# Data Processing Agreement
Effective from 28 April 2026. Version 1.0.0.
This Data Processing Agreement (this "**DPA**") is incorporated into, and forms part of, the Master Services Agreement between **ElevateFinance Private Limited** ("**ElevateFinance**", as **Data Processor**) and the Customer (as **Data Fiduciary**). Capitalised terms not defined here have the meanings given in the MSA or in the DPDP Act 2023.
## 1. Roles of the Parties
1.1 In respect of Personal Data uploaded, transmitted, or generated by the Customer or its End-Users through the Platform, the Customer is the Data Fiduciary and ElevateFinance is the Data Processor.
1.2 In respect of Personal Data ElevateFinance Processes for its own purposes (the Customer's Owner-account credentials, the Customer's billing contact, marketing communications a Customer's representative has opted into), ElevateFinance is the Data Fiduciary; that processing is governed by ElevateFinance's Privacy Policy.
1.3 The Parties shall comply with the DPDP Act 2023 and any rule made thereunder.
## 2. Scope and Purpose of Processing
2.1 ElevateFinance Processes Customer-controlled Personal Data only for the following purposes:
(a) hosting and serving the Platform at the Customer's tenant subdomain and any custom domain configured under the MSA;
(b) producing software-driven tax computations, citations, RSU optimiser output, Schedule FA disclosures, Form 67 exports, and signed computation receipts;
(c) maintaining the immutable audit trail required by clause 9;
(d) responding to Data Principal access, correction, and erasure requests forwarded by the Customer;
(e) generating invoices, payouts, and the per-tenant billing ledger; and
(f) providing tier-1 support to the Customer.
2.2 Categories of Personal Data Processed:
(a) **Identifiers**: PAN; Aadhaar (only if voluntarily shared by the End-User and stored only as masked or last-four digits); email; mobile number; name; date of birth.
(b) **Financial**: Form 16, Form 26AS, AIS, TIS, salary breakup, capital-gains data, business income data, bank-statement metadata, investment holding statements, RSU grant and vest schedules, Schedule FA holdings.
(c) **Transaction logs**: IP address, device fingerprint, user-agent, session identifier, audit-log rows.
(d) **Where collected with explicit consent**: bank account number (stored encrypted with AES-256-GCM), IFSC, GSTIN.
2.3 Categories of Data Principals: the End-Users of the Customer (typically Indian individual taxpayers and the directors or partners of the Customer's client firms).
2.4 Duration of Processing: for the term of the MSA plus the retention windows in clause 8.
2.5 ElevateFinance shall not Process Customer-controlled Personal Data for any purpose other than those set out in this clause 2 without the Customer's prior written instruction.
## 3. Sub-processors
3.1 ElevateFinance is authorised to engage the sub-processors listed in the Sub-processor List, which is published at the Sub-processor List URL and incorporated by reference. The Customer's acceptance of this DPA constitutes general authorisation for those sub-processors.
3.2 ElevateFinance shall give the Customer no less than thirty (30) days' written notice before adding a new sub-processor. The Customer may object on reasonable data-protection grounds within fourteen (14) days; if the Parties cannot resolve the objection in good faith, either Party may terminate the affected services for material breach without further liability.
3.3 ElevateFinance shall ensure that every sub-processor is bound by written terms imposing materially equivalent data-protection obligations to those in this DPA.
3.4 ElevateFinance remains liable for the acts and omissions of its sub-processors as if they were its own.
## 4. Cross-border Transfers
4.1 Personal Data is primarily Processed within India.
4.2 ElevateFinance may transfer Personal Data outside India only (a) to the extent the Central Government has not restricted such transfer under Section 16 of the DPDP Act 2023, and (b) to a sub-processor listed in the Sub-processor List that is bound by materially equivalent data-protection obligations.
4.3 Some sub-processors (notably Cloudflare R2 and Vercel) operate global edges. The Customer acknowledges that data may transit through these edges. ElevateFinance shall use commercially reasonable efforts to pin Processing to Indian regions where the sub-processor offers that option.
