Back to Blog
DPDP Act 9 min read

DPDP Act Vendor Due Diligence: Assessing Data Processors

How to conduct DPDP Act-compliant vendor due diligence for Data Processors — risk tiers, security questionnaires, DPA requirements, and ongoing monitoring.

Key Takeaways
  • The Data Fiduciary is responsible for ensuring Data Processors implement adequate safeguards — you cannot transfer DPDP liability by outsourcing processing.
  • Section 8(2) requires a valid contract with each Data Processor — vendor due diligence precedes and informs that contract.
  • Risk-tier your vendor base: high-risk vendors (large data volumes, sensitive data categories) receive deeper due diligence than low-risk vendors.
  • SOC 2 Type II and ISO 27001 certifications from vendors are the strongest evidence of processor security adequacy.
  • Annual vendor reviews ensure that vendor security posture remains adequate as both your usage and their product evolve.

Why Vendor Due Diligence Is a DPDP Obligation

The DPDP Act 2023 places the primary compliance obligation on Data Fiduciaries — and that obligation extends to personal data processed by vendors on the Fiduciary's behalf. Section 8(5) requires reasonable security safeguards to prevent personal data breaches, and this obligation covers personal data "in its possession or under its control" — a phrase that includes data held by processors under your instruction.

This means you cannot transfer DPDP liability by outsourcing processing to a vendor. If a vendor you have engaged to process personal data suffers a breach due to inadequate security, the Board will assess your due diligence: did you assess the vendor's security before engaging them? Did you have a contractual obligation requiring adequate security? Did you monitor the vendor's security posture over time? A company that hired a security-deficient vendor without due diligence faces a much harder enforcement position than one that performed thorough diligence and was victimised despite it.

Vendor due diligence is also commercially increasingly important. Enterprise buyers conducting their own vendor assessments will ask about your sub-processor due diligence practices. Demonstrating a systematic programme — with tiered assessments, DPA coverage, and annual reviews — is a commercial differentiator in addition to a compliance requirement.

Vendor Risk Tiering and Due Diligence Proportionality

Not all vendors pose equal risk to personal data. A vendor who accesses the email addresses of 10 users in a test environment is very different from a vendor who processes payment data for all your production users. Due diligence should be proportionate to risk — invest the most effort in highest-risk vendors and maintain proportionate oversight for lower-risk vendors.

A risk tiering framework might classify vendors as: Tier 1 (high risk) — vendors with access to sensitive personal data (financial, health, identity documents), large volumes of personal data (your full customer database), or production system access; requiring full security questionnaire, SOC 2/ISO 27001 review, DPA negotiation, and annual review. Tier 2 (medium risk) — vendors with access to limited personal data categories or small volumes; requiring abbreviated security questionnaire, certification review, standard DPA, and biennial review. Tier 3 (low risk) — vendors with no direct access to personal data (e.g., a project management tool used by your team that you ensure contains no customer personal data); requiring basic assessment and standard vendor terms.

Tier assignment should be documented and reviewed whenever your usage of a vendor changes significantly. A vendor that starts as Tier 3 (no personal data access) can become Tier 1 if you expand usage to include processing customer data. Re-assess tiering annually as part of your vendor review cycle.

Components of a DPDP Due Diligence Assessment

A comprehensive vendor due diligence assessment for Tier 1 vendors comprises: (1) Privacy and security questionnaire — a structured set of questions covering security controls, data handling practices, breach history, certifications, and DPDP Act-specific questions; (2) Certification review — reviewing current SOC 2 Type II reports or ISO 27001 certificates and certificates of compliance; (3) Privacy policy and terms review — reviewing the vendor's privacy policy, terms of service, and sub-processor list; (4) Reference check — speaking with existing customers about their experience with the vendor's security and data handling; (5) DPA negotiation — confirming that appropriate contractual data protection provisions are in place.

For Tier 1 vendors processing particularly sensitive data (health, financial, biometric), consider requesting a penetration test report, a vulnerability disclosure policy, or specific security architecture documentation. The depth of diligence should match the severity of potential harm if the vendor suffers a breach.

Document the due diligence assessment: what information was requested, what was provided, what gaps were identified, and how gaps were resolved before onboarding. This documentation is evidence of your reasonable safeguards programme if a vendor breach triggers a Board investigation. Retain due diligence documentation for the duration of the vendor relationship plus 3 years.

Using a Security Questionnaire Effectively

A security questionnaire is a structured set of questions designed to assess a vendor's security controls. Standard questionnaire frameworks include: the Shared Assessments SIG (Standardised Information Gathering), CAIQ (Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance), and VSAQ (Vendor Security Assessment Questionnaire). For DPDP Act-specific due diligence, add sections covering: DPDP compliance programme status, breach notification procedures, cross-border transfer controls, and sub-processor management.

Questionnaire responses should be verified where possible — do not simply accept self-reported answers for critical controls. Verify that the vendor has the certifications they claim (check issuing body registries), that their DLP controls actually function as described, and that their breach notification process has been tested. For high-risk vendors, a brief technical review call with their security team can validate questionnaire responses and add nuance.

Many large vendors have pre-completed questionnaire responses available (through platforms like OneTrust Exchange, Whistic, or Security Studio). Using these pre-completed responses is efficient, but supplement them with DPDP Act-specific questions that may not be covered in generic questionnaires. The vendor's GDPR compliance posture is a useful proxy for DPDP readiness, but the specific DPDP obligations (no direct processor liability, the Board notification regime, cross-border transfer whitelist) require specific assessment.

