If a vendor leaks your customer data (say your cloud storage provider, payment processor, or logistics partner), the DPDP Act 2023 still treats you, the Data Fiduciary, as responsible: you face penalties of up to ₹250 crore for failing to take reasonable security safeguards, your customers can complain to the Data Protection Board of India, and you must report the incident to CERT-In within six hours of noticing it. A small e-commerce business in Bangalore lost customer trust and ₹50 lakhs in refund claims when a third-party payment gateway failed to protect card data. Without a written vendor agreement you have no contractual recourse against the vendor, no right to be told about the breach in time to meet those deadlines, and no evidence that you took reasonable steps, which makes a penalty more likely and leaves you to absorb the loss.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have vendors handling your customer data but you have never discussed data security with them or asked for any written agreement. No one in your office has a list of who has access to what data.
Initial
You have selected a few critical vendors (like your cloud provider or accountant) and you have asked them verbally or in informal chats to keep data safe, but there are no signed contracts or written terms about data protection requirements.
Developing
You have written contracts with your main vendors that mention data confidentiality and security, but the clauses are generic copied-from-templates language and do not clearly describe what security measures they must use or how they will handle breaches.
Defined
You have formal Data Processing Agreements (DPAs) or vendor security addendums with all vendors who touch customer or employee data; these documents spell out security requirements, breach notification timelines, and audit rights, and you have reviewed them with a lawyer.
Managed
You conduct security assessments of critical vendors before signing (asking for certifications, compliance statements, or audit reports), include detailed security clauses in all contracts, and require vendors to notify you of any security incident affecting your data within 24 hours at most, and sooner where possible, because you yourself must report to CERT-In within six hours of noticing an incident.
Optimised
You maintain an active vendor risk management program that includes annual security re-assessments, documented audit trails of vendor compliance checks, incident response procedures with vendors, and evidence that you have terminated or downgraded vendors who failed security audits.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a list of all vendors and third parties who have access to customer or employee data (accountants, cloud providers, payment gateways, consultants, delivery partners, etc.); send each a written email or letter stating that they must keep this data confidential and secure and asking them to acknowledge in writing. | Business Owner or IT Person | 2-3 days |
| 1 → 2 | Draft or obtain template data protection clauses for your vendor contracts; add clauses requiring vendors to implement reasonable security measures, inform you of any breach affecting your data within 24 hours (faster if they can, since CERT-In gives you only six hours to report), and allow you to audit their data handling practices; include these in all new vendor agreements going forward. | Business Owner with support from a junior lawyer or compliance consultant | 1-2 weeks |
| 2 → 3 | Engage a compliance consultant to review all existing vendor contracts and create formal Data Processing Agreements (DPAs) for any vendor processing personal data; ensure DPAs comply with DPDP Act 2023 and clearly define roles (Data Fiduciary vs. Data Processor, the Act's own terms), security obligations, sub-processor rules, and breach notification procedures. | Compliance Consultant or in-house Legal Lead | 3-4 weeks |
| 3 → 4 | Request security certifications, compliance statements, or SOC 2 reports from critical vendors before signing or renewing contracts; create a vendor risk assessment checklist (covering encryption, access controls, backup practices, incident response); document the assessment results and store them with the contract. | IT Person or Compliance Officer | 4-6 weeks for initial assessments; 1-2 weeks per new vendor |
| 4 → 5 | Establish a formal vendor risk management process: schedule annual security re-assessments, maintain a vendor compliance dashboard, document all audit requests and responses, create an incident response plan that includes vendor contact and escalation procedures, and review vendor performance quarterly with documented decisions (keep, improve terms, or terminate). | Compliance Officer or Risk Manager with IT support | Ongoing; 4-6 hours per month |
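The vendor register from step 0 → 1 and the periodic review from step 4 → 5 are easy to automate once the register is a simple table. The script below is an added example written for this page, not part of NIRMATA or any tool it mentions; the column layout, the 365-day re-assessment interval and the 24-hour notification ceiling are assumptions, and the four vendor rows are constructed sample data, not real companies. It reads the register and reports, per vendor, which gaps from the steps above remain open.

```python
"""Vendor register review: flags the gaps the maturity steps above ask you to close.

Added example, not part of the NIRMATA page. The register layout, column names,
thresholds and the review date are assumptions; the rows are constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register (fictional vendors). Columns are an assumed layout:
# dpa_signed and subprocessors_listed are yes/no, breach_notify_hours is the
# contractual notification SLA (blank = no clause), last_assessment is ISO date.
SAMPLE_REGISTER = """\
vendor,data_types,dpa_signed,breach_notify_hours,last_assessment,subprocessors_listed
CloudHost Pvt Ltd,customer PII;backups,yes,24,2024-11-10,yes
PayGate,card data;customer PII,yes,,2023-06-01,no
BookKeepers & Co,employee PII;salary,no,,,
QuickShip Logistics,customer name;address;phone,yes,48,2025-01-20,yes
"""

REASSESS_AFTER_DAYS = 365   # assumed annual re-assessment cycle (step 4 -> 5)
MAX_NOTIFY_HOURS = 24       # assumed ceiling; CERT-In gives you 6 h to report onward
REVIEW_DATE = date(2025, 3, 1)  # assumed date of this review run


def parse_register(text):
    """Parse the CSV register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_vendor(row, today):
    """Return the list of open gaps for one vendor; an empty list means no gaps."""
    findings = []
    if row["dpa_signed"].strip().lower() != "yes":
        findings.append("no signed DPA")
    hours = row["breach_notify_hours"].strip()
    if not hours:
        findings.append("no breach-notification clause")
    elif int(hours) > MAX_NOTIFY_HOURS:
        findings.append(f"breach notification SLA {hours}h exceeds {MAX_NOTIFY_HOURS}h")
    last = row["last_assessment"].strip()
    if not last:
        findings.append("never assessed")
    elif date.fromisoformat(last) + timedelta(days=REASSESS_AFTER_DAYS) < today:
        findings.append("assessment overdue")
    if row["subprocessors_listed"].strip().lower() != "yes":
        findings.append("sub-processors not listed")
    return findings


def review_register(text, today):
    """Map each vendor name to its list of open gaps as of `today`."""
    return {row["vendor"]: review_vendor(row, today) for row in parse_register(text)}


if __name__ == "__main__":
    for vendor, gaps in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(f"{vendor}: {'; '.join(gaps) or 'OK'}")
```

Run it from a monthly calendar reminder and paste the output into the vendor compliance record; a vendor with an empty list is current, and every other line is a concrete remediation request or a decision (keep, improve terms, terminate) to document.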
Documents and records that prove your maturity level.
- Signed Data Processing Agreements (DPAs) or vendor security addendums with all vendors handling personal data, clearly stating security requirements and data protection obligations
- Vendor inventory or register listing all third parties with access to customer/employee data, their data types, and the date of the last security assessment
- Vendor security assessment reports or questionnaire responses (completed by vendors) showing their security controls, certifications (ISO 27001, SOC 2), and compliance status
- Written breach notification acknowledgments or incident logs showing vendors have notified you of any security incidents and your response actions
- Audit trail or checklist documenting your annual vendor risk reviews, including assessment scores, remediation requests, and decisions to continue or terminate the vendor relationship
Prepare for these questions from customers or third-party reviewers.
- "Show me your contracts with vendors who process customer personal data—where are the data protection and security clauses?"
- "How do you ensure that your cloud provider, payment processor, or accountant is actually keeping customer data secure? What certifications or audits have they provided?"
- "If a vendor suffers a data breach, how do you know about it and what is your process for responding? Have you tested this with any vendor?"
- "Do you have written agreements with sub-contractors or sub-processors (e.g., your cloud provider's backup vendor) and do you control who they can share data with?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store signed vendor contracts and Data Processing Agreements with version control and audit trail | Google Drive with shared folders and document templates; OneNote or Notion for vendor registry | DocuSign (₹8,000–15,000/year) or Adobe Sign for e-signature; Airtable (₹4,000–8,000/year) for vendor management database |
| Conduct vendor security questionnaires and assessments without building forms from scratch | Google Forms for basic questionnaires; NIST Cybersecurity Framework spreadsheet templates available free online | OnAudit or Vanta (₹3,00,000+/year, expensive for small business); Secureframe (₹1,50,000+/year) for automated vendor risk assessment |
| Track and manage vendor compliance, audit schedules, and remediation requests | Excel spreadsheet with conditional formatting; open-source tools like OpenProject for task management | Monday.com (₹5,000–15,000/year) or Asana (₹6,000–12,000/year) for vendor risk workflow; Prevalent or SecurityScorecard (₹5,00,000+/year, enterprise-focused) |
- Assuming that because your vendor is a big company (like AWS or Google) they automatically meet your security needs, without checking their security credentials or reading the fine print in their terms of service: large cloud providers work on a shared-responsibility model, limit their liability, and leave the configuration of access controls, encryption and logging in your tenancy to you.
- Signing vendor contracts that have weak or missing data protection clauses and no clause requiring breach notification, leaving you exposed if the vendor is hacked and you are not informed in time to notify customers.
- Not keeping track of sub-processors—for example, your cloud provider uses a third-party backup vendor that you never checked, and that backup vendor gets hacked, but you have no way to know or hold anyone accountable.
- Asking vendors only for GDPR compliance (Europe's law) and treating that as proof of DPDP Act 2023 compliance (India's law). A GDPR-grade processor agreement is a good starting point, but your contract must still reference your own obligations under the DPDP Act (you remain responsible as Data Fiduciary, breach notification to the Data Protection Board and affected Data Principals) and CERT-In's six-hour incident reporting window.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1): the Data Fiduciary remains responsible for compliance irrespective of any agreement to the contrary or any failure by a Data Processor; Section 8(2): a Data Processor may be engaged only under a valid contract; Section 8(5): reasonable security safeguards to prevent a personal data breach, including for processing done on your behalf by a Data Processor; Section 8(6): notify the Data Protection Board and each affected Data Principal of a personal data breach |
| CERT-In Directions 2022 | Direction (ii): report cyber incidents to CERT-In within six hours of noticing them (a vendor breach involving your data is your incident to report); Direction (iii): designate a point of contact for CERT-In; Direction (iv): retain ICT system logs for 180 days within India (require the same of vendors so incidents can be investigated) |
| ISO 27001:2022 | Annex A 5.19 (Information security in supplier relationships); A 5.20 (Addressing information security within supplier agreements); A 5.21 (Managing information security in the ICT supply chain); A 5.22 (Monitoring, review and change management of supplier services); A 5.23 (Information security for use of cloud services) |
| NIST CSF 2.0 | Govern (GV), Cybersecurity Supply Chain Risk Management category: GV.SC-01 (supply chain risk management program established), GV.SC-04 (suppliers known and prioritised by criticality), GV.SC-05 (requirements addressed in contracts), GV.SC-06 (due diligence before entering relationships), GV.SC-07 (supplier risks recorded, assessed and monitored), GV.SC-08 (suppliers included in incident planning and response); Identify (ID): ID.RA-10 (critical suppliers assessed prior to acquisition) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →