DPDP enforcement deadline: May 2027 · Rules notified Nov 2025 · Penalty exposure up to ₹250 Cr

Quick Answer

What is a DPDP Vendor Risk Scorecard? A DPDP Vendor Risk Scorecard evaluates third-party vendors who process personal data on your behalf against the requirements of India's Digital Personal Data Protection Act 2023. It assesses each vendor across five dimensions: contractual protections (DPA in place), security controls, breach notification capabilities, cross-border transfer safeguards, and sub-processor management. Under the DPDP Act, Data Fiduciaries remain responsible for the acts of their Data Processors, making vendor due diligence a legal obligation — not just a best practice.

FREE TOOL · DPDP ACT 2023

DPDP Vendor Risk Scorecard — Assess Third-Party Data Compliance

Score your third-party vendors across 6 DPDP risk dimensions. Free for your first vendor — full scorecard PDF for all vendors at ₹1,499.

⏱ Takes 3–5 minutes 🔒 No data stored without consent 📋 Up to 3 vendors
1. Select Vendors
2. Risk Questions
3. Your Results

How many vendors do you want to assess?

Each vendor is scored across 6 DPDP risk dimensions. Vendor 1 is always free.

Vendor Risk Assessment

Answer 6 questions per vendor. Select the option that best reflects your current situation.

Unlock the Full Vendor Risk Scorecard

Get the complete PDF report for all vendors — includes risk matrix, remediation actions, and DPA template guide.

What's included

  • Full risk scorecard for all vendors (side-by-side comparison)
  • Remediation action plan per vendor
  • Data Processing Agreement (DPA) template guide
  • Priority ranking: which vendor poses the highest DPDP risk
  • Checklist: 12 vendor due-diligence checks under DPDP Act 2023

🔒 Razorpay secured 📧 Delivered in <2 min ✅ 100% DPDP-compliant PDF

Why vendor risk matters under DPDP Act 2023

The Digital Personal Data Protection Act 2023 places direct obligations on Data Fiduciaries for all personal data processed on their behalf — including by third-party vendors. A vendor handling sensitive personal data without a proper Data Processing Agreement exposes your organisation to regulatory penalties of up to ₹250 crore per instance.

What does this scorecard assess?

Six critical DPDP risk dimensions: existence of a Data Processing Agreement (DPA), whether sensitive personal data is involved, cross-border data transfer risk, sub-processing exposure, prior breach history, and the vendor's own privacy policy compliance posture.

How are risk levels determined?

Each vendor receives a score from 0 to 100. Scores of 75 and above indicate Low risk. 50–74 is Medium risk, warranting closer monitoring. 25–49 is High risk, requiring remediation. Below 25 is Critical — immediate action needed before the May 2027 DPDP enforcement deadline.