DPDP Processor Obligations for Call Recording Stacks

Who this is for: CTOs and Heads of Engineering at CPaaS, cloud telephony, or call recording companies processing call data on behalf of enterprise clients.

Call recording platforms sit in an unusual position under India's DPDP Act 2023. They are simultaneously a Data Fiduciary for their own operational data and a Data Processor for every enterprise client whose calls they record. Both roles carry obligations. Most DPDP commentary conflates them.

Enterprise BFSI clients will demand processor compliance evidence before Phase III enforcement arrives in Q1 2027. The procurement pressure precedes the legal deadline — and most CPaaS platforms are not ready for either.

The role distinction matters

Under GDPR, the processor concept is well-established: Art. 28 mandates a written contract specifying processor obligations in prescriptive detail. DPDP takes a different approach.

DPDP §2(k) defines a Data Processor as an entity that processes personal data on behalf of a Data Fiduciary. The processor is not independently accountable to the Data Principal — that accountability sits with the Fiduciary. But the processor is bound by three obligations that attach regardless of what the contract says:

These are not contractual defaults to be negotiated away. They flow from the statute.

A fourth obligation follows from §8(6): breach notification. A processor handling call recordings must have a documented pathway to notify the Data Fiduciary promptly when a breach occurs — the Fiduciary then carries the notification obligation to the Data Protection Board.

GDPR Art. 28 isn't the template

Enterprise clients will arrive with GDPR-shaped DPA checklists. DPDP does not mandate the same Art. 28 structure — but the practical effect is similar. Clients in BFSI and enterprise SaaS will require documented processor terms covering deletion timelines, breach windows, and prohibition on secondary use. Platforms without this documentation will face friction in enterprise deals before enforcement starts.

The gap is not just legal. It is commercial. A BFSI procurement team asking for your DPDP processor agreement cannot be satisfied with a privacy policy that predates the DPDP Rules 2025 notified in November. The documentation has to exist, be dated correctly, and use the right terminology.

SDF designation risk

Scale changes the picture significantly.

If a platform processes call recordings across many enterprise clients at high volume, it may be designated as a Significant Data Fiduciary (SDF) under DPDP §10. The Central Government determines SDF status based on volume, sensitivity, and national security risk. SDF designation triggers:

No SDF list has been published yet. When it is published, designation takes effect immediately — platforms must have DPO, DPIA, and localisation measures operational at that point, not six months later. Building toward SDF readiness now is not early; it is on schedule.

The enforcement window

DPDP Rules 2025 were notified November 2025. The phased structure:

Q2 2027 sounds distant. It is not. Enterprise BFSI clients facing their own DPDP deadlines will require processor compliance evidence from vendors ahead of their own Phase III dates. The procurement pressure arrives before enforcement does.

What to audit now

Six questions a CPaaS or call recording CTO should be able to answer today:

  1. Does your privacy policy reflect DPDP 2023 terminology and the DPDP Rules 2025 notified in November? A policy dated before that is almost certainly out of date.
  2. Do your enterprise client contracts include documented processor terms covering deletion obligations, breach notification timelines, and prohibition on secondary use?
  3. When a client issues a deletion request, does your platform have a mechanism to propagate it across all storage tiers, including backups?
  4. What is your daily volume of personal data processed, and what sensitivity categories are present in recordings? This drives SDF probability.
  5. Is there a named individual who could assume a DPO role if SDF designation arrives?
  6. Is there a documented breach response pathway that enables Fiduciaries to meet their own notification obligations?

