Put the data map into duties

Data processing agreements

A data processing agreement should follow the real processing chain. Roles, instructions, purpose, security, subprocessors, incidents, rights requests, retention, return, and deletion need operational owners.

A data processing agreement is useful when it translates a known data relationship into contract duties. It cannot repair an unknown product flow. Before drafting, the parties should identify personal data, purposes, people concerned, systems, locations, access, subprocessors, retention, security, and the main agreement that creates the service. The Digital Personal Data Protection Act, final 2025 Rules, commencement schedule, sector requirements, and other applicable regimes can affect the allocation. Contract labels borrowed from another law may not answer the Indian position by themselves. The factual schedule must come from product, privacy, security, procurement, and commercial teams before counsel drafts. The current legal status and the complete cross-border arrangement should be reviewed before the agreement is signed or personal data is shared.

Start with a record-level data map

List the personal data fields or clear categories, whose data they concern, where each field comes from, why it is used, which system receives it, who can access it, where it is stored, who else receives it, and when it is deleted. Separate account setup, service delivery, support, security logs, analytics, billing, marketing, and product-improvement purposes. A processor may also act for its own purpose in part of the relationship, which needs separate analysis. Map test, backup, and support environments, not only production. Identify sensitive business information that is not personal data because confidentiality still matters. The map should be owned jointly by product and operations, with security and privacy review. If the team cannot explain a data field's purpose or retention, pause collection. Independent counsel can then assess current roles and required terms against facts rather than a generic questionnaire.

  • Personal data fields and people concerned
  • Purpose for each processing activity
  • Systems, locations, and access
  • Support, test, backup, and analytics use
  • Retention and deletion event

Define instructions and permitted use

State the subject, nature, purpose, duration, data categories, and people concerned in a schedule that can be updated through a controlled process. The service provider should process data only for documented permitted purposes, subject to any lawful duties that require another step. Clarify whether aggregated, de-identified, statistical, security, or product-improvement use is allowed and what technical or contractual controls apply. A broad own-business right can conflict with customer notices and expectations. Deal expressly with AI training, human review, telemetry, and cross-customer insights where relevant. Identify the customer's responsibilities for lawful collection, notices, instructions, and data quality without using them to excuse the provider's own duties. The main agreement, privacy notice, product settings, sales materials, and DPA should describe the same use. Current DPDP and sector analysis should determine the final role and wording.

  • Documented purpose and instructions
  • Controlled schedule-change process
  • Analytics, de-identification, and AI use
  • Customer collection and notice duties
  • Consistency with product and privacy text

Make security and incident work executable

Attach security commitments the provider can evidence. Cover access control, authentication, encryption where used, secure development, vulnerability work, logging, backups, personnel confidentiality, vendor controls, incident response, and recovery at a level suited to the service. Avoid naming a certification or exact control that is not current. Define a security incident for the contract. Then set the notice route, information to be supplied, cooperation, containment, evidence preservation, customer communications, and regulatory decision process. A very short notice period is useless if nobody monitors the address. Name operational contacts outside the contract and test them. Audit rights can use reports, certifications, questionnaires, and targeted inspection in a staged way that protects other customers and security. The DPDP Act and Rules include security and breach requirements whose current commencement and application should be confirmed for the facts.

  • Evidence-based security schedule
  • Monitored incident contact
  • Notice, containment, and cooperation steps
  • Staged audit evidence
  • Current regulatory-notification analysis

Control subprocessors, requests, and deletion

Keep a current subprocessor list with service, entity, location, and access description. Set the notice and objection process at a level the service can operate, and require equivalent relevant duties through the chain. The provider should have a route for helping with individual requests, consent withdrawal, correction, erasure, complaints, and authority inquiries where applicable to its role. State response channels, identity safeguards, costs, and limits. At termination, define export, format, timing, access, return, deletion, backup cycling, legal retention, and written confirmation. Test the process against a customer that needs a complete migration while a billing dispute remains open. Retention exceptions should be narrow and tied to a duty or defensible need. Review subprocessors and deletion evidence periodically. Current DPDP Rules, sector directions, and cross-border conditions may change, so the DPA needs an owner and review date.

  • Current subprocessor register
  • Notice and objection workflow
  • Individual-rights assistance route
  • Export and deletion timetable
  • Narrow retention exceptions

Primary sources and further reading

Rules and procedures change. Check the current official source and obtain advice for the facts of your matter.