Reviewing SOC 2 and ISO 27001 Certifications

SOC 2 Type II reports and ISO 27001 certificates are the gold standard for third-party assurance of a vendor's security controls. Reviewing these certifications is more efficient and more reliable than relying on security questionnaire responses alone — they represent an independent auditor's or certification body's assessment of the vendor's actual controls, not just the vendor's own claims.

When reviewing a SOC 2 Type II report: check the period covered (a report more than 12 months old may not reflect current controls); review the scope — are the systems and services you use covered by the report? Read the description of controls in sections CC6 (logical access), CC7 (system operations and monitoring), and CC9 (risk mitigation); review the auditor's test results — are there any qualified opinions, exceptions, or control deficiencies? The management response to any exceptions tells you a lot about the vendor's compliance culture.

For ISO 27001 certificates: verify that the certificate is current (check expiry date) and issued by a UKAS or accredited certification body; confirm the scope covers the systems and locations relevant to your use; and request the Statement of Applicability to understand which controls are included. An ISO 27001 certificate without a recent surveillance audit may not reflect the current state of controls — ask for the most recent audit findings.

DPA Negotiation as Part of Due Diligence

DPA negotiation is the final step of vendor due diligence — after assessing the vendor's security posture, negotiate the contractual terms that will govern the data processing relationship. A vendor who passes your security assessment but refuses to sign a DPA with appropriate terms should not be onboarded for personal data processing.

Use the due diligence findings to inform DPA negotiation. If the security questionnaire revealed that the vendor does not have a formal breach notification process, negotiate a specific contractual breach notification SLA into the DPA — typically 24-48 hours notification to you after a breach. If the vendor processes data in multiple global regions, ensure the DPA addresses the cross-border transfer situation for data of Indian Data Principals.

Negotiate audit rights into the DPA: the right to audit the vendor's compliance with the DPA at least annually, either through direct audit or through review of the vendor's latest SOC 2 report or ISO 27001 certificate. Many vendors will resist direct audit rights but will accept a "right to receive and review independent audit reports" as an equivalent. This allows you to exercise oversight without the practical burden of conducting on-site audits of every vendor.

Ongoing Vendor Monitoring Programme

Vendor due diligence at onboarding is necessary but not sufficient. Vendor security posture changes over time — acquisitions, leadership changes, product pivots, and growth can all affect a vendor's security programme. Implement an ongoing vendor monitoring programme that ensures your vendor assessments remain current.

Annual vendor reviews for Tier 1 vendors should include: re-requesting or reviewing updated SOC 2/ISO 27001 documentation; reviewing any material changes to the vendor's DPA, sub-processor list, or privacy policy; confirming there have been no material breaches or regulatory actions against the vendor; and confirming that your usage of the vendor has not changed in ways that would trigger re-assessment.

Monitor vendor security news between annual reviews. Subscribe to the vendor's security advisory mailing list and RSS feed if available. Monitor breach disclosure databases (HaveIBeenPwned, vendors' own security pages) for incidents involving your vendors. Participate in vendor user security groups where threat intelligence is shared. Prompt awareness of a vendor incident allows you to initiate your own incident response process quickly if your data may be affected.

Frequently Asked Questions

How many vendors do most Indian SaaS companies need to assess?
A typical SaaS product might use 20-50 tools that access personal data in some form — cloud infrastructure, analytics, CRM, marketing automation, support, payments, HR tools, and product integrations. Tier 1 (high-risk) vendors are usually a smaller subset — perhaps 5-10 critical vendors. The remainder can be handled with lighter Tier 2 or Tier 3 assessments. Start with a vendor inventory to understand your landscape before estimating assessment effort.
Can we rely on a vendor's SOC 2 report without conducting our own questionnaire?
For Tier 1 vendors, a SOC 2 Type II report significantly reduces (but does not replace) questionnaire assessment. Review the SOC 2 report and supplement with targeted questions on DPDP-specific points not covered in a standard SOC 2 (cross-border transfers, breach notification to Indian regulators, DPA availability). For Tier 2 and Tier 3 vendors, a current SOC 2 report may be sufficient without an additional questionnaire.
A vendor we use just announced they were acquired. What should we do?
Trigger an out-of-cycle due diligence review. Acquisitions can change a vendor's data handling practices, sub-processor relationships, geographic operations, and security programme. Review any communications from the vendor about data handling post-acquisition, request an updated DPA or confirmation that existing terms remain in force, and consider whether the acquiring entity is acceptable from a DPDP cross-border transfer perspective.
Do we need to assess free-tier or freemium SaaS tools that our employees use?
If a freemium tool processes personal data (employee data, customer data, any individually identifiable information), yes. The DPDP Act does not have a fee-based threshold — if personal data is processed, the DPA requirement applies. Common examples: free-tier collaboration tools (Notion, Airtable) that employees put customer contact data in, or free email marketing tools used for small-scale campaigns. Audit shadow IT to identify unsanctioned tools that may be processing personal data.
What is our obligation if a vendor we have assessed and DPA'd then suffers a breach?
Activate your incident response plan. Assess the scope of your Data Principals' exposure. If notifiable personal data was affected, prepare Board and Data Principal notifications. Review the breach details: did the vendor comply with the breach notification clause in your DPA? Did their security posture at the time of breach meet the standards they represented? Consider whether the breach creates grounds to terminate the vendor relationship or require additional security commitments.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free