A vendor contract review checklist for India should connect the written agreement to the service the organisation will actually receive. It needs commercial, operational, legal, privacy, security, finance, and exit questions, with a named owner for each answer. A generic clause list cannot replace that cross-functional view.
Start with the proposed use, not the vendor's template. Identify the service, users, systems, information, dependencies, locations, and internal sponsor. Then scale diligence and approvals to those facts. The checklist below is a workflow aid, not a recommended legal position.
What information should be collected before contract review begins?
Incomplete intake creates repetitive negotiation. Ask the sponsor and procurement team for enough context to route the agreement correctly:
| Intake field | Why it changes review | Evidence |
|---|---|---|
| Service and business purpose | Defines scope and expected outcome | Approved request and requirements |
| Users and access | Reveals identity and permission needs | User groups and access model |
| Data handled | Routes privacy and security review | Data categories and flow diagram |
| System connection | Shows technical and continuity dependencies | Architecture and integration notes |
| Geography | Flags location and cross-border questions | Hosting, support, and access locations |
| Criticality | Determines resilience and exit depth | Business impact assessment |
| Commercial model | Frames fees, usage, and adjustment review | Quote, order form, forecast |
| Subcontracting | Identifies delivery chain and oversight | Subprocessor or supplier information |
| Timeline | Helps plan diligence and approvals | Desired start date and dependencies |
Confirm the vendor's legal entity, the contracting customer entity, and signatory authority. Link every order form, statement of work, service description, online policy, and incorporated document. Record the version and access date for web terms. A contract is hard to evaluate when key obligations can move outside the signed package.
Which commercial and service terms need a practical check?
Make the scope testable. Identify deliverables, implementation responsibilities, assumptions, acceptance method, service levels, support windows, dependencies, and the consequence of delay. If a requirement appears only in a sales presentation, decide whether and how it belongs in the contract.
Review the complete fee logic: unit, currency, taxes, usage measures, minimums, credits, pass-through expenses, renewal changes, invoice process, disputes, and suspension. Do not assess price adjustment wording without the commercial owner who understands the operating model.
Use this service checklist:
- Scope, deliverables, and exclusions match the approved requirement.
- Customer and vendor dependencies have owners.
- Acceptance has criteria, timing, and a response process.
- Service levels measure outcomes the business actually needs.
- Support and incident channels fit operating hours and locations.
- Fees and usage measures can be independently checked.
- Renewal, notice, and price-change mechanics are visible.
- Suspension rights include appropriate triggers and process.
- Exit and transition support reflect service criticality.
The Indian Contract Act, 1872 is an official source for general contract concepts. Other laws and sector requirements may apply to the service. Qualified counsel should identify and interpret them in context.
How should privacy and data-use clauses be reviewed?
Map the data flow before negotiating labels. Ask what information the vendor receives, why it is used, who determines the purpose, who can access it, where it is stored, how long it remains, and what happens at exit. Distinguish production data from telemetry, support records, account information, and generated outputs.
The official Digital Personal Data Protection Act, 2023 and materials from the Ministry of Electronics and Information Technology are primary starting points for India's digital personal data framework. Commencement, rules, notifications, sector requirements, and the organisation's role require current assessment. Contract language should follow that analysis rather than rely on a badge marked “DPDP compliant.”
Ask the privacy owner to address permitted processing, instructions, confidentiality, support for relevant requests, retention, deletion, subcontracting, incident cooperation, transfers, audit evidence, and return of data. Where the vendor wants broad rights to use customer content for analytics or model improvement, require a precise description and informed review.
Read vendor privacy information alongside the agreement and technical materials. Public policies should not silently override negotiated commitments.
What cybersecurity questions belong in the contract workflow?
Security review should match the service and access. A tool handling public event registrations presents a different profile from a provider with privileged production access. Connect representations to evidence and operational duties.
The CERT-In directions and guidance page is an official source for directions issued under the Information Technology Act framework. Its application and related contractual needs should be assessed by qualified teams. For regulated financial entities, the Reserve Bank of India publishes directions and guidance that may affect outsourcing, technology, and third-party risk. Do not assume one sector's requirements apply to every customer.
