What is a data processor under DPDP?

Under DPDP Act 2023, a data processor is any person who processes personal data on behalf of a data fiduciary. For Indian B2B SaaS, this means you are almost certainly a data processor for your customers — they decide the purpose and means of processing; you execute. Section 8 of the Act enumerates processor obligations. The data fiduciary remains primarily liable for compliance, but processor obligations are independently enforceable.

How is data fiduciary different from data processor?

Data fiduciary: decides why and how personal data is processed (the customer using your SaaS to process their end-users' data). Data processor: executes processing per fiduciary instructions (your SaaS company). Most Indian B2B SaaS startups are processors with respect to customer data and fiduciaries with respect to their own employee / prospect data. The same company can occupy both roles for different data flows.

What are the Section 8 processor obligations?

Section 8 of DPDP Act 2023 requires data processors to: (1) process personal data only per fiduciary instructions in a written contract, (2) implement reasonable security safeguards to prevent breach, (3) notify the fiduciary of breaches within prescribed timelines, (4) restrict access to authorised personnel only, (5) return or delete personal data on completion of processing, (6) provide audit and inspection support to the fiduciary, (7) not engage sub-processors without fiduciary authorisation, (8) flow processor obligations down to authorised sub-processors.

What should the data processing agreement (DPA) contain?

The fiduciary-processor DPA must include: subject matter and duration of processing, nature and purpose, categories of personal data and data principals, fiduciary obligations and rights, processor obligations under Section 8, breach notification timeline (typically 24-48 hours to fiduciary, shorter than the 72-hour Board clock), sub-processor authorisation policy, return/deletion of data on termination, audit rights, indemnity and liability allocation. Most Indian SaaS vendors are now publishing standard DPAs as part of their MSA.

Does Bachao.AI review processor compliance?

Yes. Our DPDP gap analysis for B2B SaaS includes a Section 8 review: DPA template review, sub-processor flow-down audit, breach notification readiness (24-48 hour fiduciary clock), audit/inspection support readiness, return/deletion workflow correctness. The deliverable doubles as evidence for your fiduciary customers' procurement reviews.

DPDP Section 8 Data Processor Obligations — B2B SaaS Guide

B2B SaaS is a data processor

If you operate a B2B SaaS in India, you are a data processor for your customers under DPDP. Section 8 lists 8 independent obligations.

The fiduciary stays primarily liable, but processor obligations are independently enforceable.

8Section 8 obligations

24-48 hrsfiduciary notify

Freefirst review

DPAtemplate included

Book a free DPDP review Read the pillar

DPDP Section 8DPA template reviewSub-processor flow-down

Why DPDP Section 8 matters for B2B SaaS

Most Indian B2B SaaS startups process personal data on behalf of their customers (the data fiduciaries). When the fiduciary's enterprise procurement team starts the security review of your SaaS, the first DPDP question is: 'show us your processor obligations compliance under Section 8'. Your sales cycle stalls until you have the artifacts. Building Section 8 readiness is now a sales-enablement move, not just a compliance move.

The 8 Section 8 obligations broken down

Each obligation maps to a specific artifact your fiduciaries will request:

Obligation 1 — Written instructions: every processing activity must trace back to a written contract or instruction set. Artifact: DPA + master agreement.
Obligation 2 — Reasonable security safeguards: same as Schedule I but applied per-fiduciary data flow. Artifact: VAPT report + security control documentation.
Obligation 3 — Breach notification to fiduciary: typically 24-48 hours from awareness, shorter than the 72-hour Board clock. Artifact: incident response runbook + SLA-backed breach notification template.
Obligation 4 — Access restriction: only authorised personnel can process personal data; access reviewed periodically. Artifact: access control policy + access review log.
Obligation 5 — Return or delete on completion: when the fiduciary terminates the contract or the purpose ends, personal data must be returned (export) or deleted. Artifact: return/delete workflow + completion certificate.
Obligation 6 — Audit support: provide reasonable access for fiduciary or their auditor to inspect your processing operations. Artifact: audit policy + standard audit response pack.
Obligation 7 — Sub-processor authorisation: no sub-processor without fiduciary's prior authorisation (general or specific). Artifact: sub-processor list + change notification policy.
Obligation 8 — Flow-down to sub-processors: every sub-processor contractually carries equivalent Section 8 obligations. Artifact: sub-processor DPA template.

