
Your accountability does not end at your vendor’s door.
Under Section 8, you remain accountable for personal data even when a processor handles it. The contract is the only instrument that flows that accountability down the chain. AMLEGALS drafts DPDPA data processing agreements, sub-processor terms, cross-border clauses and vendor schedules that hold — aligned to the Act and the DPDP Rules, 2025.
Accountability Anchor
Cross-Border Terms
Sub-Processor Flow-Down
Drafted & Negotiated
The Contract Is Where DPDPA Liability Is Won or Lost
Most personal data does not stay inside the organisation that collects it. It moves to payroll providers, cloud platforms, analytics vendors, marketing tools and their sub-processors. DPDPA does not let your accountability move with it — under Section 8, you answer for what your processors do.
The data processing agreement is therefore not boilerplate at the back of a contract. It is the mechanism that converts your accountability into the processor’s enforceable obligation. When it is weak, generic, or missing, a vendor’s breach becomes your penalty under the Schedule.
You can outsource the processing. You cannot outsource the accountability. The contract is the only place you can allocate the risk — so it has to be drafted as if it will be tested.
DPDPA Contracts We Draft
Data Processing Agreement (DPA)
The core controller-processor agreement that binds your processor to act only on instructions, apply reasonable security safeguards, assist with rights and breach obligations, and accept liability — the instrument through which you discharge your accountability.
- Purpose and scope limitation
- Processing on instruction only
- Security safeguards
- Liability and indemnity
Sub-Processor Terms
Back-to-back terms ensuring every sub-processor in the chain is bound by obligations equivalent to your primary processor agreement, with approval and flow-down controls.
- Equivalent obligations
- Approval controls
- Flow-down terms
- Chain visibility
Cross-Border Transfer Clauses
Contractual provisions for international data flows under DPDPA’s transfer model, including monitoring of restricted territories and alignment with any sectoral localisation requirements.
- Transfer mechanism
- Restricted-territory monitoring
- Localisation alignment
- Intra-group terms
Rights & Breach Cooperation
Clauses obliging the processor to assist with Data Principal rights requests and to cooperate on personal data breach notification within the timelines you must meet to the Board.
- Rights-request assistance
- Breach notification cooperation
- Notification timelines
- Evidence support
Vendor & SaaS Privacy Schedules
Privacy schedules and addenda for vendor, SaaS and cloud agreements that retrofit DPDPA obligations into existing commercial contracts without renegotiating the whole relationship.
- DPDPA addendum
- SaaS privacy schedule
- Cloud terms alignment
- Retrofit to existing MSAs
Contract Review & Remediation
Review of your existing contract estate to identify DPDPA gaps, prioritise remediation, and provide negotiation positions for high-risk processor and vendor relationships.
- Contract estate review
- Gap identification
- Remediation priority
- Negotiation positions
Request DPDPA Contract Drafting
Tell us about your vendor and processor relationships. A senior practitioner will respond within one working day.
What practitioners and boards are asking
What contracts are required for DPDPA compliance?
The core instrument is the Data Processing Agreement between Data Fiduciary and Data Processor, mandated because Section 8(2) requires processing by a processor to be under a valid contract. A complete contract set also includes sub-processor flow-down agreements, cross-border transfer clauses addressing Section 16, Data Principal rights and breach-cooperation provisions, and DPDPA schedules within vendor and SaaS master agreements. Existing contracts should be reviewed and retrofitted with DPDPA addenda.
What must a DPDPA Data Processing Agreement contain?
A DPDPA DPA should define the scope, purpose and duration of processing; restrict the processor to documented instructions; impose reasonable security safeguards mirroring Section 8(4); require breach notification to the Fiduciary within a timeframe that lets the Fiduciary meet its own Section 8(6) and Rule 7 obligations; govern sub-processor engagement and flow-down; provide for assistance with Data Principal rights; and require deletion or return of data on termination consistent with the storage-limitation principle.
Does the DPDPA require contracts with data processors?
Yes. Section 8(2) provides that a Data Fiduciary may engage a Data Processor to process personal data only under a valid contract. The absence of a compliant processor contract is itself a compliance failure that exposes the Fiduciary, which remains accountable for the processor’s acts, to penalties under the Schedule.
How are cross-border data transfers handled in DPDPA contracts?
Section 16 permits transfer of personal data outside India except to countries or territories that the Central Government restricts by notification — a negative-list model rather than the adequacy or SCC regime of the GDPR. Contracts should therefore include a transfer clause that tracks the restricted-territory list, allocates responsibility for monitoring changes, and preserves the full DPDPA obligation set wherever the data is processed, including breach cooperation and Data Principal rights support.