without conducting our own questionnaire?
A vendor we use just announced they were acquired. What should we do?
Do we need to assess free-tier or freemium SaaS tools that our employees use?
What is our obligation if a vendor we have assessed and DPA'd then suffers a breach?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
Start for free