Guide6 min read

Vendor Management Under the DPDP Act: What Your Data Processing Agreements Need

Your vendors' data gaps are your liability under the DPDP Act. A template and checklist for the contractual terms every Data Processor agreement needs.

A DPDP-compliant Data Processing Agreement needs eight specific clauses: purpose limitation, security safeguard flow-down, sub-processor restrictions, fast breach notification back to you, data return or deletion at contract end, audit rights, cross-border transfer disclosure, and retention alignment.

The DPDP Act holds the Data Fiduciary responsible for personal data even when a third party, a Data Processor, is the one physically handling it. If your analytics tool, customer support platform, or AI vendor mishandles data you gave them, the Board's first call is to you, not to them. This makes vendor management a compliance function, not just a procurement checkbox.

What Rule 6 actually requires of processor contracts

Rule 6(1)(f) specifically requires "appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor... for taking reasonable security safeguards." This is not optional boilerplate. It is a named requirement in the Rules.

The clauses your Data Processing Agreement needs

  1. 1.Purpose limitation. The vendor may process the data only for the purpose you specify, not for their own product improvement or a use you have not consented to on the user's behalf.
  2. 2.Security safeguard flow-down. The vendor commits to the same standard of security safeguards required of you under Rule 6: encryption, access controls, monitoring, and backups.
  3. 3.Sub-processor restrictions. The vendor cannot bring in a further sub-processor without your knowledge and equivalent contractual protection flowing down to them too.
  4. 4.Breach notification to you, fast. The vendor must notify you of any incident quickly enough that you can still meet your own 72-hour Board notification window under Rule 7. A vendor contract that only promises "prompt" notice, with no number attached, is a gap.
  5. 5.Data return or deletion at contract end. When the relationship ends, the vendor must return or verifiably delete the data, not retain it indefinitely on the theory that the contract "just lapsed".
  6. 6.Audit and evidence rights. You should be able to request evidence of the vendor's security posture, not just take their word for it, especially for vendors touching sensitive categories like payment or health data.
  7. 7.Cross-border transfer disclosure. If the vendor processes data outside India, or uses infrastructure that does, that needs to be disclosed and accounted for in your own transfer posture under Rule 15.
  8. 8.Retention alignment. The vendor's own retention period for your data should match, or be shorter than, the retention schedule you have committed to under Rule 8. A vendor that keeps data longer than you do defeats your own retention policy.

The audit you should run on your current vendor list

Most startups accumulate vendors faster than they accumulate contracts reviewed for this. A practical starting exercise: list every third party that receives personal data (analytics, support, email, AI features, payment processing, logistics), and check each one against the eight clauses above. The gaps you find are your actual DPDP vendor risk, and they are usually concentrated in tools added quickly during early growth, not the vendors you negotiated carefully.

Privacy Labs maps your live third-party data flows automatically as part of the discovery scan, so this audit does not depend on someone's memory of which tools touch what. A RoPA is the natural place to record each vendor against these clauses once you have run the audit. Run a free Compliance Score below to start.

Frequently asked questions

Am I liable if my vendor causes a data breach?

Under the DPDP Act, the Data Fiduciary is accountable for personal data even when a Data Processor is handling it on their behalf. A vendor's security failure is treated as a risk you were responsible for managing, which is why contractual security flow-down clauses under Rule 6(1)(f) matter.

Do I need a Data Processing Agreement with every vendor?

You need one with any vendor or third party that processes personal data on your behalf, including analytics tools, support platforms, email services, and AI vendors. Vendors that never touch personal data (e.g. a pure infrastructure tool with no PII access) fall outside this requirement.

What happens if a vendor takes longer than 72 hours to tell me about a breach?

You are still responsible for notifying the Data Protection Board within 72 hours of your own awareness under Rule 7, which starts as soon as you learn of the breach, including from the vendor. This is exactly why your Data Processing Agreement should require the vendor to notify you well inside that window, not at its edge.

Compliance Score

Where does your website stand against the DPDP Act?

Run a free Compliance Score: privacy policy, cookie consent, and retention posture, checked in 60 seconds. No signup.