Vendor Risk Management Under DPDP Act: Complete Third-Party Compliance Guide
By Arpit Garg | DPDP | 2025-04-02
How to manage third-party data privacy risk under DPDP Act. Covers vendor assessment frameworks, Data Processing Agreement essentials, ongoing monitoring, and real contract clause templates. Based on 100+ vendor assessments we have conducted.
## TL;DR Summary

Your vendors are your compliance liability. Under the DPDP Act, you remain responsible for how third parties process your customers' data. We've assessed 100+ vendors for clients and share our framework: tiered vendor classification, assessment questionnaires, DPA must-haves, and ongoing monitoring approaches. Budget ₹2-10 lakhs for initial vendor program setup.

---

## About the Author

**Arpit Garg**
*Founder & Chief Privacy Officer, Complynz*

Arpit has conducted 100+ vendor privacy assessments across cloud providers, SaaS platforms, marketing tools, and payment processors. His vendor assessment framework is used by multiple organizations as their standard evaluation methodology. Connect on [LinkedIn](https://linkedin.com/in/arpitgarg).

*This guide reflects our vendor assessment experience. AI assisted with structure; all frameworks and examples are from real engagements.*

---

## Why Vendor Risk Is Your Problem

### The DPDP Act Reality

Under the DPDP Act, you (the Data Fiduciary) are responsible for ensuring that any Data Processor (vendor) you engage handles personal data appropriately.

**Key Implication:** If your cloud provider is breached, if your marketing tool misuses data, if your payment processor fails security—you face the regulatory consequences.

### The Statistics Are Alarming

| Finding | Source |
|---------|--------|
| 60% of breaches involve third parties | Verizon DBIR 2024 |
| Average company shares data with 583 vendors | Ponemon Institute |
| Only 34% of companies assess vendor privacy | IAPP Survey 2024 |

---

## Our Vendor Risk Framework

### Step 1: Vendor Inventory

Before you can assess risk, know who processes your data.
**Vendor Inventory Template:**

| Vendor | Service | Data Processed | Data Volume | Location | Contract Status |
|--------|---------|----------------|-------------|----------|-----------------|
| AWS | Cloud hosting | All customer data | 500K records | Mumbai | Active, DPA signed |
| Mailchimp | Email marketing | Email, name | 100K records | US | Active, DPA pending |
| Razorpay | Payments | Payment data | 200K transactions | India | Active, DPA signed |

**Common Vendor Categories:**

| Category | Examples |
|----------|----------|
| Cloud Infrastructure | AWS, Azure, GCP |
| CRM & Sales | Salesforce, Zoho, HubSpot |
| Marketing | Mailchimp, Clevertap, WebEngage |
| Payments | Razorpay, PayU, Paytm |
| Analytics | Google Analytics, Mixpanel |
| HR & Payroll | Darwinbox, GreytHR |
| Customer Support | Freshdesk, Zendesk |
| Communication | Twilio, Exotel |

---

### Step 2: Vendor Classification

Not all vendors need the same level of scrutiny. We use a tiered approach:

**Tier 1: Critical Risk**

- Processes large volumes of personal data (>50,000 records)
- Handles sensitive data (financial, health, children)
- Has direct customer-facing presence
- Single point of failure for operations

**Assessment:** Full due diligence, annual reassessment, stringent DPA

**Tier 2: Moderate Risk**

- Processes moderate volumes of personal data (1,000-50,000 records)
- Standard personal data (contact, behavioral)
- Supports operations but is not critical to them

**Assessment:** Standard questionnaire, biennial reassessment, standard DPA

**Tier 3: Low Risk**

- Minimal personal data (<1,000 records)
- No sensitive data
- Easily replaceable

**Assessment:** Basic screening, contract review, simplified DPA

---

### Step 3: Vendor Assessment

**Our Assessment Questionnaire (Tier 1 Vendors):**

**Section A: General Information**

1. Legal entity name and registration
2. Primary contact for data protection
3. Certifications held (ISO 27001, SOC 2, etc.)

**Section B: Data Processing**

4. What personal data will you process?
5. For what purposes?
6. Where is data stored (geography)?
7. How long is data retained?
8. Who has access to the data?

**Section C: Security Controls**

9. Encryption at rest and in transit?
10. Access control mechanisms?
11. Security monitoring and logging?
12. Incident detection capabilities?
13. Last penetration test date and findings?

**Section D: Compliance**

14. Do you have a privacy program?
15. Who is your DPO/privacy lead?
16. Have you had any data breaches in the last 3 years?
17. Are you certified to any privacy standards?

**Section E: Subprocessors**

18. Do you use subprocessors?
19. List all subprocessors with data access
20. How do you assess subprocessor compliance?

**Scoring Methodology:**

| Score | Classification | Action |
|-------|----------------|--------|
| 80-100% | Low Risk | Approve with standard DPA |
| 60-79% | Medium Risk | Approve with enhanced controls |
| 40-59% | High Risk | Approve with mitigations or reject |
| <40% | Unacceptable | Do not engage |

---

### Step 4: Data Processing Agreement (DPA)

Every vendor processing personal data needs a DPA. Here are the essential clauses:

**Essential DPA Clauses:**

**1. Scope of Processing**

```
Processor shall process personal data only for the purposes specified in Schedule A and only in accordance with Controller's documented i