Who Is Liable When Your India Outsourcing Vendor Fails?

Outsourcing in India looks clean on paper until something breaks. When a vendor stops paying staff, files GST late, mishandles data, or quietly shuts down, the question of who carries the legal exposure does not have a simple answer.

In many cases, the foreign client ends up holding more risk than they expected. Indian labor codes, tax law, and the new data protection regime all have provisions that pull the principal employer or the data fiduciary back into the picture when a service provider defaults.

This guide breaks down where the real liabilities sit, what the laws actually say, and which protections hold up when a vendor relationship goes sideways.

What does vendor failure actually look like in India?

Vendor failure is rarely a single dramatic event. It builds quietly across statutory payments, tax filings, and contracts that nobody reviews until something goes wrong.

The patterns we see most often:

• Wages or final settlement delays for the vendor's employees working on your account.
• Provident Fund (PF), Employees' State Insurance (ESI), and gratuity dues not deposited with the authorities.
• GST returns unfiled or TDS not deposited, which then blocks your input tax credit.
• IP assignment clauses missing from the vendor's contracts with its own staff and freelancers.
• Sudden exit, restructuring, or insolvency that leaves you scrambling for continuity.
• Data incidents involving vendor employees who had access to customer or product data.

From our experience helping foreign companies clean up vendor exits in India, the first sign of trouble is almost always a payroll delay or a missed statutory filing, not a formal notice from the vendor.

Who is the principal employer under Indian law?

The principal employer is the company that engages a contractor to supply labor for work performed on its behalf. The concept has long sat at the center of liability disputes in India.

Under the Occupational Safety, Health and Working Conditions Code, 2020, which now subsumes the older Contract Labour (Regulation and Abolition) Act, 1970, principal employer liability has been preserved. The same liability framework continues under the new labor codes that came into force in 2025.

For foreign companies, this matters in a few specific ways:

• You do not always need an Indian entity to be treated as a principal employer in a dispute. Regulators can look at who the work was actually done for.
• If the work happens on your behalf and you control deliverables, regulators may look through the vendor to you.
• The risk is highest in IT services outsourcing, BPO, staffing, and dedicated team arrangements where workers function as an extended part of your team.

Companies often underestimate how broad the principal employer concept becomes in real disputes, especially when payroll trails and audit records show the foreign client as the ultimate beneficiary of the work.

Are you liable for unpaid wages and statutory dues if your vendor defaults?

In many cases, yes. Indian law has explicit provisions that push secondary liability onto the principal employer when the contractor fails to pay.

A practical view of the main statutes:

• Provident Fund (EPF Act, 1952): The principal employer can be required to deposit PF contributions for contract workers if the contractor fails to do so, with the right to recover from the contractor afterwards.
• Employees' State Insurance (ESI Act, 1948): Section 40 allows the ESI Corporation to recover unpaid contributions from the principal employer when the immediate employer defaults.
• Wages (Code on Wages, 2019): Where the contractor fails to pay wages, the principal employer becomes liable to make payment, again with a right of recovery.
• Gratuity (Payment of Gratuity Act, 1972 / Code on Social Security, 2020): Primary liability sits with the contractor, but principal employer exposure widens when the contractor is insolvent or untraceable.

The practical effect for foreign companies is uncomfortable. Even if your invoice with the vendor has been paid in full, Indian regulators can still pursue you for unpaid worker dues if the vendor pocketed the funds rather than remitting them to the authorities.

What happens to GST and TDS when your vendor doesn't file?

Vendor non-compliance on indirect and direct tax hits your finances more directly than most companies expect.

On the GST side:

• If your Indian vendor does not file their GSTR-1 and GSTR-3B returns or fails to pay output GST, the input tax credit you claimed on their invoices can be reversed under the matching framework.
• Your finance team usually sees this only when monthly reconciliations break, often two or three quarters after the issue began.
• For Indian subsidiaries of foreign companies, lost credits and interest can quickly add up to meaningful amounts.

On the TDS side:

• If you pay through an Indian subsidiary or with an Indian PAN, you are expected to deduct TDS on vendor payments and deposit it.
• If the vendor in turn fails to deduct and deposit TDS on payments to its own workers or sub-vendors, those parties can come back through legal channels and indirectly involve you.

One pattern we've consistently noticed: when a vendor starts struggling financially, statutory filings are usually the first thing to slip. GST and TDS lapses are an early warning, not a one-off.

Who owns the IP if your vendor's contracts are weak?

You only own the IP that has been validly assigned to you through a chain that holds up under Indian contract and copyright law.

The risk plays out like this:

• Your contract with the vendor says all IP transfers to you on delivery and payment.
• But the vendor's own contracts with its developers, designers, or short-term contractors do not include clear work-for-hire or IP assignment language.
• When something goes wrong, the original creator may still hold a residual claim over the code, design, or content.

