What is a Data Processing Agreement under the DPDP Act?

A Data Processing Agreement (DPA) is a contract between a Data Fiduciary and Data Processor specifying processing terms. Under the DPDP Act 2023, Data Fiduciaries must execute DPAs with all third-party processors. The DPA must cover processing scope, security, sub-processors, breach notification, and data erasure.

Is a Data Processing Agreement legally required under DPDP?

Yes. The DPDP Act 2023 requires Data Fiduciaries to engage Data Processors only through a valid contract specifying data protection obligations. Processing without a DPA violates the Act.

Can I use an existing GDPR DPA for DPDP compliance?

A GDPR DPA provides a good foundation but must be updated for DPDP: add Indian law governing clause, update breach notification timeline, include erasure certification obligations, and align terminology with DPDP Act definitions.

DPDP Data Processing Agreement Generator — DPA Template India

Free Preview: DPA Structure

Sections 1–2 and Schedule A are fully visible. Sections 3–8 and Schedule B unlock with purchase.

Free Preview

DATA PROCESSING AGREEMENT

Between: [Fiduciary] and [Processor]

Effective Date: — | Duration: — | Governing Law: India — DPDP Act 2023

TABLE OF CONTENTS

1. Definitions & Interpretation ✓ Unlocked
2. Scope and Purpose of Processing ✓ Unlocked
3. Obligations of Data Processor 🔒
4. Sub-processor Requirements 🔒
5. Technical & Organisational Security Measures 🔒
6. Personal Data Breach Notification 🔒
7. Return and Deletion of Data 🔒
8. Liability and Indemnification 🔒
Sch. A Categories of Personal Data ✓ Unlocked
Sch. B Security Requirements 🔒

1. DEFINITIONS & INTERPRETATION ✓ Unlocked

1.1 In this Agreement, "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the Digital Personal Data Protection Act, 2023 ("DPDP Act").

1.2 "Data Fiduciary" means [your company], who alone or in conjunction with other persons determines the purpose and means of processing Personal Data, as defined under Section 2(i) of the DPDP Act.

1.3 "Data Processor" means [vendor name], who processes Personal Data on behalf of the Data Fiduciary, as defined under Section 2(k) of the DPDP Act.

1.4 "Processing" means an automated operation or set of operations performed on digital Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, transmission, or erasure.

1.5 "Data Principal" means the natural person to whom the Personal Data relates.

2. SCOPE AND PURPOSE OF PROCESSING ✓ Unlocked

2.1 The Processor shall process Personal Data only for [nature of processing], as specified in Schedule A annexed hereto, and strictly in accordance with the documented instructions of the Fiduciary.

2.2 The Processor shall not process Personal Data for any purpose other than as instructed by the Fiduciary in writing, unless required to do so by applicable law.

2.3 The Processor shall inform the Fiduciary if, in its opinion, any instruction infringes the DPDP Act, 2023 or any other applicable data protection law, prior to carrying out such instruction.

3. OBLIGATIONS OF DATA PROCESSOR 🔒 Locked

3.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Personal Data.
3.2 The Processor shall ensure that persons authorised to process Personal Data have committed to confidentiality obligations or are under statutory obligations of confidentiality.
3.3 The Processor shall not engage sub-processors without prior written authorisation of the Fiduciary.

🔒 Unlock with Full DPA

4. SUB-PROCESSOR REQUIREMENTS 🔒 Locked

4.1 Where the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this Agreement on sub-processors.
4.2 The Processor shall inform the Fiduciary of any intended changes to sub-processors, affording the Fiduciary the opportunity to object to such changes.

🔒 Unlock with Full DPA

5. TECHNICAL & ORGANISATIONAL SECURITY MEASURES 🔒 Locked

5.1 The Processor shall implement measures including encryption of Personal Data at rest and in transit, pseudonymisation where appropriate, access controls, and regular security testing.
5.2 The Processor shall maintain a record of all processing activities carried out on behalf of the Fiduciary.

🔒 Unlock with Full DPA

6. PERSONAL DATA BREACH NOTIFICATION 🔒 Locked

6.1 The Processor shall notify the Fiduciary without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach.
6.2 Notification shall include the nature of the breach, categories of data involved, likely consequences, and measures taken to address it.

🔒 Unlock with Full DPA

7. RETURN AND DELETION OF DATA 🔒 Locked

7.1 Upon termination of the Agreement, the Processor shall, at the Fiduciary's choice, delete or return all Personal Data and delete existing copies unless law requires retention.
7.2 The Processor shall certify in writing that all Personal Data has been permanently deleted within 30 days of termination.

🔒 Unlock with Full DPA

8. LIABILITY AND INDEMNIFICATION 🔒 Locked

8.1 Each Party shall be liable to the other for any damages arising from the breach of its obligations under this Agreement.
8.2 The Processor shall indemnify the Fiduciary against all penalties, fines, and costs arising from the Processor's non-compliance with this Agreement or the DPDP Act, 2023.

