The Contract That the DPDPA Mandates
Section 8(2) of the Digital Personal Data Protection Act, 2023, does not merely encourage contractual diligence between Data Fiduciaries and Data Processors. It mandates it. Every engagement of a vendor, cloud provider, analytics platform, or payroll service that processes personal data on behalf of a Fiduciary must be governed by a valid contract. The statutory liability is non-delegable — Section 8(1) holds the Fiduciary responsible irrespective of any agreement to the contrary. This architectural reality transforms the Data Processing Agreement from a legal formality into the single most important risk allocation instrument in the Indian data privacy ecosystem.
Why the DPA Is No Longer a Boilerplate Exercise
The DPDPA creates a liability architecture where the Data Fiduciary cannot contractually outsource its statutory accountability. The DPA must therefore be engineered as a risk management instrument, not a compliance checkbox.
Under the DPDPA, the relationship between a Data Fiduciary and its Data Processors is fundamentally asymmetric. The Fiduciary bears absolute statutory liability for every processing operation conducted on its behalf — including those it did not authorise, failed to oversee, or delegated through sub-processors it never vetted. Section 8(1) codifies this as a non-delegable obligation: the Fiduciary remains liable irrespective of any contractual indemnity, limitation clause, or risk-sharing arrangement.
This creates a commercial imperative that goes beyond legal compliance. Every Data Processing Agreement must function as a structural instrument that maps processing boundaries, enforces security standards aligned with Rule 6, establishes breach notification cascades that feed into the 72-hour regulatory window, governs sub-processor engagement, and provides audit rights that are operationally enforceable. The failure to architect these contracts correctly does not merely create legal exposure — it creates uninsurable risk.
Six Pillars of a DPDPA-Compliant DPA
The essential contractual architecture that every Data Processing Agreement must contain to satisfy Section 8(2) and protect the Fiduciary from regulatory exposure.
Purpose Limitation and Processing Scope
Section 8(2), Rule 6
The DPA must explicitly define processing boundaries — data categories, permitted purposes, retention periods, and prohibited uses. Processing beyond written instructions constitutes a Section 8 violation. This clause must specifically prohibit the processor from using data for AI model training, profiling, or secondary analytics without separate written authorisation.
Security Safeguard Obligations
Section 8(1), Rule 6(f)
Rule 6(f) requires the Fiduciary to contractually mandate reasonable security safeguards from every processor. The DPA must specify encryption standards (AES-256 at rest, TLS 1.3 in transit), role-based access controls, continuous audit logging retained for at least one year, and mandatory vulnerability assessment schedules. Ambiguous language invites Board scrutiny.
Breach Notification Cascade
Section 8(6), Rule 6
The 72-hour regulatory notification window starts when the Fiduciary becomes aware of a breach — not when the processor reports it. Operationally, the DPA must therefore mandate a 24-hour processor-to-fiduciary alert window, with each alert including breach categorisation, affected data categories, a preliminary impact assessment, and the mitigation steps already initiated.
Sub-Processor Governance
Section 8(2)-(3)
The DPA must prohibit sub-processor engagement without prior written authorisation from the Fiduciary. Every sub-processor must be bound by flow-down obligations that are at least as protective as the primary DPA. The processor remains fully liable for sub-processor acts and omissions — and this liability must be explicitly documented in the contract.
Audit Rights and Compliance Verification
Section 8(2), Rule 6
The Fiduciary must retain contractual rights to conduct annual compliance audits — including on-site inspections or third-party assessments (SOC 2, ISO 27001). The DPA must mandate that the processor produces audit evidence within defined timelines and cooperates fully with any Data Protection Board investigation.
Data Erasure and Termination Protocols
Section 8(7), Rule 8
Upon contract termination or purpose fulfilment, the processor must either return data in a structured, portable format or certify its permanent destruction using NIST-compliant methods. Backup systems must be included in the deletion scope. The processor must provide a written Certificate of Destruction within a contractually specified period — typically 30 to 60 days.
The Liability Sandwich: Why Risk Allocation Matters
The DPDPA establishes what practitioners describe as a liability sandwich. The Data Fiduciary faces direct regulatory liability from the Data Protection Board — penalties, investigations, remediation orders. Simultaneously, it must recover losses from processors through contractual indemnities that may be capped, qualified, or commercially inadequate. This gap between statutory exposure and contractual protection is where organisations experience the most acute financial risk.

The DPA is the only instrument that bridges this gap. Liability caps must align with realistic penalty exposure. Indemnities must be linked to causation and operational control rather than serving as blanket risk-transfer mechanisms. Cyber insurance coverage must be integrated with contractual risk allocation so that policy limits cover the specific scenarios the DPA contemplates.

Foreign companies entering India often discover that their global DPA templates — designed for GDPR or CCPA environments — contain structural gaps when measured against the DPDPA. The absence of a joint controller concept, the non-delegable liability framework, and the specific requirements of the DPDP Rules 2025 mean that a purpose-built Indian DPA is not optional. It is a regulatory prerequisite.
The contract is the compliance. Under the DPDPA, a Data Fiduciary without a structurally sound Data Processing Agreement does not have a compliance programme — it has an exposure.
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
Is a Data Processing Agreement mandatory under the DPDPA?
Yes. Section 8(2) of the DPDPA explicitly requires that every Data Fiduciary engage a Data Processor only under a valid contract. This applies to all vendors, cloud providers, analytics platforms, and any entity processing personal data on the Fiduciary's behalf. Informal arrangements, verbal agreements, or reliance on vendor Terms of Service do not satisfy this requirement.
Can a Data Fiduciary limit its liability through the DPA?
No. Section 8(1) establishes that the Data Fiduciary remains liable for compliance irrespective of any agreement to the contrary. While the DPA can allocate commercial risk and establish indemnity mechanisms between the Fiduciary and Processor, it cannot limit the Fiduciary's statutory liability to the Data Protection Board or affected Data Principals.
What security standards must be specified in the DPA?
Rule 6(f) of the DPDP Rules 2025 requires the Fiduciary to contractually mandate reasonable security safeguards. Best practice includes specifying encryption standards (AES-256 at rest, TLS 1.3 in transit), role-based access controls, audit log retention for at least 12 months, mandatory vulnerability assessments, and incident response procedures.
How does the DPA requirement affect foreign companies with Indian vendors?
Foreign companies that qualify as Data Fiduciaries under the DPDPA's extraterritorial provisions must ensure that their Indian vendor contracts comply with Section 8(2). Global DPA templates designed for GDPR or CCPA often contain structural gaps — including the absence of non-delegable liability provisions, specific Rule 6 security mandates, and the 72-hour breach notification cascade required under Indian law.
Get Your DPDPA-Compliant DPA Architecture
Our DPA Compliance Toolkit includes a Section 8(2) gap analysis framework, clause-by-clause drafting guidance aligned with the DPDP Rules 2025, sub-processor governance templates, and a breach notification cascade protocol — engineered for foreign companies operating in India.
From Awareness to Implementation
Understanding the requirement is the first step. Building the operational infrastructure to meet it, under scrutiny, is the work that follows.