Data Processing Agreement (India)

DATA PROCESSING AGREEMENT

Information Technology Act 2000 | SPDI Rules 2011 | Digital Personal Data Protection Act 2023

This Data Processing Agreement ("DPA") is entered into on [Agreement Date] between:

(1) [Fiduciary Name], having its registered address at [Fiduciary Address] ("Data Fiduciary"); and

(2) [Processor Name], having its registered address at [Processor Address] ("Data Processor").

1. SUBJECT MATTER AND DURATION

1.1 The Data Processor shall process personal data on behalf of the Data Fiduciary for the following purpose: [Processing Purpose].

1.2 Categories of personal data: [Data Categories].

1.3 Categories of data principals: [Data Principals].

1.4 Duration of processing: [Processing Duration].

2. PROCESSOR OBLIGATIONS

2.1 The Data Processor shall process personal data only on the documented instructions of the Data Fiduciary and shall not process personal data for any other purpose.

2.2 The Data Processor shall implement [Security Standard] and ensure appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access, as required by Rule 8 of the SPDI Rules 2011.

2.3 The Data Processor shall ensure that all personnel processing personal data are bound by confidentiality obligations.

2.4 The Data Processor shall assist the Data Fiduciary in responding to requests from data principals to exercise their rights under applicable data protection law, including the DPDPA 2023.

3. SUB-PROCESSORS

3.1 The Data Processor shall not engage any sub-processor to process personal data without [Sub-Processor Approval] from the Data Fiduciary.

3.2 Where sub-processors are engaged, the Data Processor shall impose data protection obligations on the sub-processor that are equivalent to those in this DPA.

3.3 The Data Processor shall remain fully liable to the Data Fiduciary for the acts and omissions of sub-processors.

4. PERSONAL DATA BREACH NOTIFICATION

4.1 The Data Processor shall notify the Data Fiduciary without undue delay, and in any event within [Breach Notification Hours] of becoming aware of a personal data breach involving data processed under this DPA.

4.2 The notification shall include: the nature of the breach; the categories and approximate number of data principals affected; the likely consequences; and the measures taken or proposed to address the breach.

4.3 The Data Processor shall cooperate fully with the Data Fiduciary and CERT-In in connection with any breach investigation and regulatory reporting obligations.

5. CROSS-BORDER TRANSFERS

5.1 The Data Processor shall not transfer personal data outside India except as permitted under the DPDPA 2023, the IT Act 2000, and the SPDI Rules 2011, and with the prior written consent of the Data Fiduciary.

5.2 Where transfers are permitted, the Data Processor shall ensure the recipient provides an equivalent level of data protection.

6. DELETION AND RETURN

6.1 Upon termination of this DPA or the underlying service agreement, the Data Processor shall, at the Data Fiduciary's election, securely delete or return all personal data and certify in writing that it has done so.

6.2 The Data Processor shall retain an audit trail of deletion for a period of 3 years.

7. GOVERNING LAW

7.1 This DPA is governed by the laws of India. The courts of [Governing State] shall have exclusive jurisdiction over disputes arising under this DPA.

Data Fiduciary (Authorised Signatory)

________________

Signature

Data Processor (Authorised Signatory)

________________

Signature

Maintained by Vladislav Sergienko, Founder.

What Is a Data Processing Agreement (India)?

A Data Processing Agreement in India records the terms on which a Data Processor handles personal data on behalf of a Data Fiduciary, fixing each party's rights, duties and remedies.

The legal framework for data protection in India comprises three overlapping instruments. The Information Technology Act 2000 (IT Act) provides the foundational digital law framework and Section 43A imposes a duty on body corporates handling sensitive personal data to implement reasonable security practices. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) specify what constitutes sensitive personal data — passwords, financial information, physical and mental health data, sexual orientation, medical records, and biometric data — and require the implementation of ISO/IEC 27001 or equivalent security standards.

The Digital Personal Data Protection Act 2023 (DPDPA), which received Presidential assent on 11 August 2023, is India's primary personal data protection legislation. It introduces the concepts of 'Data Fiduciary' (equivalent to the GDPR's data controller) and 'Data Processor' (equivalent to the GDPR's data processor), and imposes obligations on both. Section 8(1) of the DPDPA requires Data Fiduciaries to process personal data only for lawful purposes with the consent of data principals or under specified legitimate uses. Section 8(2) requires Data Fiduciaries to confirm that Data Processors they engage also comply with the DPDPA's provisions. The DPDPA Rules are expected to be notified by the Data Protection Board of India.

