Under India's Digital Personal Data Protection Act, 2023 (DPDP Act), a Data Fiduciary (the party that determines the purpose and means of processing personal data) must enter into a written agreement with any Data Processor it engages. The agreement must address the processor's obligations including purpose limitation, security, breach notification, sub-processing, and return or deletion of data on termination. If you collect personal data from individuals in India and someone else processes that data on your instructions (cloud provider, payroll vendor, marketing tool, customer-support tool), you need a DPA with them.

A Data Fiduciary is any person who alone or jointly with others determines the purpose and means of processing personal data — essentially, the party that decides why and how data is processed. A Data Processor is any person who processes personal data on behalf of a Data Fiduciary. For example, if you run a SaaS business, you are the Data Fiduciary for your customers' personal data. If you use AWS to host that data, AWS is your Data Processor. Both parties have distinct obligations under the DPDP Act and the DPA must reflect those obligations clearly.

The DPDP Act requires the Data Fiduciary to notify the Data Protection Board of India and each affected Data Principal in the event of a personal data breach. The exact timing requirements will be specified in the rules issued under the Act (which are still being finalised at the time of writing). Most enterprise contracts in India currently require the Data Processor to notify the Data Fiduciary of a breach within 24 to 72 hours of discovery, so the Data Fiduciary has time to meet its own notification obligations. Verbatra's DPA defaults to a 48-hour processor-to-fiduciary notification.

The DPDP Act permits cross-border transfer of personal data except to countries that the Central Government has specifically restricted by notification. The Act takes a 'blocklist' approach rather than the 'allowlist' approach taken by the EU GDPR. As of writing, no countries have been formally restricted, meaning transfers are broadly permissible. However, sector-specific laws (banking, telecom, healthcare) may impose data-localisation requirements that override this general permission. Verbatra's DPA includes provisions for cross-border transfer that adapt to your stated location and sector.

Both approaches work legally, but a separate DPA is the dominant industry practice and is generally cleaner. A separate DPA: (1) lets you reuse one DPA across multiple commercial contracts with the same vendor, (2) makes audits and compliance reviews easier because data terms are not buried in commercial terms, (3) signals to your customers and auditors that you take data protection seriously as a discrete matter. For high-volume customer onboarding and B2B SaaS, a separate DPA is almost universal.

Yes. Verbatra runs entirely in your browser. The document you build is rendered locally on your device and is never uploaded to Verbatra's servers, stored anywhere, or transmitted to any third party. Verbatra cannot read what you draft. The only data we collect is the contact information you voluntarily provide on the lead-capture form before download.

Verbatra produces a solid, India-specific first draft drafted by a corporate lawyer. For most standard, low-stakes contracts between commercial parties, the generated document is enough. For higher-stakes transactions, contracts that materially deviate from standard terms, contracts involving regulated industries, or anything you would be uncomfortable signing without independent review, you should have a qualified lawyer review the document before execution. Verbatra is not a substitute for advice on your specific facts.

Yes, every generator on Verbatra is free to use, with no payment, subscription, or credit card required. Verbatra was built by a corporate lawyer to give Indian businesses access to enterprise-grade legal drafting without the friction of paying a lawyer for a routine first draft. Verbatra makes money by offering paid contract negotiation and legal-operations services to clients who want a lawyer to take the document further.