A mandatory contract between a Data Fiduciary and Data Processor governing the processing of personal data.
A Data Protection Agreement is a legally binding contract that must exist between every Data Fiduciary and each of its Data Processors. Under DPDPA Section 8(2), the Fiduciary must ensure that a processor handles personal data only under a valid contract with appropriate safeguards. The DPA must specify: the nature and purpose of processing, the obligations of the processor, security requirements, sub-processing restrictions, audit rights, data return or deletion on termination, and breach notification obligations.
Without a signed DPA, every piece of data you share with a vendor or service provider is an unauthorised disclosure under DPDPA. This is one of the most common compliance gaps for Indian startups relying on multiple SaaS vendors.
A Delhi e-commerce company using Freshdesk for support, Razorpay for payments, and AWS for hosting needs three separate DPAs. Each must specify what data the processor receives, what they can do with it, security requirements, and breach notification timelines.
A vendor's standard Terms of Service is NOT a DPA. You need a specific data processing agreement with DPDPA-required clauses, even if the vendor is a large multinational.