Every organisation in India that uses a cloud platform, payroll provider, CRM vendor, analytics tool, or any third-party service that touches personal data is now a Data Fiduciary with a legal obligation under the DPDP Act 2023. And under Section 8(2) of that Act, every one of those vendor relationships requires a Data Processing Agreement (DPA) — a written contract that defines how personal data may be processed, secured, and returned or deleted.
There are no exceptions for startup size, data volume, or the type of service. If personal data flows to a third party that processes it on your behalf, a valid contract is mandatory.
This guide covers everything you need to know: the statutory basis, what a compliant DPA must contain, how DPDP differs from GDPR, and a step-by-step action plan for your vendor contract review before the May 13, 2027 enforcement deadline.
1. What Is a Data Processor Under the DPDP Act?
Section 2(k) of the DPDP Act 2023 defines a Data Processor as:
“any person who processes personal data on behalf of a Data Fiduciary”
The defining characteristic is control versus execution. A Data Fiduciary determines why and how personal data is processed. A Data Processor carries out those instructions on the Fiduciary’s behalf, without independently deciding the purpose.
In practice, this means:
| Vendor / Service | Typical Role | DPA Required? |
|---|---|---|
| AWS, Azure, GCP (IaaS/PaaS hosting) | Data Processor | Yes |
| Salesforce, HubSpot (CRM) | Data Processor | Yes |
| Darwinbox, Keka (HR/Payroll SaaS) | Data Processor | Yes |
| Google Analytics, Mixpanel (Analytics) | Data Processor (partially) | Yes |
| WhatsApp Business API / SMS gateway | Data Processor | Yes |
| Third-party background verification firm | Often Data Fiduciary | DFA/data sharing agreement required |
| Lawyers, CAs processing client data | Data Processor | Yes |
| Marketing agency with CRM access | Data Processor | Yes |
The key question to ask for each vendor: “Does this party process personal data according to our instructions, or do they independently decide the purpose?” If the former — they are your Data Processor and a DPA is mandatory.
2. The Legal Basis: Section 8 of the DPDP Act 2023
Section 8 is the core provision governing Data Fiduciary obligations. Three sub-sections are directly relevant to DPAs:
Section 8(1) — Non-Delegable Liability
“A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.”
This is the most important provision for CIOs and DPOs to internalise. Outsourcing processing does not outsource accountability. If your cloud provider suffers a breach that exposes your users’ data, you are the one the Data Protection Board will hold responsible. Your vendor’s DPA is not a liability transfer — it is a governance instrument.
Section 8(2) — Mandatory Contract
“A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.”
This is unambiguous. There is no size threshold, no sector exclusion, no volume minimum. Every engagement of a Data Processor requires a valid written contract. An email confirmation, a purchase order, or a vendor’s standard terms of service are not sufficient unless they specifically incorporate DPDP-compliant obligations.
Section 8(3) — Data Accuracy Obligation
Section 8(3) requires that the Data Fiduciary ensure personal data is complete, accurate, and consistent, particularly where it is used for decision-making or disclosed to another fiduciary. This creates an obligation to include data quality and accuracy warranties in your DPAs.
⚠️ Critical — Section 8(1) Vicarious Liability: Unlike GDPR, the DPDP Act does not create direct regulatory obligations for Data Processors. The Data Protection Board cannot directly fine your vendor. But it can — and will — fine you for your vendor’s failures. This makes DPA drafting and vendor oversight a top-priority compliance activity.
3. What Must a DPDP-Compliant DPA Contain?
The DPDP Act and Rules 2025 do not prescribe specific clause language (unlike GDPR’s Article 28, which lists mandatory elements). However, based on Section 8’s requirements and regulatory best practice, a compliant DPA must address the following:
3.1 Purpose and Scope of Processing
The contract must clearly define what personal data is covered, why it is being processed, and the boundaries of permitted processing. The processor must be contractually restricted to processing data only for the stated purpose — any use beyond that scope is a breach of both the contract and the DPDP Act.
