Data Processing Addendum

The CA-firm customer is the Data Fiduciary and determines the purpose of processing. Stratilon Private Limited is the Data Processor, processing taxpayer data only on the firm’s documented instructions to provide Taxrithm.

Processing is limited to preparing Income-tax Returns: storage, computation, document parsing, and generation of the filing JSON.

The Data Fiduciary authorises the sub-processors listed at /sub-processors. We will give notice before adding a new sub-processor that handles personal data.

AES-256 encryption at rest (PAN additionally column-encrypted), TLS 1.3 in transit, row-level-security tenant isolation, append-only audit logging, and least-privilege access.

We will assist the Data Fiduciary in responding to data-principal access / correction / erasure requests within the agreed timelines.

We will notify the Data Fiduciary without undue delay on becoming aware of a personal-data breach, with the information needed for their CERT-In (6-hour) and DPDP reporting obligations.

On termination, data is handled per the 7-year statutory retention (Section 149) and then hard-deleted, unless the Data Fiduciary instructs earlier deletion permitted by law.

This DPA is governed by the laws of India.