
eSign Your Data Processing Agreement with Aadhaar

Get DPDP Act 2023 compliant with a clear Data Fiduciary and Data Processor DPA. Legally valid, Rs. 15 per signature.

Powered by eMudhra · CCA-licensed ESP · IT Act 2000 Compliant · Made in India 🇮🇳
By Aditi Sharma, Legal & Compliance Counsel · Last updated April 2026

What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a contract between a Data Fiduciary (the party that determines the purposes and means of processing personal data) and a Data Processor (the party that processes personal data on behalf of the Data Fiduciary). DPAs are the legal mechanism by which the Data Fiduciary passes down its obligations under data protection law to the Data Processor, ensuring that personal data is handled with the same level of care throughout the processing chain. DPAs are a standard component of any SaaS deal, cloud services contract, BPO engagement, or outsourcing arrangement that involves personal data.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection law and came into force progressively starting 2024. It replaces the earlier patchwork of data protection rules under the IT Act, 2000 with a modern framework that recognizes the roles of Data Fiduciary and Data Processor, sets out data protection principles (lawful processing, purpose limitation, data minimization, storage limitation, accuracy, accountability), grants rights to individuals called Data Principals (right to access, correction, erasure, grievance redressal), and imposes significant penalties for non-compliance (up to Rs. 250 crore per instance for certain breaches). Any Indian business that processes personal data, or that offers goods or services to Indian residents, must comply with the DPDP Act.

Under Section 8(5) of the DPDP Act, a Data Fiduciary can only engage a Data Processor under a valid contract. This contractual requirement is the legal basis for Data Processing Agreements in India. The DPA must cover specific elements: the nature and purpose of processing, the types of personal data being processed, the categories of Data Principals, the duration of processing, the obligations of the Data Processor including security safeguards, assistance with Data Principal rights requests, assistance with breach notification, sub-processing restrictions, and return or deletion of personal data at the end of processing.

For businesses that operate internationally, DPAs often have to satisfy multiple regimes simultaneously: the DPDP Act in India, the General Data Protection Regulation (GDPR) in the EU, the UK GDPR in the UK, and state privacy laws in the US (CCPA, CPRA, VCDPA). A well-drafted DPA uses a common base of obligations that satisfies all applicable regimes, with regime-specific annexes for standard contractual clauses where cross-border transfers are involved.

Cross-border transfer of personal data is a sensitive area under the DPDP Act. The Central Government can restrict transfer of personal data to specific countries by notification. DPAs should include a change-of-law clause that allows the Data Fiduciary to direct the Data Processor to suspend cross-border transfers if required by notification.

Aadhaar eSign works well for DPAs executed between Indian parties, and for the Indian side of cross-border DPAs using a hybrid signing approach. DPAs are typically executed alongside the main commercial agreement (SaaS agreement, MSA, vendor agreement) and SignSetu allows both documents to be signed in the same session.

Who needs a data processing agreement?

SaaS and cloud providers

Offer DPDP-compliant DPAs to Indian enterprise customers as a standard part of your onboarding and procurement process.

Data Fiduciaries (enterprises)

Put DPAs in place with every vendor that touches your customer or employee personal data, to comply with Section 8(5) of the DPDP Act.

BPO and managed services providers

Execute DPAs with each client where you process personal data on their behalf, covering security, breach response, and sub-processing.

Compliance and legal officers

Maintain a DPA inventory for all third-party data processors as part of your DPDP Act compliance framework.

Legal framework

Legally valid under Indian law

Data Processing Agreements are fully eligible for Aadhaar eSign under Section 3A of the IT Act, 2000. The Digital Personal Data Protection Act, 2023 (DPDP Act) is the primary data protection law in India and applies to any processing of digital personal data within India, as well as processing outside India if it is in connection with offering goods or services to Data Principals in India.

Section 8(5) of the DPDP Act requires that a Data Fiduciary may engage a Data Processor only under a valid contract. This is the legal basis for DPAs. The contract must ensure that the Data Processor processes personal data only on documented instructions from the Data Fiduciary, maintains appropriate security safeguards, assists with Data Principal rights requests, notifies the Data Fiduciary of personal data breaches, and returns or deletes personal data at the end of processing.

The DPDP Act recognizes the role of 'Significant Data Fiduciary' for entities that process large volumes of sensitive data, and such entities have additional obligations including appointment of a Data Protection Officer, conduct of Data Protection Impact Assessments, and independent data audits. The Act imposes significant penalties for non-compliance, including up to Rs. 250 crore for failure to implement security safeguards, up to Rs. 200 crore for failure to notify breaches, and up to Rs. 50 crore for other specified contraventions.

Cross-border transfer of personal data is permitted by default, but the Central Government can notify specific countries to which transfers are restricted. DPAs should include a mechanism to handle such notifications. The DPDP Act does not replace sectoral laws (SPDI Rules under the IT Act, banking secrecy under the Banking Regulation Act, health data rules under the Clinical Establishments Act) and DPAs in regulated sectors should address both.