CERT-In (Computer Emergency Response Team — India) Directions issued in April 2022 under Section 70B of the IT Act 2000 require organisations to report cybersecurity incidents (including personal data breaches) to CERT-In within 6 hours of detection. This is a significantly shorter reporting window than the GDPR's 72-hour requirement and must be reflected in DPA breach notification clauses.

Forms-legal.com provides this India Data Processing Agreement as a starting point — always review with a qualified data protection counsel as the DPDPA Rules are notified and come into full force.

The Digital Personal Data Protection Act 2023 (DPDPA 2023) received Presidential assent on August 11, 2023 and replaced the previous framework under the Information Technology (Amendment) Act 2008 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules 2011). The DPDPA 2023 introduces the concepts of Data Fiduciary (the entity that determines the purpose and means of processing) and Data Processor (the entity that processes data on behalf of the Data Fiduciary) — equivalent to the controller/processor distinction under GDPR. Section 8(2) of the DPDPA 2023 requires that the Data Fiduciary enter into a valid contract with the Data Processor before entrusting any personal data processing.

The Data Protection Board of India (DPBI), established under Section 18 of the DPDPA 2023, is the adjudicatory body for data protection complaints and enforcement actions. Penalties under Schedule 1 of DPDPA 2023 can reach up to Rs 250 crore for breach of processing obligations. The Ministry of Electronics and Information Technology (MeitY) is the nodal ministry and is responsible for notifying the Rules under DPDPA 2023. As of 2024, draft Rules had been published for consultation — the final Rules will prescribe specifics of consent mechanisms, security safeguards, data retention periods, and cross-border data transfer conditions.

The CERT-In (Indian Computer Emergency Response Team) Directions issued on April 28, 2022 under Section 70B of the Information Technology Act 2000 require all entities to report cybersecurity incidents — including personal data breaches — to CERT-In within 6 hours of detection. Data Processors who suffer a breach involving their client's data must notify the Data Fiduciary immediately to enable the Fiduciary to comply with the CERT-In 6-hour reporting requirement and the breach notification obligations to the Data Protection Board under Section 8(6) of the DPDPA 2023.

The Reserve Bank of India (RBI) has issued guidelines on outsourcing of IT and IT-enabled services (Master Direction on IT Governance, Risk, Controls and Assurance Practices 2023) that apply to regulated entities including banks, NBFCs, and payment system operators, imposing additional contractual requirements beyond the DPDPA 2023 when personal financial data is processed by third parties. The Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) have also issued sector-specific cloud and outsourcing frameworks that DPAs must reflect.

When Do You Need a Data Processing Agreement (India)?

A Data Processing Agreement is needed in India whenever a Data Fiduciary engages a third-party service provider — a Data Processor — that will access, process, store, or transmit personal data on the Data Fiduciary's behalf. Common scenarios include: engaging a cloud service provider (AWS, Azure, Google Cloud) to host systems containing customer data; using a payroll processing company that handles employee PAN details, bank account numbers, and salary information; deploying a CRM platform that stores customer contact and transaction data; engaging an IT support company with remote access to systems containing personal data; or using a marketing analytics firm that processes customer behavioural data.

A DPA is particularly critical where the personal data includes sensitive personal data as defined under the SPDI Rules 2011 — financial information, health data, biometrics, or passwords. The SPDI Rules impose civil liability under Section 43A of the IT Act 2000 on body corporates that fail to protect sensitive personal data, and a written DPA is the primary mechanism for allocating that liability between the Data Fiduciary and the Data Processor.

For companies subject to RBI guidelines — such as banks, NBFCs, and payment system operators — the Reserve Bank of India has issued specific guidelines on outsourcing of IT services and data localisation. RBI Master Direction on IT Governance (2021) and the RBI's outsourcing guidelines require that data processing arrangements be governed by written agreements with specified security and audit provisions.

For SEBI-registered entities — brokers, investment advisers, portfolio managers, and asset management companies — SEBI Circular SEBI/HO/MIRSD/SECFATF/P/CIR/2021/643 requires that KYC data and client information handled by third-party service providers be covered by appropriate data processing agreements.

A Data Processing Agreement is also needed under the CERT-In Directions 2022 whenever a service provider (cloud provider, SaaS vendor, managed service provider) processes data on behalf of a Reporting Entity — as both parties need contractual arrangements that allocate responsibility for the mandatory 6-hour breach reporting obligation under Section 70B of the Information Technology Act 2000. Failure to report within 6 hours attracts penalties for the Reporting Entity.

