Last updated: April 29, 2026
Why this module exists. DPDP §8(7) requires every Data Fiduciary to enter into a contract with every Data Processor. The contract must contain specific elements, and the Data Fiduciary remains liable for processor failures. Most Indian businesses signed vendor agreements years ago; few of those agreements meet §8(7). This module is the rebuild playbook.
Who is a Data Processor in your stack
Anyone who processes personal data on your behalf. Not just “the vendor that explicitly says they’re a processor.” The list is longer than most teams realise:
- Cloud providers (AWS, Azure, GCP)
- Customer support platforms (Zendesk, Intercom, Freshdesk)
- Email infrastructure (SES, Postmark, Resend, Mailgun)
- Marketing platforms (MoEngage, CleverTap, WebEngage)
- Payment processors (Razorpay, Stripe, Cashfree)
- Analytics (GA4, Mixpanel, Amplitude, Posthog)
- SMS providers (Msg91, Twilio)
- SaaS used internally that touches customer data (HubSpot, Salesforce, Slack with shared channels, Notion docs about customers)
- Outsourced services — call centres, KYC verification, fraud-detection vendors
- IT support / managed services that have admin access
Inventory all of them. Most Indian SaaS have 30-80 data processors.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.