Under the Indian Copyright Act, 1957, ownership generally vests in the author unless there is a valid written assignment. Section 19 sets out what makes an assignment enforceable: it must be in writing, signed, identify the work, and specify rights, duration, and territory.

In many cases, global employers realize this gap only during due diligence for fundraising or acquisition, when investor counsel asks to see the full chain of IP assignments and the vendor cannot produce them. The clean fix is upstream, not downstream.

Can a failing vendor trigger permanent establishment risk in India?

Yes, and this is one of the most expensive risks tied to long-running vendor relationships.

Permanent establishment (PE) is a tax concept under India's double taxation avoidance treaties with the US, UK, and most other major economies. If your business is found to have a fixed place of business or a dependent agent in India, the profits attributable to that activity become taxable in India.

A vendor relationship can drift into PE territory when:

• The vendor works exclusively or almost exclusively for you.
• Their staff function as a direct extension of your team, with you setting work priorities and reviewing performance.
• Approvals, sign-offs, and contracts are routed through your management, not the vendor's.
• The vendor uses your brand, email domain, or tools to interact with customers or partners.

While the vendor is healthy, this drift often goes unnoticed. When the vendor fails, contracts, emails, and operational records get reviewed, and tax authorities can use that trail to argue you had a dependent agent PE all along. A PE finding brings back taxes, interest, penalties, and an ongoing requirement to file corporate tax returns in India.

Who is responsible for data protection when a vendor mishandles data?

Under the Digital Personal Data Protection Act, 2023, your company remains the data fiduciary even when a vendor processes data on your behalf.

The structure is straightforward:

• The data fiduciary is the entity that decides the purpose and means of processing personal data.
• The data processor is the vendor that handles data on the fiduciary's instructions.
• The DPDP Act holds the data fiduciary accountable to the Data Protection Board of India and to affected individuals, even where the breach occurred at the processor.

The Act allows for significant penalties, with the upper end of certain categories reaching ₹250 crore per instance.

What this means for foreign companies:

• A vendor breach does not insulate you from regulatory exposure or customer claims.
• You are expected to maintain a data processing agreement, security standards, and audit rights with your vendors.
• If the vendor fails, you cannot point at them and walk away. You will likely face the regulator first.

What contractual protections actually hold up when a vendor fails?

Most foreign companies discover that their vendor contracts were written for a normal relationship, not a failing one. The clauses that actually matter when things break:

• Step-in rights: The right to temporarily take over the vendor's role or critical assets to preserve continuity.
• Statutory compliance indemnity: Covering principal employer exposure, GST, TDS, and labor code liabilities arising from vendor default.
• IP chain warranties: The vendor warrants that IP has been validly assigned from its own staff to itself, with audit rights to verify.
• Data processing agreement: Clear terms on processing scope, security standards, breach notification, and sub-processor approvals.
• Audit rights: Direct access to statutory filings, payroll registers, and PF/ESI challans on request.
• Termination for cause: Defined triggers for insolvency, repeated compliance failures, or data incidents.
• Transition assistance: A structured exit plan covering documentation, code handover, and worker continuity.

From what we've seen, the difference between a clean vendor exit and a six-month operational mess is almost always the quality of these clauses, plus how seriously they were tracked while the relationship was healthy.

How does an Employer of Record change the liability picture?

An Employer of Record (EOR) moves the employment layer onto a regulated, India-native partner like Wisemonk, whose entire business is built on getting compliance right. The shape of the relationship is fundamentally different from a traditional vendor arrangement.

With an EOR, your contract is with an Indian entity that is professionally responsible for payroll, tax, and statutory filings for each named hire. You see the payslips, PF and ESI challans, and TDS filings at the employee level. When something is off, you know within days, not quarters.

That visibility is what changes the liability picture. You stop relying on a vendor's word that the back office is in order.

How Wisemonk helps foreign companies reduce vendor liability risk in India

When an outsourcing vendor fails in India, the cleanest outcome usually comes down to how the relationship was structured from day one. Companies that relied on a single outsourcing contract often end up chasing missing filings, weak IP, and regulators who treat them as the principal employer regardless of where they are based.

Wisemonk is an India-native Employer of Record platform built specifically to remove this kind of exposure. We legally employ your team in India through contracts that include clear IP assignment, confidentiality, and statutory coverage. PF, ESI, gratuity, TDS, and labor code filings are managed end to end through our own infrastructure, with full transparency at the employee level. Payroll runs in-house with clean FX, and contractor payments are handled with GST, TDS, and FEMA compliance built in.

For companies transitioning out of a failed or failing vendor, we also support fast onboarding of in-flight staff onto our EOR so you can preserve continuity without inheriting the vendor's compliance problems. When you are ready to set up your own entity in India, we guide that transition as well, so you do not get locked into one model.

You direct the work. Wisemonk carries the employment layer underneath it.