Data Processing Agreement under India's Digital Personal Data Protection Act (DPDPA)

A Data Processing Agreement under the DPDPA documents the written instructions from the Data Fiduciary to the Data Processor, defines scope and limitations of processing, sets security and sub-processing controls, and establishes audit, cooperation and deletion obligations. The DPA serves as contract-level evidence of accountability and supports regulatory inquiries.


What Is a DPDPA Data Processing Agreement?

A Data Processing Agreement (DPA) under the DPDPA is a written contract between a Data Fiduciary and a Data Processor that defines the scope, instructions, obligations, and safeguards for processing personal data on the Fiduciary's behalf. Section 8(2) of the Act permits a Data Fiduciary to engage a Data Processor only under a valid contract; the DPA is that contract. It establishes clear accountability, ensures lawful processing, protects Data Principals' rights, and creates an audit trail for inquiries by the Data Protection Board of India (DPBI).

Regulatory Status (October 2025): The DPDP Rules 2025 are pending final notification. Current provisions in the Act set the general framework; specific DPA requirements for different categories of Data Fiduciaries may be clarified upon rule notification.

Data Fiduciary vs. Data Processor

Data Fiduciary

  • Determines purposes and means of processing
  • Obtains consent or relies on legitimate uses
  • Bears primary accountability to Data Principals and DPBI
  • Issues written instructions to Processors via DPA
  • Monitors Processor compliance and safeguards

Data Processor

  • Processes data only per Fiduciary's written instructions
  • Implements reasonable security safeguards
  • Assists Fiduciary with Data Principal requests and audits
  • Notifies Fiduciary of breaches and compliance issues
  • Deletes or returns data upon contract termination

Essential DPA Clauses (DPDPA)

Scope & Instructions

  • Processing purposes, data categories, duration
  • Specific written instructions and limitations
  • Prohibition on processing beyond scope

Security & Confidentiality

  • Technical and organizational measures
  • Staff confidentiality obligations
  • Breach notification procedures

Sub-Processing

  • Prior written authorization required
  • Flow-down obligations to sub-processors
  • Processor remains liable for sub-processors

Data Principal Rights

  • Assistance with access, correction, erasure requests
  • Support for grievance redressal
  • Response timelines and escalation paths

Audit & Compliance

  • Fiduciary's right to audit and inspect
  • Documentation and evidence provision
  • Cooperation with DPBI inquiries

Data Return & Deletion

  • Return or deletion upon termination
  • Certification of deletion
  • Retention only if legally required

Sub-Processor Management

When a Data Processor engages sub-processors (e.g., cloud hosting, analytics), the DPA must address authorization, liability, and flow-down obligations. Recommended practices include:

Authorization Models

  • Specific Authorization: Fiduciary approves each sub-processor by name
  • General Authorization: Fiduciary consents to categories; Processor provides list and notifies changes

Flow-Down & Liability

  • Sub-processor DPA mirrors obligations
  • Processor remains fully liable to Fiduciary
  • Audit rights extend through chain

Security Obligations & Standards

Section 8(5) of the DPDPA requires the Data Fiduciary to protect personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking "reasonable security safeguards" to prevent personal data breaches. The statutory duty sits with the Fiduciary, so the DPA is the instrument that passes it down to the Processor. DPAs should specify:

Technical Safeguards

  • Encryption in transit and at rest
  • Least-privilege access controls and multi-factor authentication (MFA)
  • Regular security patches and updates
  • Network segmentation and firewalls

Organizational Safeguards

  • Staff training on data protection
  • Background checks and NDAs
  • Policies, SOPs, and incident response plans
  • Regular risk assessments

Monitoring & Logging

  • Activity logs and audit trails
  • Intrusion detection systems
  • Regular security testing and scans
  • Backup and disaster recovery

Breach Notification & Incident Response

The Processor must report personal data breaches to the Data Fiduciary without undue delay, because the statutory duty to intimate the DPBI and each affected Data Principal (Section 8(6)) rests with the Fiduciary, and the Fiduciary cannot discharge it without prompt notice from the Processor. DPAs should define clear protocols:

Processor's Obligations

  • Notification to the Fiduciary without undue delay, triggered on discovery rather than on completion of the Processor's own investigation
  • Details: nature, scope, affected data, potential impact
  • Mitigation steps taken and recommended actions
  • Full cooperation in investigation and remediation

Fiduciary's Response

  • Assess impact on Data Principals
  • Intimate each affected Data Principal in the prescribed form and manner
  • Intimate the DPBI (Section 8(6) sets no materiality threshold; every personal data breach must be reported)
  • Implement corrective measures

Note: Specific notification timelines may be prescribed in the DPDP Rules upon final notification. The DPA should set objective notification triggers and time-bound remediation procedures aligned with regulatory requirements.

