AD-18 Application & Product Security 6% of OML score

Is data sharing with external parties limited and controlled?

Do you have rules about who outside your company can see your business data, and do you actually enforce those rules? This is about making sure customer information, financial records, and trade secrets don't get handed over to vendors, partners, or consultants without clear permission and protection agreements.

Why This Matters to Your Business

If your data walks out the door without controls, a vendor or partner might sell it, lose it in a breach, or use it to compete with you—and you're still legally responsible. Many Indian SMEs have suffered reputation damage and lost customer trust after data shared with 'trusted' logistics or marketing partners leaked online. You could also face fines under DPDP Act 2023 if you can't prove you managed third-party access properly. Customer contracts now often include audits specifically checking how you control their data with external parties.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You hand over data to vendors and partners whenever they ask, with no written agreements or records of what was shared. No one tracks where sensitive information goes or who has access to it.

Level 1
Initial

You have basic contracts with some vendors that mention data confidentiality, but there's no consistent process for reviewing or approving new data sharing arrangements. You sometimes ask partners to sign NDAs, but it's not systematic.

Level 2
Developing

You have a simple written policy requiring approval before sharing customer or sensitive data with external parties. Most vendors have signed confidentiality agreements, but you don't regularly audit whether they're actually following the rules.

Level 3
Defined

You maintain a documented list of all external parties who access your data, what data they access, and have signed data processing agreements with each one. You conduct annual audits or spot-checks to confirm vendors are keeping data secure.

Level 4
Managed

You have automated controls limiting what data each external party can access (role-based or technical restrictions). You regularly audit third-party access logs, conduct security assessments before onboarding vendors, and have incident response plans for data breaches by partners.

Level 5
Optimised

You continuously monitor third-party data access in real-time, automatically revoke access when relationships end, and conduct quarterly security assessments of all external parties. You have contractual penalties and insurance coverage for third-party data breaches, and regularly test incident response scenarios.

How to Move Up — Practical Steps
Step | What to Do | Who | Effort
--- | --- | --- | ---
0 → 1 | Write down all external parties who currently have access to any company data (vendors, consultants, clients, cloud providers). Create a simple one-page confidentiality agreement template and have the top 5 vendors sign it. | Business owner or office manager | 2-3 days
1 → 2 | Create a written Data Sharing Policy that requires written approval from the owner/manager before any external party gets access to customer data, financial records, or trade secrets. Document what data each vendor has access to. | Owner with IT support (if available) | 1 week
2 → 3 | Upgrade all vendor agreements to formal Data Processing Agreements (DPA) that specify data protection responsibilities, audit rights, and breach notification timelines. Create and maintain a Data Sharing Register showing each vendor, data types, and agreement dates. | Owner or HR/Admin with legal template review | 3-4 weeks
3 → 4 | Set up a simple annual vendor security checklist audit process. Configure access controls in your systems (Google Workspace, Office 365, databases) so vendors only see data they need. Document security assessment results for each vendor. | IT person or hired consultant | 6-8 weeks
4 → 5 | Implement automated access logs and monitoring dashboards for third-party data access. Set up automated de-provisioning when vendor contracts end. Conduct quarterly penetration tests simulating vendor account compromise. Establish third-party breach insurance. | IT person with managed security service provider support | Ongoing (quarterly reviews and updates)
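The steps for levels 3 to 5 come down to one recurring check: compare what each external party actually touched (the access logs) against what the Data Sharing Register says they are allowed to touch and for how long. The script below is an added illustration of that reconciliation, not part of the NIRMATA guide or any vendor product. The register columns (vendor, account, allowed data types, contract end date) and the one-line-per-event log format are assumptions made for the example; the vendor names, accounts and log lines are constructed. It flags access to data types the vendor was never approved for, access after the contract end date (a missed de-provisioning), and activity from accounts that are not in the register at all, and it lists accounts whose contracts have ended so they can be revoked.

```python
"""Reconcile a Data Sharing Register against third-party access logs.

Added example for the NIRMATA AD-18 guide; register layout and log
format are assumptions, and all vendors, accounts and events below are
constructed sample data.
"""
import csv
import io
from datetime import date, datetime

# Constructed register: one row per external party (hypothetical vendors).
# allowed_data lists the data types the signed DPA permits, ';'-separated.
REGISTER_CSV = """vendor,account,allowed_data,contract_end
Acme Logistics,acme-svc,shipments;invoices,2026-12-31
Beta Marketing,beta-svc,customer_contacts,2025-03-31
"""

# Constructed access-log lines: "<timestamp> <account> <action> <data_type>".
ACCESS_LOG = """2025-05-02T09:12:00Z acme-svc read shipments
2025-05-02T09:15:00Z acme-svc read financial_records
2025-05-03T11:00:00Z beta-svc read customer_contacts
2025-05-03T11:05:00Z unknown-svc read customer_contacts
"""


def load_register(text):
    """Return {account: {"vendor", "allowed": set, "contract_end": date}}."""
    register = {}
    for row in csv.DictReader(io.StringIO(text)):
        register[row["account"]] = {
            "vendor": row["vendor"],
            "allowed": set(row["allowed_data"].split(";")),
            "contract_end": date.fromisoformat(row["contract_end"]),
        }
    return register


def parse_log(text):
    """Parse log lines into (timestamp, account, action, data_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, data_type = line.split()
        events.append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, action, data_type)
        )
    return events


def review_access(register, events):
    """Return findings as (kind, account, data_type, timestamp) tuples.

    kind is one of: "unregistered" (account not in the register),
    "after_contract_end" (access after the agreed end date),
    "out_of_scope" (data type not covered by the agreement).
    """
    findings = []
    for ts, account, action, data_type in events:
        entry = register.get(account)
        if entry is None:
            findings.append(("unregistered", account, data_type, ts.isoformat()))
            continue
        if ts.date() > entry["contract_end"]:
            findings.append(("after_contract_end", account, data_type, ts.isoformat()))
        if data_type not in entry["allowed"]:
            findings.append(("out_of_scope", account, data_type, ts.isoformat()))
    return findings


def accounts_to_deprovision(register, today_iso):
    """Accounts whose contract ended before `today_iso` (YYYY-MM-DD): revoke them."""
    today = date.fromisoformat(today_iso)
    return sorted(a for a, e in register.items() if e["contract_end"] < today)


if __name__ == "__main__":
    reg = load_register(REGISTER_CSV)
    for finding in review_access(reg, parse_log(ACCESS_LOG)):
        print(*finding)
    print("revoke:", accounts_to_deprovision(reg, "2025-05-04"))
```

Run against the built-in sample it reports one out-of-scope read by acme-svc, one read by beta-svc after its contract ended, one event from an unregistered account, and lists beta-svc for revocation. In practice the register is exported from the spreadsheet or tool named in the evidence section and the log lines come from the Google Workspace or Microsoft 365 audit export; the findings list is the record an auditor can be shown when asking how vendor access is verified and revoked.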
Evidence You Should Have

Documents and records that prove your maturity level.

  • Data Sharing Register or spreadsheet listing every external party (vendor, consultant, client, partner) who accesses company or customer data, with dates and types of data shared
  • Signed Data Processing Agreements (DPA) or Confidentiality Agreements with each vendor who handles sensitive information—file them centrally in one location
  • Data Sharing Policy document approved and signed by owner/board showing the approval process for external data access
  • Annual vendor security assessment forms or checklists with signed confirmation that vendors are maintaining agreed data protection standards
  • Access control logs or reports showing who accessed what data when, especially for cloud storage and databases, covering the past 12 months
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your list of all third parties who have access to customer or sensitive company data. How do you control what each one can see?"
  • "Do you have signed data processing agreements or confidentiality clauses with your major vendors? Can you produce them?"
  • "How do you verify that your vendors are actually protecting data the way they promised? When was the last time you audited a vendor's security?"
  • "What happens if a vendor loses or leaks data we shared with them? Do you have procedures to detect and respond to that?"
  • "How do you make sure access is removed when a vendor relationship ends? Can you show me evidence of recent access revocations?"
Tools That Work in India
Purpose | Free Option | Paid Option
--- | --- | ---
Create and store signed vendor agreements and data processing agreements in one secure location | Google Drive with folder structure and access controls, or OneDrive | Ironclad or Docuseal (vendor contract management, ~₹50,000–150,000/year) or basic Zoho CRM document storage (~₹20,000/year)
Track which vendors have what access and when, plus audit checklist automation | Google Sheets template with shared access controls, or Airtable free tier | Airtable paid (~₹1,000–2,000/month) or Zoho Creator (~₹30,000–50,000/year)
Monitor and log data access by external parties (who accessed what, when) | Built-in audit logs in Google Workspace or Microsoft 365 (if already licensed) | Varonis Data Classification (~₹500,000+/year) or Imperva (enterprise-level, custom pricing) or mid-tier Exabeam (~₹100,000–300,000/year)
Create simple confidentiality and data processing agreement templates | NASSCOM/CII sample DPA templates, or free templates from Indian Bar Association websites | LegalWiz or Lex Warqi legal template library (~₹10,000–20,000/year), or hire a lawyer for a custom DPA (~₹15,000–50,000 one-time)
Manage vendor security assessments and track compliance over time | Google Forms for annual security questionnaire + Sheets for tracking responses | Vendor risk management platforms like SecurityScorecard or BitSight (India-friendly, ~₹300,000–800,000/year for SME tier)
How This Makes You More Resilient
When you control data sharing, a vendor breach or dishonest partner doesn't become your crisis—you can prove to customers and regulators that you did your due diligence and limited their exposure. You also avoid the expensive scenario where customer data spreads across the internet and your business is blamed for poor vendor management, which can kill customer trust faster than almost any other incident.
Common Pitfalls in India
  • Trusting a 'reputable' vendor with data just because they're big or established in India—many breaches happen at 'trusted' logistics, HR outsourcing, or IT support firms that have weak internal security.
  • Sharing data with consultants or agencies informally (WhatsApp, email, cloud links without passwords) and forgetting to ask them to delete it after the project ends—data lingers in their systems and gets breached months or years later.
  • Having one person (often the owner) approve all data sharing with no documented policy, so when that person is busy or leaves, critical data gets handed out with no audit trail, and you can't prove what happened.
  • Not updating vendor agreements when business relationships change (e.g., a logistics partner now also handles accounting data, but the old 1-page NDA from 5 years ago never got upgraded).
  • Assuming cloud vendors (Google, AWS, Microsoft) take care of all security, so you don't put controls in place—you still need to control WHO in your own company and which partners can access that cloud data.
Compliance References
Standard | Relevant Section
--- | ---
DPDP Act 2023 | Section 6 (data principal's rights), Section 8 (consent and data sharing), Schedule 1 (processing rules for data fiduciaries)
CERT-In Directions 2022 | Para 4(d) – maintains access control and logs for third-party access; Para 6 – incident reporting if third-party compromise occurs
ISO 27001:2022 | Annex A, Control 5.3 (Segregation of duties), 6.5 (Access control), A.5.1.2 (Management of third-party relationships and responsibilities)
NIST CSF 2.0 | Govern (GV.RO-04 – External dependencies and third-party access), Protect (PR.AC-01 – Identity and access management for external parties)

The full NIRMATA self-assessment covers 191 questions and produces a maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