Structure the security review around decisions:
| Area | Contract question | Supporting diligence |
|---|---|---|
| Access | Who can access customer systems and data? | Role model, privileged-access process |
| Protection | Which safeguards are maintained? | Architecture, control evidence, test scope |
| Incidents | What must be reported, when, and through which route? | Incident plan and contact process |
| Subcontractors | How are material providers selected and monitored? | Current list and oversight process |
| Vulnerabilities | How are findings triaged and remediated? | Policy and representative evidence |
| Resilience | How is service restored after disruption? | Continuity and recovery materials |
| Exit | How are access and data removed? | Offboarding and deletion process |
| Assurance | What evidence can the customer receive? | Reports, summaries, audit mechanism |
Avoid copying control names without understanding scope. Ask what systems, locations, and periods the evidence covers. Gotham's security overview demonstrates the kind of deployment and protection context teams may consider during diligence.
How should intellectual property and confidentiality be handled?
Separate background materials, customer content, configured deliverables, custom development, feedback, and generated outputs. For each category, identify ownership, licence scope, restrictions, duration, and what remains available after termination. Check whether the operational team can comply with usage restrictions.
Confidentiality terms should define protected information, permitted recipients and use, safeguards, exclusions, compelled disclosure, duration, and return or deletion. Test the provisions against support access, subcontractors, logs, backups, and professional advisers.
Review infringement claims, defence control, cooperation, settlement authority, exclusions, and available remedies as a connected system. Do not treat an indemnity heading as proof of complete protection. The right allocation depends on the service, leverage, insurance, and transaction.
The NDA clause checklist for Indian legal teams provides a more detailed workflow for confidentiality review. Decisions involving intellectual property should be routed to counsel with the relevant expertise.
Which liability, termination, and boilerplate terms require escalation?
Read liability limits together with exclusions, indemnities, service credits, warranties, insurance, data duties, and termination rights. Identify the claims and remedies that fall inside or outside any cap. The contract's allocation should be assessed against the actual loss scenarios and available controls, not a universal multiplier.
Termination review should cover cause, insolvency, prolonged disruption, convenience, notice, cure, charges, refunds, data return, transition, continued access, and assistance. A right to terminate is less useful if data cannot be exported in time or the business has no replacement plan.
Check governing law, dispute resolution, notices, assignment, change of control, subcontracting, publicity, force majeure, order of precedence, amendment, waiver, severability, and entire agreement. For online policies, establish which document prevails and how changes are communicated.
Escalate when:
- a key fact or incorporated document is missing;
- the service differs from the approved intake;
- the vendor rejects a control tied to material risk;
- a business owner proposes an exception outside authority;
- legal and specialist conclusions conflict;
- an exit dependency lacks a feasible mitigation; or
- the final wording differs from the approved decision.
How should approvals and post-signature handoff work?
Prepare a decision packet, not an email chain. Include the clause, connected terms, business facts, vendor position, available options, specialist input, recommendation, and required decision. Record who approved the outcome and any conditions.
Before signature, run this closure checklist:
- Final documents match the reviewed versions.
- Every open issue is closed, accepted, or assigned.
- Required legal, privacy, security, finance, and business approvals are recorded.
- Incorporated links and policy versions are captured.
- Notice details and signatory authority are confirmed.
- Renewal and termination windows have owners.
- Operational, reporting, payment, and control obligations are handed off.
- Data return, access removal, and transition tasks have exit owners.
- Final documents and evidence are stored under approved controls.
The Gotham workflow overview shows how structured review and approvals can remain connected to matter context. Teams evaluating tooling can use the guide to contract review software in India to assess traceability, deployment, and validation.
A useful vendor checklist shortens decisions because it brings the right facts and owners together. It does not lower standards to close procurement faster. To build a vendor review workflow around your own policies and approval matrix, contact Gotham.



