Data Processing Agreement India — DPDP Act Template, Clauses & Compliance Guide 2026

Last verified: April 2026

A Data Processing Agreement (DPA) is now mandatory for every Indian business that outsources personal data handling to a third party. The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, fully operationalising the Digital Personal Data Protection Act, 2023. Together, the Act and Rules form a citizen-centred framework for responsible use of digital personal data.

Section 8(2) of the DPDP Act requires Data Fiduciaries to engage Data Processors “only under a valid contract.” Without this contract, you face penalties up to ₹250 crore per breach. The catch: the Act does not prescribe specific DPA clauses. It mandates the contract but leaves the drafting to you.

The DPDP Rules 2025 fill critical gaps. Rule 6 specifies minimum security safeguards. Rule 7 sets breach notification requirements. Rule 8 introduces mandatory data erasure timelines. Rule 6(f) explicitly requires contractual flow-down of security obligations to processors. These Rules roll out in phases — with full substantive obligations kicking in by May 2027.

This guide gives you everything you need. A clause-by-clause walkthrough, ready-to-adapt template language, a penalty matrix, the phased compliance timeline, and the exemptions that might apply to your organisation. Whether you are a startup processing customer data or a listed company managing employee records through an HR vendor, this is your complete DPA drafting resource for 2026.

What Is a Data Processing Agreement Under the DPDP Act

A Data Processing Agreement is a legally binding contract between a Data Fiduciary (the organisation that determines why and how personal data is processed) and a Data Processor (the third party that processes data on the Fiduciary’s behalf). Under the DPDP Act 2023, this contract is not optional — it is a statutory requirement.

Section 8(2) states clearly: a Data Fiduciary may engage a Data Processor to process personal data on its behalf “only under a valid contract.” The word “only” leaves no room for informal arrangements, verbal agreements, or unsigned terms of service.

How a DPA Differs from an NDA or Service Agreement

Many businesses confuse DPAs with NDAs or general service agreements. They serve fundamentally different purposes.

An NDA protects confidential business information. A service agreement governs the commercial terms of the engagement. A DPA specifically governs how personal data is processed, stored, secured, and deleted.

Here is the critical difference. An NDA breach leads to commercial damages. A DPA failure under the DPDP Act triggers regulatory penalties up to ₹250 crore, imposed directly by the Data Protection Board of India (DPBI), not through civil courts.

| Feature | NDA | Service Agreement | Data Processing Agreement |
|---|---|---|---|
| Legal basis | Indian Contract Act, 1872 | Indian Contract Act, 1872 | DPDP Act 2023, Section 8(2) |
| Protects | Confidential business info | Commercial interests | Personal data of Data Principals |
| Regulatory backing | None | None | DPBI enforcement + penalties |
| Penalty for breach | Contractual damages | Contractual damages | Up to ₹250 crore per violation |
| Mandatory? | No | Depends on engagement | Yes, Section 8(2) mandate |

Who Needs to Sign a DPA

Every organisation that shares personal data with a vendor, contractor, or service provider needs a DPA. Common scenarios include:

  • Companies using cloud hosting providers (AWS, Azure, Indian cloud services)
  • Businesses outsourcing payroll processing to HR service providers
  • E-commerce companies sharing customer data with logistics partners
  • Hospitals sharing patient records with diagnostic labs or IT vendors
  • Law firms using legal tech platforms that process client data

The Data Fiduciary (your organisation) signs as the controller. The Data Processor (your vendor) signs as the processor. Both parties bear obligations, but the Fiduciary carries ultimate liability under Section 8(1).

Why Every Indian Business Needs a DPA Now

The DPDP Act changed one fundamental rule: liability cannot be outsourced. Section 8(1) creates what lawyers call “non-delegable vicarious liability.” Even if your vendor causes a data breach, your organisation pays the penalty.

Non-Delegable Vicarious Liability Explained

Section 8(1) states that a Data Fiduciary shall be responsible for complying with the Act “irrespective of any agreement to the contrary.” Read that again. No contractual clause can shift your statutory liability to the processor.

This means even if your DPA says “Processor bears all liability for breaches,” the DPBI will still penalise you. The DPA does not replace your liability — it creates a contractual right to claim indemnity from the processor after you have paid the regulatory penalty.

In practice, this changes how you evaluate vendors. A cheap data processor with weak security is now a ₹250 crore risk, not just a ₹5 lakh contract risk.

DPDP Rules 2025: Phased Compliance Timeline

The DPDP Rules 2025 were notified on 14 November 2025 and introduce an 18-month transition window. Compliance obligations roll out in three phases, giving organisations time to adjust — but the clock is already ticking.

| Phase | Effective Date | Rules That Kick In | DPA Impact |
|---|---|---|---|
| Immediate | 14 November 2025 | Rules 2, 17-21: DPBI constitution, procedural framework, Board structure, penalties framework | Section 8(2) valid contract requirement is in force. DPAs must exist for all processor engagements. DPBI can receive complaints and initiate inquiries. |
| 12 Months | 13 November 2026 | Rule 4: Consent Manager registration and obligations | DPA must include consent management integration clauses. Consent Managers require ₹2 crore minimum net worth, India incorporation, AES-256 encryption, and 7-year record retention. |
| 18 Months | 13 May 2027 | Rules 3, 5-16, 22-23: Notice (Rule 3), Security safeguards (Rule 6), Breach notification (Rule 7), Data erasure (Rule 8), Cross-border transfers, SDF obligations | All DPA clauses must be fully operational. Security safeguards per Rule 6 become enforceable. Breach notification within 72 hours to DPBI becomes mandatory. 48-hour pre-erasure notice to Data Principals required. |

The practical takeaway: the DPBI is already operational. Section 8(2)’s contract mandate is already in force. If you have not executed DPAs with your processors, you are operating in violation today. By May 2027, every clause in your DPA — security, breach, deletion, notice — becomes directly enforceable with penalties.

The Rules provide an 18-month window specifically so organisations can prepare. Do not treat it as 18 months of exemption — treat it as 18 months to get compliant before enforcement begins at full strength.

What Businesses Are Actually Asking About DPAs

Legal and startup communities across Reddit, LinkedIn, and Quora are flooded with DPA-related confusion. The most common questions reveal a fundamental gap between what the law requires and what businesses understand.

Common Concerns from Legal and Startup Communities

A frequently asked question in legal forums: “Does my startup even need a DPA if we just use Google Workspace?” The answer is yes. Google processes your employees’ and customers’ personal data on your behalf. Google is your Data Processor under Section 8(2). You need either Google’s standard DPA (which Google offers) or a custom one.

Another recurring concern on LinkedIn discussions: “Can I just add data processing clauses to my existing service agreement?” Technically, yes — the DPDP Act requires a “valid contract,” not a standalone document. But combining them creates audit complications. When the DPBI requests your DPA, extracting data processing terms from a 40-page service agreement wastes time during an investigation.

A common question on Quora: “What if my processor is outside India?” Section 8(2) applies regardless of the processor’s location. If an Indian Data Fiduciary engages a foreign processor, the DPA must comply with DPDP Act requirements. The added complexity: your DPA also needs cross-border transfer provisions.

Multiple threads across platforms ask: “What happens if my existing vendor refuses to sign a DPA?” You have two options — negotiate until they sign, or switch vendors. Continuing without a DPA after Phase 1 means operating in violation of Section 8(2). The penalty exposure far outweighs any switching costs.

12 Essential Clauses Every DPDP-Compliant DPA Must Include

The DPDP Act does not list specific DPA clauses. But combining Section 8 obligations, DPDP Rules 2025 (especially Rule 6 on security), and global best practices, these 12 clauses form the minimum viable DPA for Indian compliance.

1. Purpose Limitation and Processing Scope

This clause defines exactly what the processor can do with personal data. It must specify:

  • The categories of personal data being processed (employee data, customer data, health data)
  • The specific purposes of processing (payroll calculation, order fulfilment, analytics)
  • The duration of processing (contract term, plus deletion period)
  • The categories of Data Principals whose data is processed

Sample Clause: “The Data Processor shall process Personal Data solely for the purposes of [specify: payroll processing / cloud hosting / customer support] as described in Schedule A. The Processor shall not process Personal Data for any purpose beyond those specified, including but not limited to profiling, marketing, or training of artificial intelligence models, without prior written consent of the Data Fiduciary.”

2. Security Safeguards Under Rule 6

Rule 6 of the DPDP Rules 2025 mandates specific technical measures. Critically, Rule 6(f) explicitly requires that Data Fiduciaries contractually obligate their Data Processors to implement equivalent security safeguards. This makes the DPA security clause not just best practice — it is a statutory requirement under the Rules.

The mandatory security safeguards under Rule 6 include:

  • Encryption or tokenisation — for data in transit and at rest (Rule 6 specifies these as minimum, not optional)
  • Data masking and obfuscation — for sensitive personal data fields in non-production environments
  • Role-based access controls — limiting access to authorised personnel only, with monitoring and periodic review
  • Continuous audit logs — retained for minimum 1 year, enabling detection, investigation, and remediation of unauthorised access
  • Data backup and continuity measures — verified backup systems to ensure continued processing in case of compromise
  • Contractual flow-down to processors — Rule 6(f) mandates that the Data Fiduciary’s contract must require the Data Processor to implement these same safeguards

Sample Clause: “The Data Processor shall implement and maintain technical and organisational security measures as specified in Schedule B, including but not limited to: (a) AES-256 encryption for data at rest and TLS 1.3 for data in transit; (b) data masking for all PII fields in non-production environments; (c) role-based access controls with quarterly access reviews; (d) continuous audit logging with minimum 1-year retention as mandated by Rule 6, DPDP Rules 2025.”
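Before signing, the Fiduciary should be able to compare what a processor actually declares in its Schedule B against the Rule 6 minima above. The checker below is an added example written for this guide, not code from the guide's author or from any regulator: the attestation schema and function names are assumptions, and the concrete thresholds (AES-256, TLS 1.3, quarterly access reviews, 1-year audit-log retention) are the figures used in the sample clause above rather than quotations from the text of Rule 6 itself.

```python
"""Compare a processor's declared security measures (a DPA "Schedule B")
against the Rule 6 safeguards listed in this guide.

Added example: schema and function names are assumptions; thresholds are the
sample-clause figures (AES-256, TLS 1.3, quarterly reviews, 1-year logs).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ScheduleB:
    """What the processor attests to (constructed schema, not a statutory form)."""
    encryption_at_rest: Optional[str]       # e.g. "AES-256", "AES-128", None
    tls_min_version: Optional[str]          # e.g. "1.3", "TLSv1.2", None
    masking_non_prod: bool                  # PII masked outside production
    rbac: bool                              # role-based access control in place
    access_review_days: Optional[int]       # cadence of access reviews
    audit_log_retention_days: Optional[int]
    backups_tested: bool                    # verified backup/continuity measures
    flows_down_to_subprocessors: bool       # Rule 6(f) contractual flow-down


def _aes_bits(label: Optional[str]) -> int:
    """Key length declared in an 'AES-nnn' label; 0 if absent or not AES."""
    if not label or not label.upper().startswith("AES"):
        return 0
    digits = "".join(ch for ch in label if ch.isdigit())
    return int(digits) if digits else 0


def _tls_tuple(label: Optional[str]) -> tuple:
    """Parse '1.3' or 'TLSv1.2' into a comparable (major, minor) tuple."""
    if not label:
        return (0, 0)
    cleaned = label.upper().replace("TLSV", "").replace("TLS", "").strip()
    try:
        major, minor = cleaned.split(".")
        return (int(major), int(minor))
    except ValueError:
        return (0, 0)


def rule6_gaps(sb: ScheduleB) -> List[str]:
    """Return the safeguards the attestation fails to meet (empty = no gaps)."""
    gaps = []
    if _aes_bits(sb.encryption_at_rest) < 256:
        gaps.append("encryption at rest weaker than AES-256, or absent")
    if _tls_tuple(sb.tls_min_version) < (1, 3):
        gaps.append("minimum TLS version below 1.3, or absent")
    if not sb.masking_non_prod:
        gaps.append("no data masking in non-production environments")
    if not sb.rbac:
        gaps.append("no role-based access control")
    elif sb.access_review_days is None or sb.access_review_days > 92:
        gaps.append("access reviews less frequent than quarterly")
    if sb.audit_log_retention_days is None or sb.audit_log_retention_days < 365:
        gaps.append("audit log retention shorter than 1 year")
    if not sb.backups_tested:
        gaps.append("no verified backup and continuity measures")
    if not sb.flows_down_to_subprocessors:
        gaps.append("safeguards not flowed down to sub-processors (Rule 6(f))")
    return gaps


# Constructed attestations: a weak one and one matching the sample clause.
WEAK_VENDOR = ScheduleB("AES-128", "TLSv1.2", False, True, 365, 90, True, False)
STRONG_VENDOR = ScheduleB("AES-256", "1.3", True, True, 90, 365, True, True)


if __name__ == "__main__":
    for name, sb in (("weak", WEAK_VENDOR), ("strong", STRONG_VENDOR)):
        gaps = rule6_gaps(sb)
        print(f"{name}: {'no gaps' if not gaps else ''}")
        for g in gaps:
            print("  -", g)
```

Run it as a pre-signature gate: a non-empty result means Schedule B should be renegotiated, not that the DPA is void, since the page's point is that the clause must mirror Rule 6 specifics closely enough for the DPBI to check them.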

3. Breach Notification Obligations

This is where most DPAs fail. The DPDP Act creates a two-layer notification system. Your DPA must reflect both layers.

Layer 1 — Processor to Fiduciary: The processor must notify you within 24 hours of discovering a breach. This is your contractual requirement (not statutory — the Act does not prescribe processor-to-fiduciary timelines).

Layer 2 — Fiduciary to DPBI and Data Principals: You must notify the DPBI within 72 hours of becoming aware (Rule 7). You must also notify affected Data Principals “without delay” in clear, plain language via their registered communication channel. Critical point: unlike GDPR, the DPDP Act has no minimum threshold for breach reporting. Every personal data breach — large or small — must be reported to both the DPBI and affected individuals.

Sample Clause: “Upon becoming aware of any Personal Data Breach, the Data Processor shall: (a) notify the Data Fiduciary in writing within 24 hours of discovery; (b) provide full details including nature of breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken or proposed; (c) cooperate fully with the Data Fiduciary’s notification to the Data Protection Board of India under Section 8(6); (d) preserve all evidence and logs related to the breach for a minimum period of 3 years.”

4. Sub-Processor Controls

When your processor hires another processor (a sub-processor), the data protection chain must not break. Common example: your cloud hosting vendor uses a third-party backup service.

Sample Clause: “The Data Processor shall not engage any Sub-Processor without prior written authorisation from the Data Fiduciary. The Processor shall: (a) maintain a current list of all Sub-Processors with details of processing activities; (b) impose data protection obligations on each Sub-Processor by written contract no less protective than this Agreement; (c) remain fully liable for the acts and omissions of its Sub-Processors; (d) provide the Data Fiduciary 30 days’ prior notice before engaging any new Sub-Processor.”

5. Data Deletion and Return (Rule 8 Compliance)

Section 8(7) of the DPDP Act requires deletion of personal data when the purpose of processing is fulfilled. Rule 8 of the DPDP Rules 2025 adds critical specifics: the Data Fiduciary must notify the Data Principal at least 48 hours before scheduled erasure. For entities in the Third Schedule, mandatory erasure applies after 3 years of inactivity unless the user re-engages. Your DPA must define “deletion” precisely — vague language creates disputes.

Sample Clause: “Upon termination of this Agreement or upon written request by the Data Fiduciary, the Data Processor shall within 30 days: (a) return all Personal Data in a machine-readable format specified by the Fiduciary; (b) permanently delete all copies of Personal Data using NIST SP 800-88 compliant methods, including encrypted overwriting or physical destruction of storage media; (c) delete Personal Data from backup systems within 90 days of the primary deletion; (d) provide a Certificate of Destruction signed by an authorised officer confirming complete deletion.”

The critical detail: backup systems must be included in the deletion scope. Many DPAs exempt archived or backup data from deletion — this creates ongoing DPDP exposure.

6. Audit Rights and Cooperation

Without audit rights, your DPA is unenforceable. You cannot verify compliance with security safeguards unless you can inspect.

Sample Clause: “The Data Fiduciary shall have the right to audit the Data Processor’s compliance with this Agreement and applicable data protection laws. Audits may be conducted: (a) annually as a scheduled audit with 15 days’ prior notice; (b) immediately without notice following a data breach or credible complaint; (c) by the Data Fiduciary’s internal team or appointed third-party auditor. The Processor shall provide full access to relevant systems, records, and personnel during audits.”

7. Cross-Border Transfer Restrictions

The DPDP Act empowers the Central Government to restrict transfers to certain countries. Until the restricted list is notified, include a precautionary clause.

Sample Clause: “All Personal Data shall be processed and stored within India unless the Data Fiduciary provides prior written consent for specific cross-border transfers. The Processor shall not transfer, access, or allow access to Personal Data from outside India without such consent. If the Central Government notifies restricted territories under the DPDP Act, the Processor shall immediately cease transfers to any restricted territory and notify the Fiduciary within 48 hours.”

Additional essential clauses that must appear in your DPA (covered briefly — expand based on your specific requirements):

  • 8. Confidentiality obligations — all processor personnel bound by written confidentiality agreements
  • 9. Data Principal rights cooperation — processor assists fiduciary in responding to access, correction, and erasure requests
  • 10. Consent Manager integration — for Phase 2 compliance (November 2026), processor respects consent withdrawal signals
  • 11. Record-keeping — Consent Managers must retain records for 7 years; processor maintains processing logs
  • 12. Indemnification — processor indemnifies fiduciary for penalties arising from processor’s breach of DPA terms

Complete DPA Template Structure for India

Here is the full skeleton of a DPDP-compliant Data Processing Agreement. Use this as your starting checklist — every section must appear in your final document.

Full Template Skeleton

  1. Parties and Definitions
    • Data Fiduciary identity and registered address
    • Data Processor identity and registered address
    • Definitions: Personal Data, Data Principal, Processing, Breach, Sub-Processor (aligned with DPDP Act definitions in Section 2)
  2. Scope and Purpose of Processing
    • Categories of personal data
    • Categories of Data Principals
    • Specific processing activities authorised
    • Duration of processing
  3. Data Fiduciary’s Obligations
    • Lawful basis for processing (valid consent or legitimate use under Section 7)
    • Providing clear written instructions
    • Notifying processor of Data Principal rights requests
  4. Data Processor’s Obligations
    • Processing only per written instructions
    • Security safeguards (Rule 6 compliance)
    • Confidentiality requirements
    • Breach notification (24-hour contractual deadline)
    • Cooperation with audits
    • Assistance with Data Principal rights
  5. Sub-Processing
    • Prior written consent requirement
    • Flow-down obligations
    • Current sub-processor list
  6. Cross-Border Transfers
    • Default restriction to Indian territory
    • Exceptions with written consent
    • Restricted territory compliance
  7. Data Breach Management
    • Detection and notification protocol
    • Investigation cooperation
    • Evidence preservation (minimum 3 years)
  8. Audit Rights
    • Scheduled annual audits
    • Emergency audit provisions
    • Third-party auditor engagement
  9. Data Deletion and Return
    • Return format and timeline
    • Deletion methodology
    • Backup and disaster recovery data deletion
    • Certificate of Destruction
  10. Liability and Indemnification
    • Indemnity for regulatory penalties
    • Limitation of liability (if any)
    • Insurance requirements (recommended)
  11. Term and Termination
    • Duration linked to service agreement
    • Termination triggers (material breach, repeated violations)
    • Post-termination data handling obligations
  12. Governing Law and Dispute Resolution
    • Indian law (DPDP Act + Indian Contract Act)
    • Arbitration clause (recommended: seat in India)
    • DPBI jurisdiction for regulatory matters

Mandatory Schedules and Annexures

Every DPA should include these annexures as separate schedules referenced in the main agreement:

  • Schedule A: Description of Processing — categories of data, Data Principals, processing activities, retention periods
  • Schedule B: Technical and Organisational Security Measures — specific encryption standards, access control protocols, backup procedures per Rule 6
  • Schedule C: List of Approved Sub-Processors — name, location, processing activity, security certifications
  • Schedule D: Breach Notification Protocol — escalation matrix, contact details, evidence preservation checklist

Keep schedules as separate attachments. This allows you to update security measures or sub-processor lists without re-executing the entire agreement.

DPA Clause Drafting: Wrong vs Right

Vague language in a DPA is worse than no DPA at all — it creates a false sense of security. Here are the most common drafting mistakes and their corrections.

Mistake 1: Vague Security Obligations

❌ WRONG:

“The Processor shall implement appropriate security measures to protect Personal Data.”

✅ RIGHT:

“The Processor shall implement security safeguards in compliance with Rule 6, DPDP Rules 2025, including: AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls with quarterly reviews, data masking in non-production environments, and continuous audit logging with 1-year retention.”

Why it matters: “appropriate” is subjective. When the DPBI investigates, they check against Rule 6 specifics. Your DPA should mirror those specifics.

Mistake 2: No Deletion Timeline

❌ WRONG:

“Upon termination, the Processor shall delete all data.”

✅ RIGHT:

“Upon termination, the Processor shall within 30 calendar days: (a) return Personal Data in CSV/JSON format; (b) permanently delete all copies using NIST SP 800-88 methods; (c) delete backup copies within 90 days; (d) provide a signed Certificate of Destruction.”

Why it matters: without a timeline, “delete” can mean 6 months later. Without a methodology, “delete” can mean moving to an archive folder.

Mistake 3: Liability Shifting That Does Not Work

❌ WRONG:

“The Processor shall bear full liability for any data breach occurring within its systems.”

✅ RIGHT:

“The Data Fiduciary acknowledges its non-delegable liability under Section 8(1), DPDP Act 2023. The Processor shall indemnify the Data Fiduciary for all regulatory penalties, costs, and claims arising from the Processor’s breach of this Agreement, subject to a liability cap of [X] times the annual contract value.”

Why it matters: Section 8(1) explicitly overrides contractual liability allocation. Your DPA must acknowledge this reality while still creating an indemnity right.

Mistake 4: Missing Breach Notification Details

❌ WRONG:

“The Processor shall promptly notify the Fiduciary of any data breach.”

✅ RIGHT:

“The Processor shall notify the Data Fiduciary within 24 hours of discovering any breach, providing: (a) nature and scope of the breach; (b) approximate number of affected Data Principals; (c) categories of Personal Data compromised; (d) measures taken to contain the breach; (e) identity of the incident response team lead.”

Why it matters: “promptly” gives the processor discretion to delay. The Fiduciary has only 72 hours to notify the DPBI — your processor’s notification must give you enough time and information to meet your statutory deadline.

Mistake 5: No Sub-Processor Controls

❌ WRONG:

“The Processor may engage sub-contractors as needed.”

✅ RIGHT:

“The Processor shall not engage any Sub-Processor without prior written consent. Each Sub-Processor must be bound by data protection obligations no less protective than this Agreement. The Processor shall maintain and share a current list of Sub-Processors and provide 30 days’ notice before any new engagement.”

DPDP Act Penalty Matrix: What Non-Compliance Costs

The DPDP Act’s penalty regime is the strictest India has ever seen for data protection. Understanding these numbers is essential when negotiating DPA indemnity clauses.

Penalty Amounts by Violation Type

| Violation | DPDP Section | Maximum Penalty | DPA Relevance |
|---|---|---|---|
| Failure to implement reasonable security safeguards leading to breach | Section 8(5) | ₹250 crore per breach | Security safeguards clause must match Rule 6 standards |
| Failure to notify DPBI and affected Data Principals of breach | Section 8(6) | ₹200 crore | Breach notification clause must enable 72-hour DPBI notification |
| Breach of children’s data obligations | Section 9 | ₹200 crore | DPA must restrict children’s data processing unless explicitly authorised |
| Breach of Significant Data Fiduciary obligations | Section 10 | ₹150 crore | SDFs need enhanced DPA clauses (DPO appointment, DPIA, algorithmic audit) |
| Any other DPDP Act or Rules violation | General | ₹50 crore | Catch-all: covers processing without valid contract, purpose limitation breaches |

How Penalties Are Calculated Per Violation

A critical detail most guides miss: these penalties are per violation, not per incident. A single data breach can trigger multiple violations simultaneously.

For example, if a breach occurs because your processor lacked encryption (₹250 crore for security failure) AND you failed to notify the DPBI within 72 hours (₹200 crore for notification failure), the total exposure is ₹450 crore — not ₹250 crore.

This is why your DPA’s indemnity clause matters enormously. The indemnity cap should reflect the realistic exposure across multiple violation categories, not just a single penalty slab.

Step-by-Step DPA Compliance Checklist

Use this checklist to ensure your organisation is DPA-compliant by each phase deadline. LawSikho’s Diploma in Cyber Law, Fintech and Technology Contracts covers these compliance frameworks in depth for practitioners.

For Existing Vendor Contracts (Immediate Priority)

  1. Audit all existing vendor relationships — list every vendor that accesses, stores, or processes personal data on your behalf
  2. Classify each vendor — is this a Data Processor under Section 2(21)? Does it process personal data for your purposes?
  3. Check existing contracts — does the service agreement contain data processing terms? Are they DPDP-compliant?
  4. Identify gaps — missing clauses (security, breach notification, deletion, audit rights, sub-processor controls)
  5. Draft DPA addenda — for vendors with existing contracts, execute a DPA as an addendum rather than renegotiating the entire agreement
  6. Set internal deadlines — prioritise high-risk processors (those handling large volumes of personal data, health data, or financial data)
  7. Obtain signed DPAs — escalate with procurement and legal teams; set 60-day deadline for execution

For New Engagements (Standard Process)

  1. Include DPA in the RFP/vendor evaluation — share your standard DPA template during vendor selection
  2. Evaluate processor’s security posture — request SOC 2 Type II, ISO 27001, or equivalent certifications before signing
  3. Negotiate DPA terms — focus on breach notification timelines, indemnity caps, and audit rights
  4. Execute DPA before data sharing — no personal data flows until the DPA is signed
  5. Maintain a DPA register — centralised log of all DPAs with execution dates, renewal dates, and processor details
  6. Schedule annual DPA reviews — update security standards, sub-processor lists, and compliance terms annually

Common rejection reasons when the DPBI reviews DPAs during investigations:

  • DPA signed after the data processing began (not “prior” engagement as required)
  • Security clauses do not reference Rule 6 specific measures
  • No breach notification timeline specified
  • Sub-processor list outdated or missing
  • Deletion clause has no methodology or timeline
  • DPA not executed on proper stamp paper (see Stamp Duty section)
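The "maintain a DPA register" step and the rejection reasons above can be turned into a routine check over that register. The script below is an added example, not code from the guide or from the DPBI: the register schema, field names and function names are assumptions, while the phase dates, the 24-hour contractual norm and the rejection reasons are the ones stated in this guide.

```python
"""Review a DPA register against the rejection reasons and phase deadlines
given in this guide.

Added example: record schema and function names are assumptions; dates and
rejection reasons are the guide's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PHASE1 = date(2025, 11, 14)   # Section 8(2) contract mandate in force
PHASE2 = date(2026, 11, 13)   # Consent Manager obligations (Rule 4)
PHASE3 = date(2027, 5, 13)    # Rule 6/7/8 clauses directly enforceable
CONTRACT_NOTICE_HOURS = 24    # processor-to-fiduciary norm used in this guide


@dataclass
class DpaRecord:
    """One row of a DPA register (constructed schema)."""
    vendor: str
    processing_started: date
    dpa_signed: Optional[date]                 # None = not executed
    references_rule6: bool                     # security clause cites Rule 6 measures
    breach_notice_hours: Optional[int]         # contractual processor deadline
    subprocessor_list_updated: Optional[date]
    deletion_methodology: Optional[str]        # e.g. "NIST SP 800-88"
    deletion_days: Optional[int]
    stamp_duty_paid: bool


def review(rec: DpaRecord, today: date) -> List[str]:
    """Findings for one register row; empty list means nothing to fix."""
    f = []
    if rec.dpa_signed is None:
        since = max(rec.processing_started, PHASE1)
        f.append(f"no DPA executed; Section 8(2) breach since {since.isoformat()}")
    elif rec.dpa_signed > rec.processing_started:
        late = (rec.dpa_signed - rec.processing_started).days
        f.append(f"DPA signed {late} days after processing began (not prior)")
    if not rec.references_rule6:
        f.append("security clause does not reference Rule 6 measures")
    if rec.breach_notice_hours is None:
        f.append("no processor breach notification deadline")
    elif rec.breach_notice_hours > CONTRACT_NOTICE_HOURS:
        f.append(f"processor deadline of {rec.breach_notice_hours}h exceeds "
                 f"the {CONTRACT_NOTICE_HOURS}h contractual norm")
    if (rec.subprocessor_list_updated is None
            or today - rec.subprocessor_list_updated > timedelta(days=365)):
        f.append("sub-processor list missing or older than the annual review")
    if not rec.deletion_methodology or rec.deletion_days is None:
        f.append("deletion clause lacks methodology and/or timeline")
    if not rec.stamp_duty_paid:
        f.append("DPA not executed on proper stamp paper")
    return f


def days_to_full_enforcement(today: date) -> int:
    """Days left until every DPA clause becomes enforceable (Phase 3)."""
    return (PHASE3 - today).days


# Constructed register rows: one with several defects, one in order.
LATE_VENDOR = DpaRecord("PayrollCo (constructed)", date(2025, 6, 1), date(2026, 1, 15),
                        False, None, date(2025, 1, 1), None, None, True)
CLEAN_VENDOR = DpaRecord("HostCo (constructed)", date(2026, 2, 1), date(2026, 1, 20),
                         True, 24, date(2026, 3, 1), "NIST SP 800-88", 30, True)


if __name__ == "__main__":
    today = date(2026, 4, 15)
    print(f"{days_to_full_enforcement(today)} days to full enforcement")
    for rec in (LATE_VENDOR, CLEAN_VENDOR):
        print(rec.vendor, review(rec, today) or "OK")
```

Feed the real register in via CSV or a ticketing export and run it before each annual review; a row with any finding is one the DPBI could reject during an investigation for the reasons listed above.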

Exemptions: Who Does Not Need a Full DPA

Not every data processing relationship requires a DPA. The DPDP Act carves out specific exemptions. But the exemptions are narrower than most businesses assume.

Detailed Exemption Categories

1. Personal or Domestic Use Exemption

Who is exempt: individuals processing personal data for purely personal or domestic purposes — such as maintaining a personal contact list or sharing family photos.

Legal basis: Section 17(1)(a) of the DPDP Act 2023.

Scope: exempt FROM all obligations under the Act, including the DPA requirement. NOT exempt from: criminal liability if data is used to cause harm.

Conditions: the moment personal data is used for any commercial, professional, or organisational purpose, this exemption ceases. A freelancer maintaining client records is not covered — that is professional use.

Practical implication: this exemption is irrelevant for any business context. No company can claim personal or domestic use.

2. State Security and Public Order Exemption

Who is exempt: the Central Government and its instrumentalities when processing data in the interest of sovereignty, integrity, and security of India, or for maintaining public order.

Legal basis: Section 17(2)(a) of the DPDP Act 2023.

Scope: exempt FROM consent requirements, purpose limitation, and DPA requirements for the exempted processing. NOT exempt from: security safeguards under Section 8(5) — even exempted government processing must maintain reasonable security measures.

Conditions: the exemption applies only to the specific processing activity notified by the Government, not to all data processing by government agencies. Processing for routine administrative functions (payroll, procurement) is not covered.

Practical implication: government departments still need DPAs for their vendor relationships that are not covered by a specific security exemption notification.

3. Research and Archival Exemption

Who is exempt: processing of personal data for research, archiving, or statistical purposes.

Legal basis: Section 17(2)(d) of the DPDP Act 2023.

Scope: exempt FROM certain consent and notice requirements for the research processing. NOT exempt from: security safeguards, breach notification obligations, or the general requirement to engage processors under a valid contract.

Conditions: the data must be anonymised or de-identified where reasonably possible. The research must not be directed at any specific individual. Commercial research (market research for product development) may not qualify — the exemption targets academic and public interest research.

Practical implication: universities and research institutions still need DPAs with their data processing vendors. The exemption relaxes consent requirements, not the processor engagement rules.

4. Startup Exemption Under Section 17(3)

Who is exempt: startups as notified by the Central Government, based on criteria such as volume and nature of data processed.

Legal basis: Section 17(3) of the DPDP Act 2023.

Scope: the Central Government may exempt certain classes of Data Fiduciaries (including startups) from specific provisions of the Act. The exact scope depends on the notification — which has not been issued as of April 2026. NOT exempt from: core obligations such as security safeguards and breach notification are unlikely to be waived even for startups.

Conditions: the notification must specify which startups qualify (likely based on DPIIT recognition, data volume thresholds, or sector). Until the notification is issued, no startup can claim this exemption.

Practical implication: do not rely on this exemption. Draft your DPAs now. If and when the startup exemption notification arrives, you can scale back requirements. Building without a DPA and hoping for an exemption is a ₹50 crore gamble. LawSikho’s Diploma in Entrepreneurship Administration and Business Laws covers startup compliance frameworks including upcoming DPDP exemptions.

5. Judicial and Legal Proceedings Exemption

Who is exempt: processing of personal data that is necessary for enforcing any legal right or claim, or by courts and tribunals in the exercise of judicial functions.

Legal basis: Section 17(2)(c) of the DPDP Act 2023.

Scope: exempt FROM consent and purpose limitation requirements for the specific legal proceeding. NOT exempt from: security safeguards, and not exempt from DPA requirements when sharing litigation data with external legal tech processors or e-discovery vendors.

Conditions: the exemption applies only to processing directly necessary for the legal proceeding. Sharing litigation data with a third-party analytics firm for case strategy still requires a DPA, because the analytics firm is a Data Processor.

Practical implication: law firms using legal tech platforms for document review, e-discovery, or case management still need DPAs with those platforms.

Important note on journalism: Unlike many global data protection laws, the DPDP Act 2023 does not provide a blanket exemption for journalistic purposes. Media organisations processing personal data through third-party vendors must execute DPAs.

Industry-Specific DPA Variations

A one-size-fits-all DPA misses critical industry requirements. Here is how key clauses change across four major sectors.

IT and SaaS Companies

IT companies face the highest DPA complexity because they are often both Data Fiduciaries (for employee and customer data) and Data Processors (for client data they process through their platforms).

Key DPA additions for IT/SaaS:

  • Multi-tenancy isolation clause — personal data of different clients must be logically or physically separated
  • API access controls — specify which APIs can access personal data, authentication requirements
  • AI/ML training restriction — explicitly prohibit using client data for training proprietary AI models
  • Uptime and availability SLA — tie data availability commitments to the DPA, not just the service agreement

Healthcare and Pharma

Health data carries the highest risk under DPDP because breach consequences directly affect individuals. The penalty exposure is compounded when children’s health data is involved (₹200 crore under Section 9).

Key DPA additions for healthcare:

  • Health data classification — explicitly define what constitutes health data (diagnosis, prescriptions, lab results, insurance claims)
  • Access logging granularity — log every individual access to patient records, not just system-level access
  • De-identification standards — specify the anonymisation methodology for research data sharing
  • Emergency access protocols — define how data can be accessed in medical emergencies without standard authorisation flows

Fintech and Banking

Fintech companies face dual regulation — DPDP Act and RBI’s data localisation circular. Both must be reflected in the DPA.

Key DPA additions for fintech:

  • Data localisation compliance — all payment data must be stored in India per RBI circular dated April 6, 2018
  • Account aggregator framework — if the processor participates in the Account Aggregator ecosystem, the DPA must align with RBI’s AA guidelines
  • PCI-DSS compliance — processors handling card data must maintain PCI-DSS certification
  • Transaction data retention limits — align with both DPDP deletion requirements and RBI’s mandatory retention periods

E-Commerce and D2C

E-commerce companies share customer data with multiple processors simultaneously — logistics, payments, marketing, customer support. Each requires a separate DPA.

Key DPA additions for e-commerce:

  • Marketing use restriction — processors must not use customer data for their own marketing or cross-selling
  • Delivery data minimisation — logistics partners receive only necessary delivery information, not full purchase history
  • Return and refund data handling — define how customer data from returns is processed and deleted
  • Cookie and tracking consent alignment — processors operating customer-facing tools (chatbots, analytics) must respect consent preferences

Stamp Duty and Execution Requirements

A DPA is a contract under the Indian Contract Act, 1872. Like any contract, it must comply with stamp duty requirements to be admissible as evidence and enforceable in court.

Stamp duty on agreements is a state subject. Rates vary depending on where the agreement is executed. For a DPA, which is typically classified as an “agreement” or “article of agreement” under state Stamp Acts, the applicable rates for the top 5 states are:

| State | Stamp Duty on Agreements | E-Stamping Available | Notes |
|---|---|---|---|
| Maharashtra | ₹500 (if no monetary consideration specified) or 0.1% of consideration | Yes — via GRAS portal | DPAs without specified monetary value typically attract ₹500 flat duty |
| Delhi | ₹100 for general agreements | Yes — via SHCIL portal | Lower rate applies when DPA is an addendum to an existing stamped service agreement |
| Karnataka | ₹500 for general agreements | Yes — via KAVERI portal | Additional registration fee of ₹500 if registered |
| Tamil Nadu | ₹100 for general agreements | Yes — via TNREGINET | If executed as part of service agreement, stamp duty of main agreement applies |
| Telangana | ₹500 for general agreements | Yes — via CARD portal | E-stamping mandatory for values above ₹500 |

Execution formalities for a valid DPA:

  • Execute on proper stamp paper or e-stamp of the state where the DPA is signed
  • Both parties must sign (digital signatures valid under IT Act, 2000 Section 5)
  • Two witnesses recommended (though not strictly mandatory for all agreement types)
  • Retain original copies — one with each party
  • Registration is optional for DPAs unless the agreement term exceeds 12 months and involves immovable property

Digital execution using Aadhaar e-sign or DSC (Digital Signature Certificate) is legally valid. Many organisations now execute DPAs digitally through platforms like Leegality or DigiLocker-integrated signing tools.

DPDP Rules 2025: Rule-by-Rule Impact on DPA Drafting

The Government of India notified the DPDP Rules 2025 on 14 November 2025, marking the full operationalisation of the DPDP Act 2023. The Act and Rules together form a citizen-centred framework placing equal weight on individual rights and lawful data processing. Here is how each key Rule directly affects your DPA.

Rule 3: Notice Requirements (Effective May 2027)

Rule 3 addresses one of the most persistent failures in Indian data protection: the use of long, inaccessible privacy policies as consent notices. The formal notice from a Data Fiduciary must now be:

  • Clear, independent, and in plain language
  • Contain an itemised description of the personal data to be processed
  • State the specified purpose of each processing activity
  • Include a specific communication link for Data Principals to withdraw consent, exercise rights, or file complaints

DPA impact: your processor must support your ability to serve compliant notices. If the processor operates customer-facing touchpoints (apps, chatbots, portals), the DPA must require the processor’s interface to display your notice in compliance with Rule 3 standards.

Rule 4: Consent Manager Registration (Effective November 2026)

Consent Managers are a new category of registered entities that manage consent on behalf of Data Principals. Registration requirements under the First Schedule are stringent:

  • Must be incorporated in India (private/public company, society, or trust)
  • Minimum net worth of ₹2 crore (adjusted annually for inflation)
  • Governance framework with Board of Directors and conflict-of-interest policies
  • Secure technical infrastructure with AES-256 minimum encryption
  • Must retain consent records for 7 years

DPA impact: if you engage a Consent Manager, your DPA must include additional clauses on consent verification protocols, withdrawal handling timelines, record access rights, and the Consent Manager’s obligation to meet First Schedule standards throughout the engagement.

Rule 6: Security Safeguards (Effective May 2027)

Before the Rules, the Act only said “reasonable security safeguards.” Rule 6 now specifies the minimum: encryption or tokenisation, masking, access controls with monitoring and review, audit logging with 1-year retention, backup and continuity systems. Most critically, Rule 6(f) makes the contractual flow-down to processors a statutory requirement — not just a best practice.

DPA impact: every DPA executed after November 2025 must reference the specific measures in Rule 6. DPAs drafted before the Rules should be amended immediately to include them. When May 2027 arrives, DPAs without Rule 6 alignment are non-compliant.

Rule 7: Breach Notification (Effective May 2027)

Rule 7 sets out mandatory breach notification obligations. Key requirements:

  • Notify each affected Data Principal “without delay” in clear, plain language via their user account or registered communication channel
  • Submit a detailed report to the DPBI within 72 hours (or longer if the Board permits), including nature of breach, causes, and iterative updates
  • No minimum threshold — every personal data breach must be reported, regardless of size or severity

DPA impact: your DPA’s processor notification deadline must leave sufficient time within the 72-hour DPBI window. If your DPA requires 24-hour processor notification, you have 48 hours to assess and file. If you allow 48 hours, you have only 24 — which is dangerously tight. Keep the processor deadline at 24 hours or less.

Rule 8: Data Erasure (Effective May 2027)

Rule 8 introduces mandatory erasure obligations that directly affect DPA deletion clauses:

  • Data Fiduciaries must notify Data Principals at least 48 hours before scheduled erasure
  • For entities in the Third Schedule (large online platforms), mandatory erasure applies after 3 years of user inactivity unless the user re-engages
  • Backup systems are included in the erasure scope — they are not exempted as “archived” data
  • Disaster recovery data must be addressed with clear deletion timelines

DPA impact: your deletion clause must now include the 48-hour pre-erasure notification mechanism, 3-year inactivity triggers (if applicable), and explicit backup/DR data deletion timelines. Litigation hold procedures should not exceed 2 years without additional justification.

Significant Data Fiduciary (SDF) Enhanced Obligations

If the Central Government designates you as an SDF, your DPAs require additional clauses:

  • Data Protection Officer (DPO) appointment — must be based in India
  • Annual Data Protection Impact Assessment (DPIA) — processor must cooperate and provide access
  • Algorithmic fairness audit — if the processor uses automated decision-making on personal data
  • Annual audit by independent auditor — processor must facilitate access to systems and records
  • Periodic audit of policies and infrastructure by independent data auditor

Disclaimer

This article is for informational and educational purposes only. It does not constitute legal advice, and no lawyer-client relationship is created by reading this content. The DPDP Act 2023 and DPDP Rules 2025 are evolving — provisions may be amended, and further notifications may be issued. For advice specific to your organisation’s compliance requirements, consult a qualified data protection lawyer. LawSikho’s Diploma in Cyber Law, Fintech and Technology Contracts provides structured training on DPDP compliance but is not a substitute for personalised legal counsel.

Frequently Asked Questions

Fundamentals

1. What is a Data Processing Agreement under Indian law?

A Data Processing Agreement (DPA) is a contract between a Data Fiduciary and Data Processor required under Section 8(2) of the DPDP Act, 2023. It governs how the processor handles personal data on the fiduciary’s behalf, covering security measures, breach notification, deletion procedures, and audit rights. Without this contract, engaging a data processor violates the Act.

2. Is a DPA the same as a Non-Disclosure Agreement for data?

No. An NDA protects confidential business information and is governed by the Indian Contract Act, 1872. A DPA specifically governs personal data processing and is mandated by the DPDP Act, 2023. NDAs carry contractual penalties; DPA violations carry regulatory penalties up to ₹250 crore from the DPBI. You need both — they serve different legal purposes.

3. Who qualifies as a Data Processor under the DPDP Act?

Under Section 2(21), a Data Processor is any person who processes personal data on behalf of a Data Fiduciary. This includes cloud hosting providers, payroll vendors, HR SaaS platforms, marketing automation tools, logistics partners, and any third party that accesses or handles personal data under your instructions. If they touch personal data for your purposes, they are your processor.

Drafting and Implementation

4. Can I add DPA clauses to my existing service agreement instead of a separate document?

Yes — the DPDP Act requires a “valid contract,” not a standalone DPA. However, a separate DPA is strongly recommended. During DPBI investigations, extracting data processing terms from a multi-page service agreement wastes critical time. A standalone DPA also simplifies annual reviews and makes audit compliance easier.

5. What are the minimum clauses required in a DPDP-compliant DPA?

At minimum: purpose limitation and processing scope, security safeguards per Rule 6, breach notification timeline (24 hours processor to fiduciary), sub-processor controls with prior consent requirement, data deletion methodology and timeline, audit rights with annual and emergency provisions, and cross-border transfer restrictions. Missing any of these creates compliance gaps the DPBI can penalise.

6. How do I handle DPAs with international processors like AWS or Google?

Major cloud providers offer standard DPAs. Review their standard terms against DPDP Act requirements — specifically Rule 6 security safeguards, breach notification timelines, and data localisation provisions. Negotiate addenda where their standard DPA falls short. For critical gaps, consider Indian cloud alternatives or negotiate custom enterprise DPA terms.

Compliance and Penalties

7. What is the penalty for not having a DPA with my data processor?

Operating without a valid DPA violates Section 8(2) and falls under the general violations category — penalty up to ₹50 crore. If a breach occurs while you have no DPA, additional penalties for security safeguard failure (up to ₹250 crore) and notification failure (up to ₹200 crore) may apply simultaneously. Penalties are per violation, not per incident.

8. When do DPDP Act DPA requirements actually take effect?

The DPDP Rules 2025 were notified on 14 November 2025, fully operationalising the Act. Section 8(2)’s valid contract requirement is already in force — you need DPAs now. The Rules roll out in phases: DPBI and procedural rules are immediate; Consent Manager registration (Rule 4) takes effect November 2026; full substantive obligations including security safeguards (Rule 6), breach notification (Rule 7), and data erasure (Rule 8) take effect May 2027.

9. Can my company be penalised for my processor’s security failure?

Yes. Section 8(1) creates non-delegable vicarious liability. The Data Fiduciary is responsible for compliance “irrespective of any agreement to the contrary.” If your processor’s weak security causes a breach, the DPBI penalises you first. Your DPA’s indemnity clause then gives you a contractual right to recover from the processor — but the regulatory penalty hits you directly.

Specific Scenarios

10. Does a startup using Google Workspace need a DPA?

Yes. Google processes your employees’ and customers’ personal data on your behalf. Google is your Data Processor under Section 2(21). Google offers a standard DPA for Workspace customers — activate it through your admin console. The startup exemption under Section 17(3) has not been notified as of April 2026, so no startup can rely on it.

11. Do I need a separate DPA for each vendor or can I use one master agreement?

You need a separate DPA (or DPA addendum) for each Data Processor, because each processor handles different data categories, has different security postures, and requires specific processing instructions. A master template is fine as the base — but Schedule A (processing description) and Schedule C (sub-processor list) must be customised for each vendor.

12. What happens if my processor refuses to sign a DPA?

You have two options: negotiate until they agree, or switch to a processor willing to sign. Continuing to share personal data without a DPA after Phase 1 violates Section 8(2). The ₹50 crore penalty exposure for operating without a valid contract far exceeds any vendor switching costs. Document the refusal in writing for your compliance records.

Advanced and Future Considerations

13. How does the DPDP Act DPA requirement interact with RBI data localisation rules?

They operate in parallel. RBI’s April 2018 circular mandates that all payment system data must be stored only in India. Your DPA with fintech/payment processors must comply with both: DPDP Act security and processing requirements AND RBI data localisation mandates. Include explicit data localisation clauses referencing both regulatory frameworks.

14. Will the DPDP Act require standard contractual clauses like GDPR?

Not currently. Unlike the EU’s GDPR which prescribes Standard Contractual Clauses (SCCs) for international transfers, the DPDP Act leaves DPA drafting to the parties. The Central Government may notify restricted territories for cross-border transfers, but no DPDP-equivalent of SCCs has been proposed. This may change as the regulatory framework matures through 2027.

15. How often should I review and update my DPAs?

Review annually at minimum. Trigger immediate reviews when: the DPDP Rules are amended, your processor changes sub-processors, you are designated as a Significant Data Fiduciary, the processor suffers a data breach, or new compliance phases take effect (November 2026 and May 2027). Build an annual review clause directly into your DPA with a specific review date.

Conclusion

The DPDP Act has made Data Processing Agreements a legal necessity, not a best practice. With Phase 1 already live and Phase 2 arriving in November 2026, every organisation sharing personal data with third parties needs a compliant DPA in place.

Use the 12-clause framework and template skeleton in this guide as your starting point. Customise for your industry. Pay special attention to breach notification timelines, indemnity caps, and security safeguards that mirror Rule 6 requirements.

The cost of a well-drafted DPA is a few hours of legal review. The cost of not having one is exposure to penalties that can reach ₹250 crore per violation. The maths is straightforward — draft your DPA today.
