## TL;DR Summary

Your vendors are your compliance liability. Under the DPDP Act, you remain responsible for how third parties process your customers' data. We've assessed 100+ vendors for clients and share our framework: tiered vendor classification, assessment questionnaires, DPA must-haves, and ongoing monitoring approaches. Budget ₹2-10 lakhs for initial vendor program setup.

---

## About the Author

**Arpit Garg**

*Founder & Chief Privacy Officer, Complynz*

Arpit has conducted 100+ vendor privacy assessments across cloud providers, SaaS platforms, marketing tools, and payment processors. His vendor assessment framework is used by multiple organizations as their standard evaluation methodology. Connect on [LinkedIn](https://linkedin.com/in/arpitgarg).

*This guide reflects our vendor assessment experience. AI assisted with structure; all frameworks and examples are from real engagements.*

---

## Why Vendor Risk Is Your Problem

### The DPDP Act Reality

Under the DPDP Act, you (the Data Fiduciary) are responsible for ensuring that any Data Processor (vendor) you engage handles personal data appropriately. Section 8(1) makes this explicit: the fiduciary remains responsible for processing done on its behalf "irrespective of any agreement to the contrary", and Section 8(2) permits engaging a processor only under a valid contract.

**Key Implication:** If your cloud provider is breached, if your marketing tool misuses data, if your payment processor fails security, you face the regulatory consequences.

### The Statistics Are Alarming

| Finding | Source |
|---------|--------|
| 15% of breaches involved a third party (software supply chain, hosting partners, data custodians), up 68% year over year | Verizon DBIR 2024 |
| The average company shares confidential data with 583 third parties | Opus & Ponemon Institute, 2018 |
| Only 34% of companies assess vendor privacy | IAPP Survey 2024 |

---

## Our Vendor Risk Framework

### Step 1: Vendor Inventory

Before you can assess risk, know who processes your data.
**Vendor Inventory Template:**

| Vendor | Service | Data Processed | Data Volume | Location | Contract Status |
|--------|---------|----------------|-------------|----------|-----------------|
| AWS | Cloud hosting | All customer data | 500K records | Mumbai | Active, DPA signed |
| Mailchimp | Email marketing | Email, name | 100K records | US | Active, DPA pending |
| Razorpay | Payments | Payment data | 200K transactions | India | Active, DPA signed |

**Common Vendor Categories:**

| Category | Examples |
|----------|----------|
| Cloud Infrastructure | AWS, Azure, GCP |
| CRM & Sales | Salesforce, Zoho, HubSpot |
| Marketing | Mailchimp, Clevertap, WebEngage |
| Payments | Razorpay, PayU, Paytm |
| Analytics | Google Analytics, Mixpanel |
| HR & Payroll | Darwinbox, GreytHR |
| Customer Support | Freshdesk, Zendesk |
| Communication | Twilio, Exotel |

---

### Step 2: Vendor Classification

Not all vendors need the same level of scrutiny. We use a tiered approach. A vendor lands in the highest tier for which it meets any one criterion, so a low-volume vendor holding health records is still Tier 1.

**Tier 1: Critical Risk**

- Processes large volumes of personal data (>50,000 records)
- Handles sensitive data (financial, health, children)
- Has direct customer-facing presence
- Single point of failure for operations

**Assessment:** Full due diligence, annual reassessment, stringent DPA

**Tier 2: Moderate Risk**

- Processes moderate personal data (1,000-50,000 records)
- Standard personal data (contact, behavioral)
- Supports but is not critical to operations

**Assessment:** Standard questionnaire, biennial reassessment, standard DPA

**Tier 3: Low Risk**

- Minimal personal data (<1,000 records)
- No sensitive data
- Easily replaceable

**Assessment:** Basic screening, contract review, simplified DPA

---

### Step 3: Vendor Assessment

**Our Assessment Questionnaire (Tier 1 Vendors):**

**Section A: General Information**

1. Legal entity name and registration
2. Primary contact for data protection
3. Certifications and attestations held (ISO 27001 certificate, SOC 2 Type II report, etc.)

**Section B: Data Processing**

4. What personal data will you process?
5. For what purposes?
6. Where is data stored (geography)?
7. How long is data retained?
8. Who has access to the data?

**Section C: Security Controls**

9. Encryption at rest and in transit?
10. Access control mechanisms?
11. Security monitoring and logging?
12. Incident detection capabilities?
13. Last penetration test date and findings?

**Section D: Compliance**

14. Do you have a privacy program?
15. Who is your DPO/privacy lead?
16. Have you had any data breaches in the last 3 years?
17. Are you certified to any privacy standards?

**Section E: Subprocessors**

18. Do you use subprocessors?
19. List all subprocessors with data access
20. How do you assess subprocessor compliance?

Ask for evidence, not just answers: the SOC 2 report, the penetration test summary and the subprocessor list are documents a Tier 1 vendor should be able to attach.

**Scoring Methodology:**

| Score | Classification | Action |
|-------|----------------|--------|
| 80-100% | Low Risk | Approve with standard DPA |
| 60-79% | Medium Risk | Approve with enhanced controls |
| 40-59% | High Risk | Approve with mitigations or reject |
| <40% | Unacceptable | Do not engage |

---

### Step 4: Data Processing Agreement (DPA)

Every vendor processing personal data needs a DPA. Section 8(2) of the DPDP Act permits a Data Fiduciary to engage a Data Processor only under a valid contract, and Section 8(1) keeps the fiduciary responsible for the processor's processing regardless of what that contract says, so the DPA is where your obligations become the vendor's obligations. The clauses below use the Controller/Processor vocabulary that most vendor paper is written in; under the DPDP Act the parties are the Data Fiduciary and the Data Processor, so define both terms in the agreement. Here are the essential clauses:

**Essential DPA Clauses:**

**1. Scope of Processing**

```
Processor shall process personal data only for the purposes specified in Schedule A and only in accordance with Controller's documented instructions.
```

**2. Security Obligations**

```
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
(a) Encryption of personal data at rest and in transit
(b) Role-based access controls
(c) Regular security testing
(d) Security awareness training
```

**3. Subprocessor Requirements**

```
Processor shall not engage any subprocessor without prior written authorization from Controller. Processor shall ensure that any subprocessor is bound by equivalent data protection obligations.
```

**4. Breach Notification**

```
Processor shall notify Controller within 72 hours of becoming aware of any personal data breach. Notification shall include:
(a) Nature of the breach
(b) Categories and approximate number of data subjects affected
(c) Likely consequences
(d) Measures taken or proposed to address the breach
```

Check this window against your own deadline. Under the DPDP Rules, 2025 (Rule 7) the Data Fiduciary must intimate affected Data Principals and the Data Protection Board without delay on becoming aware of a breach, with the detailed report to the Board due within 72 hours. A processor that uses the full 72 hours before telling you consumes your entire window. For Tier 1 vendors, negotiate a shorter initial notice (24 hours is a common ask), with the details in (a)-(d) following as they become known.

**5. Audit Rights**

```
Processor shall make available to Controller all information necessary to demonstrate compliance with this Agreement and allow for and contribute to audits conducted by Controller or Controller's designated auditor.
```

**6. Data Return/Deletion**

```
Upon termination of the Agreement, Processor shall, at Controller's choice, return all personal data to Controller or securely delete all personal data and certify such deletion.
```

**7. Cross-Border Transfers**

```
Processor shall not transfer personal data to any country or territory outside India that the Central Government has, by notification under the DPDP Act, restricted for such transfers, and shall comply with any conditions so notified. Processor shall disclose to Controller every country in which personal data is stored or processed and shall give Controller prior written notice before adding a new location.
```

Note the direction of the rule. Section 16 of the DPDP Act does not whitelist "adequate" jurisdictions; it lets the Central Government restrict transfers to notified countries, and transfers elsewhere are permitted by the Act itself. Section 16(2) preserves any stricter Indian law, so sector rules such as the RBI requirement that payment system data be stored in India still bind you and your payment vendors.

---

### Step 5: Ongoing Monitoring

Assessment isn't one-time. Vendors change, risks evolve.

**Monitoring Activities:**

| Activity | Frequency | Responsibility |
|----------|-----------|----------------|
| Certification status check | Quarterly | Procurement |
| Security news monitoring | Continuous | IT Security |
| Breach notification review | As received | DPO |
| Subprocessor change review | As notified | DPO |
| Full reassessment (Tier 1) | Annual | DPO |
| Full reassessment (Tier 2) | Biennial | DPO |

---

## Handling Existing Vendor Relationships

Most organizations have vendors already engaged without proper DPAs.
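Before the remediation phases start, the inventory from Step 1 can be triaged mechanically. The script below is an added example, not the Complynz template or any vendor's tooling: it applies the Step 2 tier criteria, the Step 3 scoring bands and the "Tier 1 first, largest exposure first" ordering to a vendor register and returns the DPA gaps in the order to work them. The 0/1/2 answer scale, scoring only Sections C-E, the field names and the sample vendors (including the hypothetical "ClinicCal") are assumptions constructed for illustration.

```python
"""Vendor risk register triage for an existing inventory.

Added example (not the Complynz template or any vendor's code). Tier criteria,
scoring bands and prioritisation follow this page; the 0/1/2 answer scale,
scoring only Sections C-E, the field names and all sample vendors are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Data categories the page treats as sensitive (Tier 1 trigger regardless of volume).
SENSITIVE = {"financial", "health", "children"}

# Scored questionnaire items: Section C (9-13), D (14-17), E (18-20) from Step 3.
# Sections A-B are informational and not scored (assumption). Each answer is
# 0 = absent/no, 1 = partial, 2 = fully evidenced (assumed scale).
SCORED_QUESTIONS = tuple(f"q{n}" for n in range(9, 21))

# Step 3 scoring bands as (minimum percent, classification, action).
BANDS = (
    (80, "Low Risk", "Approve with standard DPA"),
    (60, "Medium Risk", "Approve with enhanced controls"),
    (40, "High Risk", "Approve with mitigations or reject"),
    (0, "Unacceptable", "Do not engage"),
)


@dataclass
class Vendor:
    name: str
    service: str
    data_categories: List[str]        # e.g. ["email", "name"]
    records: int                      # personal-data records processed
    location: str                     # storage geography
    dpa_signed: bool
    customer_facing: bool = False
    single_point_of_failure: bool = False
    answers: Dict[str, int] = field(default_factory=dict)


def classify_tier(v: Vendor) -> int:
    """Step 2 tiering. Any single Tier 1 criterion is enough: a small vendor
    holding health data is still Tier 1."""
    if (v.records > 50_000
            or SENSITIVE & set(v.data_categories)
            or v.customer_facing
            or v.single_point_of_failure):
        return 1
    if v.records >= 1_000:
        return 2
    return 3


def score_questionnaire(v: Vendor) -> Tuple[float, str, str]:
    """Step 3 scoring. Returns (percent, classification, action).
    Unanswered questions count as 0, so silence never improves a band;
    answers outside 0..2 are clamped."""
    earned = sum(min(max(v.answers.get(q, 0), 0), 2) for q in SCORED_QUESTIONS)
    pct = 100.0 * earned / (2 * len(SCORED_QUESTIONS))
    label, action = next((lbl, act) for floor, lbl, act in BANDS if pct >= floor)
    return pct, label, action


def remediation_queue(inventory: List[Vendor]) -> List[str]:
    """Order DPA gaps: Tier 1 before Tier 2 before Tier 3, then largest exposure."""
    gaps = [v for v in inventory if not v.dpa_signed]
    gaps.sort(key=lambda v: (classify_tier(v), -v.records))
    return [v.name for v in gaps]


def triage(inventory: List[Vendor]) -> List[dict]:
    """One register row per vendor, ready for the approve/remediate/replace decision."""
    rows = []
    for v in inventory:
        pct, label, action = score_questionnaire(v)
        rows.append({
            "vendor": v.name, "tier": classify_tier(v), "records": v.records,
            "location": v.location, "dpa_signed": v.dpa_signed,
            "score_pct": round(pct, 1), "risk": label, "action": action,
        })
    return rows


# Constructed sample inventory: figures are illustrative, "ClinicCal" is hypothetical.
INVENTORY = [
    Vendor("AWS", "Cloud hosting", ["all customer data"], 500_000, "Mumbai", True,
           single_point_of_failure=True, answers={q: 2 for q in SCORED_QUESTIONS}),
    Vendor("Mailchimp", "Email marketing", ["email", "name"], 100_000, "US", False,
           answers={"q9": 2, "q10": 2, "q11": 2, "q12": 1, "q13": 1, "q14": 2,
                    "q15": 2, "q16": 2, "q17": 1, "q18": 2, "q19": 1, "q20": 0}),
    Vendor("Razorpay", "Payments", ["financial"], 200_000, "India", True,
           answers={q: 2 for q in SCORED_QUESTIONS}),
    Vendor("ClinicCal", "Appointment scheduling", ["health", "name"], 800, "US", False,
           answers={"q9": 1, "q10": 1, "q14": 1, "q16": 2, "q18": 2, "q19": 1}),
    Vendor("Freshdesk", "Customer support", ["email", "name", "tickets"], 20_000,
           "India", False, answers={q: 1 for q in SCORED_QUESTIONS}),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
    print("DPA remediation order:", remediation_queue(INVENTORY))
```

Run it as a plain script. Two things the page's own sample inventory makes visible: Mailchimp's 100K records put it in Tier 1 and its DPA is still pending, so it tops the queue; and ClinicCal holds only 800 records, but health data makes it Tier 1 as well, and a 33% questionnaire score lands in the Unacceptable band, which is a replacement decision in Phase 4 rather than a negotiation.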
**Remediation Approach:**

**Phase 1: Inventory (Weeks 1-2)**

- List all vendors with data access
- Classify by tier
- Identify DPA gaps

**Phase 2: Prioritization (Week 3)**

- Start with Tier 1 vendors
- Focus on largest data exposure

**Phase 3: Outreach (Weeks 4-12)**

- Request existing security documentation
- Negotiate DPA addendums
- Document vendor responses

**Phase 4: Decision (Ongoing)**

- Approve vendors meeting standards
- Remediate gaps with willing vendors
- Plan replacement for non-compliant critical vendors

---

## When Vendors Push Back

### Common Objections and Responses

**"We already have a privacy policy"**

Response: A privacy policy is a notice to your own customers. We need a DPA covering your processing of our data on our behalf.

**"We're ISO 27001 certified, that's enough"**

Response: ISO 27001 certifies a security management system, not privacy obligations (ISO 27701 is the privacy extension, and even that is not a contract). We need contractual commitments on data protection, and we still want the certificate and its scope statement as evidence.

**"We can't accept audit rights"**

Response: Under Section 8(1) of the DPDP Act we remain responsible for your processing irrespective of any agreement to the contrary, so we must be able to verify compliance. We can discuss scope: audit frequency, notice periods, and reliance on your independent audit reports in place of on-site audits.

**"Our standard terms already cover this"**

Response: We need to verify. Please highlight the specific clauses addressing breach notification, subprocessors, and data deletion.
---

## Vendor Risk Red Flags

| Red Flag | Risk Level | Action |
|----------|------------|--------|
| Refuses to sign any DPA | Critical | Do not engage |
| No security certifications | High | Require independent assessment |
| Breach history not disclosed in the questionnaire | High | Additional due diligence |
| Opaque subprocessor chain | Medium | Request full disclosure |
| Data stored in non-approved jurisdictions | Medium | Assess transfer mechanisms |
| No dedicated security/privacy function | Medium | Enhanced monitoring |

---

## Budget for Vendor Risk Program

### Initial Setup

| Component | Cost Range |
|-----------|------------|
| Vendor inventory project | ₹50K - 2L |
| Assessment questionnaire development | ₹30K - 1L |
| DPA template development | ₹50K - 2L |
| Top 20 vendor assessments | ₹1L - 3L |
| Monitoring tool (optional) | ₹2L - 8L/year |
| **Total Year 1** | **₹2.3L - 8L (₹4.3L - 16L with the monitoring tool)** |

### Ongoing

| Component | Annual Cost |
|-----------|-------------|
| Vendor reassessments | ₹50K - 2L |
| Contract renewals with DPAs | ₹30K - 1L |
| Monitoring and reporting | ₹50K - 1L |
| **Total Ongoing** | **₹1.3L - 4L** |

---

## Frequently Asked Questions

### Do we need DPAs with every vendor?

Only vendors who process personal data on your behalf. Pure software licenses without data access may not need DPAs.

### What if a vendor is too small to have certifications?

Smaller vendors can still demonstrate appropriate security through questionnaire responses and documentation. Adjust expectations to their scale, not the requirements: a small vendor holding sensitive data is still Tier 1.

### Can we accept vendor-provided DPAs?

Yes, but review them carefully. Many favor the vendor. Negotiate key clauses if needed.

### How do we handle vendors in the US/EU?

The DPDP Act does not work on an adequacy whitelist. Section 16 lets the Central Government restrict transfers to notified countries or territories; transfers anywhere else are permitted by the Act itself, and Section 16(2) preserves any stricter Indian law (for example, the RBI directive that payment system data be stored in India). So a US or EU vendor is not ruled out, but you remain responsible for the processing under Section 8. Keep the contractual safeguards in Clause 7, record where each vendor stores data, and watch for restriction notifications.

### What about open-source tools?

Open-source software you run yourself is not a vendor relationship, since no third party processes your data. A hosted service built on open source is a vendor like any other and still needs assessment.
---

## Conclusion

Your vendors are an extension of your data protection practices. Under the DPDP Act, you can't outsource responsibility, only execution.

**Key Takeaways:**

1. Inventory all vendors with data access
2. Classify by risk tier
3. Assess before engaging (or retroactively for existing vendors)
4. Implement DPAs with essential clauses
5. Monitor continuously

---

## Sources & References

1. Digital Personal Data Protection Act, 2023 - MeitY
2. Digital Personal Data Protection Rules, 2025 - MeitY
3. Verizon Data Breach Investigations Report, 2024
4. Opus & Ponemon Institute, Data Risk in the Third-Party Ecosystem, 2018
5. IAPP Vendor Management Survey, 2024
6. Our internal vendor assessment data (100+ assessments)

---

*Last Updated: February 2026*

*[Contact us for compliance guidance →](/contact)*