Vendor Risk Under DPDP: The Procurement Checklist Every Indian Company Needs
April 2026 · ComplyDP Free Resource
Here is a fact that surprises most companies: under the DPDP Act, you are responsible for what your vendors do with personal data. Not your vendor. You.
Section 8(1) makes this explicit: the Data Fiduciary - your company - is responsible for compliance in respect of any processing carried out on its behalf by a Data Processor (your vendor), irrespective of any agreement to the contrary. Section 8(2) adds that you may only engage a processor under a valid contract. If your cloud hosting provider suffers a breach exposing your customers' data, the DPBI comes to you first. If your marketing automation tool uses customer data in ways your privacy notice did not disclose, you are in violation - not the tool.
This guide is for anyone who procures technology, outsources data processing, or manages vendor relationships. It gives you a practical framework for evaluating and managing vendor DPDP risk - before procurement, during the contract, and at termination.
Why Vendor Risk Is the Biggest Blind Spot
Most DPDP compliance efforts focus inward: privacy notices, consent flows, internal policies. That is necessary but insufficient. The average Indian company with 50–500 employees uses 15–40 SaaS tools that process personal data. Each of those tools is a Data Processor under the DPDP Act.
Consider a typical mid-market company:
- CRM (Salesforce, Zoho, HubSpot): stores customer names, emails, phone numbers, interaction history
- Email marketing (Mailchimp, Sendinblue, WebEngage): processes contact lists, behavioural data, consent records
- Analytics (Google Analytics, Mixpanel, Amplitude): processes device IDs, IP addresses, user behaviour
- Payment processing (Razorpay, Stripe, PayU): processes financial data, transaction records
- HR/Payroll (Keka, Darwinbox, Zoho People): processes employee personal data, financial data, health data
- Customer support (Freshdesk, Zendesk, Intercom): processes customer communications, sometimes sensitive queries
- Cloud hosting (AWS, GCP, Azure): stores all of the above
Each of these is a data processing relationship that requires a DPDP-compliant contractual framework. Most companies have signed standard terms of service without any DPDP-specific provisions. That needs to change before May 2027.
The Pre-Procurement Checklist: 10 Questions to Ask Every Vendor
Before signing a new vendor or renewing an existing contract, evaluate the vendor against these 10 questions. A vendor that cannot answer these is a compliance risk.
Question 1: Where is personal data stored and processed? Why it matters: Section 16 lets the Central Government notify countries to which transfers of personal data are restricted. There is no approved list; the check is whether any of the vendor's hosting locations is on the notified restricted list. Sector rules can be stricter - the RBI's payment-data localisation directions, for example, apply to payment processors independently of Section 16. What to look for: Data residency documentation, server location disclosure (including backups, disaster-recovery sites and support staff locations), option for India-only data hosting.
Question 2: Does the vendor have a Data Processing Agreement (DPA) that addresses DPDP? Why it matters: GDPR DPAs are not sufficient for DPDP. The consent framework, lawful bases, and specific obligations differ. What to look for: A DPA that references the DPDP Act specifically, not just "applicable data protection laws."
Question 3: How does the vendor handle Data Principal rights requests? Why it matters: When a customer asks you to delete their data, you need the vendor to delete it from their systems too - within 7 days. What to look for: Documented process for handling access, correction and erasure requests relayed by Data Fiduciaries, with an SLA on response time that leaves you room to meet your own deadline.
Question 4: What are the vendor's breach notification commitments? Why it matters: You have 72 hours to notify the DPBI. If your vendor takes 5 days to tell you about a breach on their end, you have already missed the deadline. What to look for: Contractual commitment to notify you within 24 hours (maximum 48 hours) of the vendor detecting a breach affecting your data, with the clock running from detection, not from the vendor's own internal review. The notice should carry what your own DPBI notification needs: nature and extent of the breach, when it occurred, which data and Data Principals are affected, and the remedial measures taken.
Question 5: Does the vendor use sub-processors? Why it matters: Your vendor may outsource processing to other companies. Each sub-processor is an additional risk surface. What to look for: List of sub-processors, right to approve or reject new sub-processors, contractual flow-down of DPDP obligations.
Question 6: What security measures does the vendor implement? Why it matters: Section 8(5) requires the Data Fiduciary to protect personal data with "reasonable security safeguards", expressly including processing carried out on its behalf by a Data Processor. What to look for: Encryption at rest and in transit, access controls, logging, regular security assessments, SOC 2 or ISO 27001 certification. Ask for the SOC 2 Type II report or the ISO 27001 certificate with its statement of applicability, and confirm the scope actually covers the service and the region that will hold your data; a badge on the website is not evidence.
Question 7: How does the vendor handle data retention and deletion? Why it matters: Section 8(7) requires you to erase personal data once consent is withdrawn or the purpose is no longer being served (unless a law requires retention), and to cause your Data Processor to erase the data you made available to it. If your vendor retains data indefinitely in backups, you may be non-compliant. What to look for: Documented retention periods, automated deletion capabilities, a stated maximum backup rotation window after which deleted records are gone, certification of deletion upon contract termination.
Question 8: Does the vendor process children's data? Why it matters: If any of the data flowing through the vendor involves children (under 18), Section 9 applies: verifiable parental consent is required, and tracking, behavioural monitoring and targeted advertising directed at children are prohibited. What to look for: Age verification capabilities, ability to segregate children's data, ability to switch off tracking and profiling for that segment.
Question 9: Does the vendor use personal data for AI/ML training? Why it matters: Some SaaS vendors use customer data to train their models. If this is not disclosed in your privacy notice and consent framework, you are processing data beyond the consented purpose. What to look for: Clear documentation of whether customer data is used for model training, and an option to opt out. Read the terms of service as well as the DPA: training rights usually sit in "service improvement" or "aggregated data" clauses rather than under a heading that mentions AI.
Question 10: What audit rights do you have? Why it matters: You need the ability to verify your vendor's compliance claims. Without audit rights, you are relying on trust. What to look for: Right to audit (directly or through independent auditor), commitment to cooperate with regulatory investigations.
The Vendor Risk Tier Framework
Not every vendor carries the same risk. Prioritise your vendor compliance work by tier:
Tier 1 - High Risk: Vendors that process large volumes of personal data, process sensitive data (financial, health, biometric), or are critical to your core service. Examples: cloud hosting, payment processing, CRM, HR/payroll. Action: Full DPA with all DPDP clauses, annual compliance review, audit rights exercised at least once.
Tier 2 - Medium Risk: Vendors that process moderate volumes of personal data as part of business operations. Examples: email marketing, analytics, customer support, project management. Action: DPA with core DPDP clauses, annual self-certification from vendor, breach notification SLA.
Tier 3 - Low Risk: Vendors that process minimal personal data or only metadata. Examples: code repositories (if no customer data in code), design tools, internal communication tools (if no customer data discussed). Action: Standard contract review, confirm data processing scope, basic breach notification clause.
The Existing Vendor Remediation Plan
For vendors you already use:
Month 1: Inventory all vendors that process personal data. Classify by tier.
Month 2: Send DPA addendum to all Tier 1 vendors. Negotiate and sign.
Month 3: Send DPA addendum to Tier 2 vendors. Negotiate and sign.
Month 4: Review Tier 3 vendor contracts. Add basic clauses where needed.
Month 5: Verify Tier 1 vendor compliance (request evidence, exercise audit rights if needed).
Ongoing: Review vendor compliance annually. Re-assess tier classification when processing scope changes.
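The tier rules above and the Month 1 inventory can be kept as a small machine-checkable register rather than a spreadsheet column that drifts. The following is an added example, not ComplyDP's tooling or code from the original page. It applies the page's tier rules (sensitive data, large volume or core-service criticality gives Tier 1; moderate volume gives Tier 2; metadata only gives Tier 3), lists the open checklist questions per vendor, and re-tiers a vendor when its processing scope changes. The page gives no numbers for "large" and "moderate" volume, so the thresholds LARGE_VOLUME and MODERATE_VOLUME are assumptions, and the sample vendors are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

# Data categories the page treats as sensitive; any one of them alone puts a vendor in Tier 1.
SENSITIVE = frozenset({"financial", "health", "biometric"})
# ASSUMED thresholds: the page says "large" and "moderate" volume without giving numbers.
LARGE_VOLUME = 100_000
MODERATE_VOLUME = 1_000
# The page's recommended breach-notification SLA: 24 h target, 48 h ceiling.
MAX_BREACH_SLA_HOURS = 48


@dataclass(frozen=True)
class Vendor:
    """One row of the vendor register; the flags mirror the checklist questions."""
    name: str
    data_categories: frozenset            # e.g. {"contact", "financial"}; {"metadata"} alone is a Tier 3 candidate
    principals: int = 0                   # approximate number of Data Principals whose data the vendor sees
    core_service: bool = False            # vendor is critical to delivering your core service
    children: bool = False                # Q8: data of Data Principals under 18 flows through the vendor
    ai_training: Optional[bool] = None    # Q9: None means the vendor has not answered
    outside_india: bool = False           # Q1: data stored or processed outside India
    dpa_references_dpdp: bool = False     # Q2: DPA names the DPDP Act, not just "applicable law"
    breach_sla_hours: Optional[int] = None  # Q4: None means no contractual commitment
    subprocessors_listed: bool = False    # Q5: sub-processor list and approval right in place


def classify(v: Vendor) -> int:
    """Apply the page's tier rules; returns 1, 2 or 3."""
    personal = set(v.data_categories) - {"metadata"}
    if not personal:
        return 3
    if (personal & SENSITIVE) or v.principals >= LARGE_VOLUME or v.core_service:
        return 1
    if v.principals >= MODERATE_VOLUME:
        return 2
    return 3


TIER_ACTIONS = {
    1: ["full DPA with all DPDP clauses", "annual compliance review", "exercise audit rights at least once"],
    2: ["DPA with core DPDP clauses", "annual vendor self-certification", "breach notification SLA"],
    3: ["standard contract review", "confirm data processing scope", "basic breach notification clause"],
}


def open_items(v: Vendor) -> list:
    """Tier actions plus whichever checklist questions the vendor's answers leave open."""
    tier = classify(v)
    items = [f"tier {tier}: {action}" for action in TIER_ACTIONS[tier]]
    if v.outside_india:
        items.append("Q1: confirm the hosting country is not one notified as restricted under Section 16")
    if tier <= 2 and not v.dpa_references_dpdp:
        items.append("Q2: DPA does not reference the DPDP Act")
    if v.breach_sla_hours is None:
        items.append("Q4: no contractual breach notification commitment")
    elif tier <= 2 and v.breach_sla_hours > MAX_BREACH_SLA_HOURS:
        items.append(f"Q4: breach SLA of {v.breach_sla_hours} h exceeds the {MAX_BREACH_SLA_HOURS} h ceiling")
    if tier <= 2 and not v.subprocessors_listed:
        items.append("Q5: no sub-processor list or approval right")
    if v.children:
        items.append("Q8: children's data present; confirm no tracking or behavioural monitoring (Section 9)")
    if v.ai_training is None:
        items.append("Q9: vendor has not stated whether customer data trains its models")
    elif v.ai_training:
        items.append("Q9: vendor trains models on customer data; disclose the purpose or obtain an opt-out")
    return items


def reassess(v: Vendor, new_categories) -> tuple:
    """Re-tier a vendor whose processing scope changed; returns (old_tier, new_tier)."""
    return classify(v), classify(replace(v, data_categories=frozenset(new_categories)))


def build_register(vendors) -> list:
    """Rows of (tier, name, open_items), highest-risk first, for the Month 1 inventory."""
    rows = [(classify(v), v.name, open_items(v)) for v in vendors]
    return sorted(rows, key=lambda r: (r[0], r[1]))


# Constructed sample register: illustrative vendors, not real assessments of any product.
SAMPLE = [
    Vendor("CRM", frozenset({"contact"}), principals=50_000, core_service=True, ai_training=False,
           dpa_references_dpdp=True, breach_sla_hours=24, subprocessors_listed=True),
    Vendor("Payroll", frozenset({"contact", "financial", "health"}), principals=120, ai_training=False),
    Vendor("Project tool", frozenset({"contact"}), principals=5_000, ai_training=False),
    Vendor("Analytics", frozenset({"device_id", "behaviour"}), principals=200_000, children=True,
           outside_india=True, ai_training=True, breach_sla_hours=120),
    Vendor("Design tool", frozenset({"metadata"}), ai_training=False, breach_sla_hours=72),
]

if __name__ == "__main__":
    for tier, name, items in build_register(SAMPLE):
        print(f"Tier {tier}  {name}")
        for item in items:
            print(f"    - {item}")
```

Two design points worth noting. The sensitivity test is deliberately independent of volume: a payroll tool with 120 employees is Tier 1 because health and financial data flow through it, which is how the page's own examples fall out. And reassess() is what the "Ongoing" step means in practice - a code repository tiered 3 on day one becomes Tier 1 the moment someone commits a customer export containing health data, so the register should be re-run whenever the data categories for a vendor change, not once a year.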
What to Do When a Vendor Cannot Comply
Some vendors - particularly smaller SaaS tools or international platforms without India-specific operations - may not be able to meet DPDP requirements. Your options:
Option 1: Accept the risk. Document the risk, the mitigation measures you have in place, and the business justification. This is defensible if the risk is low and the mitigation is reasonable. Be clear about what it does not do: Section 8(1) keeps you accountable for the processor's processing irrespective of any agreement, so a risk acceptance records your decision but does not shift liability to the vendor.
Option 2: Negotiate harder. Push for specific contractual commitments even if the vendor does not have a standard DPA.
Option 3: Switch vendors. If a Tier 1 vendor cannot meet DPDP requirements, the compliance risk may outweigh the switching cost. Factor this into your budgeting.
Option 4: Bring the processing in-house. For some processing activities, eliminating the vendor entirely may be the most compliant approach.
Getting Started
ComplyDP's free Readiness Scan includes a vendor risk assessment as part of its 43-control diagnostic. It will flag which of your vendor relationships need immediate attention and which are lower priority. Start at complydp.com/scan - and bring your vendor list.