Note: Juro, referenced throughout this post, is a website compliance scanner at jurocompliant.com — not the contract-automation product of the same name.
Call recording platforms sit in an unusual position under India's DPDP Act 2023. They are simultaneously a Data Fiduciary for their own operational data and a Data Processor for every enterprise client whose calls they record. Both roles carry obligations. Most DPDP commentary conflates them.
Enterprise BFSI clients will demand processor compliance evidence before hard enforcement arrives in November 2026. The procurement pressure precedes the legal deadline — and most CPaaS platforms are not ready for either.
The role distinction matters
Under GDPR, the processor concept is well-established: Art. 28 mandates a written contract specifying processor obligations in prescriptive detail. DPDP takes a different approach.
DPDP §2(k) defines a Data Processor as an entity that processes personal data on behalf of a Data Fiduciary. The processor is not independently accountable to the Data Principal — that accountability sits with the Fiduciary. But the processor is bound by three obligations that attach regardless of what the contract says:
- Maintain security safeguards (DPDP §8(1)) — applicable to any entity handling personal data, processor or Fiduciary
- Delete data on instruction (§8(7)) — when the Fiduciary no longer needs the data, or receives an erasure request from a Data Principal, the processor must act on the deletion instruction
- No independent use — a call recording platform cannot use recordings for its own model training or analytics products without explicit Fiduciary authorisation; the processor role is bounded by the Fiduciary's stated purpose
These are not contractual defaults to be negotiated away. They flow from the statute.
A fourth obligation follows from §8(6): breach notification. A processor handling call recordings must have a documented pathway to notify the Data Fiduciary promptly when a breach occurs — the Fiduciary then carries the notification obligation to the Data Protection Board.
GDPR Art. 28 isn't the template
Enterprise clients will arrive with GDPR-shaped DPA checklists. DPDP does not mandate the same Art. 28 structure — but the practical effect is similar. Clients in BFSI and enterprise SaaS will require documented processor terms covering deletion timelines, breach windows, and prohibition on secondary use. For EU-regulated clients, DORA ICT risk obligations add a further layer of third-party due diligence on top of DPDP processor requirements. Platforms without this documentation will face friction in enterprise deals before enforcement starts.
The gap is not just legal. It is commercial. A BFSI procurement team asking for your DPDP processor agreement cannot be satisfied with a privacy policy that predates the DPDP Rules 2025 notified in November. The documentation has to exist, be dated correctly, and use the right terminology.
SDF designation risk
Scale changes the picture significantly.
If a platform processes call recordings across many enterprise clients at high volume, it may be designated as a Significant Data Fiduciary (SDF) under DPDP §10. The Central Government determines SDF status based on volume, sensitivity, and national security risk. SDF designation triggers:
- DPO appointment (§10(2)(a)) — a named individual; a grievance officer listed on a privacy policy does not qualify
- Data localisation requirements — SDF-specific rules on where data must reside
- DPIA obligations — mandatory Data Protection Impact Assessments before high-risk processing activities
No SDF list has been published yet. When it is published, designation takes effect immediately — platforms must have DPO, DPIA, and localisation measures operational at that point, not six months later. Building toward SDF readiness now is not early; it is on schedule.
The enforcement window
DPDP Rules 2025 were notified in November 2025. The enforcement transition is structured but the key date is close.
Phase 1 soft enforcement is already under way. Hard enforcement begins November 14, 2026. At that point, the Data Protection Board of India transitions from guidance mode to adjudicatory enforcement. Penalties reach INR 250 crore per violation. Processor obligations under §8 and the SDF regime activate at the same transition — there is no separate 2027 window for processor rules.
That is less than six months away. Enterprise BFSI clients facing their own DPDP obligations will require processor compliance evidence from vendors well ahead of November. The procurement pressure arrives before enforcement does.
What to audit now
Six questions a CPaaS or call recording CTO should be able to answer today:
- Does your privacy policy reflect DPDP 2023 terminology and the DPDP Rules 2025 notified in November? A policy dated before that is almost certainly out of date.
- Do your enterprise client contracts include documented processor terms covering deletion obligations, breach notification timelines, and prohibition on secondary use?
