dpdpact.co.in

This website belongs to KavachOne Solutions Pvt. Ltd., having its corporate office located in Noida, India.
TPRM & TPRA Under DPDP Act India: Third Party Risk Management Guide 2025 | KavachOne
🔗 Vendor Risk Management

TPRM & TPRA Under India's DPDP Act: Complete Guide

Your organisation is only as secure as your weakest vendor. Under India's DPDP Act you remain accountable for personal data processed on your behalf: §8(1) makes the Data Fiduciary responsible for processing done by its Data Processors, irrespective of any agreement to the contrary, and §8(5) extends the duty to take reasonable security safeguards to that processing. Third Party Risk Management (TPRM) and Third Party Risk Assessment (TPRA) are therefore not optional good practice; they are how you discharge a statutory duty.

⚡ VENDOR RISK DASHBOARD (illustrative vendor map for one organisation)
  • ☁️ Cloud Host: Low
  • 💳 Payment: Medium
  • 📧 Email SaaS: Medium
  • 📊 Analytics: High
  • 🏥 Health API: Critical
  • 🤝 CRM: High
  • 📞 Call Centre: Critical
  • 🔐 Auth/IAM: Low
  • 📦 Logistics: Medium
  • 60%+ of breaches linked to third parties
  • 100% Data Fiduciary liability for processor breaches (§8(1))
  • ₹250 crore maximum penalty for failing to take reasonable security safeguards (§8(5)), including for processing done by a processor
  • All processors must be engaged under a valid contract, in practice a DPA (§8(2))
  • Annual TPRA review recommended
Why TPRM Matters

Your Vendors Are Your Biggest Compliance Risk

Under DPDP, your liability does not stop at your own systems. Every vendor, SaaS tool and data processor that touches your customers' personal data is processing it on your behalf, and §8(1) makes you answerable for that processing, legally and financially.

⚖️ Fiduciary Liability Doesn't Transfer
The DPDP Act is explicit: under §8(1) the Data Fiduciary stays responsible for compliance in respect of any processing undertaken on its behalf by a Data Processor, irrespective of any agreement to the contrary. A breach at your processor is, as far as the Data Protection Board is concerned, your breach. Indemnity and liability clauses govern what you can recover from the processor afterwards; they do not move the regulatory liability.
🌐 Modern Businesses Use 100+ Vendors
The average enterprise uses over 100 SaaS applications, many of them processing personal data. Without a systematic TPRM programme, most organisations cannot say which vendors access which data or what protections apply.
🔓 Supply Chain Breaches Are Rising
Third-party breaches account for over 60% of all major data incidents globally. Attackers deliberately target smaller, less secure vendors as a back door into larger, better protected organisations.
📋 A Valid Contract With Every Processor Is Mandatory
DPDP §8(2) allows a Data Fiduciary to engage a Data Processor only under a valid contract. Engaging a processor with no contract at all is a direct breach of that provision, and relying on a vendor's generic Terms of Service, which say nothing about purpose limitation, breach notification, sub-processors or deletion, leaves you with no way to show how you discharge §8(1) and §8(5) for that processor. A Data Processing Agreement (DPA) is the practical form of the contract the Act requires.
🌍 Cross-Border Transfers Need Oversight
Many SaaS vendors store or process data outside India. DPDP §16 lets the Central Government restrict transfers of personal data to notified countries or territories, and sector regulators add residency rules of their own (the RBI's directions on storage of payment system data, for example). Vendor storage location is therefore a compliance question, not just a technical one.
📊 Regulators Expect Vendor Evidence
In the event of a breach or investigation, the Data Protection Board of India will ask for evidence of your vendor due diligence. A well-documented TPRM programme is one of the strongest mitigating factors available.
TPRM vs TPRA

What's the Difference Between TPRM and TPRA?

These two terms are closely related but serve different functions in your vendor privacy compliance programme. Both are essential.

