Scope note: Under India's DPDP Act 2023, a "Data Processor" is defined in §2(k) as any entity that processes personal data on behalf of a Data Fiduciary — a narrower concept than the GDPR Art. 4(8) definition, which is nearly identical in text but underpinned by a prescriptive Art. 28 contract regime that DPDP does not replicate. This guide covers DPDP processor obligations specifically. For GDPR processor requirements that apply if your clients are EU-regulated, see the DORA and SOC 2 gap analysis for the ICT risk overlap.
India's DPDP Act 2023 requires data processors — platforms that process personal data on behalf of a Data Fiduciary — to act only on documented instructions and implement reasonable security safeguards. If your call recording or CPaaS platform stores or processes voice data for Indian customers, you are likely a data processor under DPDP. Hard enforcement begins November 14, 2026.
Juro (jurocompliant.com) is a compliance scanner that detects DPDP, GDPR, and DORA obligation gaps on your public surface and infrastructure. It produces signed, verifiable artefacts — not a compliance certification.
Call recording platforms sit in an unusual position under India's DPDP Act 2023. They are simultaneously a Data Fiduciary for their own operational data and a Data Processor for every enterprise client whose calls they record. Both roles carry obligations. Most DPDP commentary conflates them.
What does DPDP require of data processors?
Under GDPR, the processor concept is well-established: Art. 28 mandates a written contract specifying processor obligations in prescriptive detail. DPDP takes a different approach. (If you are comparing DPDP to DORA-style ICT risk requirements, see our DORA and SOC 2 gap analysis for a parallel treatment.)
DPDP §2(k) defines a Data Processor as an entity that processes personal data on behalf of a Data Fiduciary. The processor is not independently accountable to the Data Principal — that accountability sits with the Fiduciary. But the processor is bound by three obligations that attach regardless of what the contract says:
- Maintain security safeguards (DPDP §8(5)) — applicable to any entity handling personal data, processor or Fiduciary
- Delete data on instruction (§8(7)) — when the Fiduciary no longer needs the data, or receives an erasure request from a Data Principal, the processor must act on the deletion instruction
- No independent use — a call recording platform cannot use recordings for its own model training or analytics products without explicit Fiduciary authorisation; the processor role is bounded by the Fiduciary's stated purpose
These are not contractual defaults to be negotiated away. They flow from the statute.
A fourth obligation follows from §8(6): breach notification. A processor handling call recordings must have a documented pathway to notify the Data Fiduciary promptly when a breach occurs — the Fiduciary then carries the notification obligation to the Data Protection Board.
GDPR Art. 28 isn't the template
Enterprise clients will arrive with GDPR-shaped Data Processing Agreement checklists. DPDP does not mandate the same Art. 28 structure — but the practical effect is similar. Clients in BFSI and enterprise SaaS will require documented processor terms covering deletion timelines, breach windows, and prohibition on secondary use. Platforms without this documentation will face friction in enterprise deals before enforcement starts.
The gap is not just legal. It is commercial. A BFSI procurement team asking for your DPDP processor agreement cannot be satisfied with a privacy policy that predates the DPDP Rules 2025 notified in November. The documentation has to exist, be dated correctly, and use the right terminology.
Is your platform a Significant Data Fiduciary?
Scale changes the picture significantly. If a platform processes call recordings across many enterprise clients at high volume, it may be designated as a Significant Data Fiduciary (SDF) under DPDP §10. The Central Government determines SDF status based on volume, sensitivity, and national security risk.
SDF designation triggers:
- Data Protection Officer (DPO) appointment (§10(2)(a)) — a named individual; a grievance officer listed on a privacy policy does not qualify
- Data localisation requirements — SDF-specific rules on where data must reside
- Data Protection Impact Assessment (DPIA) obligations — mandatory assessments before high-risk processing activities
No SDF list has been published yet. When it is, designation takes effect immediately — platforms must have a DPO, a DPIA process, and localisation measures operational at that point, not six months later. Building toward SDF readiness now is not early; it is on schedule.