🔒 Unlock with Full DPA

SCHEDULE A — Categories of Personal Data ✓ Unlocked

The following categories of Personal Data are shared under this Agreement:

None selected — please check applicable categories above

SCHEDULE B — Security Requirements 🔒 Locked

B.1 Minimum encryption standard: AES-256 for data at rest, TLS 1.2+ for data in transit.
B.2 Access control: Role-based access with multi-factor authentication for all personnel with access to Personal Data.
B.3 Audit logging: All access to Personal Data to be logged with timestamps and user identifiers, retained for minimum 2 years.

🔒 Unlock with Full DPA

Unlock the Complete DPA Document

₹1,499 one-time

Full DPDP-compliant DPA with all clauses pre-filled with your details, emailed as a PDF within 15 minutes.

All 8 sections fully drafted with your company details pre-filled
Schedule A: Categories of Data (auto-populated from your selection)
Schedule B: Security Requirements (12 specific technical controls)
Board signature page with witness and notary fields
Attorney review notes on each high-risk clause
DPDP Act 2023 section references and annotations

Secure payment via Razorpay · PDF delivered in 15 min · Not legal advice

Why the DPDP Act Requires Data Processing Agreements

Section 8(2) of the Digital Personal Data Protection Act, 2023 places a clear obligation on every Data Fiduciary: if you engage a Data Processor — any vendor, contractor, or cloud provider that handles personal data on your behalf — you must have a written contract in place. This contract must require the Processor to implement reasonable security safeguards and comply with all applicable provisions of the DPDP Act.

In practice, this means that your payroll software vendor, HR management platform, CRM provider, cloud hosting company, IT support team, and background verification agency are all Data Processors if they touch personal data belonging to your employees or customers. Without a signed, DPDP-compliant DPA with each of these vendors, your organisation remains the sole party accountable for any data breach or misuse that occurs within the processor's systems.

The consequences are severe. Under Section 33 of the DPDP Act, penalties for failing to implement adequate safeguards — including failing to bind processors by contract — can reach ₹250 crore per incident. The Data Protection Board of India may investigate complaints filed by any Data Principal whose data was mishandled, even if the mishandling occurred at your vendor's infrastructure. Your DPA is your primary contractual defence in such proceedings.

A generic NDA or MSA does not satisfy the requirements of Section 8(2). The DPA must specifically address the nature of processing, categories of data, the processor's security obligations, breach notification timelines, sub-processor controls, and data return or deletion procedures — all within the framework of the DPDP Act, 2023.

What Must a DPDP-Compliant DPA Contain?

A DPA that meets the requirements of the DPDP Act, 2023 must address several core obligations:

Purpose Limitation: The processor may only process data for the specific purposes documented in the agreement and per the fiduciary's written instructions.

Instructions in Writing: Any change in the scope or nature of processing must be documented in writing — verbal instructions are insufficient.

Security Obligations: The processor must maintain technical and organisational safeguards appropriate to the risk, including encryption, access controls, and audit logging.

Sub-processor Controls: The processor must obtain prior written consent before engaging sub-processors and must flow down equivalent obligations to them.

Breach Notification: The processor must notify the fiduciary within 72 hours of discovering a personal data breach, in sufficient detail to enable the fiduciary to meet its own notification obligations.

Data Return or Deletion: On termination, the processor must delete or return all personal data and certify in writing that deletion is complete.

Note that copy-pasting a GDPR-compliant DPA is not sufficient. The DPDP Act has different definitions, thresholds, and requirements — particularly around "digital personal data" scope, the role of Data Principals, and the penalties structure.

DPA vs NDA vs MSA — What's the Difference?

These three agreements serve entirely different purposes and all three may be required in a vendor relationship:

NDA (Non-Disclosure Agreement): Covers confidentiality of business information broadly — trade secrets, pricing, product roadmaps. It does not specifically govern personal data obligations under data protection law.

MSA (Master Services Agreement): Defines the commercial terms of the engagement — scope of services, payment, SLAs, intellectual property, and termination. It is the operational backbone of the vendor relationship.

DPA (Data Processing Agreement): Specifically governs the processor's obligations when handling personal data on your behalf. The DPDP Act mandates this agreement; the other two do not substitute for it.

In practice, the DPA is often executed as an addendum to the MSA, or incorporated by reference. However, it must exist as a distinct, identifiable document that can be produced during a regulatory audit or Board investigation.

Quick Answer

DPDP Data Processing Agreement Generator — DPA Template for India

Unlock the Complete DPA Document

Why the DPDP Act Requires Data Processing Agreements

What Must a DPDP-Compliant DPA Contain?

DPA vs NDA vs MSA — What's the Difference?