DPAs do not require stamp paper for enforceability, though some businesses use Rs. 100 stamp paper for evidentiary weight. They do not require notarization or registration.

Primary reference: DPDP Act 2023, Section 8(5) + Indian Contract Act 1872 + Section 3A, IT Act 2000

Important note

The DPDP Act 2023 is being implemented progressively. Significant Data Fiduciaries have additional obligations including DPIAs and data audits. Always align your DPA with the current state of the law and applicable sectoral rules.

Essential clauses

  • Identification of the Data Fiduciary and Data Processor
  • Subject matter, nature, and purpose of processing
  • Types of personal data and categories of Data Principals
  • Duration of processing
  • Documented instructions requirement (processor only processes on documented instructions)
  • Confidentiality obligations on processor personnel
  • Security safeguards (technical and organizational measures)
  • Sub-processor restrictions and prior authorization requirement
  • Assistance with Data Principal rights requests (access, correction, erasure, grievance)
  • Personal data breach notification obligations and timelines
  • Return or deletion of personal data at the end of processing
  • Cross-border transfer restrictions and change-of-law clause
  • Audit and inspection rights for the Data Fiduciary
  • Liability and indemnification for data protection breaches

Ready to eSign your data processing agreement?

Drop your PDF and get it signed with Aadhaar in 2 minutes. Data Fiduciary + Data Processor = Rs. 30.

Common mistakes

  • Treating the DPA as an optional addendum when Section 8(5) of the DPDP Act makes it a legal requirement
  • Drafting a DPA that only satisfies GDPR but misses the specific DPDP Act requirements like grievance officer assistance
  • Leaving sub-processing unrestricted, so the processor can onboard new sub-processors without notifying the Data Fiduciary
  • Missing the breach notification timeline, leading to delayed notifications that violate both the DPA and the DPDP Act
  • Not specifying how personal data will be returned or deleted at the end of processing
  • Skipping the cross-border transfer change-of-law clause, leaving both parties exposed when the government restricts transfers
  • Failing to align security safeguards with the sensitivity of the personal data being processed

How to eSign online

  1. Upload the DPA PDF

    Draft the DPA covering DPDP Act and any applicable foreign regimes. Save as PDF and upload to SignSetu, often alongside the main commercial agreement.

  2. Add Data Fiduciary and Data Processor as signers

    Enter the name and email of authorized signatories from both parties. Each receives a secure signing link.

  3. Both parties sign with Aadhaar OTP

    Each party signs independently from their office. Aadhaar OTP verifies identity. For foreign signatories, use a hybrid approach with DocuSign. The signed DPA is delivered to both parties.

FAQs

Is a DPA required under Indian law?
Yes. Section 8(5) of the DPDP Act 2023 requires that a Data Fiduciary may engage a Data Processor only under a valid contract. That contract is the Data Processing Agreement. Without a DPA, both parties are exposed to DPDP Act penalties.

What is the difference between a Data Fiduciary and a Data Processor?
A Data Fiduciary determines the purposes and means of processing personal data (it decides why and how the data is used). A Data Processor processes personal data on behalf of the Data Fiduciary (it acts on instructions). In GDPR terminology, these roughly correspond to Controller and Processor.

Can a GDPR DPA also work for DPDP Act compliance?
Partially. A well-drafted GDPR DPA covers most of the DPDP Act requirements but needs to be supplemented with DPDP-specific provisions, including Data Principal rights terminology, grievance officer assistance, cross-border transfer restrictions under Section 16, and references to Indian law.

Does the DPA need to be signed separately from the main agreement?
Not necessarily. Many businesses include the DPA as an annex or schedule to the main commercial agreement (SaaS agreement, MSA, vendor agreement) and sign everything together. Others execute a standalone DPA for clarity and reusability. Both approaches are legally valid.

What should the breach notification timeline be?
The DPA should require the Data Processor to notify the Data Fiduciary without undue delay (typically 24 to 72 hours) after becoming aware of a personal data breach. This gives the Data Fiduciary time to assess the breach and notify the Data Protection Board of India and affected Data Principals as required by the DPDP Act.

Can the Data Processor use sub-processors?
Only if the DPA allows it. Most DPAs require either prior written authorization from the Data Fiduciary for each sub-processor, or a general authorization with a list of approved sub-processors and a right for the Data Fiduciary to object to new additions. The Data Processor remains liable for the acts of its sub-processors.

What happens to personal data at the end of processing?
The DPA should specify that the Data Processor will, at the Data Fiduciary's choice, either return all personal data to the Data Fiduciary or securely delete it, and provide written confirmation of deletion. Backups and technical copies should also be addressed.

Powered by eMudhra

Every signature is processed via eMudhra, a CCA-licensed eSign Service Provider (ESP) authorized under the IT Act, 2000.


© 2026 Real Craft Tech Pvt Ltd·CIN: U72900CH2014PTC035110·GST: 03AAGCR9435B1ZM