3.2 Reasonable Security Safeguards
The DPDP Rules 2025 (Rule 6) require Data Fiduciaries to implement “reasonable security safeguards to prevent personal data breach.” Your DPA must pass this obligation downstream — the processor must contractually commit to maintaining equivalent or higher security standards. Specifically, the DPA should specify:
- Encryption standards (in transit and at rest)
- Access control requirements (least privilege, MFA)
- Security certifications required (ISO 27001, SOC 2, or equivalent)
- Right to conduct or commission security audits
- Incident response capabilities and contact points
3.3 Breach Notification — Immediate Escalation
Under Section 8(6) of the DPDP Act, you as Data Fiduciary must notify the Data Protection Board of any personal data breach. But you can only do that if your processor tells you first. Your DPA must require the processor to notify you immediately upon becoming aware of any security incident or breach — ideally within 6–12 hours — so you have time to assess and meet your statutory notification obligations.
The breach notification clause must include: what constitutes a “breach” for notification purposes, the contact person/channel, the initial notification format, and the processor’s obligation to assist with your DPBI notification.
3.4 Data Deletion or Return
When the processing purpose is complete, or the contract is terminated, the processor must delete all personal data (or return it to you) within a defined timeframe. The DPA must specify:
- The deletion/return timeline (e.g., within 30 days of termination)
- Certification of deletion (a written confirmation)
- Whether backups and archived copies are included
- Any legal hold exceptions that override deletion
3.5 Sub-Processing Restrictions
Your processor may itself use sub-processors (e.g., AWS uses sub-processors for certain services; your payroll vendor may outsource tax calculations). The DPA must either: (a) prohibit sub-processing without your prior written consent, or (b) require the processor to flow down all DPDP obligations to sub-processors and remain liable for their acts. Do not allow open-ended sub-processing clauses.
3.6 Data Principal Rights Support
When a Data Principal exercises their rights — access, correction, erasure, or withdrawal of consent — you need your processor’s cooperation to fulfil them. The DPA must obligate the processor to assist you in responding to Data Principal requests within the timeframes prescribed under the DPDP Act (to be specified in the Rules).
3.7 Audit Rights
Given your vicarious liability under Section 8(1), you need the contractual right to verify that your processor is actually meeting its obligations. The DPA must grant you (or your appointed auditor) the right to conduct or commission security audits and assessments. This is not just good practice — it is the foundation of your third-party risk management programme.
3.8 Confidentiality
All personnel with access to personal data on the processor’s side must be bound by confidentiality obligations, either through individual NDAs or the DPA itself. This obligation should survive termination of the contract.
3.9 Indemnity and Liability
Since you bear regulatory liability for your processor’s failures, your DPA should include indemnity provisions that allow you to recover costs — including DPBI penalties, legal fees, and remediation expenses — from the processor if their failure caused the breach. Note: this does not shift regulatory liability away from you, but it does give you contractual recourse.
