The processor agreement: what to sign with every vendor
Couriers, payment gateways, CRMs, email tools - each one processes your customers' data on your behalf, and the DPDP Act makes YOU answerable for them. The starter checklist to get signatures on.
- Who this is for
- Owners and ops leads who sign vendor contracts
- What you leave with
- A clause-by-clause starter you can send to vendors today
Section 8(2) of the DPDP Act is blunt: a Data Fiduciary may engage a Data Processor only under a valid contract. Your courier, payment gateway, CRM, analytics tool, WhatsApp marketing platform, and hosting provider are all processors - and if one of them leaks your customers' data, the Data Protection Board comes to you, not them. The contract is how you push obligations down the chain.
Where do you get one?
Three routes, in order of effort. First: most large vendors (payment gateways, cloud providers, courier aggregators) already publish a Data Processing Agreement or DPA - search their site for DPA or ask support to countersign theirs. Second: for smaller vendors without one, send them the checklist below as an addendum to your existing agreement. Third: for anything high-risk (health data, financial data, children), have counsel draft from scratch.
The clauses that must be in it
Whichever route you take, check the document covers these ten points:
- Scope and purpose - exactly what personal data the vendor receives and the only purposes they may use it for. No purpose, no processing.
- No independent use - the vendor must not use your customers' data for their own products, analytics, or AI training.
- Security safeguards - encryption in transit and at rest, access controls, and the vendor's duty to maintain them (Section 8(5) flows down).
- Breach notification to YOU - the vendor must tell you fast enough that you can meet your own 72-hour detailed report to the Board (Rule 7). Put hours in writing, not 'promptly'.
- Sub-processors - who else they hand data to, and your right to know when that list changes.
- Erasure on exit - when the contract ends or you ask, they delete and confirm deletion (Section 8(7)).
- Assistance with rights - if your customer asks you for correction or erasure, the vendor helps within a stated time.
- Location of data - where it is stored and processed, so your notice tells the truth.
- Audit or attestation - the right to ask for their security certifications or an annual confirmation.
- Liability - who pays what when the failure is theirs.
The two-line email that starts it
Send this to every vendor handling personal data: "Under India's DPDP Act we need a data processing agreement in place before 13 May 2027. Please share your standard DPA, or confirm you will countersign our addendum covering security, breach notification, sub-processors, and deletion." Vendors that refuse to sign anything are telling you something important.
Track which vendors have signed in a simple sheet - that inventory is also the processor disclosure your privacy notice needs. And as always: this checklist gets you to a strong draft fast, and your counsel makes it final.
See where your website stands
Free readiness check in about a minute. No card, no signup, no code to install.