What processors must do before Q1 2027

Pre-deadline checklist — six concrete steps

  1. Update your privacy policy to DPDP Rules 2025 terminology. Review your privacy policy against DPDP 2023 and the Rules notified in November 2025. Any policy dated before the November 2025 notification almost certainly uses pre-Rules language and will not satisfy a BFSI client audit or a Data Protection Board review.
  2. Add documented processor terms to enterprise client contracts. Draft processor terms covering deletion timelines, breach notification windows, and explicit prohibition on secondary use of recordings. These terms must be in every enterprise contract before the Phase III enforcement window opens.
  3. Implement cross-tier deletion propagation. Audit your deletion pipeline. When a Fiduciary issues a deletion instruction, that deletion must reach all storage tiers — primary database, object storage, backups, and archives. A deletion that stops at the primary record leaves your platform non-compliant with §8(7).
  4. Assess your SDF exposure. Calculate your daily volume of personal data processed across all enterprise clients and identify the sensitivity categories present in recordings. Document the assessment. This is the input to your SDF probability estimate and determines whether DPO and DPIA preparation becomes mandatory.
  5. Identify and prepare a DPO candidate. If your SDF assessment shows material exposure, identify a named individual who can assume a Data Protection Officer role and begin scoping their responsibilities. SDF designation, when the list is published, takes effect immediately — there is no grace period to find and brief a DPO after the fact.
  6. Document and test your breach notification pathway. Write and run through a breach response runbook that enables you to notify relevant Data Fiduciaries promptly when a breach involving their recordings occurs. The Fiduciary carries the obligation to notify the Data Protection Board — your pipeline must enable them to meet their statutory timelines.

What Juro scans for

Juro scans public-facing assets — privacy policies, terms, processor disclosures — for DPDP processor obligation markers: whether the policy addresses the processor role under DPDP 2023, whether deletion and breach obligations are disclosed, and whether DPDP Rules 2025 terminology is present versus pre-Rules language.

It detects gaps in required disclosures. It does not assess your internal systems, processor contracts, or SDF exposure — those require an internal assessment. But knowing which public-facing markers are missing is the first step before an enterprise client audit or a Data Protection Board inquiry.

Frequently asked questions

Does DPDP apply to data processors, or only to Data Fiduciaries?

DPDP applies to both. A Data Processor is defined under §2(k) as any entity that processes personal data on behalf of a Data Fiduciary. Processors carry statutory obligations independent of contract: security safeguards under §8(1), deletion obligations under §8(7), and breach notification duties under §8(6). These are not contractual defaults — they flow directly from the statute and cannot be negotiated away.

Can a call recording platform use recordings for its own model training or analytics?

No — not without explicit authorisation from the Data Fiduciary. The processor role is bounded by the Fiduciary's stated purpose. Using recordings for independent model training, analytics products, or any purpose beyond what the Fiduciary has authorised constitutes a breach of DPDP processor obligations, regardless of what the service agreement says.

What is Significant Data Fiduciary (SDF) designation and who is at risk?

SDF designation is determined by the Central Government under DPDP §10 based on volume of personal data processed, sensitivity of data categories, and national security considerations. A CPaaS or call recording platform processing at high volume across many enterprise clients is at material SDF risk. Designation triggers a DPO appointment requirement, data localisation obligations, and mandatory DPIA before high-risk processing. No SDF list has been published yet — when it is, designation takes effect immediately.

When do DPDP processor obligations become enforceable?

The DPDP Rules 2025 were notified in November 2025. Full operational obligations including processor rules and the SDF regime are expected in Phase III, targeted at Q1–Q2 2027. However, enterprise BFSI clients facing their own DPDP Phase III deadlines will require processor compliance evidence from vendors ahead of their own dates — procurement pressure arrives before enforcement does.

What does DPDP require when a Data Principal requests deletion of their personal data?

Under DPDP §8(7), when a Data Fiduciary no longer needs personal data for the purpose it was collected, or when a Data Principal exercises erasure rights, the processor must act on the deletion instruction. This means the deletion must propagate across all storage tiers — including backups and archive stores — not just the primary database. A deletion mechanism that stops at the primary record and leaves backups intact does not meet the statutory obligation.

Does DPDP require the same Art. 28 processor contract structure as GDPR?

No. DPDP does not mandate the prescriptive Art. 28 structure that GDPR requires. However, enterprise clients — particularly in BFSI and SaaS — will arrive with GDPR-shaped DPA checklists and require documented processor terms covering deletion timelines, breach notification windows, and prohibition on secondary use. Platforms without this documentation will face deal friction before formal enforcement begins.

See where your gaps are now

Free DPDP processor scan — no account required

Juro scans your public-facing privacy policy and processor disclosures for DPDP processor obligation markers: whether deletion and breach obligations are disclosed, whether DPDP Rules 2025 terminology is present, and whether your policy addresses the processor role under DPDP 2023. It won't write your processor terms — but it will show you what's missing before an enterprise client audit does.