🔗 TPRM: Ongoing Programme
Third Party Risk Management: the continuous, organisation-wide programme that governs all vendor relationships involving personal data
  • Vendor inventory and classification programme
  • DPA lifecycle management (drafting, signing, renewal)
  • Ongoing vendor security monitoring
  • Vendor breach notification and response protocols
  • Annual vendor re-assessment schedule
  • Offboarding and data deletion verification
  • Sub-processor oversight and controls
  • Cross-border transfer governance
πŸ” TPRA Point-in-Time Assessment
Third Party Risk Assessment β€” the structured evaluation of an individual vendor's privacy and security posture at a specific point in time
  • Vendor security questionnaire (DDQ) completion and review
  • ISO 27001, SOC 2, or PCI DSS certification verification
  • Data handling and storage location assessment
  • Sub-processor identification and risk review
  • Breach history and incident response capability review
  • DPA adequacy review against DPDP requirements
  • Risk score calculation and tier assignment
  • Remediation requirements and re-assessment timeline
Vendor Classification

5-Tier Vendor Risk Classification Framework

Not all vendors carry equal risk. KavachOne's TPRM framework classifies every data processor into one of five risk tiers, which drive proportionate assessment, monitoring and DPA requirements. Tier on what the vendor can actually read, not on its product category: a hosting or infrastructure provider that holds personal data in plaintext has the same exposure as a SaaS that holds it, and belongs in Tier 4 only where the data it stores is encrypted with keys it does not control.

Tier | Risk Level | Vendor Characteristics | DPDP Examples | Assessment Frequency | DPA Requirement
Tier 1 | Critical | Processes sensitive PII at scale; core business function; a breach would affect millions | Payment processors, healthcare data platforms, Aadhaar-linked services | TPRA every 6 months + continuous monitoring | Full DPDP DPA + SLAs + audit rights
Tier 2 | High | Access to significant personal data volumes; SaaS holding customer PII; cross-border transfer | CRM platforms, customer analytics, call centre BPOs, cloud infrastructure | Annual TPRA + quarterly reviews | Full DPDP DPA + data location clauses
Tier 3 | Medium | Limited personal data access; supporting business tools; standard commercial SaaS | HR/payroll SaaS, email marketing, logistics APIs, authentication services | Annual TPRA | Standard DPDP DPA required
Tier 4 | Low | Minimal or incidental personal data access; infrastructure-level services; certified providers | CDN providers, India-based cloud hosting, ISO 27001-certified SaaS | Annual review + certification check | Standard DPA + Terms of Service
Tier 5 | Minimal | No meaningful personal data access; publicly available services; anonymised data only | Public APIs, open-source tools, mapping services (anonymised), monitoring SaaS | Annual inventory check | Standard Terms of Service sufficient
TPRA Methodology

KavachOne's 6-Step TPRA Process

A structured, evidence-based Third Party Risk Assessment methodology that produces a vendor risk score, tier assignment and DPA adequacy verdict.

STEP 01 🗺️ Vendor Discovery & Inventory
Identify and document every third party that has access to personal data, using a combination of PII Scanner data flow mapping, IT asset inventory and business unit interviews.
  • All vendors in the ROPA third-party field reviewed
  • PII Scanner data flow map cross-referenced
  • Shadow IT / unapproved SaaS tools identified
  • Sub-processors of each vendor identified
STEP 02 🏷️ Initial Risk Classification
Classify each vendor into one of five risk tiers based on data sensitivity, volume processed, business criticality and geographic data storage location.
  • Data sensitivity assessed (standard vs sensitive PII)
  • Volume of data subjects processed estimated
  • Data storage location confirmed (India vs cross-border)
  • Business criticality and replaceability assessed
STEP 03 📋 Due Diligence Questionnaire (DDQ)
Send a structured privacy and security questionnaire to Tier 1 to 3 vendors, covering security controls, certifications, breach history, sub-processors and DPDP-specific requirements. Verify certifications against the certificate itself (scope, issuing body, expiry), not against the vendor's claim of holding one.
  • ISO 27001 / SOC 2 / PCI DSS certification verified, including scope and expiry
  • Security controls (encryption, access control) confirmed
  • Breach history and incident response reviewed
  • Sub-processor list obtained and reviewed
STEP 04 📑 DPA Adequacy Review
Review existing Data Processing Agreements for DPDP compliance, identifying missing clauses, inadequate breach notification timelines and absent audit rights.
  • DPA exists and has been signed (not just ToS)
  • Processing purpose and scope restrictions present
  • Processor breach notification obligation within 24 hours included (so you can meet your own deadline to the Board)
  • Data deletion / return on termination included
  • Audit rights and inspection clauses present
  • Sub-processor restrictions and consent clauses present
STEP 05 📊 Risk Scoring & Report
Combine DDQ findings, DPA adequacy, certification status and data exposure profile into a final vendor risk score, with specific findings classified by severity and remediation recommendations.
  • Vendor risk score calculated (0 to 100; higher is better)
  • Critical / High / Medium / Low findings documented
  • DPA gaps mapped to specific remediation actions
  • TPRA report issued to vendor and TPRM register updated
STEP 06 🔄 Remediation & Continuous Monitoring
Track vendor remediation of identified findings, monitor for new risks or changes in vendor posture, and trigger re-assessments when material changes occur.
  • Remediation deadlines set per finding severity
  • Vendor re-assessment triggered on material changes
  • Automated monitoring for vendor breach news
  • TPRM register kept current with assessment outcomes
DPA Requirements

