AutoFS
HomeFeaturesPricingSecuritySupport
Start free
HomeFeaturesPricingSecuritySupportStart free
Legal

Data Processing Agreement

This DPA supplements the Terms of Service and applies whenever the Customer (the CA firm) uses AutoFS to process personal data of Data Principals on behalf of its own clients.

Last updated 2026-05-14 · Version 1.0

1. Roles

  • Customer — Data Fiduciary (DPDP §2(i)).
  • AutoFS — Data Processor (DPDP §2(k)).

2. Scope of processing

  • Subject matter — provision of financial-statement preparation software.
  • Duration — for the term of the subscription, plus the retention windows in §6.
  • Categories of Data Principals — Customer users, end-clients of Customer, partners/proprietors named in client profiles, portal recipients.
  • Categories of personal data — names, emails, PAN, GSTIN, financial statement line items, audit events, MFA secrets, FCM tokens.

3. AutoFS obligations

We will:

  • Process personal data only on Customer instructions.
  • Ensure persons authorised to process are bound by confidentiality.
  • Implement appropriate technical and organisational measures (TOMs) — see /security.
  • Not engage sub-processors without prior general written authorisation; current list at /subprocessors; 30-day notice for any addition.
  • Assist Customer with Data-Principal requests (access, correction, erasure).
  • Assist Customer with breach notification within the DPDP §8(6) 72-hour window.
  • Delete or return all personal data on Customer's choice at end of services.
  • Make available all information necessary to demonstrate compliance.

4. Customer obligations

Customer warrants that it has the lawful basis to process the personal data uploaded to the service, has notified affected Data Principals as required by law, and will respond to grievances raised against the Customer's own processing.

5. International transfer

Primary processing happens in India. Some sub-processors operate outside India (US, EU). Customer authorises such transfers subject to the protections in each sub-processor's standard contractual terms.

6. Retention

Audit engagement documentation, UDIN records, and related audit events are retained for at least 7 years under ICAI SA 230. Company books and relevant records may require preservation for not less than 8 financial years under Companies Act 2013, section 128(5); Customer remains responsible for maintaining the statutory repository and any longer record-specific hold. Operational data (sessions, FCM tokens, request logs) is retained for the durations in the Privacy Policy.

7. Security incidents

We notify Customer of any personal-data breach affecting Customer's data without undue delay, in any case within 24 hours of detection, to enable Customer's own 72-hour DPDP notification.

8. Audit

On reasonable notice and at Customer's expense, we will respond to written audit queries about our TOMs and provide the latest SOC-style report once issued.

9. Acceptance

Acceptance of the Terms of Service constitutes acceptance of this DPA. A counter-signed PDF is available on request at legal@autofs.in.

AutoFSFinancial Statements

From Tally or Trial Balance to review-ready financial statements.

Made in India • autofs.in

Product

HomeFeaturesPricingSecuritySupport

Resources

DocumentationHelp centreRoadmapChangelog

Company

AboutContactBook a demo

Legal

TermsPrivacyRefundDPA

© 2026 AutoFS. All rights reserved.

Built for Indian finance teams