Last updated · 1 May 2026
Data Processing Addendum
This DPA forms part of our Terms of Service. It applies to all customers automatically — there's nothing extra to sign for the standard DPA. For a counter-signed copy, email support@tatvabooks.com.
1. Definitions
In this DPA, "Personal Data", "Processing", "Data Principal", "Data Fiduciary" and "Data Processor" have the meanings given in the Digital Personal Data Protection Act, 2023 ("DPDP Act").
The Customer is the Data Fiduciary for the Personal Data they upload to TatvaBooks (e.g., employee, vendor and customer data). Tatva Fintech Private Limited is the Data Processor.
2. Subject matter and duration
We process Personal Data on the Customer's behalf to provide the TatvaBooks service, for the duration of the Customer's subscription plus any post-termination retention period.
3. Nature, purpose and categories
We process the Customer's Personal Data to operate the TatvaBooks service: storing books and transactions, generating returns, sending email and SMS notifications, and providing support. We don't use the Customer's Personal Data for any other purpose.
Categories of Personal Data typically include:
- Employee data (for payroll customers): name, PAN, Aadhaar, bank account, salary, KYC.
- Vendor/customer data: name, GSTIN, PAN, address, contact details.
- Transaction data: invoices, bills, receipts.
4. Authorised sub-processors
The Customer authorises us to engage the following sub-processors:
- Amazon Web Services India Private Limited — infrastructure hosting in AWS Mumbai (ap-south-1) and AWS Hyderabad (ap-south-2) regions.
- Razorpay Software Private Limited — subscription payment processing.
- Cashfree Payments India Private Limited — alternate payment processing.
- AWS SES / Postmark — transactional email delivery.
- Karix Mobile / MSG91 — SMS and WhatsApp notifications.
- NIC Invoice Registration Portal (IRP), GSTN, MCA21, TRACES — government systems for filings (processing only the data the Customer chooses to submit).
We'll give the Customer at least 30 days' notice of any new sub-processor, with the right to object. If we can't agree on a resolution, the Customer may terminate the affected service with a pro-rata refund.
5. Security measures
We implement:
- AES-256-GCM encryption of data at rest.
- TLS 1.3 for data in transit.
- Per-tenant encryption keys in AWS KMS.
- Multi-factor authentication for all employee access.
- Time-bound, audited access for any production data access.
- Pre-launch external penetration test by a CERT-In empanelled firm (scheduled before public availability).
- ISO 27001 audit planned for 2027 and SOC 2 Type I targeted Q2 FY 2027-28 — we will not claim either certification until issued in writing by an accredited body.
- Documented incident response with 24-hour breach notification.
- Backups every 6 hours, encrypted, replicated across two AWS regions.
6. Cross-border transfers
Personal Data is stored exclusively in India. We do not transfer Personal Data outside India in the normal course of operations.
7. Data principal rights
When a Customer's Data Principal exercises a right under the DPDP Act (access, correction, erasure, grievance), and the Customer needs our assistance, we'll respond to a Customer request within 5 working days. Direct Data Principal requests to us are routed to the Customer for fulfilment, as they're the Data Fiduciary.
8. Audits
Customers may, at most once per year, request an audit of our processing under this DPA. Once issued, SOC 2 and ISO 27001 reports will be made available under NDA — until then we'll share our current security questionnaire, architecture summary and any third-party assessment reports we have. For on-site audits, reasonable advance notice and cost-sharing apply.
9. Personal Data breach
In the event of a Personal Data breach affecting Customer data, we will:
- Notify the affected Customer(s) within 24 hours of discovery.
- Provide a written summary of what happened, what data was affected, and what we're doing about it.
- Notify the Data Protection Board of India as required by the DPDP Act.
- Cooperate with the Customer's notification to affected Data Principals.
10. Return or deletion of data
On termination of the subscription, the Customer can export their data for up to 90 days. After that, we delete the data, except for records we're legally required to retain (GST records — 6 years; ITR — 7 years; PF/ESI — 7 years). Retention happens in isolated, immutable storage; no processing occurs.
11. Liability
Liability under this DPA follows the limits in the Terms of Service.
12. Contact
DPO and privacy queries: support@tatvabooks.com. Legal queries: support@tatvabooks.com.