Data Processing Agreement
This DPA supplements the Terms of Service and applies whenever the Customer (the CA firm) uses AutoFS to process personal data of Data Principals on behalf of its own clients.
Last updated 2026-05-14 · Version 1.0
1. Roles
- Customer — Data Fiduciary (DPDP §2(i)).
- AutoFS — Data Processor (DPDP §2(k)).
2. Scope of processing
- Subject matter — provision of financial-statement preparation software.
- Duration — for the term of the subscription, plus the retention windows in §6.
- Categories of Data Principals — Customer users, end-clients of Customer, partners/proprietors named in client profiles, portal recipients.
- Categories of personal data — names, emails, PAN, GSTIN, financial statement line items, audit events, MFA secrets, FCM tokens.
3. AutoFS obligations
We will:
- Process personal data only on Customer instructions.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational measures (TOMs) — see /security.
- Not engage sub-processors without prior general written authorisation; current list at /subprocessors; 30-day notice for any addition.
- Assist Customer with Data-Principal requests (access, correction, erasure).
- Assist Customer with breach notification within the DPDP §8(6) 72-hour window.
- Delete or return all personal data on Customer's choice at end of services.
- Make available all information necessary to demonstrate compliance.
4. Customer obligations
Customer warrants that it has the lawful basis to process the personal data uploaded to the service, has notified affected Data Principals as required by law, and will respond to grievances raised against the Customer's own processing.
5. International transfer
Primary processing happens in India. Some sub-processors operate outside India (US, EU). Customer authorises such transfers subject to the protections in each sub-processor's standard contractual terms.
6. Retention
Audit engagement documentation, UDIN records, and related audit events are retained for at least 7 years under ICAI SA 230. Company books and relevant records may require preservation for not less than 8 financial years under Companies Act 2013, section 128(5); Customer remains responsible for maintaining the statutory repository and any longer record-specific hold. Operational data (sessions, FCM tokens, request logs) is retained for the durations in the Privacy Policy.
7. Security incidents
We notify Customer of any personal-data breach affecting Customer's data without undue delay, in any case within 24 hours of detection, to enable Customer's own 72-hour DPDP notification.
8. Audit
On reasonable notice and at Customer's expense, we will respond to written audit queries about our TOMs and provide the latest SOC-style report once issued.
9. Acceptance
Acceptance of the Terms of Service constitutes acceptance of this DPA. A counter-signed PDF is available on request at legal@autofs.in.