Most insurers still think a signed SLA protects them if their TPA gets breached.
It doesn't. Not anymore.
Under India's DPDP Rules (notified Nov 2025), insurers are the Data Fiduciary — full stop. If your TPA's systems leak policyholder health data, the Data Protection Board comes after you, with penalties up to ₹250 crore. Your vendor's mistake is now legally your liability.
This changes what a "compliant" TPA contract actually needs to include — purpose-locked data use, encrypted access with logging, faster-than-required breach notification, and hard erasure deadlines.
We broke down exactly what needs to change in your Data Processing Agreements, including where DPDP and IRDAI's April 2026 guidelines overlap (and where they don't).
If you're on the compliance or legal side of an insurer or TPA — worth 5 minutes.