
Data Processing Agreement

Effective: 1 April 2026
Governing law: India
Entity: Askflow Private Limited

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Askflow Private Limited (“Processor”) and the Customer (“Controller”) and governs the processing of Personal Data by AskBooks on behalf of the Customer in connection with the Service.

1. Definitions

Capitalised terms have the meaning given to them in the Digital Personal Data Protection Act 2023 (India) and the EU General Data Protection Regulation 2016/679 (where applicable). “Personal Data” has the meaning given in DPDPA s 2(t).

2. Roles

The Customer is the Data Fiduciary / Controller in respect of Personal Data uploaded into the Service. AskBooks is the Data Processor and processes such Personal Data only on documented instructions from the Customer.

3. Scope of processing

  • Subject-matter: provision of the AskBooks Service (accounting, invoicing, GST filing, payroll, banking).
  • Duration: for the term of the underlying subscription, plus the retention windows defined in the Privacy Policy.
  • Categories of data subjects: Customer’s end-users, employees, customers, and vendors whose data Customer enters.
  • Categories of data: identification data, contact data, financial transaction data, tax identifiers (GSTIN, PAN, TAN), employee statutory data (PF, ESI, UAN).

4. Processor obligations

  • Process Personal Data only on the Controller’s documented instructions.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Annexe A).
  • Engage subprocessors only with the Controller’s general written authorisation, providing notice of new subprocessors with at least 30 days to object.
  • Assist the Controller in responding to data subject requests within 7 days.
  • Notify the Controller of any Personal Data Breach without undue delay, no later than 72 hours after becoming aware.
  • On termination, return or delete all Personal Data, and delete existing copies, unless required by law to retain them.

5. Subprocessors

The Controller authorises the use of the subprocessors below. Updates are posted on this page and notified by email at least 30 days before they take effect.

| Subprocessor | Purpose | Location |
|---|---|---|
| AWS (Amazon Web Services India Pvt Ltd) | Primary cloud infrastructure | ap-south-1 Mumbai, ap-south-2 Hyderabad |
| Cloudflare | WAF, CDN, DDoS protection | Global edge · India PoPs preferred |
| PostgreSQL (managed by AWS RDS) | Primary database | ap-south-1 Mumbai |
| Razorpay Software Pvt Ltd | Payment processing | India |
| Twilio India | OTP / SMS / WhatsApp delivery | India |
| Postmark / SendGrid | Transactional email | India / EU |
| Sentry | Error monitoring (PII-scrubbed) | EU/US |
| GSP partners (NSDL, Karvy, Cygnet) | GST return / e-invoice / e-Way Bill | India |

6. International transfers

Customer Content is stored exclusively in India. Limited operational metadata may be processed by subprocessors in other jurisdictions; in such cases, AskBooks ensures appropriate safeguards (Standard Contractual Clauses or DPDPA-equivalent) are in place.

7. Audit rights

The Controller may, upon 30 days’ written notice and not more than once per year, audit AskBooks’ compliance with this DPA. AskBooks may satisfy this obligation by sharing its current SOC 2 (planned) report and ISO 27001 (planned) certificate.

8. Liability

Each party’s liability under this DPA is subject to the limitations set out in the underlying Terms of Service.

9. Annexe A — Security measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM).
  • JWT RS256 authentication; mandatory MFA for admin/super-admin roles.
  • Argon2id password hashing with per-user salt.
  • Multi-tenant isolation enforced at every database query (tenant_id in JWT claim and predicate).
  • Token blacklist in Redis indexed by JTI; logout invalidates tokens.
  • Daily encrypted backups; quarterly restore tests.
  • SIEM with 24×7 SOC monitoring; quarterly penetration tests by CERT-In empanelled vendors.
  • Documented incident response plan; tabletop exercise twice a year.

To execute a counter-signed copy of this DPA on your entity’s letterhead, write to legal@askbooks.in.

Questions? Email legal@askbooks.in or write to Askflow Private Limited, Bengaluru, Karnataka 560034.