DPDP Act Vendor Liability: Why Third-Party Breaches Sit With You
TL;DR: Under India’s DPDP Act, a vendor‑side data breach remains the Data Fiduciary’s legal and financial liability. Section 8 makes this accountability non‑delegable, while Rule 6 mandates strict technical safeguards (like encryption and 1-year logs) across your entire supply chain. With a tight 72-hour notification window under Rule 7, token compliance isn’t enough. This article outlines a 6‑step vendor resilience framework and highlights how Rainmaker’s WorkWISE e-module transforms these legal rules into everyday workplace behavior.
At 2:30 PM, on a BPO floor handling customer queries for a fast-growing clothing brand, a support agent received a chat from “IT support.” Nothing about that moment felt dramatic. The agent clicked, logged in, and went back to clearing tickets.
But behind that quiet click, an attacker had just gained access to the brand’s systems using a trusted vendor login. Over the next few weeks, they moved through support tools, pulled records, and quietly exfiltrated millions of customer files.
When the breach surfaced, the headlines did not mention the BPO. They named the clothing brand.
Under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and DPDP Rules, 2025, the law views it the same way. The organisation that decided to collect and use that personal data, the Data Fiduciary, cannot point fingers at its vendor and walk away. A vendor-side failure is still a data fiduciary’s responsibility.
How Supply Chain Attacks Actually Work
This is not a hypothetical horror story. The Google Threat Intelligence Group (GTIG) recently mapped out the mechanics of these specific supply chain attacks. They tracked an advanced threat group, UNC6783, linked to a hacker operating under the moniker Mr. Raccoon. Crucially, this group rarely attacks primary target companies directly. Instead, they exploit the weaker perimeter: outsourced service providers, BPO hubs, and third-party vendors.
Here is how that playbook plays out in real life:
- The Setup: Attackers target a vendor with direct access to the company’s systems. They pretend to be IT support via chat, sending a link to a fake website that looks identical to the company’s real one.
- The Break-in: When the vendor employee logs in, attackers steal the credentials and the session tokens—the digital “keys” that prove identity, allowing them to bypass multi-factor authentication (MFA).
- Staying Inside: Holding valid tokens, the attackers stay logged in even after passwords are changed. They don’t trigger “failed login” alarms; they just look like a legitimate user doing their job.
- The Takeover: From that foothold, they escalate to administrator accounts, pulling private data at scale without setting off traditional perimeter alerts.
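Two defensive checks that follow directly from this playbook, as an added Python example (not code from the original article, GTIG, or any vendor named here): a server-side token check that revokes any session issued before the user's last password reset, and a detector run over constructed access-log lines that flags stale tokens, tokens used from an IP other than the one they were issued to, and bulk-export or privilege actions. The session records, the user name and the log format are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Session:
    user: str
    issued_at: datetime
    issued_ip: str

# Constructed records: the user's last password reset and the sessions still held for
# them. s-002 predates the reset; a server that checks only expiry would keep honouring it.
PASSWORD_RESET_AT = {"agent42@vendor.example": datetime(2025, 3, 10, 9, 0)}
SESSIONS = {
    "s-001": Session("agent42@vendor.example", datetime(2025, 3, 10, 9, 5), "203.0.113.7"),
    "s-002": Session("agent42@vendor.example", datetime(2025, 3, 10, 8, 30), "203.0.113.7"),
}

def token_is_valid(token_id: str, now: datetime, max_age: timedelta = timedelta(hours=8)) -> bool:
    """Accept a token only if it exists, is unexpired and post-dates the user's last reset."""
    s = SESSIONS.get(token_id)
    if s is None or now - s.issued_at > max_age:
        return False
    reset_at = PASSWORD_RESET_AT.get(s.user)
    # A token issued before a credential change is revoked, not honoured.
    return reset_at is None or s.issued_at >= reset_at

# Constructed access-log lines: "timestamp token source_ip action [args]".
LOG_LINES = [
    "2025-03-10T09:06:00 s-001 203.0.113.7 ticket.read",
    "2025-03-10T09:40:00 s-002 198.51.100.23 ticket.read",
    "2025-03-10T09:41:00 s-002 198.51.100.23 ticket.export",
    "2025-03-10T09:50:00 s-002 198.51.100.23 role.grant admin",
]

def find_suspicious(lines):
    """Flag stale tokens, tokens used from an IP other than the issuing one, and bulk/privilege actions."""
    findings = []
    for line in lines:
        ts, token, ip, action, *_ = line.split()
        reasons = []
        if not token_is_valid(token, datetime.fromisoformat(ts)):
            reasons.append("stale-token")
        s = SESSIONS.get(token)
        if s is not None and s.issued_ip != ip:
            reasons.append("ip-mismatch")
        if action in ("ticket.export", "role.grant"):
            reasons.append("sensitive-action")
        if reasons:
            findings.append((ts, token, action, reasons))
    return findings
```

Run against the sample log, only the activity on s-002 is flagged: it never produces a failed login, which is exactly why the reset check and the per-token IP comparison have to be done server-side rather than waiting for an authentication alarm.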
This is the exact pattern reportedly used against an Indian BPO provider supporting Adobe, resulting in claims of 13 million stolen customer support tickets and 15,000 employee records being ransomed via Proton Mail.
And it is not just a “tech sector” problem.
Banks share KYC files with verification partners. E-commerce platforms send shipping data to logistics providers. Healthcare apps pass lab results to billing networks. Your security posture is determined by the discipline of dozens of third parties who sit quietly behind your brand.
The Legal Reality Under the DPDP Act
For most Indian organisations, the role is clear: you decide why personal data is collected and how it is used. That makes you the Data Fiduciary. Your call centres, SaaS tools, cloud platforms, and IT support partners are simply Data Processors. They execute on your instructions, but they do not carry your statutory burden.
Section 8 of the DPDP Act locks this in. It states that the Data Fiduciary remains responsible for compliance “in respect of any processing undertaken by it or on its behalf by a Data Processor,” irrespective of private contracts. You can outsource operations; you cannot outsource accountability.
Rule 6 of the DPDP Rules, 2025 then turns that responsibility into an operational checklist. At a minimum, a Data Fiduciary must:
- Protect personal data wherever it sits in your ecosystem, using concrete safeguards such as encryption, obfuscation, masking or virtual tokens, and strong access controls.
- Maintain visibility into who is accessing what through logs, monitoring, reviews and backups, and retain those logs for at least one year to support detection and investigation of unauthorised access.
- Hardwire these expectations into every vendor contract, ensuring processors are legally bound to implement the same security baselines you are judged against.
When a breach starts at a vendor, your DPDP obligations are triggered from the moment you, as the Data Fiduciary, become aware of that personal data breach—not when the vendor finishes its internal analysis.
Rule 7 of the DPDP Rules requires a strict two-stage response from the moment of awareness. You must notify both the Data Protection Board of India (“Board”) and all affected individuals without delay, providing an initial assessment. You then have a 72-hour window to submit a comprehensive, updated forensic follow-up report to the Board detailing root causes and structural remediation.
The penalty regime further reflects how seriously this duty is viewed. Failing to maintain reasonable security safeguards can attract penalties up to ₹250 crore, while failing to notify the Board or affected individuals can separately attract penalties up to ₹200 crore.
A 6-Step Vendor Resilience Framework
Vendor management can no longer be treated as a once-a-year compliance checklist. Under the DPDP regime, it must evolve into a live, auditable, and continuously monitored governance system. Organisations that manage vendor risk well do not simply rely on contractual language. They build resilience across legal, technical, operational, and human layers of the data supply chain.
Here are six critical steps every Data Fiduciary should prioritise:
1. Rewrite Vendor Agreements
Clearly define the Data Fiduciary–Data Processor relationship in every contract. Move beyond vague references to “industry best practices” and mandate specific obligations around security safeguards, access controls, incident reporting, audits, and breach escalation.
2. Manage Cross-Border Risk
Keep track of Central Government notifications on restricted jurisdictions for cross-border data transfers. Vendor risk today is not just about who processes your data, but also where that processing happens.
3. Audit Technical Safeguards
Regularly assess whether vendors are implementing robust technical controls such as encryption in transit and at rest, role-based access, token management, and privileged access monitoring.
4. Enforce Log Visibility
Require vendors to maintain detailed access and activity logs for at least one year (or longer where other sectoral regulations require it). More importantly, ensure those logs can be shared quickly during investigations or incident response.
5. Include Rapid Reporting in SLAs
Breach reporting timelines should not begin when a vendor completes its internal investigation. Contracts must require vendors to escalate incidents, anomalies, and suspicious activity immediately to protect your 72-hour reporting window.
6. Deploy Ecosystem-Wide Training
Technology alone cannot stop social engineering attacks. Extend DPDP awareness and cyber-risk training to vendor teams that access your systems, enabling them to recognise and respond to phishing, impersonation, and credential theft attempts.
Building a Culture of Readiness with Rainmaker
Most organisations today have DPDP clauses in their vendor contracts. Far fewer can confidently demonstrate that their vendor ecosystem can withstand a real-world attack. True compliance goes beyond policies and paperwork. It requires evidence that your organisation actively monitors, strengthens, and defends its entire data supply chain.
This is where Rainmaker helps bridge the gap between legal obligations and everyday behaviour.
Through WorkWISE, our scenario-based DPDP awareness e-module, we equip both your internal teams and vendor processors to identify, resist, and report real-world risks. Combined with Rainmaker’s Policy Drafting, Privacy Audits, DPDP Readiness Assessments, and DPO Consultation Services, we help organisations build privacy programs that are practical, defensible, and resilient.
The real question is no longer whether your vendors handle personal data. They already do.
The real question is: Are they prepared to protect it?
Connect with Rainmaker to learn how WorkWISE can help you build a stronger, more resilient privacy culture.
Suggested Reading
- India’s DPDP Act 2023 & Rules 2025: Cross‑Border Data Transfer Rules, Negative List Risks & Compliance Action Plan for Indian Businesses | Rainmaker
- Significant Data Fiduciary Under India’s DPDP Act: Boardroom Duties, DPO Role, DPIAs and AI Risk Governance | Rainmaker
- Reimagining Consent in India’s Digital Age: What the DPDP Act & Rules 2025 Mean for Data Privacy and Compliance | Rainmaker
- DPDP Rules, 2025 Compliance: 2026 FAQs for Indian Companies | Rainmaker
- The DavaIndia Data Breach: Why India’s DPDP Act Makes Compliance Culture Your Strongest Firewall