4. DPA Clause Summary Checklist
| DPA Clause | DPDP Act Basis | Priority |
|---|---|---|
| Purpose and scope of processing | Section 8(2) | Critical |
| Reasonable security safeguards | Section 8(1), Rule 6 | Critical |
| Immediate breach notification to Data Fiduciary | Section 8(6) | Critical |
| Data deletion or return on termination | Section 8(7) | Critical |
| Sub-processing restrictions | Section 8(2) | High |
| Data Principal rights support | Sections 11–14 | High |
| Audit rights | Section 8(1) — vicarious liability | High |
| Confidentiality obligations | Best practice + Section 8(1) | High |
| Data accuracy and quality | Section 8(3) | Medium |
| Indemnity and liability allocation | Commercial best practice | Medium |
| Cross-border transfer restrictions | Section 16 | Medium (check sector rules) |
5. How DPDP DPA Requirements Differ from GDPR Article 28
If your organisation is already GDPR-compliant, you have a strong foundation — but there are critical differences that require attention:
| Dimension | GDPR Article 28 | DPDP Act Section 8 |
|---|---|---|
| Mandatory clause content | Yes — specific 8-point list prescribed in Article 28(3) | No — outcome-based; clauses inferred from Section 8 obligations |
| Direct processor obligations | Yes — DPA non-compliance exposed directly to supervisory authorities | No — only Data Fiduciary is directly regulated; processor obligations flow through contract |
| Standard Contractual Clauses | EU SCCs available for cross-border transfers | No equivalent issued yet; negative-list approach for cross-border |
| Sub-processor chains | Requires flow-down of Article 28 obligations to sub-processors | Required contractually; specifics left to the DPA |
| Data subject rights response | Processor must assist controller within defined timelines | Processor must assist Data Fiduciary; timelines to be prescribed in Rules |
| Audit rights | Explicitly required in Article 28(3)(h) | Not explicitly stated but implied by Section 8(1) vicarious liability |
The most important GDPR-to-DPDP gap: under GDPR, your data processor has direct regulatory exposure and skin in the game. Under the DPDP Act, they do not — which means your DPA is the only instrument creating processor accountability. Draft it robustly.
6. Cross-Border Data Transfers and Your DPA
The DPDP Act’s cross-border framework is defined in Section 16: personal data may be transferred to any country not specifically restricted by the Central Government. As of June 2026, no restricted country list has been notified. This means transfers to US-based cloud providers (AWS, Azure, GCP, Salesforce, etc.) are currently permitted from a DPDP perspective.
However, three important caveats apply:
- Sectoral localization rules prevail — RBI’s payment data localization, IRDAI health data rules, and SEBI’s data requirements are stricter and continue to apply independently of the DPDP Act.
- The restricted country list may be notified at any time — your DPA should include a clause that restricts transfers to newly restricted countries within a defined period after notification.
- The DPA must still apply regardless of where the processor is located — a Section 8(2) compliant contract is required for foreign processors just as for Indian ones.
7. Your DPA Action Plan: Vendor Prioritisation Framework
Most organisations have dozens or hundreds of vendor relationships. You cannot renegotiate all DPAs simultaneously. Prioritise using this risk-based framework:
| Priority Tier | Criteria | Examples | Target Timeline |
|---|---|---|---|
| Tier 1 — Critical | Access to large volumes of personal data; customer-facing; breach would cause significant harm | Cloud infrastructure (AWS/Azure/GCP), CRM, HR/Payroll SaaS, Payment processors | Complete by Oct 2026 |
| Tier 2 — High | Access to personal data; significant but narrower scope | Marketing platforms, Analytics, Background verification, Customer support tools | Complete by Jan 2027 |
| Tier 3 — Medium | Incidental access to personal data; limited scope | IT support vendors, Office software, Security tools with log access | Complete by Apr 2027 |
Use our Third-Party Risk Assessment service to conduct a structured vendor inventory and classify all processor relationships in a single engagement.
8. Penalties for DPA Non-Compliance
Failing to have a valid contract with a Data Processor violates Section 8(2) directly. The consequences stack:
- Up to ₹250 crore — if the absence of a DPA (or its inadequacy) contributed to a personal data breach resulting from failure to implement reasonable security safeguards
- Up to ₹200 crore — if the breach results in failure to notify the Data Protection Board or affected Data Principals
- Reputational damage — the DPBI may publish enforcement decisions, creating significant reputational exposure for listed companies and consumer-facing brands
- Loss of client contracts — enterprise clients (especially BFSI and global companies) increasingly require DPA evidence as part of vendor due diligence; non-compliance risks client churn
9. Step-by-Step: How to Draft a DPDP-Compliant DPA
- Map all Data Processor relationships — Create a complete inventory of every vendor that processes personal data on your behalf. Include SaaS tools, cloud infrastructure, outsourced services, and professional services with data access. Most organisations discover significantly more processor relationships than they initially estimate.
