
DPDP Processor Obligations for Call Recording Stacks

Who this is for: CTOs and Heads of Engineering at CPaaS, cloud telephony, or call recording companies processing call data on behalf of enterprise clients.

Call recording platforms sit in an unusual position under India's DPDP Act 2023. They are simultaneously a Data Fiduciary for their own operational data and a Data Processor for every enterprise client whose calls they record. Both roles carry obligations. Most DPDP commentary conflates them.

Three processor obligations attach by statute regardless of what any contract says. A fourth — breach notification — follows from §8(6). Enterprise BFSI clients will require evidence of all four before Phase III enforcement begins.

The role distinction matters

Under GDPR, the processor concept is well-established: Art. 28 mandates a written contract specifying processor obligations in prescriptive detail. DPDP takes a different approach.

DPDP §2(k) defines a Data Processor as an entity that processes personal data on behalf of a Data Fiduciary. The processor is not independently accountable to the Data Principal — that accountability sits with the Fiduciary. But the processor is bound by three obligations that attach regardless of what the contract says: maintaining security safeguards under §8(1), acting on deletion instructions under §8(7), and limiting processing to the Fiduciary's stated purpose.

These are not contractual defaults to be negotiated away. They flow from the statute.

A fourth obligation follows from §8(6): breach notification. A processor handling call recordings must have a documented pathway to notify the Data Fiduciary promptly when a breach occurs — the Fiduciary then carries the notification obligation to the Data Protection Board.

GDPR Art. 28 isn't the template

Enterprise clients will arrive with GDPR-shaped DPA checklists. DPDP does not mandate the same Art. 28 structure — but the practical effect is similar. Clients in BFSI and enterprise SaaS will require documented processor terms covering deletion timelines, breach windows, and prohibition on secondary use. Platforms without this documentation will face friction in enterprise deals before enforcement starts.

The statutory obligations under DPDP are fewer and less prescriptive than GDPR Art. 28. That is not a compliance shortcut — it is a floor, not a ceiling. A call recording platform serving BFSI clients regulated under RBI or IRDAI guidelines will face additional contractual requirements from those clients that go beyond the DPDP statutory minimum. The baseline is the start, not the finish line.

SDF designation risk

Scale changes the picture significantly.

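If a platform processes call recordings across many enterprise clients at high volume, it may be designated as a Significant Data Fiduciary (SDF) under DPDP §10. The Central Government determines SDF status based on volume, sensitivity, and national security risk. SDF designation triggers appointment of a Data Protection Officer (§10(2)(a)), mandatory Data Protection Impact Assessments for high-risk processing, and data localisation requirements.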

No SDF list has been published yet. When it is published, designation takes effect immediately — platforms must have DPO, DPIA, and localisation measures operational at that point, not six months later. Building toward SDF readiness now is not early; it is on schedule.

The enforcement window

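DPDP Rules 2025 were notified in November 2025. The phased structure: Phase II, covering the consent manager framework, is mandatory by November 2026. Phase III, which activates the full operational obligations including processor-specific rules and the SDF regime, is expected in Q1–Q2 2027.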

Q2 2027 sounds distant. It is not. Enterprise BFSI clients facing their own DPDP deadlines will require processor compliance evidence from vendors ahead of their own Phase III dates. The procurement pressure arrives before enforcement does.

What to audit now

Six questions a CPaaS or call recording CTO should be able to answer today:

  1. Does your privacy policy reflect DPDP 2023 terminology and the DPDP Rules 2025 notified in November? A policy dated before that is almost certainly out of date.
  2. Do your enterprise client contracts include documented processor terms covering deletion obligations, breach notification timelines, and prohibition on secondary use?
  3. When a client issues a deletion request, does your platform have a mechanism to propagate it across all storage tiers, including backups?
  4. What is your daily volume of personal data processed, and what sensitivity categories are present in recordings? This drives SDF probability.
  5. Is there a named individual who could assume a DPO role if SDF designation arrives?
  6. Is there a documented breach response pathway that enables Fiduciaries to meet their own notification obligations?

What Juro scans for

Juro scans public-facing assets — privacy policies, terms, processor disclosures — for DPDP processor obligation markers: whether the policy addresses the processor role under DPDP 2023, whether deletion and breach obligations are disclosed, and whether DPDP Rules 2025 terminology is present versus pre-Rules language.

It detects gaps in required disclosures. It does not assess your internal systems, processor contracts, or SDF exposure — those require an internal assessment. But knowing what your public-facing posture signals to clients and regulators is the starting point.

Frequently asked questions

What is a Data Processor under DPDP versus a Data Fiduciary?

Under DPDP §2(k), a Data Processor is an entity that processes personal data on behalf of a Data Fiduciary. Unlike GDPR, where processors carry independent statutory obligations, DPDP makes the Data Fiduciary primarily accountable to the Data Principal. The processor's obligations flow through the Fiduciary — but three statutory duties attach to the processor regardless of what any contract says: maintaining security safeguards under §8(1), acting on deletion instructions under §8(7), and limiting processing to the Fiduciary's stated purpose. The processor does not have a direct accountability relationship with Data Principals, but it cannot contract away these three duties.

What are a call recording processor's deletion obligations under DPDP §8(7)?

Under DPDP §8(7), a Data Processor must delete personal data when the Data Fiduciary no longer needs it for the stated purpose, or when the Fiduciary receives an erasure request from a Data Principal and passes that instruction to the processor. For call recording platforms, this means deletion must propagate across all storage tiers — primary storage, backup, and any secondary processing systems. The processor cannot retain recordings beyond what the Fiduciary's instruction permits. This obligation attaches by statute, not by contract — a client agreement that omits deletion timelines does not remove the §8(7) duty; it only creates ambiguity about when the instruction arrives.

What is a Significant Data Fiduciary and what triggers SDF designation under DPDP §10?

Under DPDP §10, the Central Government may designate an entity as a Significant Data Fiduciary based on the volume and sensitivity of personal data processed, the potential risk to Data Principals, and national security considerations. SDF designation triggers additional obligations including appointment of a Data Protection Officer (§10(2)(a)), mandatory Data Protection Impact Assessments for high-risk processing, and data localisation requirements. No SDF list has been published as of May 2026. When the list is published, designation takes effect immediately — there is no grace period to implement DPO, DPIA, and localisation measures after designation. Call recording platforms processing at high volume across many enterprise clients carry elevated SDF designation risk.

When do DPDP processor obligations come into force?

DPDP Rules 2025 were notified in November 2025 and introduce a phased compliance structure. Phase II, covering the consent manager framework, is mandatory by November 2026. Phase III, which activates the full operational obligations including processor-specific rules and the SDF regime, is expected in Q1–Q2 2027. However, enterprise BFSI clients subject to their own DPDP Phase III deadlines will require processor compliance evidence from vendors ahead of those dates. Procurement pressure from clients arrives before formal enforcement does — platforms that wait for Phase III to begin preparing will face friction in enterprise deals from late 2026 onward.

Does DPDP require a Data Processing Agreement like GDPR Article 28?

DPDP does not mandate a formal Data Processing Agreement equivalent to GDPR Article 28. Under GDPR, Article 28 requires a written contract specifying processor obligations in prescriptive detail — including subject matter, duration, nature of processing, and instructions. DPDP takes a lighter-touch approach: the processor's three statutory obligations (security safeguards, deletion on instruction, and no independent use) flow from the Act itself, not from a required contractual instrument. In practice, however, enterprise clients in BFSI and regulated SaaS will arrive with GDPR-shaped DPA checklists and require equivalent documented terms covering deletion timelines, breach notification windows, and prohibitions on secondary use. The absence of a statutory mandate does not reduce commercial pressure to have this documentation in place.