9 Essential Clauses in Every DPDP Data Processing Agreement

DPDP §8(2) requires only that a processor be engaged under a valid contract, and §8(1) keeps the Data Fiduciary fully accountable whatever that contract says. The Act does not list clauses; these nine (eight treated as mandatory in KavachOne's framework, one strongly recommended) are what a contract needs before you can actually discharge the §8(1), §8(5), §8(6) and §8(7) obligations through a processor. A gap in any one of them is material regulatory exposure.

Mandatory 🎯 Processing Purpose & Scope Restriction
Processor may only process personal data for the specific, documented purposes instructed by the Data Fiduciary; no secondary use without express written instruction from the Fiduciary.
Example: "Processor shall process personal data solely for the provision of email marketing services as described in Schedule A…"
Mandatory 🔐 Security Safeguards Obligations
Processor must implement and maintain reasonable security safeguards (the §8(5) standard) at least equivalent to those of the Data Fiduciary, including encryption, access controls and vulnerability management.
Example: "Processor shall maintain ISO 27001:2022 certification and implement AES-256 encryption for all personal data at rest and TLS 1.3 in transit…"
Mandatory 🚨 Breach Notification: 24-Hour Obligation
Processor must notify the Data Fiduciary within 24 hours of discovering any personal data breach. The Fiduciary's own duty under §8(6) runs from the moment it becomes aware: the DPDP Rules require an intimation to the Board without delay and full details within 72 hours, which is unworkable if the processor takes days to tell you.
Example: "Processor shall notify Data Fiduciary within 24 hours of becoming aware of any actual or suspected personal data breach…"
Mandatory 🔗 Sub-Processor Restrictions & Consent
Processor may not engage sub-processors without prior written consent, and must bind all sub-processors to equivalent data protection obligations.
Example: "Processor shall not engage any sub-processor without prior written approval. All approved sub-processors are listed in Annex B…"
Mandatory 🗑️ Data Deletion & Return on Termination
Upon termination, the processor must securely delete or return all personal data within a defined timeframe, with documented certification of deletion. This is also how you satisfy §8(7), which obliges the Fiduciary to cause its processor to erase the data the Fiduciary made available to it.
Example: "Within 30 days of termination, Processor shall delete all personal data and provide a signed certificate of destruction…"
Mandatory 🌍 Cross-Border Transfer Restrictions
Clear specification of data storage locations, with a prohibition on transfers to any country or territory restricted by Central Government notification under §16, and on any other transfer outside India without express Data Fiduciary authorisation. Check sector rules as well: for payment data the RBI's localisation directions apply regardless of what the DPA says.
Example: "Processor shall store all personal data within India unless Data Fiduciary provides prior written approval for specific cross-border transfers…"
Mandatory 🔍 Audit Rights & Inspection
Data Fiduciary must have the right to audit the processor's compliance, either directly or via an approved third-party auditor, with reasonable notice provisions.
Example: "Data Fiduciary may conduct or commission an annual audit of Processor's data protection practices with 30 days' written notice…"
Mandatory 👤 Data Principal Rights Assistance
Processor must cooperate with and assist the Data Fiduciary in responding to Data Principal requests under §§11 to 13 (access, correction and erasure, grievance redressal; often called DSARs, a GDPR term) within defined timeframes.
Example: "Processor shall respond to Data Fiduciary's Data Principal requests within 5 business days and provide the relevant personal data in a structured, machine-readable format…"
Recommended 📋 Liability & Indemnification
Clear allocation of liability for breaches caused by the processor's negligence or non-compliance, with indemnification provisions protecting the Data Fiduciary from third-party claims. Indemnity recovers your losses from the processor; it does not shift the §8(1) regulatory liability.
Example: "Processor shall indemnify and hold harmless Data Fiduciary from any losses, claims, or regulatory penalties arising from Processor's breach of this Agreement…"
Risk Scoring