- Classify each relationship — For each vendor, determine: are they a Data Processor (your instructions) or a separate Data Fiduciary (their own purpose)? The classification determines what type of agreement is required.
- Review existing contracts for DPA coverage — Many vendor contracts already contain data protection clauses — but are they DPDP-compliant? Check for the 9 clause categories listed in Section 3 above. Document gaps.
- Draft DPDP-compliant DPA addenda — For contracts that lack adequate provisions, prepare a DPA addendum. Your standard template should include all 9 clause categories and be customisable for processor-specific risks.
- Negotiate and execute with vendors — Start with Tier 1 vendors. Many major cloud providers (AWS, Azure, GCP) already offer DPDP-ready DPA addenda — request and review them. For Indian vendors, you may need to negotiate bespoke addenda.
- Implement processor oversight — Execution is not enough. Establish an annual security questionnaire, exercise your audit rights periodically, and maintain evidence of ongoing compliance monitoring. Your DPA is your governance instrument — exercise it.
- Maintain a Processor Register — Document all processors, DPA status, data categories, security certifications, and review dates. This is your primary audit evidence and the foundation of your third-party risk programme. See our Data Discovery & Classification service for structured data mapping support.
Need Your Vendor DPAs Reviewed Before the 2027 Deadline?
MYITMANAGER’s Third-Party Risk programme covers vendor inventory, DPA gap analysis, template creation, and ongoing oversight — delivered by CISM + CIPP/E certified advisors with 20+ years in enterprise IT.
Frequently Asked Questions: Data Processing Agreement DPDP Act India
Is a Data Processing Agreement mandatory under the DPDP Act?
Yes. Section 8(2) of the DPDP Act 2023 makes a written contract between a Data Fiduciary and Data Processor mandatory whenever personal data is shared for processing. There are no exemptions based on company size, data volume, or the nature of the processing activity.
Who is liable if a Data Processor causes a data breach?
The Data Fiduciary bears primary liability under Section 8(1) — non-delegable, vicarious liability regardless of any contractual arrangement. The Data Fiduciary can face penalties up to ₹250 crore even if the breach was entirely caused by the processor’s failure.
Does the DPDP Act require DPAs with foreign vendors?
Yes. The DPA requirement applies regardless of whether the Data Processor is in India or abroad. Cross-border transfers are currently permitted (no restricted country list has been notified as of June 2026), but the contractual requirement applies in all cases.
How is a DPDP DPA different from a GDPR Article 28 DPA?
Under GDPR, Data Processors have direct regulatory obligations and GDPR prescribes specific mandatory clause content. Under the DPDP Act, only the Data Fiduciary is directly regulated — the Act does not prescribe specific clause language. Your DPA is the sole instrument creating processor accountability, making robust drafting critical.
When does the DPDP Act DPA obligation become enforceable?
Full enforcement is expected from May 13, 2027 — 18 months after the DPDP Rules 2025 were notified on November 13, 2025. However, 18 months is insufficient for organisations with large vendor portfolios. Begin now.
What is the penalty for not having a DPA under the DPDP Act?
Directly, engaging a processor without a valid contract violates Section 8(2). Where the absence of adequate contractual safeguards contributes to a breach, penalties of up to ₹250 crore per contravention may apply for failure to implement reasonable security measures.
Related MYITMANAGER Guides
- DPDP Act Compliance Services — End-to-End Implementation
- DPDP Act Compliance Checklist India 2026 — Complete Guide
- Consent Manager India — DPDP Act Requirements 2026
- Third-Party Risk & Vendor Assessments
- DPO as a Service — CIPP/E Qualified for Indian Organisations
- Data Discovery & Classification — Know What Data You Hold
- RBI Cybersecurity Guidelines 2026 — Banks and NBFCs
Ready to Get Started?
Speak directly with Saurabh Gupta — CISM, CIPP/E, ex-Bain India IT Head.
No sales pitch. Just clarity on your compliance path.