Contract Lifecycle & Termination

Term & Renewal

Define processing duration aligned with service term; auto-renewal clauses should reference updated compliance requirements

Amendment Rights

Allow Fiduciary to update instructions for legal/regulatory changes; require written change process

Termination & Data Fate

Upon termination: return data in structured format OR certify secure deletion (with exceptions for legal holds)

Cross-Border Data Transfers

When personal data leaves India, DPAs must address cross-border safeguards:

Current Position (October 2025): Under Section 16 of the DPDPA, cross-border transfers are generally permitted except to countries or territories restricted by Central Government notification (a negative list/blacklist approach). Section 16(2) preserves any Indian law that imposes a higher degree of protection or stricter transfer restrictions, so sectoral localization requirements (for example RBI's payment data storage directions) continue to apply. Final rules on transfer mechanisms and safeguards are pending notification. DPAs should include conditional wording to update obligations upon notification of restrictions.

Transfer Framework

  • Transfers permitted except to restricted countries or territories
  • Central Government may notify restricted destinations
  • Stricter sectoral localization laws continue to apply (Section 16(2))
  • Rules on transfer mechanisms awaited

DPA Provisions

  • List of countries/regions where data is processed
  • Additional safeguards (encryption, pseudonymization)
  • Handling of foreign government or law-enforcement access requests (notification to the Fiduciary, challenge where lawful, disclosure limited to what is compelled)
  • Flexibility clauses to incorporate future requirements

Significant Data Fiduciary (SDF) Considerations

Organizations notified as Significant Data Fiduciaries under Section 10 of the DPDPA face heightened obligations, including appointing a Data Protection Officer based in India, appointing an independent data auditor, and undertaking periodic Data Protection Impact Assessments and audits. DPAs supporting SDF relationships should enable:

Enhanced Governance

  • Periodic Data Protection Impact Assessments (DPIAs)
  • Regular compliance audits and assessments
  • Data Protection Officer (DPO) liaison protocols

Documentation Requirements

  • Comprehensive record of processing activities
  • Audit trail maintenance and evidence packs
  • Processing instructions with version control

Reporting Obligations

  • Timely breach reporting to DPBI
  • Periodic compliance reporting
  • Processor cooperation for regulatory inquiries

Sector-Specific DPA Considerations

FinTech / BFSI

  • RBI guidelines on outsourcing and data localization
  • Transaction monitoring and fraud detection clauses
  • Extended retention for regulatory records

Health / MedTech

  • Heightened security for health data
  • Interoperability with ABDM (Ayushman Bharat Digital Mission)
  • Safeguards for sensitive health information

SaaS / Cloud

  • Multi-tenant isolation and access controls
  • Data residency commitments (India-specific)
  • Sub-processor transparency and change notifications

DPA Schedules & Documentation

A comprehensive DPA includes detailed schedules that specify processing parameters and obligations:

Schedule A – Processing Details

  • Processing purposes and lawful basis
  • Data categories and Data Principal categories
  • Processing operations and duration
  • Processing locations and data residency

Schedule B – Security Measures

  • Technical controls (encryption, access controls)
  • Organizational controls (training, policies)
  • Certifications and compliance frameworks
  • Incident response and breach notification procedures

Schedule C – Sub-Processor Register

  • List of authorized sub-processors
  • Processing activities performed by each
  • Location and jurisdiction
  • Change notification protocol

Schedule D – Audit Protocol

  • Audit frequency and notice period
  • Scope and methodology
  • Confidentiality and access restrictions
  • Remediation windows and corrective actions

DPA Implementation Checklist

Pre-Execution

  • Map all processor relationships and data flows
  • Conduct vendor due diligence (security, certifications)
  • Define processing purposes and instructions precisely
  • Prepare schedules: data categories, retention, sub-processors

Post-Execution

  • Maintain central DPA repository
  • Monitor compliance and conduct periodic audits
  • Review and update DPAs annually or upon changes
  • Train procurement and legal teams on DPA requirements

Frequently Asked Questions

Is a written DPA mandatory under DPDPA?

Section 8(2) of the Act allows a Data Fiduciary to engage a Data Processor only under a valid contract, but the Act does not prescribe the form or content of that contract. A written DPA is therefore the practical way to evidence the contract and demonstrate accountability. The DPDP Rules 2025 are pending final notification as of October 2025, which may clarify specific requirements for different categories of Data Fiduciaries.

Can we use a vendor's standard DPA?

Review vendor templates carefully—they may not fully align with DPDPA requirements or your organization's risk profile. Negotiate India-specific clauses, audit rights, and ensure compliance with DPDPA obligations.

What if our processor is outside India?

Ensure the DPA includes cross-border safeguards. Under Section 16 of the DPDPA, transfers are generally permitted except to countries or territories restricted by Central Government notification, while stricter sectoral localization laws continue to apply. Include conditional wording to update obligations upon notification of restrictions, list the jurisdictions where data is processed, and address foreign law enforcement access.

How often should DPAs be reviewed?

Annually, or whenever there's a material change in processing activities, regulatory requirements, or vendor capabilities. Update DPAs upon notification of new DPDP Rules or changes in transfer restrictions.
