DPDP Tools · Free

DPDP Data Processing Agreement Generator

Generate a signature-ready DPA for any vendor in 3 minutes. Covers every Rule 6(f) mandatory item — data categories, purpose, security mandate, breach SLA under 48 hours, erasure-on-instruction, sub-processor approval and audit rights.

Generated DPA · live preview

DATA PROCESSING AGREEMENT
This Data Processing Agreement ("DPA") is made and entered into on 2026-06-20 between:

(1) [Fiduciary Name], having its registered office at [address] (the "Data Fiduciary"); and
(2) [Processor Name], having its registered office at [address] (the "Data Processor").

Together referred to as the "Parties".

This DPA is executed under Section 8(2) of the Digital Personal Data Protection Act, 2023 ("DPDP Act") and Rule 6(f) of the DPDP Rules, 2025 ("Rules").

1. DEFINITIONS
All capitalised terms used in this DPA have the meaning assigned to them in the DPDP Act and Rules.

2. SCOPE & PURPOSE (Rule 6(f))
The Data Processor shall process personal data only on documented instructions from the Data Fiduciary and only for the following purpose:
Hosting and processing customer data to deliver the contracted Service to the Data Fiduciary's end-users.

3. CATEGORIES OF PERSONAL DATA (Rule 6(f))
The Data Processor will process the following categories of personal data:
Identity (name, email, phone), Usage data (pages viewed, sessions), Device data (IP, browser, OS)

4. TERM
This DPA is effective from 2026-06-20 and remains in force for 3 year(s), or until the underlying services agreement terminates (whichever is earlier).

5. PROHIBITION ON REPURPOSING (Rule 6(f))
The Data Processor shall NOT process personal data for any purpose other than that set out in Clause 2. The Data Processor shall not use the personal data for its own marketing, analytics or product development without the Data Fiduciary's prior written consent.

6. SECURITY SAFEGUARDS (Rule 6(a)-(g))
The Data Processor shall implement and maintain reasonable security safeguards equivalent to those required of a Data Fiduciary under Rule 6 of the DPDP Rules 2025, including:
  a) Encryption of personal data at rest (AES-256 or equivalent) and in transit (TLS 1.2 or above).
  b) Access controls based on need-to-know and need-to-use, with multi-factor authentication for privileged access.
  c) Continuous monitoring, anomaly detection and audit logging across all systems holding personal data.
  d) An Incident Response Plan tested at least annually.
  e) Periodic vulnerability assessment and penetration testing (at least annually).
  f) Documented information security policies and recurring staff training.

7. BREACH NOTIFICATION (Rule 7)
The Data Processor shall notify the Data Fiduciary of any personal data breach without undue delay, and in any case within 48 hours of becoming aware of the breach. Notification shall include the nature of the breach, categories and approximate number of Data Principals affected, likely consequences, measures taken or proposed, and Data Processor's contact details.

8. SUB-PROCESSORS (Rule 6(f))
The Data Processor may engage sub-processors only with the Data Fiduciary's prior written approval. The Data Processor shall maintain a current list of approved sub-processors and notify the Data Fiduciary at least 30 days before adding or changing a sub-processor. The Data Processor shall flow down equivalent obligations to every sub-processor.

9. CROSS-BORDER TRANSFERS (Section 16)
The Data Processor may transfer personal data outside India only to destinations not on the Central Government negative list under Section 16. The Data Processor shall promptly cease any transfer to a country added to the negative list within the transition window notified by the Central Government.

10. AUDIT RIGHTS
The Data Fiduciary may audit the Data Processor's compliance with this DPA once per calendar year, on at least 30 days' notice. The Data Processor shall make available all records, security certifications (ISO 27001, SOC 2 Type II or equivalent), and policies necessary to evidence compliance.

11. DATA PRINCIPAL RIGHTS
The Data Processor shall assist the Data Fiduciary in responding to Data Principal requests for access, correction, erasure and nomination under Sections 11-14 of the DPDP Act, including by providing the necessary technical and organisational measures within five (5) business days of receiving the request from the Data Fiduciary.

12. ERASURE ON INSTRUCTION & TERMINATION (Rule 6(f))
On the Data Fiduciary's written instruction, the Data Processor shall erase or return all personal data (and all copies, including backups, within the next backup cycle) within thirty (30) days. On termination of the underlying services agreement, the Data Processor shall erase all personal data within ninety (90) days and provide written confirmation of erasure.

13. PROCESSING LOG RETENTION (Rule 8(3) & Seventh Schedule)
The Data Processor shall retain processing logs and associated traffic data for at least twelve (12) months from creation and shall make them available to the Data Fiduciary or the Data Protection Board on request.

14. LIABILITY & INDEMNITY
The Data Processor shall indemnify the Data Fiduciary against any penalty, fine or compensation imposed under the DPDP Act to the extent caused by the Data Processor's breach of this DPA, subject to the limits in the underlying services agreement.

15. GOVERNING LAW & JURISDICTION
This DPA is governed by the laws of India. Subject to mandatory dispute resolution under the DPDP Act, the courts at the Data Fiduciary's principal place of business have exclusive jurisdiction.

16. ENTIRE AGREEMENT
This DPA supplements the underlying services agreement between the Parties. In case of conflict between this DPA and the services agreement on any matter relating to personal data, this DPA prevails.

SIGNED on the date first written above:

For [Fiduciary Name]                                For [Processor Name]

____________________________            ____________________________
Name:                                   Name:
Title:                                  Title:
Date:                                   Date:

Template only. Have your counsel review before signing.

Why this matters

DPA absence is the cheapest violation to find — and the most expensive to fix in court

Direct Section 8(2) exposure

Sharing personal data with a processor without a DPA is processing without lawful basis — immediate ₹50 cr cap exposure under Schedule 1, and joint liability when the processor breaches.

DPAs flow down to sub-processors

Rule 6(f) requires equivalent obligations on every sub-processor your vendor uses. The DPA template below includes the sub-processor approval clause that makes this enforceable.

Common questions

FAQ

What is a DPA?

A Data Processing Agreement is a contract between a Data Fiduciary (you) and a Data Processor (your vendor). Section 8(2) of the DPDP Act and Rule 6(f) require one before processing personal data through any vendor.

Is this DPA enforceable?

Yes — the output is a standard contractual template covering all Rule 6(f) mandatory items. Both parties must sign it. Have your counsel review before signing if the vendor relationship is high-value or high-risk.

Which vendors need a DPA?

Every vendor that processes personal data on your behalf — cloud (AWS / GCP / Azure), email (SES, SendGrid), CRM (HubSpot, Zoho), analytics (GA4, Mixpanel), payment (Razorpay, Stripe), KYC providers, courier and SMS vendors. If they touch any data about your users, they need a DPA.

What if a vendor refuses to sign?

Most major vendors publish their own DPA — sign theirs (verify it covers Rule 6(f)). For vendors that refuse and have no published DPA, you have an immediate Section 8 exposure — move to a vendor that will sign one.

Next steps

DPDP Data Processing Agreement Generator

DPA absence is the cheapest violation to find — and the most expensive to fix in court

Direct Section 8(2) exposure

DPAs flow down to sub-processors

FAQ

Use this with our other DPDP tools

Prerequisites Checklist →

Privacy Notice →

Gap Analysis →