Without clear written security responsibilities in vendor contracts, you cannot hold vendors accountable when they leak your data, fail to secure customer information, or cause a breach. For example, if a Delhi-based e-commerce business outsources payment processing to a vendor without a security clause, and that vendor's server is hacked, exposing customer credit card data, the business has no contractual basis to demand compensation or corrective action—and may face customer lawsuits and RBI penalties for failing to enforce vendor security. An audit by a large customer or insurance company will fail if you cannot show written security agreements with your third parties, potentially losing contracts worth lakhs of rupees.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You don't have any formal written contracts with most vendors, or the contracts mention nothing about security. Vendor agreements are verbal or basic purchase orders with no clauses about data protection, confidentiality, or incident reporting.
Initial
You have some written contracts with key vendors, but security responsibilities are vague or buried in generic clauses. Vendors know they shouldn't lose data, but there's no specific language about encryption, access control, breach notification timelines, or audit rights.
Developing
Your main vendor contracts include basic security clauses like 'protect customer data' and 'notify us of breaches,' but the language is not detailed and covers fewer than half your critical vendors. You have contracts with IT service providers and payment processors mentioning security, but not with logistics, hosting, or maintenance vendors.
Defined
You have written security agreements (standalone or embedded in contracts) with all critical vendors that spell out specific duties: data encryption, access logging, annual audits, 48-72 hour breach notification, and your right to audit. Contracts define what data each vendor touches and how long they keep it.
Managed
Every vendor contract includes a detailed Data Security Addendum (or similar document) listing specific security controls, compliance requirements (DPDP Act, ISO 27001), incident response steps, liability caps, and termination rights if security fails. You conduct annual reviews of vendor compliance and update contracts when regulations change.
Optimised
You maintain a vendor security matrix showing each vendor, data they access, security responsibilities, audit dates, and compliance status. Contracts are reviewed every 12 months, updated for new threats or regulations, and enforced through quarterly security assessments. You have a documented vendor offboarding process that includes data deletion verification.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all your active vendors (IT, hosting, payment, logistics, cleaning, office supplies, etc.) and identify which ones touch customer data or business systems. Draft a simple one-page 'Security Responsibilities' addendum covering data confidentiality, breach notification, and your audit rights. Have your lawyer review it for compliance with the DPDP Act 2023. Start adding this addendum to new vendor contracts immediately. | Business owner + company lawyer or freelance legal consultant | 3-5 days |
| 1 → 2 | Review your existing vendor contracts and flag those with vague or missing security clauses. Contact your top 10 vendors (by data sensitivity and business criticality) and request they sign an updated agreement that specifies: what data they access, encryption during transit and storage, annual security audits, incident notification within 72 hours, and your right to audit them on-site. Create a vendor contract tracker spreadsheet. | IT person or operations manager + legal counsel | 2-3 weeks |
| 2 → 3 | Draft a comprehensive Data Security Addendum template (2-3 pages) that covers: types of data, security controls (encryption, access logging, MFA), compliance standards (DPDP Act Section 6-8, ISO 27001 A.12-A.14), vendor sub-contractor rules, incident response procedures, liability, and termination clauses. Have a lawyer specializing in data protection review it. Roll it out to all remaining vendors with renewal negotiations. | IT manager + data protection lawyer | 4-6 weeks |
| 3 → 4 | Conduct a vendor security assessment program: for each critical vendor, request security certifications (ISO 27001, SOC 2, or a filled security questionnaire), review audit reports if available, and document their security posture in a vendor matrix. Update contracts to include annual certification requirements and define audit frequency based on data sensitivity. Create a vendor compliance dashboard. | IT manager or dedicated compliance person | 6-10 weeks |
| 4 → 5 | Establish a continuous vendor governance process: conduct quarterly compliance reviews (request updated attestations, review audit logs if applicable), update all contracts annually for new regulatory changes (e.g., DPDP Act clarifications, NIST CSF updates), maintain detailed records of vendor incidents and corrective actions, and define escalation procedures for security failures. Schedule six-monthly reviews of the vendor security matrix with your leadership team. | Dedicated compliance/security officer or outsourced compliance consultant | Ongoing (4-6 hours per month) |
Documents and records that prove your maturity level.