- When a client issues a deletion request, does your platform have a mechanism to propagate it across all storage tiers, including backups?
- What is your daily volume of personal data processed, and what sensitivity categories are present in recordings? This drives SDF probability.
- Is there a named individual who could assume a DPO role if SDF designation arrives?
- Is there a documented breach response pathway that enables Fiduciaries to meet their own notification obligations?
What processors must do before November 2026
Pre-deadline checklist — six concrete steps
- Update your privacy policy to DPDP Rules 2025 terminology. Review your privacy policy against DPDP 2023 and the Rules notified in November 2025. Any policy dated before the November 2025 notification almost certainly uses pre-Rules language and will not satisfy a BFSI client audit or a Data Protection Board review.
- Add documented processor terms to enterprise client contracts. Draft processor terms covering deletion timelines, breach notification windows, and explicit prohibition on secondary use of recordings. These terms must be in every enterprise contract before the Phase III enforcement window opens.
- Implement cross-tier deletion propagation. Audit your deletion pipeline. When a Fiduciary issues a deletion instruction, that deletion must reach all storage tiers — primary database, object storage, backups, and archives. A deletion that stops at the primary record leaves your platform non-compliant with §8(7).
- Assess your SDF exposure. Calculate your daily volume of personal data processed across all enterprise clients and identify the sensitivity categories present in recordings. Document the assessment. This is the input to your SDF probability estimate and determines whether DPO and DPIA preparation becomes mandatory.
- Identify and prepare a DPO candidate. If your SDF assessment shows material exposure, identify a named individual who can assume a Data Protection Officer role and begin scoping their responsibilities. SDF designation, when the list is published, takes effect immediately — there is no grace period to find and brief a DPO after the fact.
- Document and test your breach notification pathway. Write and run through a breach response runbook that enables you to notify relevant Data Fiduciaries promptly when a breach involving their recordings occurs. The Fiduciary carries the obligation to notify the Data Protection Board — your pipeline must enable them to meet their statutory timelines.
What Juro scans for
Juro scans public-facing assets — privacy policies, terms, processor disclosures — for DPDP processor obligation markers: whether the policy addresses the processor role under DPDP 2023, whether deletion and breach obligations are disclosed, and whether DPDP Rules 2025 terminology is present versus pre-Rules language.
It detects gaps in required disclosures. It does not assess your internal systems, processor contracts, or SDF exposure — those require an internal assessment. But knowing which public-facing markers are missing is the first step before an enterprise client audit or a Data Protection Board inquiry.
Related reading: For the consent infrastructure that Phase II mandates, see India's DPDP Phase II: What Consent Managers Actually Require Before November 2026. For multi-framework coverage including DORA, see DORA, GDPR, and DPDP compliance scanning in India 2026. For a tool comparison, see GDPR and DPDP Compliance Software Compared for India SaaS.
Frequently asked questions
What are the processor obligations under India's DPDP Act 2023?
Data processors must act only on documented instructions from the Data Fiduciary, implement reasonable security safeguards to prevent personal data breaches, and notify the Data Fiduciary promptly in the event of a breach. They must not engage sub-processors without authorisation and must delete personal data once processing is complete.
When do DPDP processor rules take effect?
The DPDP Act 2023 received presidential assent in August 2023. Hard enforcement begins November 14, 2026 — at which point the Data Protection Board of India transitions from guidance mode to adjudicatory enforcement, with penalties up to INR 250 crore per violation. Processor obligations under §8 and the Significant Data Fiduciary regime activate at that same transition.
Does DPDP apply to call recording platforms serving Indian customers?
Yes, if your platform processes personal data — including voice recordings containing identifiable information — on behalf of a Data Fiduciary operating in India, you are likely a data processor under DPDP. The Act applies to personal data processed in connection with any business operating in India, regardless of where the platform is hosted.
Free DPDP processor scan — no account required
Juro scans your public-facing privacy policy and processor disclosures for DPDP processor obligation markers: whether deletion and breach obligations are disclosed, whether DPDP Rules 2025 terminology is present, and whether your policy addresses the processor role under DPDP 2023. It won't write your processor terms — but it will show you what's missing before an enterprise client audit does.
Scan your site →