What a DPDP-aligned DPA contains

The fiduciary-processor DPA is the master artifact. Standard contents:

Subject matter and duration of processing
Nature and purpose of processing
Categories of personal data + categories of data principals
Fiduciary obligations and rights (Section 5 + Section 7)
Processor obligations under Section 8
Breach notification timeline (24-48 hours processor → fiduciary, in advance of the 72-hour Board clock)
Sub-processor authorisation policy (general or specific, change notification period)
Return or deletion of data on contract termination
Audit rights and frequency
Indemnity and liability allocation

Sub-processor management — the most common gap

Most Indian B2B SaaS startups have 10-30 sub-processors (cloud provider, email service, payment gateway, analytics platform, customer support tool, etc.). DPDP requires each to be authorised by the fiduciary, contractually bound to Section 8, and listed in a sub-processor registry the fiduciary can review. The common failure mode: ad-hoc sub-processor addition without fiduciary notification, no flow-down DPAs in place, no central registry. Fix: build the sub-processor list once, get fiduciary general authorisation for the current list, set up change notification (e.g., 30 days notice before adding a new sub-processor).

Breach notification to fiduciary — the 24-48 hour clock

The fiduciary has 72 hours to notify the Data Protection Board. The processor has 24-48 hours (typically) to notify the fiduciary so the fiduciary has time to prepare the Board notification. Build the runbook: detection alert → fiduciary incident notification template → fiduciary contact roster → status update cadence → forensic evidence package handover. Test annually via tabletop exercise.

How Bachao.AI helps B2B SaaS meet Section 8

Our DPDP gap analysis for B2B SaaS includes: DPA template review against current draft DPDP rules, sub-processor list audit + flow-down DPA template, breach notification runbook authoring with 24-48 hour fiduciary clock, audit response pack template, return/deletion workflow review. The deliverable doubles as evidence pack you can hand to fiduciary procurement teams to clear DPDP review without back-and-forth.

Get your DPDP processor compliance reviewed

Free first review covers DPA + sub-processor list + breach SLA. Audit-ready pack for fiduciary procurement.

Book a free review Read the pillar

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

AI VAPT Scanner

Automated penetration testing for web apps and APIs. Results in under 2 hours.

Learn more →

API Security Testing

OWASP API Top 10 coverage for REST and GraphQL endpoints.

Learn more →

Cloud Security Audit

AWS, Azure & GCP misconfiguration detection with DPDP mapping.

Learn more →

Why DPDP Section 8 matters for B2B SaaS

The 8 Section 8 obligations broken down

Each obligation maps to a specific artifact your fiduciaries will request:

Obligation 1 — Written instructions: every processing activity must trace back to a written contract or instruction set. Artifact: DPA + master agreement.

Obligation 2 — Reasonable security safeguards: same as Schedule I but applied per-fiduciary data flow. Artifact: VAPT report + security control documentation.

Obligation 3 — Breach notification to fiduciary: typically 24-48 hours from awareness, shorter than the 72-hour Board clock. Artifact: incident response runbook + SLA-backed breach notification template.

Obligation 4 — Access restriction: only authorised personnel can process personal data; access reviewed periodically. Artifact: access control policy + access review log.

Obligation 5 — Return or delete on completion: when the fiduciary terminates the contract or the purpose ends, personal data must be returned (export) or deleted. Artifact: return/delete workflow + completion certificate.

Obligation 6 — Audit support: provide reasonable access for fiduciary or their auditor to inspect your processing operations. Artifact: audit policy + standard audit response pack.

Obligation 7 — Sub-processor authorisation: no sub-processor without fiduciary's prior authorisation (general or specific). Artifact: sub-processor list + change notification policy.

Obligation 8 — Flow-down to sub-processors: every sub-processor contractually carries equivalent Section 8 obligations. Artifact: sub-processor DPA template.

What a DPDP-aligned DPA contains

The fiduciary-processor DPA is the master artifact. Standard contents:

Subject matter and duration of processing

Nature and purpose of processing

Categories of personal data + categories of data principals

Fiduciary obligations and rights (Section 5 + Section 7)

Processor obligations under Section 8

Breach notification timeline (24-48 hours processor → fiduciary, in advance of the 72-hour Board clock)

Sub-processor authorisation policy (general or specific, change notification period)

Return or deletion of data on contract termination

Audit rights and frequency

Indemnity and liability allocation

Sub-processor management — the most common gap

Breach notification to fiduciary — the 24-48 hour clock

How Bachao.AI helps B2B SaaS meet Section 8

DPDP Section 8 — Data Processor Obligations for Indian B2B SaaS

Why DPDP Section 8 matters for B2B SaaS

The 8 Section 8 obligations broken down

What a DPDP-aligned DPA contains

Sub-processor management — the most common gap

Breach notification to fiduciary — the 24-48 hour clock

How Bachao.AI helps B2B SaaS meet Section 8

Get your DPDP processor compliance reviewed

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit

DPDP Section 8 — Data Processor Obligations for Indian B2B SaaS

Why DPDP Section 8 matters for B2B SaaS

The 8 Section 8 obligations broken down

What a DPDP-aligned DPA contains

Sub-processor management — the most common gap

Breach notification to fiduciary — the 24-48 hour clock

How Bachao.AI helps B2B SaaS meet Section 8

Get your DPDP processor compliance reviewed

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit