Under the DPDP Act, 2023, one uncomfortable truth is now clear:
You are responsible for your vendors’ mistakes.
- If a background verification agency leaks data
- If an HRMS retains data forever
- If a payroll vendor uses employee data beyond its purpose
The liability comes back to you.
This is why vendor due diligence is no longer a procurement checkbox.
It is a core DPDP compliance requirement.
This playbook breaks down:
- What DPDP expects from HR when working with vendors
- What must exist in your DPA (Data Processing Agreement)
- A practical processor checklist you can actually apply
1. First, Get the Roles Right (This Changes Everything)
Under DPDP:
Your company = Data Fiduciary
HR vendors = Data Processors
Clarification:
“HR vendors” is an industry shorthand for third-party vendors used by HR (such as HRMS, ATS, payroll, BGV, benefits providers). HR itself is not a vendor and remains part of the Data Fiduciary.
This means:
- Vendors can process data only on your instructions
- Vendors cannot decide why or how long data is used
- You must ensure vendors follow DPDP principles
If your contracts don’t reflect this clearly, you already have a gap.
2. Why Vendor Risk Is the Biggest DPDP Blind Spot for HR
Most HR teams assume: “The vendor is DPDP-compliant, so we’re safe.”
DPDP does not work like that.
The law expects you to ensure that:
- Vendors collect only necessary data
- Vendors retain data only for defined periods
- Vendors delete data when you instruct them to
- Vendors protect data with reasonable safeguards
If you cannot demonstrate this, compliance fails – even if the vendor caused the issue.
3. DPDP-Ready DPA Clauses HR Must Insist On
Your Data Processing Agreement (DPA) is your first line of defence.
Here are the non-negotiable clauses every HR DPA should include:
Purpose Limitation Clause
The vendor can process personal data only for the specific purpose defined in the contract (no reuse, analytics, training or benchmarking unless explicitly allowed).
Data Retention & Deletion Clause
Retention timelines must be clearly defined
Vendor must delete data:
- On completion of purpose
- On contract termination
- On your written instruction
Silence on retention = risk.
Sub-Processor Control Clause
- Vendor cannot appoint sub-processors without approval
- Same DPDP obligations must flow down to sub-processors
Security Safeguards Clause
Vendor must implement:
- Access controls
- Encryption (at rest & in transit)
- Role-based access
- Incident logging
DPDP expects “reasonable security safeguards” – not vague promises.
Breach Notification Clause
- Vendor must notify you without undue delay
- Clear escalation timelines
- Cooperation in investigation and response
Delayed disclosure = compounded risk.
Audit & Compliance Support Clause
You should have the right to:
- Seek compliance evidence
- Conduct audits (or third-party audits)
- Request DPDP-related documentation
If audits are “not allowed”, that’s a red flag.
4. HR Vendor Due Diligence Checklist (Processor Playbook)
Use this before onboarding and during annual reviews.
A. Data Collection & Purpose
✔ What employee/candidate data does the vendor collect?
✔ Is every data point strictly necessary?
✔ Is the purpose documented clearly?
If the vendor says “this is standard for us” – push back.
B. Data Storage & Retention
✔ Where is the data stored?
✔ Is the retention period defined, or is it “indefinite”?
✔ Can data be deleted on demand?
No deletion mechanism = non-compliance.
C. Access & Security Controls
✔ Who can access the data internally?
✔ Is access role-based?
✔ Are logs and monitoring in place?
“Trusted employees” is not a control.
D. Sub-Processors & Third Parties
✔ Does the vendor use cloud providers or partners?
✔ Are they contractually bound to DPDP standards?
✔ Are you informed about changes?
Hidden sub-processors = hidden risk.
E. Data Subject Rights Support
✔ Can the vendor help with:
- Access requests
- Correction requests
- Deletion requests
If they can’t support rights requests, you can’t comply either.
F. Exit & Data Deletion
✔ What happens to data after contract termination?
✔ Is deletion certified or evidenced?
✔ Is any data retained “for internal use”?
Exit clauses matter more than onboarding clauses.
📥 Download: DPDP Vendor Due Diligence Resources
To help HR and People teams move from understanding DPDP to actually implementing it, we’ve created two ready-to-use resources you can apply immediately:
- HR Vendor DPDP Due Diligence Checklist (PDF): a practical checklist to evaluate HR vendors before onboarding and during annual reviews.
- DPDP DPA Clause Template for HR Vendors (PDF): a DPDP-aligned Data Processing Agreement clause template tailored for HRMS, ATS, payroll, BGV and benefits vendors.
5. High-Risk HR Vendors (Prioritise These First)
If you’re short on time, start here:
- Background Verification (BGV) agencies
- HRMS / ATS platforms
- Payroll & benefits providers
- Health insurance & wellness vendors
- Engagement, survey & voice-of-employee tools
These vendors handle large volumes of sensitive personal data.
6. The New HR Compliance Mindset
DPDP shifts HR responsibility from:
❌ “We’ve signed a vendor contract”
to
✅ “We actively govern how vendors handle people data”
The strongest HR teams:
- Ask uncomfortable questions
- Push back on vague answers
- Build DPDP checks into vendor onboarding itself
Final Thought
Under DPDP, vendor compliance is not optional and not transferable.
If a vendor processes your employee data, their compliance is your responsibility.
The safest HR teams are not the ones with more vendors – they are the ones with fewer, well-governed, accountable vendors.