The DPDP Audit Tool
Compliance for Vendor DPA Checklist

Vendor DPA Checklist
Liability Check


Your third-party vendors are processing personal data, and under DPDP, their non-compliance is your liability. No DPDP-compliant Data Processing Agreement (DPA) means you're on the hook for their mistakes.

Why Vendor DPAs Are a Risk Area

Under the DPDP Act, when an external vendor (a 'Data Processor') handles personal data on your behalf (as the 'Data Fiduciary'), **you remain accountable for their actions**. This means if your cloud CRM provider (like Zoho or Salesforce India) or your payroll processor has a data breach, the **penalties up to ₹250 Crore fall directly on you**. A robust Data Processing Agreement (DPA) isn't just a legal formality; it's your primary shield. It defines roles, responsibilities, security measures, audit rights, and liability, ensuring that vendors comply with DPDP standards, thereby significantly reducing your **financial and reputational risk**.

Common Violations

1. Operating with critical vendors (e.g., HR platforms, marketing CRMs, cloud hosts) without a formal, DPDP-compliant Data Processing Agreement (DPA).
2. Assuming standard 'Terms of Service' or 'Service Level Agreements' adequately cover DPDP responsibilities and data protection clauses.
3. Not periodically auditing or reviewing your vendors' security practices, especially those handling sensitive personal data like employee salary details or customer KYC documents.

The Immediate Fix

Immediately identify all third-party vendors and service providers who process personal data on your behalf. Prioritise those handling sensitive personal data (e.g., financial, health, biometric). Initiate a DPA review or negotiation process with each, ensuring the agreement explicitly addresses DPDP compliance, including data security, breach notification, and data retention policies.


Projected Compliance Deadline: Immediate