DPDP Sections 8 and 9: The DPA Mandate
The Digital Personal Data Protection Act, 2023, does not use the phrase "Data Processing Agreement" anywhere in its text. Yet Sections 8 and 9 create exactly that obligation. Section 8 establishes that a Data Fiduciary may engage a Data Processor to process personal data on its behalf, but the Fiduciary remains fully liable for that processing. Section 9 requires the Fiduciary to ensure that the Processor processes the data only for the purpose for which it was collected, and that the Processor implements appropriate security safeguards.
In practical terms, every vendor contract that involves personal data — your cloud provider, your payroll SaaS, your KYC verification API, your customer support BPO — now requires a formal Data Processing Agreement that establishes purpose limitation, security obligations, breach notification duties, and data deletion requirements. The DPDP Act does not provide a grace period. If your vendor contracts were signed before the Act and lack these clauses, they are non-compliant today.
The Sub-Processor Chain Problem
The challenge compounds when your vendor engages their own vendors. Your cloud-hosted CRM provider uses a third-party email delivery service, which uses a sub-contracted infrastructure provider. Each link in this chain processes the same personal data that originated with your Data Principals. Under DPDP, the Data Fiduciary remains liable for the entire chain — even for processors they have never heard of and have no contractual relationship with.
This is the sub-processor problem, and it is where most organisations' vendor risk programmes have a structural gap. A DPA with your direct vendor is necessary but insufficient. You need contractual flow-down clauses that require your vendor to impose equivalent obligations on their sub-processors, maintain a current sub-processor list, notify you of changes, and ensure that every entity in the chain complies with the same purpose limitation and security requirements that bind you as the Fiduciary.
The 12 Mandatory DPA Clauses
While the DPDP Act does not prescribe a DPA template, the combined requirements of Sections 8, 9, and the forthcoming Rules create a minimum set of clauses that every DPA must contain. Based on the Act's requirements and RBI's overlapping expectations, the essential clauses are:
1. Purpose limitation: data processed only for the specified purpose.
2. Processing instructions: processor acts only on documented instructions.
3. Confidentiality obligations on processor personnel.
4. Security safeguards appropriate to the data type.
5. Sub-processor restrictions and flow-down.
6. Breach notification: processor to Fiduciary without undue delay.
7. Data deletion on termination, with certified evidence of deletion.
8. Audit and inspection rights.
9. Data localisation compliance.
10. Cross-border transfer restrictions.
11. Liability and indemnification.
12. Cooperation with the Data Protection Board during investigations.
Each of these clauses has operational consequences. Breach notification clauses without defined timelines are unenforceable. Deletion clauses without certificate requirements provide no evidence. Audit rights without scope and frequency definitions are never exercised. The DPA must be operationally specific, not legally generic.
RBI IT Outsourcing Overlap
For regulated financial institutions, the DPDP vendor risk obligation sits on top of RBI's existing IT Outsourcing framework. RBI's Master Direction on Information Technology Governance already requires audit rights over outsourced service providers, service continuity and business continuity planning, exit management with data handover, and data localisation for payment system data. The two frameworks are not duplicative — they are complementary. DPDP adds purpose limitation and data principal rights. RBI adds operational resilience and financial sector-specific controls.
Where they overlap is on audit rights and data localisation. A single contract clause can satisfy both requirements, but only if it is drafted with both frameworks in mind. Most legacy outsourcing agreements were drafted for RBI compliance alone and will need amendment to incorporate DPDP obligations. The risk of maintaining separate DPA and outsourcing agreements for the same vendor is inconsistency — and an inspector will find it.
What an RBI Inspector Actually Asks
When an RBI IT examination team arrives, the vendor risk conversation follows a predictable pattern. They ask for three things in sequence: the signed DPA for every vendor processing personal or financial data; the current sub-processor list with location and data type details; and deletion certificates from vendors whose contracts have terminated in the past 12 months. The organisations that struggle are not the ones lacking policies — they are the ones lacking evidence.
A signed DPA in a legal folder satisfies the first question. But the sub-processor list must be current — not the list from contract signing, but the list as of the inspection date. And deletion certificates must be specific: which data, what format, when deleted, by whom, and verified how. Organisations that have automated vendor lifecycle management — with live sub-processor registers and automated deletion tracking — answer these questions in minutes. Those relying on email chains and spreadsheets answer them in days, if at all.