The DPDPA fundamentally reconfigures the vendor-processor relationship by imposing direct statutory obligations that transcend contractual arrangements. Section 8(2) establishes that processors must act exclusively within fiduciary instructions, while Section 8(3) requires processors to delete personal data upon cessation of the processing purpose. Rule 6 of the DPDP Rules 2025 operationalises these obligations with specific contractual and technical requirements. For organisations managing extensive vendor ecosystems — technology providers, cloud platforms, analytics partners, BPO operations — the compliance surface area multiplies with each processor relationship. This analysis maps the complete obligation architecture from contract formation through ongoing oversight to relationship termination.
Statutory Processor Obligations Under Section 8
The DPDPA departs from a purely contractual model of processor governance by establishing direct statutory obligations. Section 8(2) mandates that processors act solely within fiduciary instructions — this is not a contractual covenant but a statutory command that applies regardless of what the processor agreement states. Section 8(3) creates an independent deletion obligation: upon cessation of the purpose or withdrawal of consent, the processor must delete personal data unless retention is required by law. These provisions mean that a processor cannot rely on contractual carve-outs to justify unauthorised processing or retention. The Data Fiduciary remains accountable under Section 8(1) for ensuring processor compliance, creating a dual accountability structure. From a practical standpoint, this means vendor selection is no longer purely a procurement decision — it is a compliance decision with direct penalty implications under Section 33.
Key Points
- Section 8(2) imposes direct statutory obligations on processors
- Processor must act solely within fiduciary instructions
- Section 8(3) mandates deletion on purpose cessation
- Fiduciary remains accountable for processor compliance under Section 8(1)
Rule 6: Contractual and Technical Requirements
Rule 6 of the DPDP Rules 2025 translates the statutory obligations into operational requirements. Processor agreements must include: defined processing purposes and scope, technical and organisational security measures, obligations regarding sub-processing, breach notification requirements aligned with Section 8(6) and Rule 7, data return and deletion procedures, and audit or inspection rights. The contractual requirements under Rule 6 are minimum standards — organisations cannot contract below them. Critically, Rule 6 also addresses the sub-processor chain: where a processor engages another processor, the original fiduciary's instructions and obligations flow through the chain. This creates a cascade of accountability that requires organisations to maintain visibility beyond their direct vendor relationships. Existing vendor contracts that pre-date the DPDPA must be reviewed and amended to incorporate these mandatory provisions. Legacy contracts that rely on general confidentiality clauses or industry-standard security terms are insufficient under the DPDP Rules framework.
Key Points
- Rule 6 prescribes minimum contractual standards
- Sub-processor obligations flow through the processing chain
- Breach notification alignment with Section 8(6) and Rule 7 required
- Legacy contracts require mandatory amendment
Vendor Risk Assessment and Ongoing Oversight
Compliance-mature organisations must implement a vendor risk assessment framework calibrated to DPDPA requirements. This framework should evaluate: (a) the volume and sensitivity of personal data processed; (b) the processor's technical security posture against the reasonable security safeguards standard under Section 8(5) and Rule 6; (c) cross-border transfer exposure under Section 16; (d) sub-processing arrangements and their compliance implications; and (e) breach response capability, given the 72-hour notification obligation under Rule 7. Ongoing oversight is not optional — the fiduciary's accountability under Section 8(1) requires continuous assurance that processor operations remain within statutory boundaries. This means periodic audits, real-time security monitoring where technically feasible, and documented processor performance reviews. The cost of this oversight must be factored into vendor economics: a cheaper processor with weaker compliance infrastructure may generate significantly higher total cost when breach remediation and regulatory penalties are included.
Key Points
- Vendor risk assessment must calibrate to DPDPA-specific requirements
- Cross-border transfer exposure under Section 16 requires evaluation
- Fiduciary accountability requires continuous processor oversight
- Total vendor cost must include compliance and breach remediation
Relationship Termination and Data Lifecycle Closure
Vendor relationship termination under the DPDPA triggers specific obligations that extend beyond conventional offboarding. Section 8(3) requires deletion of personal data upon purpose cessation, and this obligation survives contract termination. The processor must certify complete deletion — including backups, disaster recovery copies, and data in sub-processor environments. Organisations must establish contractually enforceable deletion verification procedures: technical logs showing deletion execution, written certification from the processor, and, for high-risk processing, independent verification by a qualified assessor. The data return process must account for format compatibility, completeness verification, and secure transfer protocols. Failure to manage the termination process creates residual compliance exposure: personal data remaining in former processor environments represents an ongoing obligation that the fiduciary cannot discharge through contract termination alone.
Key Points
- Deletion obligation under Section 8(3) survives contract termination
- Processor must certify complete deletion including backups
- Independent deletion verification recommended for high-risk processing
- Residual data in former processor environments creates ongoing exposure
Key Takeaways
- DPDPA Section 8(2) imposes direct statutory obligations on processors that transcend contractual arrangements
- Rule 6 establishes minimum contractual standards that cannot be contracted below
- Sub-processor accountability cascades through the processing chain to the original fiduciary
- Vendor selection under DPDPA is a compliance decision with direct penalty implications
- Continuous oversight is required under Section 8(1) fiduciary accountability
- Relationship termination triggers deletion obligations that survive contract cessation