For entities subject to RBI Master Directions on outsourcing (including banks regulated under the Banking Regulation Act 1949, NBFCs regulated under the Reserve Bank of India Act 1934, and Payment Aggregators regulated under the Payment and Settlement Systems Act 2007), the DPA must address: the right of the Data Fiduciary and RBI to conduct audits of the Data Processor; restrictions on sub-processing to foreign entities; data localisation requirements; and business continuity obligations. The National Payments Corporation of India (NPCI), operating the UPI, IMPS, and NACH systems, imposes additional contractual requirements on Payment Service Providers that process payment data through NPCI infrastructure.

What to Include in Your Data Processing Agreement (India)

A thorough India Data Processing Agreement must include the following provisions to satisfy the requirements of the IT Act 2000, SPDI Rules 2011, and the Digital Personal Data Protection Act 2023.

Party identification: Full legal names, addresses, and registration details of the Data Fiduciary and the Data Processor. Specify the nature of each party's business and the context in which personal data will be shared.

Subject matter, nature, and purpose of processing: Describe precisely what personal data will be processed, for what purpose, and by what means. Vague descriptions such as 'processing for business purposes' are insufficient — specify the exact processing activities (storage, analysis, profiling, transmission, etc.).

Categories of personal data: List the categories of personal data covered — names, email addresses, phone numbers, financial account details, health information, biometrics, government IDs (Aadhaar, PAN), or other data. Identify whether any sensitive personal data under the SPDI Rules 2011 is included.

Data principal categories: The categories of individuals whose data is being processed — customers, employees, website visitors, patients, etc.

Processing instructions: The processor must process personal data only on the documented instructions of the Data Fiduciary and must not process it for any other purpose. This is consistent with Section 8(2) of the DPDPA 2023.

Security measures: The processor must implement ISO/IEC 27001-aligned technical and organisational security measures including encryption, access controls, logging, vulnerability management, and physical security. This satisfies the 'reasonable security practices' requirement of Section 43A of the IT Act 2000 and the SPDI Rules 2011.

Sub-processor controls: The processor must not engage sub-processors without prior written approval of the Data Fiduciary. Approved sub-processors must be bound by equivalent obligations. A schedule of approved sub-processors should be annexed.

Data principal rights: The processor must assist the Data Fiduciary in responding to data principal requests — right of access, correction, and grievance redressal under the DPDPA 2023.

Personal data breach notification: The processor must notify the Data Fiduciary immediately upon becoming aware of a personal data breach. The Data Fiduciary must notify CERT-In within 6 hours of detection under the CERT-In Directions of April 2022. The DPA should specify that the processor provides all information needed for the Data Fiduciary to make this notification.

Data localisation: For regulated sectors (payments, financial services), RBI and SEBI require that certain data be stored in India. The DPA should address cross-border data transfer restrictions under the DPDPA 2023 once notified.

Data deletion or return: On termination, the processor must delete or return all personal data and certify destruction.

Audit rights: The Data Fiduciary's right to audit the processor's compliance, either directly or through a qualified third-party auditor.

DPDPA 2023 compliance clauses: Specific reference to Section 8(2) (requirement for a valid contract), Section 8(5) (prohibition on retaining data beyond the purpose for which it was shared), and Section 8(6) (obligation to notify the Data Fiduciary of any personal data breach). Processor's obligation to assist the Data Fiduciary in responding to Data Principals' exercise of rights under Section 13 (right to information), Section 14 (right to correction and erasure), and Section 16 (right to grievance redressal). Processor's obligation to delete personal data on termination of the DPA (Section 8(7)).

CERT-In incident reporting: Processor's obligation to report any cybersecurity incident or personal data breach to the Data Fiduciary within 2 hours of detection (to enable the Fiduciary's 6-hour reporting to CERT-In under the IT Act 2000 Directions). Processor must maintain logs of all relevant cybersecurity events for 180 days as required by CERT-In Directions 2022.

Sector-specific regulatory schedule: Where the Data Fiduciary is an entity regulated by RBI (under Banking Regulation Act 1949 or RBI Act 1934), SEBI (under SEBI Act 1992), IRDAI (under Insurance Regulatory and Development Authority Act 1999), or TRAI (under Telecom Regulatory Authority of India Act 1997), the DPA should include a schedule incorporating the sector regulator's specific outsourcing and data governance requirements by reference.

Sub-processor controls: Processor may not engage sub-processors without the Data Fiduciary's prior written consent. The Processor remains liable for the acts and omissions of its sub-processors. Any sub-processing contract must impose equivalent obligations on the sub-processor as those in this DPA.

Data return/deletion: Upon termination or expiry, the Processor must return all personal data to the Data Fiduciary in a portable format and securely delete all copies. The Processor must provide a Certificate of Deletion signed by its Data Protection Officer (DPO) or equivalent officer within 30 days of return/deletion.


Based on Digital Personal Data Protection Act, 2023. Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.