TPRA Risk Scoring: 4 Outcome Levels

Every completed TPRA produces a vendor risk score from 0 to 100, where a higher score means a stronger posture. The score maps to one of four outcome levels that drives re-assessment frequency, DPA requirements and escalation decisions. A Tier 1 vendor is re-assessed at least every 6 months whatever its score.

🔴 Critical (score 0 to 30)
Immediate escalation. Suspend data sharing until critical findings are resolved. Re-assess within 30 days of remediation.
🟠 High Risk (score 31 to 55)
Remediation plan required within 30 days. Enhanced monitoring applied. Escalate to DPO and procurement leadership. Re-assess: 6 months.
🟡 Medium (score 56 to 75)
Remediation plan agreed within 90 days. Standard monitoring maintained. Re-assess: 12 months.
🟢 Low Risk (score 76 to 100)
Vendor approved. Standard monitoring and annual re-assessment. Document approval in TPRM register. Re-assess: 12 to 24 months.
Common Vendor Risks

6 Most Common Third-Party Risk Findings

These are the most frequently identified gaps when Indian organisations conduct their first systematic TPRA programme.

📄 No DPA in Place, Just Terms of Service
The majority of vendor relationships rely on the vendor's standard Terms of Service, which say nothing about purpose limitation, breach notification, sub-processors, deletion or audit and so give you no basis for the §8(1) accountability the Act imposes. This is the most common critical finding.
Mitigation: Execute a DPDP-compliant DPA before any further data sharing
🌍 Data Stored Outside India Without Controls
Many popular SaaS tools store data in the US or Europe by default, with no check against the §16 restricted-country notifications, no sector-specific residency review and no Data Fiduciary approval documented.
Mitigation: Confirm data residency, document the transfer basis, or migrate to India-hosted alternatives
🔔 No 24-Hour Breach Notification Obligation
Standard vendor contracts rarely include specific breach notification timelines. Your §8(6) clock starts when you become aware of the breach, and the DPDP Rules expect an intimation to the Board without delay and full details within 72 hours; a processor that tells you a week later has already consumed that window.
Mitigation: Negotiate a breach notification addendum requiring 24-hour notification, and include it in all future DPAs
🔗 Unknown Sub-Processors
Vendors often use their own sub-processors (cloud infrastructure, support tools, analytics platforms) without disclosing them. This creates an invisible layer of data exposure.
Mitigation: Require a complete sub-processor list in the DPA and notification of sub-processor changes
🔐 No Security Certification or Evidence
Many smaller SaaS vendors and BPOs claim strong security without ISO 27001, SOC 2 or equivalent third-party certification, leaving security controls unverified.
Mitigation: Require ISO 27001 or a SOC 2 Type II report as a contract condition for Tier 1 and 2 vendors, and read the scope statement: a certificate covering only the vendor's corporate IT says nothing about the service that processes your data
🗑️ No Data Deletion Process on Termination
Former vendors frequently retain personal data long after a contract ends, because no deletion obligation or verification process was included in the original agreement.
Mitigation: Include mandatory 30-day deletion with a certificate of destruction in all DPAs going forward
KavachOne TPRM

KavachOne's TPRM Programme β€” What You Get

End-to-end third-party risk management, from vendor discovery to ongoing monitoring, built specifically for India's DPDP Act compliance.

