Comply DP

Vendor & Processor Risk

Your vendors process your customers' data. Under DPDP, their compliance gaps are your liability.

The problem

Under Section 8(2) of the DPDP Act, you - the Data Fiduciary - remain accountable for what your Data Processors do with personal data. If your payment processor suffers a breach, the DPBI comes to you. If your email marketing tool uses customer data beyond the consented purposes, you are in violation.

The average mid-market company uses 15-40 SaaS tools that process personal data: CRM, analytics, email marketing, payment processing, HR/payroll, customer support, cloud hosting, and more. Each of these is a data processing relationship that requires a DPDP-compliant Data Processing Agreement.

Most companies have signed standard terms of service with these vendors - terms that were written for GDPR or for no specific regulation at all. Those terms do not address DPDP's specific requirements: the 72-hour breach notification to the DPBI (your vendor needs to tell you fast enough for you to report on time), the 7-day erasure timeline (your vendor needs to delete data when you tell them to), the cross-border transfer restrictions (you need to know where your vendor stores data and whether those jurisdictions are permitted), and the prohibition on using data beyond consented purposes (your vendor cannot use your customers' data for their own model training without disclosure).

The gap between "we use Razorpay and Mixpanel" and "we have auditable DPAs with Razorpay and Mixpanel that address DPDP-specific obligations" is the gap the DPBI will investigate.

What ComplyDP does

Vendor register

A centralised register of every vendor that processes personal data on your behalf. Classified by risk tier (high/medium/low), with processing scope, data categories, storage locations, and DPA status tracked for each.

DPA template library

Pre-built Data Processing Agreement templates and addendum clauses specifically drafted for DPDP compliance. They cover breach notification SLAs, deletion obligations, sub-processor controls, cross-border transfers, and audit rights, and can be customised for each vendor relationship.

Sub-processor tracking

Track your vendors' sub-processors - the companies your vendors share data with. Maintain a chain-of-processing view and get alerted when a vendor adds a new sub-processor that may affect your compliance posture.

Compliance status dashboard

See which vendors have signed DPAs, which are pending, and which have gaps. Track breach notification SLA commitments, deletion capability confirmations, and cross-border transfer documentation across your entire vendor portfolio.

Audit evidence pack

When the DPBI asks how you manage processor risk, export a complete vendor compliance report: register, DPA status, sub-processor list, risk classifications, and evidence of due diligence.

How it works

  1. Inventory your vendors

     List every tool, platform, and partner that processes personal data. ComplyDP provides a starter list of 50+ common SaaS tools to ensure nothing is missed.

  2. Classify by risk

     Assign each vendor to a risk tier based on data volume, data sensitivity, and criticality. High-risk vendors get full DPA treatment; low-risk vendors get standard clauses.

  3. Deploy DPAs

     Use ComplyDP's templates to generate DPA addendums for each vendor. Track which vendors have signed, which are negotiating, and which need escalation.

  4. Monitor and update

     Review vendor compliance annually. Track sub-processor changes. Update risk classifications when processing scope changes. Export audit-ready reports on demand.

What the Act requires

Section - Requirement

Section 8(2) - Data Fiduciary remains accountable even when processing is done by a Data Processor
Section 8(4) - Reasonable security safeguards must extend to processor relationships
Section 8(6) - Breach notification within 72 hours - requires processors to notify you promptly
Section 16 - Cross-border transfers only to permitted jurisdictions - requires knowing where processors store data
Rule 15 - Documentation of cross-border transfer safeguards

Frequently asked questions

What should be in vendor (processor) contracts?

At minimum: scope of processing, security safeguard requirements, breach notification timeline (24-48 hours to give you time for 72-hour DPBI notification), deletion obligations upon contract termination, sub-processor disclosure and approval rights, audit rights, cross-border transfer documentation, and indemnification for processor-caused non-compliance.

Can we transfer personal data outside India?

Yes, to countries or territories not restricted by the Central Government under Section 16. The government has not yet published the restricted list. Until it does, document where data goes and ensure contractual safeguards are in place with every international processor.

What is a 'Consent Manager'? Is it mandatory?

A Consent Manager is a registered intermediary that manages consent on behalf of Data Principals. Registration opens November 2026. It is not mandatory to use one, but your consent infrastructure must be compatible with registered Consent Managers when they become operational.

Do processors have breach duties too?

The Act places breach notification obligations on the Data Fiduciary, not the processor directly. But as a practical matter, your processor must notify you of breaches fast enough for you to meet the 72-hour DPBI deadline. This must be a contractual obligation in your DPA.

Find out where you stand

10-minute diagnostic. 43 controls. No demo call required.