## 5. Security Measures
5.1 ElevateFinance shall implement and maintain commercially reasonable technical and organisational security measures, including:
(a) AES-256-GCM encryption at rest for sensitive PII columns (PAN, Aadhaar where retained, bank account number, IFSC, OIDC client secrets, SAML signing certificates) using a 256-bit key managed via the Platform's `ENCRYPTION_KEY` secret;
(b) TLS 1.2 or higher in transit, with HSTS for tenant subdomains;
(c) HMAC-SHA256 tamper-evidence on every signed computation receipt and every issued invoice;
(d) per-tenant rate-limit buckets and noisy-neighbour isolation;
(e) cross-tenant isolation enforced at the tRPC procedure boundary plus a dedicated cross-tenant security test corpus;
(f) the platform-admin reservation, the two-Owner cap, and the last-Owner safety constraint described in the MSA;
(g) TOTP step-up on every super-admin mutation;
(h) immutable audit logging of every privileged mutation;
(i) role-based access at the OrgMember level with least-privilege defaults;
(j) backup, disaster-recovery, and incident-response procedures documented in the operational runbooks (including the CERT-In notification runbook).
5.2 ElevateFinance shall reasonably co-operate with the Customer's internal data-protection audits, at no more than annual frequency, on no less than thirty (30) days' written notice, during normal business hours, and subject to a reasonable confidentiality undertaking. The Customer shall bear its own costs and shall reimburse ElevateFinance's reasonable costs of the audit. The right of audit does not extend to ElevateFinance's source code, proprietary configurations, production environments, or any data that does not relate to the Customer's Processing under this DPA.
## 6. Personal Data Breach Notification
6.1 ElevateFinance shall notify the Customer in writing without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data breach within the meaning of Section 8(6) of the DPDP Act 2023. The notification shall describe (a) the nature of the breach, (b) the categories and approximate number of Data Principals and Personal Data records concerned, (c) the likely consequences, and (d) the measures taken or proposed to address the breach.
6.2 ElevateFinance shall co-operate with the Customer in the Customer's notification to the Data Protection Board of India and to affected Data Principals within the timeframes required by the DPDP Act 2023 and the Rules.
6.3 ElevateFinance separately complies with its CERT-In notification obligations under Section 70B of the IT Act 2000 read with the CERT-In Direction of 28 April 2022.
## 7. Data Principal Rights
7.1 The Platform exposes the following Data Principal rights through the Customer's tenant Owner surface:
(a) right of access (the DPDP self-service data export at `tenantSelfService.requestDataExport`);
(b) right of correction (in-product editing of profile and filing data);
(c) right of erasure (post-termination purge under clause 8 and the in-product erasure flow);
(d) right of nomination (a feature reserved for a future release in line with Section 14 of the DPDP Act 2023);
(e) right of grievance redressal (the Grievance Officer named in the Privacy Policy).
7.2 If a Data Principal contacts ElevateFinance directly with a request that is the Customer's responsibility under the MSA, ElevateFinance shall (a) acknowledge receipt without confirming or denying the existence of any specific Data Principal, and (b) forward the request to the Customer within three (3) Working Days.
## 8. Retention, Return, and Deletion
8.1 ElevateFinance shall retain Personal Data only for as long as necessary for the purposes set out in clause 2.1, the duration of the MSA, and the retention windows mandated by Applicable Law (including the six-year retention under the Income-tax Act 1961 and the CGST Act 2017).
8.2 On termination of the MSA, ElevateFinance shall, at the Customer's written election within thirty (30) days of termination:
(a) provide a Customer-Data export through the DPDP self-service portability surface for ninety (90) days; or
(b) delete the Customer's Personal Data, subject to the retention windows in clause 8.1.
8.3 Once the retention windows in clause 8.1 expire, ElevateFinance shall purge the Customer's Personal Data via deterministic null-token overwrite on every PII column.
## 9. Audit Trail
9.1 ElevateFinance maintains a per-tenant immutable audit log capturing (a) every privileged mutation, (b) the actor's user identifier, (c) the IP address and user-agent of the request (where available), and (d) a metadata payload describing the action.
9.2 The Customer may read its own tenant audit log through the self-service procedure (`tenantSelfService.listAuditLog`) or via a data export.
## 10. Liability
The limitation of liability in clause 14 of the MSA applies to this DPA on the same terms. The Parties agree that this DPA does not expand ElevateFinance's liability beyond the cap in the MSA.
## 11. Order of Precedence
In case of conflict between this DPA and the MSA on a data-protection matter, this DPA prevails. In case of conflict between this DPA and the DPDP Act 2023 or its Rules, the Act and Rules prevail.
---
This DPA is binding on the Parties from the date the Customer accepts the MSA, and remains in force for the term of the MSA plus the retention windows in clause 8.