TPRM & TPRA under the DPDP Act
Third-party and vendor risk under India's data-protection law
Third-Party Risk Management (TPRM) under India's DPDP Act 2023 is the practice of assessing and monitoring the Data Processors and vendors who handle personal data on your behalf. Because the Data Fiduciary stays accountable, TPRM covers vendor DPDP assessments (TPRA), Data Processing Agreements and sub-processor oversight — best run with TPRM software.
Why third-party risk matters under the DPDP Act
When you share personal data with a vendor, the DPDP Act keeps you — the Data Fiduciary — accountable for it. A processor's weak security or non-compliance becomes your liability, which is why managing third-party risk is central to DPDP compliance.
TPRM vs TPRA
Third-Party Risk Management (TPRM) is the ongoing programme of identifying, assessing and monitoring vendor risk. A Third-Party Risk Assessment (TPRA) is the individual evaluation of a specific vendor's DPDP posture. TPRM is the programme; TPRA is the activity within it.
Data Processing Agreements
Every processor relationship should be governed by a Data Processing Agreement that sets out purpose limitation, security obligations, sub-processing rules, breach notification and audit rights. Tracking DPAs and their renewals is a core TPRM task.
Sub-processors and continuous monitoring
Risk doesn't stop at your direct vendors — the fourth parties behind them matter too. Mature TPRM maintains a sub-processor registry and monitors vendors continuously, reassessing on a cadence and alerting on changes.
Frequently asked questions
TPRM (Third-Party Risk Management) is the ongoing programme of managing vendor risk; TPRA (Third-Party Risk Assessment) is the specific assessment of an individual vendor's DPDP posture within that programme.