
Data Processing Agreement

Effective Date: [DATE — UPDATE BEFORE LAUNCH]   |  Last Updated: [DATE — UPDATE BEFORE LAUNCH]   |   Governed by DPDP Act 2023 & IT Act 2000

This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service between your CA firm (the Data Fiduciary) and Ledgr Technologies Pvt. Ltd. (the Data Processor). By accepting the Terms of Service, you also agree to this DPA. If there is any conflict between this DPA and the Terms of Service on matters of data protection, this DPA shall prevail.

1. Background & Parties

This Data Processing Agreement is entered into between:

Data Fiduciary

The CA firm or practitioner that has accepted the Ledgr Terms of Service ("the Firm", "you"). As the Data Fiduciary under Section 2(i) of the Digital Personal Data Protection Act, 2023, the Firm determines the purposes and means of processing personal data of its clients on the Ledgr platform.

— and —

Data Processor

Ledgr Technologies Pvt. Ltd. [CIN — UPDATE BEFORE LAUNCH], a company incorporated under the Companies Act 2013, with registered office at [ADDRESS — UPDATE BEFORE LAUNCH] ("Ledgr", "we", "us"). As a Data Processor under Section 2(k) of the DPDP Act 2023, Ledgr processes personal data on behalf of and under the instructions of the Firm.

The purpose of this DPA is to ensure that the processing of personal data on the Ledgr platform is carried out in accordance with the DPDP Act 2023, the Information Technology Act 2000, and applicable rules thereunder, and to set out the rights and obligations of each party with respect to such processing.

2. Definitions

Unless otherwise defined herein, terms used in this DPA have the meanings given to them in the DPDP Act 2023, IT Act 2000, and the Ledgr Terms of Service.

Term | Meaning
"Personal Data" | Any data about an individual who is identifiable by or in relation to such data, as defined in Section 2(t) DPDP Act 2023.
"Data Principal" | The individual to whom the personal data relates — in practice, your clients or their authorised representatives whose financial data is processed on the platform.
"Data Fiduciary" | The CA firm that determines the purpose and means of processing personal data of its clients on the Ledgr platform.
"Data Processor" | Ledgr Technologies Pvt. Ltd., processing personal data on behalf of the Data Fiduciary under this DPA.
"Processing" | Any operation performed on personal data, whether automated or not — including collection, storage, retrieval, use, disclosure, or deletion.
"Sub-Processor" | Any third party engaged by Ledgr to process personal data on behalf of the Fiduciary under this DPA.
"Breach" | Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
"Services" | The Ledgr SaaS platform and associated services as described in the Terms of Service.
"Firm Data" | All data (including personal data of clients and staff) uploaded to or processed on the platform by or on behalf of the Firm.

3. Scope & Nature of Processing

3.1 Subject Matter

This DPA governs Ledgr's processing of personal data that the Firm uploads, creates, or causes to be processed on the Ledgr platform in connection with the Services.

3.2 Nature of Processing

Processing activities performed by Ledgr include:

  • Storage and retrieval of Firm Data on AWS infrastructure
  • Encryption and decryption of sensitive data fields
  • Automated processing to populate compliance forms and reconciliation reports
  • Generation of notifications, reminders, and reports based on Firm Data
  • Backup and disaster recovery operations
  • Display of data to authorised Firm users through the platform interface
  • Export of data at the Firm's request

3.3 Processing Purpose

Ledgr processes personal data solely for the purpose of providing the Services to the Firm as described in the Terms of Service. Ledgr shall not process personal data for any other purpose — including for its own commercial benefit, advertising, or data brokering — without the Firm's prior written consent.

3.4 Processing Instructions

Ledgr processes personal data only on documented instructions from the Firm, which are given via: (a) the Firm's use of the platform features; (b) explicit support requests; or (c) written instructions to Ledgr. If Ledgr is required to process data for reasons of legal obligation, it will inform the Firm of that requirement before processing, unless prohibited by law.

4. Categories of Personal Data

The following categories of personal data may be processed under this DPA. Actual data processed depends on the features used by the Firm:

Category | Data Elements | Sensitivity | Storage Handling
Identity Identifiers | PAN number; Aadhaar number (last 4 digits only — full Aadhaar masked at storage layer) | Highly Sensitive | AES-256 encrypted; access-logged
Contact & Demographic | Client full name, date of birth, address, email, mobile number | Sensitive | Encrypted at rest; RBAC access
Financial Identifiers | Bank account number, IFSC, GSTIN, TAN, CIN, LLPIN | Highly Sensitive | AES-256 encrypted; never logged plain
Tax Return Data | ITR data including income, deductions, tax liability; AIS/26AS data; advance tax computation | Highly Sensitive | Encrypted at rest; restricted access
GST Data | GSTR-1, 3B, 9, 9C return data; GSTR-2B reconciliation; ITC claims | Highly Sensitive | Encrypted at rest; audit-logged
TDS Data | TDS deduction details (24Q, 26Q, 27Q, 27EQ); TDS certificates; deductee PAN and amounts | Highly Sensitive | Encrypted at rest
Portal Credentials | GST portal and IT portal login credentials — stored in Credential Vault only | Extremely Sensitive | App-layer AES-256 + separate KMS key; never logged; never transmitted plain
Financial Statements | Balance sheet, P&L, books of account, supporting documents | Highly Sensitive | Encrypted at rest; access-controlled
Employment & Payroll | Salary details, TDS on salary (24Q), employee PAN data | Sensitive | Encrypted at rest; RBAC
ROC / MCA / FEMA | Director DIN, shareholder details, company filings, FEMA declarations | Sensitive | Encrypted at rest

Aadhaar handling: In compliance with the Aadhaar Act 2016 and UIDAI guidelines, Ledgr stores only the last 4 digits of Aadhaar numbers. Full 12-digit Aadhaar numbers must not be entered into the platform. If inadvertently submitted, they are automatically masked at the application layer before storage.
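The application-layer masking described above, as an added illustration (not Ledgr's own code): a form-layer check that flags a full 12-digit Aadhaar-like value so the submission can be rejected, and a storage-layer safety net that keeps only the last 4 digits of any such sequence, including ones buried in free-text fields. The record and Aadhaar value are constructed for the example; the pattern deliberately masks any 12-digit run rather than validating it, since over-masking is the safe direction for a field that must never hold a full Aadhaar.

```python
import re
from typing import Any

# Aadhaar-style 12-digit sequences, optionally grouped 4-4-4 with spaces or
# hyphens. The lookarounds stop a longer digit run (for example a 16-digit
# card number) from being partially matched and mangled.
AADHAAR_RE = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")


def contains_full_aadhaar(value: str) -> bool:
    """Form-layer check: True if the field holds a full 12-digit Aadhaar-like
    number, so the submission can be rejected with a validation error."""
    return AADHAAR_RE.search(value) is not None


def mask_aadhaar(value: str) -> str:
    """Storage-layer safety net: keep only the last 4 digits of every
    Aadhaar-like sequence, replacing the first 8 with a fixed mask."""
    return AADHAAR_RE.sub(lambda m: "XXXX-XXXX-" + m.group(3), value)


def sanitise_record(record: dict[str, Any]) -> dict[str, Any]:
    """Apply masking to every string field of a record immediately before it
    is persisted, so a full Aadhaar never reaches the database or the logs."""
    return {k: mask_aadhaar(v) if isinstance(v, str) else v
            for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample record; the Aadhaar value is fabricated for illustration.
    record = {"client_name": "Example Client", "pan": "ABCDE1234F",
              "notes": "Aadhaar shared by client: 2345 6789 0123",
              "aadhaar_last4": "0123"}
    if contains_full_aadhaar(record["notes"]):
        print("validation: full Aadhaar detected in 'notes', reject or mask")
    print(sanitise_record(record))
```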

5. Processor Obligations

Ledgr, as Data Processor, commits to the following obligations under Section 8 of the DPDP Act 2023:

5.1 Lawful Processing

Ledgr will process personal data only in accordance with the Firm's documented instructions and applicable law. Ledgr will not process personal data inconsistently with the purposes in Section 3.3.

5.2 Confidentiality

All personnel authorised to process personal data are bound by contractual confidentiality obligations. Access is granted only on a need-to-know basis. Obligations survive employment termination.

5.3 Security

Ledgr will implement and maintain the technical and organisational security measures described in Section 8, and will update such measures as the security landscape evolves.

5.4 Sub-Processor Management

Ledgr will not engage any new sub-processor without: (a) informing the Firm at least 30 days in advance; and (b) ensuring the sub-processor is bound by data protection obligations equivalent to this DPA.

5.5 Assistance to the Fiduciary

Ledgr will provide reasonable assistance to the Firm to: (a) respond to Data Principal rights requests (Section 9); (b) implement security measures; (c) conduct data protection impact assessments if required; and (d) comply with applicable data protection law. Assistance beyond standard platform functionality may incur reasonable professional fees.

5.6 Breach Notification

Ledgr will notify the Firm of any data breach within 72 hours of becoming aware, as set out in Section 10.

5.7 Data Return & Deletion

At the end of the engagement, Ledgr will return or delete Firm Data as set out in Section 13.

5.8 Compliance Demonstration

Ledgr will make available, upon written request, documentation sufficient to demonstrate compliance with this DPA, including relevant certifications, audit reports, or security assessments.

6. Fiduciary Obligations

The Firm, as Data Fiduciary, acknowledges and agrees to the following obligations:

  • Lawfulness: The Firm ensures it has a lawful basis for uploading and processing clients' personal data on the platform.
  • Client consent and transparency: The Firm informs its clients that their data will be processed on a cloud-based SaaS platform and, where required, obtains appropriate consent. The Firm's engagement letters or privacy notices should reference Ledgr's role as Data Processor.
  • Accuracy: The Firm is responsible for the accuracy of data it uploads. Ledgr processes data as provided and is not responsible for inaccuracies in source data.
  • Data minimisation: The Firm uploads only personal data necessary for the compliance workflows the platform supports.
  • Access management: The Firm assigns appropriate permissions to staff users and immediately revokes access when staff depart or change roles.
  • Incident reporting: The Firm promptly reports to Ledgr any suspected security incidents, unauthorised access, or data losses originating from within the Firm's own systems or user accounts.

7. Sub-Processors

The Firm provides general authorisation for Ledgr to engage the following sub-processors. Each is bound by data protection obligations materially equivalent to this DPA:

Sub-Processor | Role | Data Processed | Location | Safeguards
Amazon Web Services (AWS) | Primary cloud infrastructure — compute, RDS (PostgreSQL), S3 storage, KMS key management | All Firm Data including personal data, encrypted at rest | India (ap-south-1, Mumbai) | AWS DPA; SOC 2 Type II; ISO 27001; PCI DSS; data residency in India
Razorpay Software Pvt. Ltd. | Payment gateway — subscription billing and invoice generation | Billing contact name, email, billing address, tokenised payment method (no full card numbers) | India | Razorpay DPA; PCI-DSS Level 1; RBI-regulated payment aggregator
Sentry (Functional Software Inc.) | Error monitoring and crash reporting | Error stack traces, anonymised session ID. Sensitive field scrubbing configured at SDK level — no PAN, Aadhaar, or financial data transmitted. | EU | Sentry DPA; data minimisation enforced; PII scrubbing rules active

Ledgr will provide at least 30 days' written notice before engaging any new sub-processor or materially changing sub-processor arrangements. The Firm may object on reasonable data protection grounds within 14 days. If unresolved, the Firm may terminate with 30 days' notice. An up-to-date sub-processor list is maintained on this page and at askcapro.in/security.

8. Technical & Organisational Security Measures

Ledgr implements the following technical and organisational measures (TOMs), reviewed and updated at least annually:

8.1 Encryption

  • At rest: AES-256 via AWS KMS for all storage (S3, RDS). Separate application-layer AES-256 encryption with a distinct KMS Customer Managed Key (CMK) for the Credential Vault — both keys must be compromised for credential exposure.
  • In transit: TLS 1.2 minimum, TLS 1.3 preferred. HSTS enforced. Certificate pinning on mobile apps.
  • Backups: Encrypted with a separate backup key; stored in S3 with Object Lock (WORM) enabled.

8.2 Access Controls

  • Role-Based Access Control (RBAC) at application layer — users access only their own firm workspace
  • MFA mandatory for Firm Admin accounts; strongly recommended for all users
  • Infrastructure access restricted to named engineers with MFA; reviewed quarterly
  • No standing production database access — time-limited credentials via AWS IAM
  • Departing employees' access revoked within 1 hour of termination notification

8.3 Audit Logging

  • All access to personal data logged with: timestamp (UTC), user ID, IP address, action, data category
  • Logs are immutable — append-only S3 with Object Lock; cannot be deleted by platform operators
  • Retained for 7 years per Indian statutory requirements
  • Suspicious access patterns trigger automated alerts to the security team

8.4 Network & Infrastructure Security

  • Application in private AWS VPC; databases not publicly accessible
  • AWS WAF and CloudFront for DDoS mitigation and input filtering
  • AWS GuardDuty for continuous threat detection
  • Security groups on least-privilege basis; all inbound traffic except HTTPS (443) blocked

8.5 Vulnerability Management

  • Automated dependency scanning on every code push
  • Critical/high CVEs patched within 7 days of disclosure
  • Annual third-party penetration test; reports available to PROFESSIONAL/ENTERPRISE customers under NDA
  • Container images rebuilt and patched on a weekly schedule

8.6 Business Continuity

  • Database backups every 6 hours; point-in-time recovery enabled (35-day window)
  • Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 6 hours
  • Disaster recovery plan tested annually; results shared with ENTERPRISE customers on request

8.7 Personnel & Process

  • All engineering staff handling production data undergo identity verification and sign confidentiality agreements
  • Annual security awareness training for all staff
  • Documented incident response plan with defined roles and escalation paths
  • Security-by-design integrated into the software development lifecycle (SDLC)

9. Data Subject Rights Assistance

The Firm, as Data Fiduciary, is responsible for responding to Data Principal rights requests under the DPDP Act 2023. Ledgr will assist the Firm in fulfilling such requests:

Right (DPDP Act 2023) | Ledgr's Obligation | SLA
Right to Access (S.11) | Provide a complete extract of all personal data for the specified Data Principal in machine-readable format (JSON or CSV) | Within 72 hours of request
Right to Correction (S.12) | Update or correct specified personal data fields as instructed by the Firm | Within 72 hours of instruction
Right to Erasure (S.12) | Delete specified personal data as instructed by the Firm, subject to legal minimum retention periods. Provide written confirmation. | 72 hours to action; confirmation within 7 days
Right to Portability | Export all personal data for a specified Data Principal in structured format (JSON/CSV) | Within 72 hours of request
Right to Nominate (S.14) | Recognise and facilitate nominations registered by the Firm on behalf of Data Principals | Per Firm instruction
Right to Withdraw Consent | Cease processing specified personal data (where consent-based) upon Firm instruction | Within 24 hours of instruction

To submit a rights assistance request, the Firm emails privacy@askcapro.in with subject "DPA Rights Assistance Request", specifying: (a) the Data Principal identifier (PAN or name); (b) the right being exercised; (c) the Firm's instruction for Ledgr to fulfil. Ledgr will not fulfil rights requests directly from Data Principals — all requests must be channelled through the Data Fiduciary.

10. Personal Data Breach Notification

10.1 Notification to Fiduciary

In the event of a Personal Data Breach affecting Firm Data, Ledgr will:

  • Notify the Firm Admin by email within 72 hours of becoming aware of the breach, even if full details are not yet available
  • Provide an initial notification containing: (a) description of the nature of the breach; (b) categories and approximate number of Data Principals affected; (c) likely consequences; (d) measures taken or proposed to contain and remediate the breach
  • Provide ongoing updates as additional information becomes available

10.2 Breach Response Steps

Upon detecting a breach, Ledgr's incident response team will:

  1. Immediately contain the breach — isolate affected systems, revoke compromised credentials
  2. Preserve forensic evidence for investigation
  3. Assess scope, severity, and root cause
  4. Notify affected Firms within 72 hours
  5. Remediate the vulnerability and implement preventive measures
  6. Provide a detailed post-incident report to affected Firms within 14 days of containment

10.3 Fiduciary's Notification Obligations

The Firm is responsible for notifying the Data Protection Board of India (once constituted) and affected Data Principals in accordance with the DPDP Act 2023. Ledgr will provide all information in its possession to assist in such notifications.

10.4 Breach Originating from Firm

If a breach originates from the Firm's user accounts, devices, or actions (e.g., a compromised staff login), the Firm is responsible for notification to Data Principals. Ledgr will provide all available technical information to assist the Firm's investigation.

11. Audits & Inspections

Ledgr will make available to the Firm, upon written request with at least 30 days' notice, the following compliance evidence:

  • Annual security audit or penetration test executive summaries (PROFESSIONAL/ENTERPRISE customers; subject to NDA)
  • Current sub-processor list (maintained on this page)
  • Evidence of sub-processor data protection agreements
  • AWS compliance certifications (SOC 2, ISO 27001) — publicly available from AWS
  • Confirmation of encryption and access control implementations

On-site audits may be permitted for ENTERPRISE customers, subject to 30 business days' advance notice, an NDA, and reimbursement of Ledgr's reasonable costs. Audits shall be conducted during business hours and shall not unduly disrupt Ledgr's operations or the data of other customers.

12. Cross-Border Data Transfers

Ledgr's primary data infrastructure is hosted in the AWS ap-south-1 (Mumbai) region. All personally identifiable financial data is stored and processed within India.

Limited, anonymised technical data (error stack traces with PII scrubbing) may be processed by Sentry's EU infrastructure for error monitoring. Sentry's SDK is configured to scrub sensitive field names before transmission. No PAN, Aadhaar, financial figures, or client names are transmitted to Sentry.

In the event that the DPDP Act 2023 or subsequent rules impose restrictions on cross-border data transfers, Ledgr will comply with all applicable requirements, including any whitelisting, adequacy, or consent requirements notified by the Government of India.

13. Data Return & Deletion

13.1 Export on Request

At any time during the subscription, the Firm may export all Firm Data via the platform's export functionality in structured, machine-readable formats (JSON, CSV, or PDF as appropriate).

13.2 Post-Termination Export Window

Following termination or expiry of the subscription, the Firm has a 30-day export window during which the account is accessible in read-only mode for data export. Ledgr will send email reminders at 14 days and 7 days before the window closes.

13.3 Deletion After Export Window

After the 30-day export window:

  • Active processing ceases immediately; data moves to secure archival storage
  • Data retained in archival for the periods specified in the Privacy Policy (principally 7 years for tax-related records)
  • On expiry of the retention period, data is permanently and irreversibly deleted using NIST SP 800-88 compliant methods
  • Encrypted AWS S3 backups deleted on the same schedule
  • Written deletion confirmation provided to Firm Admin upon completion

13.4 Early Deletion Requests

The Firm may request early deletion of specific data sets (subject to legal minimum retention requirements) by emailing privacy@askcapro.in. Requests are processed within 30 days, and written confirmation is provided on completion.

14. Liability

Liability between the parties under this DPA is governed by the Limitation of Liability provisions in Section 11 of the Terms of Service, incorporated herein by reference.

Where a data breach or violation is caused by Ledgr's negligence or wilful misconduct as Data Processor, Ledgr's liability shall not be limited to the extent applicable law prohibits such limitation (including any penalty provisions under the DPDP Act 2023).

Each party is solely responsible for penalties, fines, or regulatory sanctions imposed on that party by the Data Protection Board of India or any other regulatory authority arising from that party's breach of its obligations under the DPDP Act 2023 or this DPA.

15. Duration & Termination

This DPA comes into effect on the date the Firm accepts the Terms of Service and remains in force for as long as Ledgr processes personal data on behalf of the Firm under the Terms of Service ("coterminous with the Agreement").

This DPA automatically terminates upon termination of the Terms of Service. Termination does not affect obligations that expressly survive, including: Section 10 (breach notification for pre-termination incidents), Section 13 (deletion obligations), and Section 14 (liability).

If Ledgr is unable to comply with this DPA due to a change in applicable law, Ledgr will notify the Firm within 30 days, and the Firm may terminate the Agreement in accordance with Section 13 of the Terms of Service.

16. Governing Law

This DPA is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Any disputes arising under this DPA are subject to the dispute resolution provisions in Section 15 of the Terms of Service (arbitration, Mumbai seat).

If any provision of this DPA conflicts with any provision of the Terms of Service, the DPA shall prevail with respect to data protection and personal data processing matters.

Acceptance

This DPA does not require a separate signature. By accepting the Ledgr Terms of Service — whether by clicking "I Agree", by registering for an account, or by continuing to use the Service — the Firm accepts the terms of this DPA. The individual accepting represents they have authority to bind the Firm. For ENTERPRISE plans requiring a separately executed, countersigned DPA, contact legal@askcapro.in.