When does enforcement actually start?
DPDP Rules 2025 were notified in November 2025. The enforcement transition is structured but the key date is close.
Phase 1 soft enforcement is already under way. Hard enforcement begins November 14, 2026. At that point, the Data Protection Board of India transitions from guidance mode to adjudicatory enforcement. Penalties reach INR 250 crore per violation. Processor obligations under §8 and the SDF regime activate at the same transition — there is no separate 2027 window for processor rules.
That is less than six months away. Enterprise BFSI clients facing their own DPDP obligations will require processor compliance evidence from vendors well ahead of November. The procurement pressure arrives before enforcement does.
What to audit now
Six questions a CPaaS or call recording CTO should be able to answer today:
- Does your privacy policy reflect DPDP 2023 terminology and the DPDP Rules 2025 notified in November? A policy dated before that is almost certainly out of date.
- Do your enterprise client contracts include documented processor terms covering deletion obligations, breach notification timelines, and prohibition on secondary use?
- When a client issues a deletion request, does your platform have a mechanism to propagate it across all storage tiers, including backups?
- What is your daily volume of personal data processed, and what sensitivity categories are present in recordings? This drives SDF probability.
- Is there a named individual who could assume a Data Protection Officer role if SDF designation arrives?
- Is there a documented breach response pathway that enables Fiduciaries to meet their own notification obligations?
Use the DPDP compliance checklist to track which of these gaps you have closed and which still need documentation.
What Juro scans for
Juro scans public-facing assets — privacy policies, terms, processor disclosures — for DPDP processor obligation markers: whether the policy addresses the processor role under DPDP 2023, whether deletion and breach obligations are disclosed, and whether DPDP Rules 2025 terminology is present versus pre-Rules language.
It detects gaps in required disclosures. It does not assess your internal systems, processor contracts, or SDF exposure — those require an internal assessment. But knowing which public-facing markers are missing is the first step before an enterprise client audit or a Data Protection Board inquiry.
Frequently asked questions
What are the processor obligations under India's DPDP Act 2023?
Data processors must act only on documented instructions from the Data Fiduciary, implement reasonable security safeguards to prevent personal data breaches, and notify the Data Fiduciary promptly in the event of a breach. They must not engage sub-processors without authorisation and must delete personal data once processing is complete.
When do DPDP processor rules take effect?
The DPDP Act 2023 received presidential assent in August 2023. Hard enforcement begins November 14, 2026 — at which point the Data Protection Board of India transitions from guidance mode to adjudicatory enforcement, with penalties up to INR 250 crore per violation. Processor obligations under §8 and the Significant Data Fiduciary regime activate at that same transition.
Does DPDP apply to call recording platforms serving Indian customers?
Yes, if your platform processes personal data — including voice recordings containing identifiable information — on behalf of a Data Fiduciary operating in India, you are likely a data processor under DPDP. The Act applies to personal data processed in connection with any business operating in India, regardless of where the platform is hosted.
Run the DPDP processor self-assessment
Juro scans your public-facing posture for DPDP processor obligation markers — whether your privacy policy reflects DPDP 2023 terminology, whether deletion and breach obligations are disclosed, and whether DPDP Rules 2025 language is present. No account required.
Scan your public posture →Scan your public-facing privacy policy and processor disclosures at jurocompliant.com to see which DPDP processor obligation markers are present and which are missing — before an enterprise client audit shows you first.
References
- DPDP Act 2023: Ministry of Electronics and Information Technology
- DPDP Rules 2025: Official Gazette Notification — MeitY
- Ministry of Electronics and IT: meity.gov.in
About Juro: Juro scans for DPDP, GDPR, and DORA obligation markers in public-facing assets and generates signed, verifiable scan artifacts. It detects gaps — it does not certify compliance. Note: jurocompliant.com is a compliance scanning tool — not juro.com, which is a contract management platform.