🗺️ Complete Vendor Inventory (Auto-Discovery)
KavachOne's PII Scanner automatically identifies data flows to third parties, creating a complete, ROPA-linked vendor inventory you can maintain and update in real time.
📋 Standardised TPRA Questionnaires (DDQ Management)
KavachOne issues pre-built, DPDP-aligned DDQs to your vendors and manages response tracking, follow-ups and scoring in a single dashboard.
📑 DPDP DPA Templates & Review (DPA Compliant)
KavachOne provides DPDP-compliant DPA templates for all vendor tiers and reviews your existing vendor contracts for compliance gaps, prioritising by vendor risk tier.
📊 Automated Risk Scoring (Auto-Scoring)
DDQ responses are automatically scored against KavachOne's TPRA framework, producing a vendor risk score, tier assignment and prioritised findings report without manual analysis.
🔔 Ongoing Vendor Monitoring (Always-On)
Continuous monitoring of vendor breach news, certification changes and regulatory actions, with automated alerts when a vendor's risk profile changes materially.
🔗 ROPA & ConsentiQo Integration (Platform-Integrated)
TPRM findings automatically update the ROPA third-party section and flag consent mechanisms in ConsentiQo when vendor data flows require new consent purposes.

Build a DPDP-Compliant TPRM Programme with KavachOne

KavachOne's expert TPRM service gives you complete vendor visibility, automated TPRA assessments, DPDP-compliant DPA templates and ongoing monitoring, so your third-party risk never becomes your regulatory liability.

FAQs

Common Questions About TPRM & TPRA Under DPDP

Does the DPDP Act explicitly require a TPRM programme?
Not by that name. What it does is (a) permit a Data Fiduciary to engage a Data Processor only under a valid contract (§8(2)), (b) keep the Fiduciary responsible for processing done on its behalf, irrespective of any agreement to the contrary (§8(1)), and (c) extend the reasonable-security-safeguards duty to that processing (§8(5)). Together these create a legal obligation to know, assess and manage your processors. A formal TPRM programme is the only practical way to meet those obligations at scale across many vendors.
Is a standard vendor Terms of Service sufficient as a DPA under DPDP?
No. Standard vendor Terms of Service almost never contain the clauses needed to make the §8(1) accountability workable: purpose restriction, breach notification timelines, sub-processor controls, data deletion obligations and audit rights. A separate, signed Data Processing Agreement meeting DPDP requirements is needed for every processor that handles personal data on your behalf. KavachOne can provide DPDP-compliant DPA templates for all vendor tiers.
What is the difference between a data processor and a data fiduciary under DPDP?
A Data Fiduciary is the person who, alone or with others, determines the purpose and means of processing personal data (§2(i)), typically the business that collects data from customers or employees. A Data Processor is any person who processes personal data on behalf of a Data Fiduciary (§2(k)): your CRM provider, analytics platform or payment processor. The same organisation can be both a Fiduciary (to its own customers) and a Processor (to other organisations whose data it processes).
How many vendors does a typical Indian enterprise need to assess?
Our experience across Indian enterprise TPRM programmes shows that the typical mid-sized organisation has 40 to 80 active vendors processing personal data, though many are unaware of this number before conducting a formal inventory. Large enterprises and Significant Data Fiduciaries often have 150 to 300+ processors. KavachOne's PII Scanner-assisted vendor discovery typically finds 25 to 35% more vendors than organisations self-reported before the exercise.
Can we use a global vendor's standard DPA for DPDP compliance?
Global vendors like AWS, Microsoft, Google and Salesforce offer standard DPAs or Data Processing Addendums, but these are typically designed for GDPR compliance and may not fully address DPDP-specific requirements. KavachOne reviews global vendor DPAs against DPDP obligations and, where gaps exist, provides DPA addendum templates that can be negotiated with the vendor to achieve full DPDP compliance alongside the global DPA.