12 Mandatory DPA Clauses

Under DPDP Act Sections 8 and 9, a Data Processing Agreement with every vendor (Data Processor) must contain the following clauses. Missing any single clause creates a compliance gap.

Clause 1: Purpose Limitation — Data Processor shall process personal data only for the specific purposes defined by the Data Fiduciary and documented in the agreement.
Clause 2: Processing Instructions — Data Processor shall act only on documented instructions from the Data Fiduciary, including for cross-border transfers.
Clause 3: Confidentiality Obligation — All personnel with access to personal data must be bound by confidentiality agreements or statutory obligations.
Clause 4: Security Measures — Data Processor must implement reasonable security safeguards (technical and organisational) as prescribed under §8(4) of the DPDP Act.
Clause 5: Sub-Processor Restrictions — No sub-processing without prior written authorisation from the Data Fiduciary. Sub-processor must be bound by equivalent obligations.
Clause 6: Data Principal Rights Assistance — Data Processor must assist the Data Fiduciary in responding to Data Principal rights requests (access, correction, erasure) within prescribed timelines.
Clause 7: Breach Notification — Data Processor must notify the Data Fiduciary of any personal data breach without unreasonable delay, enabling the Fiduciary to meet its 72-hour reporting obligation to the Data Protection Board of India (DPBI).
Clause 8: Data Deletion on Termination — Upon contract termination or expiry, Data Processor must delete or return all personal data and provide a formal deletion certificate.
Clause 9: Audit & Inspection Rights — Data Fiduciary retains the right to audit the Data Processor's compliance with DPA obligations, including on-site inspection.
Clause 10: Data Localisation Declaration — Where applicable (BFSI, government), Data Processor must declare and maintain personal data within India unless exempted.
Clause 11: Indemnification — Data Processor indemnifies the Data Fiduciary for losses arising from the Processor's non-compliance with DPA obligations or data breaches caused by the Processor.
Clause 12: Compliance Evidence — Data Processor must provide evidence of compliance (certifications, audit reports, security assessments) upon request by the Data Fiduciary or regulatory authority.
Penalty Exposure

Under the DPDP Act, the Data Fiduciary remains liable for the actions of its Data Processors. Penalties can reach up to INR 250 crore per instance. DPA clauses are your contractual shield — ensure every clause is enforceable.

Sub-Processor Notification Mechanism

When your vendor engages sub-processors (sub-contractors who handle personal data), you need a structured notification and approval process.

DPA specifies whether a general or a specific authorisation model is used for sub-processors
Vendor maintains a register of all sub-processors with name, location, and processing activity
Written notification required at least 30 days before engaging a new sub-processor
Data Fiduciary retains the right to object to new sub-processor engagement
Sub-processor contract mirrors all DPA obligations (back-to-back flow-down)
Vendor remains fully liable for sub-processor's compliance failures
Annual review of sub-processor register with Data Fiduciary sign-off

RBI IT Outsourcing Overlay Clauses

For BFSI entities regulated by RBI, the DPA must include additional clauses from the RBI Master Directions on IT Outsourcing. These overlay the DPDP requirements.

RBI audit right — RBI (or its authorised representatives) can directly audit the vendor and sub-processors
Data residency — All customer data must be stored and processed in India (with mirroring permitted only to India-based data centres)
Business continuity — Vendor must maintain a tested BCP/DR plan with documented RPO and RTO
Exit management — Transition plan with minimum 6-month notice period and data migration support
Concentration risk — Disclosure of other BFSI clients to assess concentration risk at vendor level
Material outsourcing declaration — Classified and reported to RBI as per outsourcing policy

Data Deletion Certificate Requirements

On contract termination, the Data Processor must provide a formal deletion certificate. This is not optional — it is evidence for DPBI and RBI inspections.

Deletion certificate issued within 30 days of contract termination
Certificate specifies: data categories deleted, storage locations, deletion method, and date of deletion
Certificate covers all environments: production, staging, development, backups, and disaster recovery
Sub-processor deletion certificates obtained and attached as annexures
Certificate signed by an authorised officer of the Data Processor (not just a technical team member)
Retention of deletion certificate by Data Fiduciary for minimum 3 years post-termination
Verification audit right retained for 12 months post-deletion to confirm no residual data

Consent Management Flow-Down

Where the vendor collects or processes personal data on behalf of the Data Fiduciary, consent management obligations flow through the DPA.

Vendor's data collection interfaces display consent notices drafted or approved by the Data Fiduciary
Consent records (timestamp, purpose, scope) are maintained and accessible to the Data Fiduciary
Consent withdrawal mechanism available to Data Principals with same ease as consent grant
Vendor processes consent withdrawal requests within 7 days and confirms cessation of processing
Consent re-collection workflow defined for changes in processing purpose or scope
Children's data (<18 years) processing includes verifiable parental consent mechanism
Consent dashboard or API integration available for Data Fiduciary to monitor consent status
RiskSage Capability

RiskSage by CreativeCyber automates DPDP vendor DPA compliance — mandatory clause gap analysis across all vendor contracts, sub-processor register management, deletion certificate tracking, and consent management monitoring with automated alerts for non-compliant vendors.