- Master list of all active vendors with contact details, data types accessed, and contract expiry dates
- Signed vendor contracts or Data Security Addenda for all critical vendors (at minimum: IT, hosting, payment processor, logistics, accountant/bookkeeper) specifying security responsibilities, breach notification timelines, and audit rights
- Filled security questionnaires or signed attestations from vendors confirming they meet specified controls (encryption, access logging, incident response, etc.)
- Vendor security matrix or spreadsheet documenting each vendor's security certifications, last audit date, compliance status, and any open issues or non-compliance items
- Records of at least one annual review or audit of a critical vendor's security controls (email correspondence, audit report summary, or compliance checklist completed)
Prepare for these questions from customers or third-party reviewers.
- "Show me your vendor contracts. Which vendors have written security clauses? For those without, how do you enforce security requirements?"
- "Do you have a Data Security Addendum or similar document that all vendors handling sensitive data must sign? What specific security controls does it require?"
- "How do you verify that vendors are actually following the security responsibilities in your contracts? When was the last time you audited a vendor or reviewed their security certification?"
- "What happens if a vendor breaches your data or fails a security audit? Show me the termination or remediation clauses in your contracts and any past enforcement examples."
- "Do you have a documented process for reviewing and updating vendor contracts when regulations change (e.g., new DPDP Act guidance or RBI rules)? Can you show me evidence of contract reviews in the last 12 months?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Vendor contract template and security addendum creation | Google Docs templates (search 'Data Processing Addendum template' or use NIST vendor risk management templates); CERT-In vendor security guidelines | LawSikho vendor contract templates (₹2,000-5,000 one-time); specialized data protection lawyers in India (₹10,000-25,000 per contract review) |
| Vendor security questionnaire and assessment tool | ISO 27001 Annex A questionnaire checklist (DIY Google Form); NIST Cybersecurity Framework vendor risk template | OneTrust Vendor Risk Management (₹5-10 lakhs per year); Panorays vendor security monitoring (₹8-15 lakhs per year); local Indian cybersecurity consultancies offering vendor assessment services (₹50,000-2 lakhs per vendor) |
| Vendor contract and compliance tracking spreadsheet or system | Google Sheets or Excel with shared access; Airtable free tier for vendor matrix and tracking | Jira for contract milestone tracking (₹7,500-15,000 per year); ServiceNow Vendor Management module (₹20+ lakhs per year); Icertis Contract Management (enterprise, ₹50+ lakhs per year) |
- Relying on verbal assurances or informal agreements with vendors without written contracts—when a breach happens, you have no legal basis to claim damages or demand corrective action, and you cannot prove you exercised due diligence for DPDP Act compliance or insurance claims.
- Using generic vendor agreements without data-specific security clauses—contracts may say 'maintain confidentiality' but don't specify encryption standards, backup frequency, access logging, or incident notification timelines, leaving room for vendors to claim they met obligations while your data was inadequately protected.
- Signing vendor contracts once and never reviewing or updating them—regulations like the DPDP Act and RBI guidelines evolve, and new threats (ransomware, phishing) emerge, but your 2019 vendor contract may not address these; you also fail to catch vendors who no longer meet your security standards.
- Failing to distinguish between critical and non-critical vendors—you may require detailed security clauses from your IT provider but neglect your logistics partner or office cleaner, who may have physical or digital access to sensitive systems or data, creating unprotected gaps.
- Not enforcing vendor contracts or conducting audits—you may have well-written security clauses but never verify vendors are following them (no audit rights exercised, no security certifications requested, no compliance checks), so the contract is just paper with no real protection.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (consent for processing) and Section 8 (data processor obligations): processors must be contractually bound to follow security standards and notify the data fiduciary of breaches; Section 6(3) requires written agreements with processors |
| CERT-In 2022 | Direction 2 (incident handling, breach notification) and Direction 4 (audit and security assessment): vendors handling critical infrastructure or sensitive data must be audited for compliance; breach notification to CERT-In within 6 hours applies to all data handlers |
| ISO 27001:2022 | Clause A.5.22 (relationships with suppliers) and A.5.23 (addressing information security in supplier relationships): contracts must define security requirements; Clause A.12.4 (logging) requires vendors to maintain access logs; Clause A.6.6 (supplier relationships) requires periodic security reviews |
| NIST CSF 2.0 | Govern (GV) category GV.RO-01 (organizational risk from third parties): establish relationships with third parties that have aligned security responsibility and accountability; Protect (PR) category PR.AC-06: define contractor access and responsibilities in writing |
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.