Posted:
04 February, 2026
Vaibhav Maniyar
A biometric RFP issued today that does not reference the DPDP Rules 2025 is already outdated. The DPDP Rules were notified on November 14, 2025, and full compliance is required by May 13, 2027. Penalties can reach up to Rs. 250 crore per violation. This guide provides a full RFP structure, mandatory privacy clauses, a weighted evaluation matrix, and ready-to-copy contract language, updated for the current regulatory framework.
Government agencies and large private organisations in India are deploying biometric access control, facial recognition, and AI-driven video surveillance at pace. Yet most procurement documents are dangerously outdated:
They ask vendors to specify fingerprint scanner counts and camera resolution, not system architecture.
They do not require integration with HRMS, ERP, or security operations systems.
They ignore compliance requirements, leaving scope for fragmented, un-auditable systems.
The result is predictable: systems that cannot be audited, cannot be integrated, and cannot survive a DPDP inquiry.
The Digital Personal Data Protection Act, 2023 received Presidential assent on August 11, 2023. It governs how organisations (Data Fiduciaries) collect, store, process, and share personal data of individuals (Data Principals). Biometric data such as fingerprints, iris scans, and facial geometry is personal data under the Act.
Key obligations for any organisation deploying biometric systems:
Collect only the data needed for the stated purpose (data minimization).
Obtain clear, informed consent from each Data Principal before collecting biometric data.
Delete data once the purpose is fulfilled (Rule 8 of the DPDP Rules 2025).
Maintain security safeguards sufficient to prevent breaches.
Report any personal data breach to the Data Protection Board within 72 hours.
The DPDP Rules 2025 (notified November 14, 2025) convert the Act's principles into concrete operational requirements. For biometric systems, the Rules introduce:
Mandatory standalone privacy notices before consent is obtained.
Consent Manager registration: only India-incorporated entities with Rs. 2 crore net worth can be registered (effective November 2026).
Mandatory retention of system logs and processing records for at least one year (Rule 6).
Significant Data Fiduciary (SDF) obligations: audits, DPIAs, and algorithmic transparency.
72-hour breach reporting plus a more detailed report within the same window.
| Term | Definition Under DPDP Act/Rules |
|---|---|
| Data Fiduciary | The organisation deploying the biometric system. Decides why and how data is processed. Bears primary compliance liability. |
| Data Principal | The individual whose biometric data is collected - your employees, visitors, or citizens. |
| Significant Data Fiduciary (SDF) | A Data Fiduciary designated by the Central Government due to the volume or sensitivity of data processed. Subject to mandatory DPIA, audits, and algorithmic accountability requirements. |
| Consent Manager | A registered entity that manages consent on behalf of Data Principals. Must be India-incorporated with Rs. 2 crore minimum net worth (effective November 2026). |
| Data Protection Board of India | The regulatory body established under the DPDP Act. Receives breach reports, adjudicates complaints, and imposes penalties up to Rs. 250 crore. |
| Data Protection Impact Assessment (DPIA) | A structured assessment of privacy risks for high-risk processing activities. Mandatory for Significant Data Fiduciaries. |
| Milestone | Date | What It Means for Biometric Deployments |
|---|---|---|
| DPDP Act Assent | August 11, 2023 | Act became law. Biometric data processing comes under its scope. |
| DPDP Rules 2025 Notified | November 14, 2025 | Operational requirements now active. Phased compliance clock started. |
| Data Protection Board Operational | November 2025 | Board established. Penalty framework live. Breach reporting required. |
| Consent Manager Registration Opens | November 13, 2026 | Consent management infrastructure must be in place. |
| Full Compliance Deadline | May 13, 2027 | All consent systems, security safeguards, and data principal rights infrastructure must be fully operational. Hard cutoff - no grace period. |
Penalties: Non-compliance penalties reach up to Rs. 250 crore per violation for inadequate security safeguards, and up to Rs. 200 crore for failure to report a breach. The Data Protection Board is already operational.
Most procurement teams write biometric RFPs the same way they would for any IT hardware. This creates four failure modes:
Device-centric specifications:
Asking only for scanner FAR/FRR rates without requiring a matching engine that handles 5+ million records.
No architecture requirement:
Without a diagram, you cannot evaluate integration, data flows, or who has access to raw biometric data.
Vague data handling language:
Phrases like “data will be stored securely” don’t satisfy DPDP. The Rules require specific retention schedules and deletion routines.
No consent architecture:
DPDP Rules require a standalone privacy notice before consent; RFPs that don’t specify this create a compliance gap from day one.
A clear scope prevents post-award negotiations and gives evaluators a consistent baseline. Require bidders to respond against fixed numbers, not vague descriptions.
| Scope Element | What to Specify |
|---|---|
| Business Objectives | Access control, attendance tracking, ABIS, AI video analytics, watchlist screening: list exactly which functions are in scope. |
| Geographic Footprint | Number of sites, locations, remote/offline zones, and connectivity assumptions per site. |
| Identity Volume | Expected enrollments at go-live (e.g., 100,000 users) and projected growth over 3–5 years. |
| Concurrent Load | Peak authentication events per second and per site; this drives infrastructure sizing. |
| Integration Targets | HRMS, ERP, SIEM, SOC, VMS, third-party APIs; list each by name. |
| Regulatory Context | DPDP Act 2023, DPDP Rules 2025, ISO 27001, SOC 2, and any sector-specific rules (RBI, NHA, etc.). |
| SDF Assessment | Whether the organisation expects to be designated a Significant Data Fiduciary (triggering DPIA and audit obligations). |
Require every bidder to submit a complete architecture diagram with a written narrative explaining each layer. Submissions without a diagram should be disqualified.
Multi-modal capture: fingerprint, face, and iris, with automatic image quality assessment at capture time.
1:1 verification and 1:N identification using a purpose-built matching engine (not a generic database query).
Real-time de-duplication at enrollment to block duplicate records across the entire database (single source of truth per Data Principal).
Template generation compliant with ISO/IEC 19794 standards, encrypted with AES-256 at rest.
Published latency benchmarks: e.g., under 500 ms for a 1:N search across 10 million records.
Raw biometric images must not be retained after template generation unless required by specific law (DPDP data minimization requirement).
Policy engine supporting zone-based, time-based, and role-based access rules.
Instant credential revocation via a secure API, with confirmation receipt to the administrator.
Offline authentication mode for sites with intermittent connectivity, using locally cached templates and secure hash verification.
Configurable event analytics: intrusion detection, tailgating, unattended-object detection, facial re-identification.
Edge versus centralized processing options, with documented latency and bandwidth trade-offs for each.
Model governance documentation: version history, retraining schedule, bias-monitoring dashboards, rollback mechanism.
Algorithmic accountability report (mandatory for organisations likely to be designated SDF under the DPDP Rules 2025).
Fully documented REST or GraphQL APIs, SDKs, and webhooks.
Certified integration with SIEM, SOC, VMS, and HR/ERP provisioning systems.
Data export in JSON, CSV, or PDF for compliance reporting.
High-availability design: active-active clusters, geo-replication, documented failover procedures.
Under the DPDP Act, biometric data is personal data. The organisation deploying the system is the Data Fiduciary and bears primary liability. The vendor is a data processor acting under your instructions. Your RFP must embed the following controls as mandatory requirements, not options.
A consent capture module that issues a standalone privacy notice clearly stating: what data is collected, why it is processed, how the Data Principal can withdraw consent, and how complaints can be raised.
An auditable consent record per Data Principal: digital signature or verified OTP confirmation, timestamped and tamper-evident.
A withdrawal mechanism: consent must be as easy to withdraw as it was to give. The system must support this technically.
Collection limited to data elements necessary for the stated purpose. Any additional fields must be justified in writing.
Raw biometric images deleted after template generation unless retention is required under specific law.
Data fields collected during enrollment mapped against purpose; the vendor must provide a data-flow diagram at submission.
TLS 1.2 or higher for all data in transit.
AES-256 encryption for all biometric templates and personal data at rest.
Hardware Security Modules (HSMs) for cryptographic key material.
Key rotation policy: the vendor must document frequency and procedure.
Under Rule 8 of the DPDP Rules 2025, personal data must be erased once the purpose of collection is fulfilled.
Configurable retention schedules per data type, e.g., biometric templates retained for the duration of employment plus 12 months.
Automated deletion routines with verifiable confirmation: the system must produce a deletion log.
Exception handling for legal holds: the system must support placing specific records on hold while others are deleted on schedule.
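The three retention requirements above (per-type schedules, automated deletion with a log, and legal holds that exempt individual records) fit together in one small scheduler. The following is an added illustration written for this guide, not code from the article or from any vendor product; the record layout, the retention periods in `RETENTION` and the sample employees are constructed assumptions.

```python
"""Retention scheduler: per-data-type schedules, legal holds and a
deletion log. Added illustration for purpose-bound erasure under Rule 8;
not code from the article or any vendor product. Record layout, field
names, retention periods and sample data below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per data type, counted from the record's trigger date
# (for a template: the end of employment). Values are assumptions.
RETENTION = {
    "biometric_template": timedelta(days=365),  # employment + 12 months
    "raw_image": timedelta(days=0),             # never kept past enrolment
    "access_log": timedelta(days=365),          # Rule 6 minimum of one year
}


@dataclass
class Record:
    record_id: str
    principal_id: str
    data_type: str
    trigger_date: date          # date the purpose ended (e.g. exit date)
    legal_hold: bool = False


@dataclass
class DeletionLogEntry:
    record_id: str
    principal_id: str
    data_type: str
    deleted_on: date
    reason: str


@dataclass
class RetentionStore:
    records: dict = field(default_factory=dict)
    deletion_log: list = field(default_factory=list)

    def add(self, rec: Record) -> None:
        self.records[rec.record_id] = rec

    def place_hold(self, record_id: str) -> None:
        self.records[record_id].legal_hold = True

    def release_hold(self, record_id: str) -> None:
        self.records[record_id].legal_hold = False

    def expiry(self, rec: Record) -> date:
        return rec.trigger_date + RETENTION[rec.data_type]

    def run_schedule(self, today: date) -> list:
        """Delete every record past its retention date that is not on hold,
        writing one log entry per deletion. Returns the ids deleted this run."""
        deleted = []
        for rid, rec in list(self.records.items()):
            if rec.legal_hold or self.expiry(rec) > today:
                continue
            del self.records[rid]
            self.deletion_log.append(DeletionLogEntry(
                record_id=rid, principal_id=rec.principal_id,
                data_type=rec.data_type, deleted_on=today,
                reason=f"retention expired {self.expiry(rec).isoformat()}"))
            deleted.append(rid)
        return deleted

    def overdue_held(self, today: date) -> list:
        """Records past expiry that survive only because of a legal hold.
        These need periodic review so a hold does not become indefinite
        retention."""
        return [r.record_id for r in self.records.values()
                if r.legal_hold and self.expiry(r) <= today]


def demo() -> RetentionStore:
    """Constructed sample: two leavers (one under a legal hold) and one
    current employee, with the schedule run on 2026-03-01."""
    store = RetentionStore()
    store.add(Record("T-001", "EMP-1001", "biometric_template", date(2025, 1, 31)))
    store.add(Record("T-002", "EMP-1002", "biometric_template", date(2025, 1, 31)))
    store.add(Record("T-003", "EMP-1003", "biometric_template", date(2026, 6, 30)))
    store.place_hold("T-002")  # subject of a pending dispute
    store.run_schedule(date(2026, 3, 1))  # deletes T-001 only
    return store
```

Two design points matter for an evaluator. First, `overdue_held` exists because a legal hold is an exception to the schedule, not a replacement for it; a vendor should be able to show which records are being kept past their date and why. Second, removing the row from the primary store is only the first step: the deletion log is what lets you reconcile against backups, replicas and edge caches, so the RFP should ask how the vendor propagates deletions to those copies.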
Rule 6 of the DPDP Rules 2025 requires organisations to retain system and processing logs for a minimum of one year. Your RFP must require:
Tamper-evident, hash-chained audit logs capturing: who accessed which record, when, from where, and what decision was taken.
Logs covering authentication attempts, administrative actions, policy changes, and data access events.
Exportable compliance reports in CSV and PDF formats.
Minimum 12-month log retention by default, with configurable extension.
The DPDP Rules 2025 require immediate notification to the Data Protection Board on discovery of a breach, with a detailed report within 72 hours. Require vendors to demonstrate:
A breach detection capability built into the platform, not a manual process.
A contractual commitment to notify the Data Fiduciary within 4 hours of breach discovery.
Forensic support included in the contract, not charged separately.
Embed a weighted scoring rubric in the RFP. This makes the evaluation process defensible and signals that compliance is a primary criterion.
| Category | Weight | What to Evaluate |
|---|---|---|
| Technical Architecture | 30% | Completeness of architecture diagram, matching engine performance at stated database size, scalability roadmap, high-availability design. |
| DPDP Compliance (Data Protection) | 25% | Consent architecture, data minimisation controls, encryption standards, retention automation, audit trail completeness, breach response capability. |
| Performance and Benchmarks | 15% | 1:N search latency at target scale, AI alert processing time, false-positive rate, uptime SLA, disaster recovery RTO and RPO. |
| Standards Certification | 10% | ISO 27001, SOC 2 Type II, ISO/IEC 19794 (biometric data formats), NIST IREX or equivalent results for facial recognition accuracy. |
| Integration Capability | 10% | API documentation completeness, SDK quality, demonstrated integration with target systems (HRMS, SIEM, VMS). |
| Support and Operations | 10% | P1 incident SLA, patch cadence, training provision, local support capability. |
Note: Price alone will not secure the award. Technical merit and DPDP compliance carry 55% of the total score.
Require hard evidence, not marketing claims. Every performance figure in the vendor response should be backed by a third-party audit report or a reproducible test methodology.
| Metric | Minimum Requirement | Notes |
|---|---|---|
| 1:N Biometric Search Latency | Under 500 ms at 10 million records | Under peak concurrent load. Vendor must provide test methodology. |
| False Accept Rate (FAR) | Below 0.01% | At the stated operating threshold. Supported by NIST IREX or equivalent independent results. |
| False Reject Rate (FRR) | Below 0.1% | At the same threshold as FAR. Vendors should provide the FAR-FRR operating curve. |
| AI Alert Processing Time | Under 2 seconds per event | End-to-end from camera capture to alert delivery. |
| AI False-Positive Rate | Below 5% | For each configured event type. Reported separately. |
| System Uptime SLA | 99.9% or higher | With documented incident classification and response procedures. |
| Recovery Time Objective (RTO) | 4 hours or less | Full system recovery from declared disaster. |
| Recovery Point Objective (RPO) | 15 minutes or less | Maximum data loss window at point of failure. |
Vendors must submit case studies of comparable deployments. Reference third-party certification standards where possible (e.g., ISO 19795 for biometric testing, NIST IREX for facial recognition, ISO/IEC 30107 for presentation attack detection).
Incomplete submissions should be rejected without evaluation. Required documents:
Copy these clauses directly into your RFP document. They are written to be enforceable under the DPDP Act 2023 and updated for the DPDP Rules 2025.
The system shall support real-time 1:N identification for a minimum of ten million (10,000,000) enrolled identities without performance degradation, with a maximum end-to-end query latency of five hundred milliseconds (500 ms) under peak concurrent load conditions as defined in Schedule A. The vendor must provide evidence from independent third-party testing (NIST IREX or equivalent) that the claimed FAR and FRR are achievable at the stated operating threshold.
All biometric templates shall be encrypted using AES-256 at rest and transmitted using TLS 1.2 or higher. Raw biometric images shall not be retained after template generation unless retention is expressly required by applicable law. Biometric templates shall be deleted within thirty (30) days of the termination of the Data Principal's relationship with the organisation, unless a legal hold has been placed on the relevant record in accordance with Clause [X]. Deletion shall be logged and the log retained for a minimum of twelve (12) months in accordance with Rule 6 of the DPDP Rules, 2025.
Prior to enrolment, the system shall issue a standalone privacy notice to each Data Principal in plain language, clearly stating: (a) the categories of personal data to be collected; (b) the specific purposes for which it will be processed; (c) the procedure for withdrawing consent; and (d) the contact details of the Data Fiduciary's grievance officer. Consent shall be recorded digitally with a timestamp and a unique reference number. The vendor shall provide the Data Fiduciary with an exportable record of all consents for audit purposes.
The solution shall generate tamper-evident, hash-chained audit logs capturing: authentication attempts (successful and failed), administrative actions, policy modifications, data access events, and deletion events. Logs shall be retained for a minimum of twelve (12) months. The system shall provide exportable compliance reports in CSV and PDF formats, filterable by date range, user, event type, and location.
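Both the Rule 6 requirement list earlier in this guide (who accessed which record, when, from where, and what decision was taken) and the clause above ask for a tamper-evident, hash-chained log with filterable exports. The block below is an added illustration of what that means in practice, written for this guide and not taken from the article or any vendor product; the event fields, actor names and sample events are constructed, and SHA-256 over canonical JSON is one reasonable choice, not a mandated one.

```python
"""Tamper-evident, hash-chained audit log with chain verification and
filtered CSV export. Added illustration, not code from the article or any
vendor product; event fields and sample events are constructed."""
import csv
import hashlib
import io
import json
from typing import Optional

GENESIS = "0" * 64  # value stored as prev_hash on the first entry


def _digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content
    # always produces an identical hash regardless of dict ordering.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    # Fields covered by the hash: who, when, what action, which record,
    # from where, and the outcome/decision.
    FIELDS = ("seq", "ts", "actor", "action", "record", "source", "outcome")

    def __init__(self) -> None:
        self.entries = []  # dicts holding FIELDS plus prev_hash and hash

    def append(self, ts, actor, action, record, source, outcome) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "ts": ts, "actor": actor,
                 "action": action, "record": record, "source": source,
                 "outcome": outcome, "prev_hash": prev}
        entry["hash"] = _digest(prev, {k: entry[k] for k in self.FIELDS})
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the seq of the first
        entry whose stored hash or prev_hash link does not recompute."""
        prev = GENESIS
        for e in self.entries:
            payload = {k: e[k] for k in self.FIELDS}
            if e["prev_hash"] != prev or e["hash"] != _digest(prev, payload):
                return e["seq"]
            prev = e["hash"]
        return None

    def export_csv(self, actor=None, action=None, since=None, until=None) -> str:
        """Compliance export filterable by actor, action and ISO-8601 time
        range (string comparison is valid because all ts share one format)."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(self.FIELDS) + ["hash"],
                                extrasaction="ignore")
        writer.writeheader()
        for e in self.entries:
            if actor and e["actor"] != actor:
                continue
            if action and e["action"] != action:
                continue
            if since and e["ts"] < since:
                continue
            if until and e["ts"] > until:
                continue
            writer.writerow(e)
        return buf.getvalue()


def demo() -> AuditLog:
    """Constructed sample events from one access-control site."""
    log = AuditLog()
    log.append("2026-02-04T09:00:00Z", "admin.rao", "POLICY_CHANGE",
               "zone-B/after-hours", "10.20.1.5", "applied")
    log.append("2026-02-04T09:01:12Z", "EMP-1001", "AUTH_ATTEMPT",
               "door-B2", "reader-07", "success")
    log.append("2026-02-04T09:01:40Z", "EMP-1002", "AUTH_ATTEMPT",
               "door-B2", "reader-07", "fail")
    log.append("2026-02-04T10:30:00Z", "ops.mehta", "DATA_ACCESS",
               "template/EMP-1002", "10.20.1.9", "read")
    log.append("2026-03-01T02:00:00Z", "retention-job", "DELETE",
               "template/EMP-1001", "scheduler", "deleted")
    return log


def tamper_demo() -> Optional[int]:
    """Edit a stored row in place and show that verification pinpoints it.
    Recomputing that row's hash would not help either: the next entry's
    prev_hash would then fail to match."""
    log = demo()
    log.entries[3]["actor"] = "someone.else"  # seq 4
    return log.verify()  # returns 4
```

When evaluating a vendor's implementation, ask where the latest chain hash is anchored. A hash chain detects edits to entries inside the chain, but an attacker who can rewrite the whole store can also truncate the tail and recompute everything after the edit; the usual answer is to periodically write the head hash to a separate write-once location (or have the SIEM record it) so the chain can be checked against an independent reference.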
In the event of a personal data breach as defined under the DPDP Act 2023, the vendor shall notify the Data Fiduciary within four (4) hours of discovery of the breach. Notification shall include the nature of the breach, the categories and approximate volume of personal data affected, the likely consequences, and the measures taken or proposed to address it. The vendor shall provide forensic support to the Data Fiduciary in preparing the mandatory report to the Data Protection Board of India within the 72-hour regulatory window.
The vendor warrants that the system collects and retains only the personal data elements necessary for the purposes specified in Schedule A. Any proposed collection of additional data elements requires prior written approval from the Data Fiduciary's Data Protection Officer. The vendor shall provide a data-field inventory document at contract signing and update it within five (5) business days of any system change that affects data collection.
The vendor shall maintain a version-controlled AI model registry documenting: model version history, training data sources, bias-monitoring results, retraining schedule, and rollback procedures. The Data Fiduciary shall have the right to request the AI model governance report at any time and to require the vendor to pause or rollback a model update where bias metrics exceed the thresholds defined in Schedule B. For organisations designated as Significant Data Fiduciaries under the DPDP Rules 2025, the vendor shall provide the algorithmic accountability documentation required under those Rules.
Biometric systems are long-term infrastructure. An RFP that evaluates deployment capability but ignores post-go-live operations is setting the organisation up for failure. Require bidders to describe:
These are the failure patterns that consistently appear in biometric procurement in India. Address each one explicitly in your RFP as an exclusion criterion.
| Mistake | Why It Causes Problems | How the RFP Prevents It |
|---|---|---|
| Device-centric specifications | Creates fragmented systems that cannot be audited or governed. | Require a complete architecture diagram. Disqualify submissions without one. |
| No API documentation requirement | Results in vendor lock-in and costly custom integration work. | Make sample API documentation a mandatory submission document. |
| Vague retention language | Breaches DPDP data principal rights on erasure. | Specify retention schedules per data type. Require automated deletion with a logged confirmation. |
| No consent module specified | System cannot support DPDP-compliant enrolment. | Require a consent capture module with auditable records as a mandatory feature. |
| Price-only selection | Low-cost vendors often lack the compliance maturity needed for DPDP accountability. | Cap price at 10% of evaluation weight. Compliance and architecture carry 55%. |
| No breach response SLA | Vendor notifies days later; Data Fiduciary misses the 72-hour regulatory window. | Require a 4-hour vendor notification SLA contractually. Include forensic support. |
| Missing data-flow diagram | Cannot verify where personal data moves, is stored, or is deleted. | Require a data-flow diagram at submission. Treat missing diagrams as a disqualifying defect. |
A biometric RFP is the first and most important decision in any biometric or AI surveillance deployment. It determines whether you end up with a governed identity platform or a collection of devices that cannot be audited, integrated, or defended in a DPDP inquiry.
The DPDP Rules 2025 are now the operative regulatory framework. The Data Protection Board is operational. The May 13, 2027 deadline is firm. Any procurement document issued today that does not reflect the Rules is not fit for purpose.
Use the clauses, matrices, and checklists in this guide as the starting point for your RFP. Have the draft reviewed by a qualified Data Protection Officer or legal counsel familiar with the DPDP Act before issue.