Question: Are data-processing agreements (DPAs) or clauses in place with all third parties handling personal data?
Why This Matters
Processors must act only on documented instructions. DPAs formalize security, confidentiality, and breach-notification duties for third parties.
Maturity
0 — Unaware
No privacy clauses in vendor contracts.
1 — Ad Hoc
Generic NDA covers confidentiality only.
2 — Defined
Standard DPA template adopted.
3 — Managed
All critical vendors have signed DPAs and breach-notification terms.
4 — Integrated
DPAs tracked in contract repository; renewal alerts enabled.
5 — Optimized
Automated DPA compliance checks and vendor maturity scoring.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify vendors processing personal data. |
| 1 → 2 | Adopt DPA template aligned to DPDP and GDPR. |
| 2 → 3 | Sign DPAs with critical vendors and maintain a log of signed agreements. |
| 3 → 4 | Track expiry, renewal, and obligations. |
| 4 → 5 | Integrate maturity scoring and compliance analytics. |
Enablers
- People: Procurement, Legal, DPO
- Process: Vendor onboarding → DPA signing → tracking
- Technology: Contract management or GRC tool
Evidence
- Signed DPAs or contract extracts
- Renewal log
- Vendor compliance reports
KPIs
- Percentage of vendors with signed DPAs
- Number of DPA renewals pending
- Vendor compliance rating average
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Repository | Google Drive / Notion | Contract storage |
| Tracking | Airtable / Odoo | Renewal alerts |
| Analytics | Metabase | Vendor compliance dashboard |
Common Pitfalls
- DPAs not signed for low-value vendors
- Clauses missing notification timelines
- No periodic compliance review
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27701 | 7.8 (Processor agreements) |
| DPDP Act 2023 | Sec 9–10 (Processor obligations) |
| GDPR | Art. 28–29 |
| NIST CSF 2.0 | ID.SC-04 / GV.PO |
| NIRMATA Mapping | PD-Q10 ensures contractual privacy assurance. |