Confidential Dispatch
At a glance

This is a free Data Processing Agreement (DPA) template for engaging any vendor that handles personal data on your behalf — the DPDP Act allows a Data Fiduciary to use a processor only under a valid contract, and this is that contract’s data-protection core. It covers the clauses that do the work: instructions-only processing, security safeguards, breach notification to you without delay, sub-processor control, deletion at the end, and help with rights requests. Fill the brackets, attach it to your service agreement, and have it legally reviewed before signature.

Educational resource only. This provides a template for the data-protection clauses of a processor agreement under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice — have the finished agreement reviewed by a lawyer before signature.

The situation

Your payroll runs on a bureau, your data sits with a cloud host, your KYC checks go through a vendor — and under the DPDP Act, their failures with your customers’ data are your liability. The Act’s answer is contractual: a fiduciary may engage a processor only under a valid contract. Most service agreements don’t contain the clauses that make that contract do its protective job; this template is those clauses.

What a DPA is (and why the Act makes it non-optional)

A DPA is the part of your vendor contract that governs personal data — and under the DPDP Act, processing through a vendor without a valid contract is itself the violation. The Act permits a Data Fiduciary to engage, appoint or use a Data Processor only under a valid contract (Section 8), and it keeps the fiduciary answerable for compliance regardless of any agreement — meaning the DPA doesn’t transfer your liability, it gives you the control and recourse that make your own duties dischargeable: knowing what the vendor does, being told fast when things go wrong, and being able to make deletion actually happen. Use this template with every vendor that touches personal data on your behalf: hosting, payroll, analytics, KYC, support tooling, marketing platforms.

The template — copy and fill in

Copy everything below, fill the brackets, and attach it as the data-processing schedule to your main service agreement.

Data Processing Agreement

Between [Your Business Name] (“the Fiduciary”) and [Vendor Name] (“the Processor”), effective [date], forming part of [the main agreement].

1. Scope. The Processor processes the personal data described in Annex A ([data categories]) solely to provide [the services], on the Fiduciary’s documented instructions, and for no other purpose. The Processor acquires no rights in the data.

2. Security. The Processor implements reasonable security safeguards to prevent personal data breach, including [key measures], and ensures persons authorised to process the data are bound by confidentiality.

3. Breach notification. The Processor informs the Fiduciary without delay on becoming aware of any personal data breach affecting the data, providing the information the Fiduciary needs to meet its own notification duties, and cooperates fully in response and remediation.

4. Sub-processors. The Processor engages no sub-processor without the Fiduciary’s [prior written consent / notice-and-objection right], and flows these obligations down to every approved sub-processor. Current sub-processors are listed in Annex B.

5. Location. The data is processed and stored at/in [locations]; any change, including any processing outside India, requires the Fiduciary’s prior written consent.

6. Rights and erasure requests. The Processor assists the Fiduciary in fulfilling Data Principals’ rights — access, correction and erasure — within [assistance timeframe], and erases or corrects data on the Fiduciary’s instruction.

7. End of engagement. On termination or expiry, the Processor [deletes / returns then deletes] all personal data, including copies and backups per its stated backup cycle of [cycle], and confirms completion in writing within [timeframe].

8. Audit and information. The Processor provides information reasonably needed to demonstrate compliance with this agreement, and permits [audits / third-party assessments] on [notice period]'s notice.

Annex A — Data & processing description: [data categories, Data Principals concerned, processing operations] Annex B — Approved sub-processors: [list]

How to fill it in

The brackets are your negotiation points — fill them deliberately, not generously.

  • [data categories] / Annex A
    • What it means: Exactly what personal data the vendor touches — pulled from your processing records, not guessed.
    • Examples: “Customer names, phone numbers, KYC documents”; “employee bank and salary details.”
  • [key measures]
    • What it means: The security baseline you’re actually relying on — name the load-bearing ones rather than “industry standard.”
    • Examples: “Encryption at rest and in transit, role-based access, access logging.”
  • [prior written consent / notice-and-objection right] — sub-processors
    • What it means: Your control level over fourth parties. Prior consent is stronger; notice-and-objection is the common compromise for large vendors.
  • [locations]
    • What it means: Where the data physically sits — the clause that surfaces cross-border processing before it surprises you.
    • Examples: “Cloud region: Mumbai”; “processed in India; support access from [country].”
  • [deletes / returns then deletes] — end of engagement
    • What it means: What happens to the data when the relationship ends — the clause that makes your own retention schedule enforceable one hop out.

What this template doesn’t cover

It’s the data-protection schedule, not the whole contract — and it isn’t legal advice. Commercial terms, service levels, indemnities and liability caps live in your main agreement, and the interplay between those caps and data-breach liability is exactly where a lawyer earns their fee — have the finished agreement reviewed before signature. Note also the direction: this is a fiduciary-side template for engaging processors. If you are the processor, you’ll meet its mirror image from your clients, and the same clauses read as your obligations. And no DPA transfers your accountability — the Act keeps the fiduciary answerable regardless of what the contract says.

FAQ

Do I really need a DPA with every vendor?

With every vendor that processes personal data on your behalf — hosting, payroll, analytics, KYC, support tools. The Act permits processor engagement only under a valid contract, so a data-touching vendor with no contractual data terms is itself a gap.

Does a DPA make the vendor liable instead of me?

No — the fiduciary stays answerable to the Data Protection Board of India regardless. The DPA’s job is control and recourse: fast breach notice, enforceable deletion, audit rights, and a contractual claim against the vendor if their failure caused yours.

What if a big SaaS vendor won’t sign my DPA?

Large vendors typically offer their own standard DPA instead — review it against this template’s checklist: instructions-only processing, breach notice without delay, sub-processor control, location disclosure, deletion at end. Gaps you can’t negotiate are risks you’re choosing to accept.

What’s the single most important clause?

Breach notification “without delay” — your own clock to the Board and affected people starts on awareness, and a vendor who tells you late spends your response time for you. Deletion-at-end runs it close.

Reviewed by Confidential Dispatch Editorial Team
Last updated 18 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →