Brihat Books

Last updated: May 2026

Data Processing Agreement

This DPA is applicable to business customers who require formal data processing documentation for compliance purposes.

This Data Processing Agreement (“DPA”) forms part of the Brihat Books service agreement between Brihat Infotech Pvt. Ltd. and the business subscribing to the Brihat Books platform (“Controller”). By using the platform, the Controller agrees to the terms of this DPA.

1. Definitions

  • Data Controller (“Controller”) — the business entity that has subscribed to and uses the Brihat Books platform. The Controller determines the purposes and means of processing Personal Data.
  • Data Processor (“Processor”) — Brihat Infotech Pvt. Ltd., which processes Personal Data on behalf of the Controller through the Brihat Books platform.
  • Personal Data — any information relating to an identified or identifiable natural person. In the context of Brihat Books, this includes names, phone numbers, and email addresses of the Controller's customers, vendors, and employees stored in the platform.
  • Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • Sub-processor — any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.

2. Scope

This DPA applies to all Personal Data processed by Brihat Infotech Pvt. Ltd. on behalf of the Controller through the Brihat Books platform, for the duration of the service agreement.

This DPA does not apply to data that the Controller processes independently, outside of the Brihat Books platform.

3. Data Controller & Processor Roles

The parties acknowledge that for the purposes of applicable data protection law:

  • The Controller alone determines the purposes for which Personal Data is collected and entered into the platform.
  • The Processor (Brihat Infotech) processes Personal Data only on documented instructions from the Controller. The service agreement and the Controller's use of platform features constitute those instructions.
  • The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law.

4. Processing Details

Purpose of processing:

Providing GST billing, invoicing, and accounting services through the Brihat Books platform, including generating invoices, filing GST returns, managing vendor and customer records, and producing financial reports.

Categories of data subjects:

  • The Controller's customers and clients.
  • The Controller's vendors and suppliers.
  • The Controller's employees (where payroll or expense data is entered).

Categories of personal data processed:

  • Names of individuals.
  • Phone numbers.
  • Email addresses.
  • Postal and business addresses.
  • Financial transaction data (invoice amounts, payment records).
  • GSTIN and PAN numbers (where applicable).

5. Sub-processors

The Controller grants general authorisation for the Processor to engage sub-processors, subject to the notification requirements below.

Current approved sub-processors:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure and data storage | India (Mumbai)
Razorpay | Subscription payment processing | India
MSG91 | SMS notifications and OTP delivery | India

The Controller will be notified of any intended changes to sub-processors (addition or replacement) with at least 30 days' notice, giving the Controller the opportunity to raise reasonable objections.

6. Security Measures

The Processor implements and maintains appropriate technical and organisational security measures, including:

  • Encryption: data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access control: role-based access control (RBAC) ensuring staff access only the data necessary for their role.
  • Backups: regular automated backups with point-in-time recovery capability.
  • Penetration testing: annual third-party penetration testing of the platform.
  • Incident response: documented incident response plan with notification procedures.
  • Confidentiality: all staff with access to personal data are bound by confidentiality agreements.
  • Vulnerability management: regular security patching and dependency updates.

In the event of a personal data breach, the Processor will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, providing sufficient information for the Controller to meet its own notification obligations.

7. Data Subject Rights

The Processor will provide reasonable assistance to the Controller in fulfilling obligations to respond to data subject requests, including requests for access, correction, portability, and erasure.

If a data subject contacts the Processor directly, the Processor will promptly forward the request to the Controller and will not respond directly to the data subject without the Controller's authorisation, except as required by law.

The Processor will respond to Controller requests for assistance within the timeframes required by applicable data protection law.

8. Data Transfers

All Personal Data is stored and processed in India (AWS Mumbai region).

The sub-processors listed in Section 5 (Razorpay and MSG91) are Indian-registered entities that process data within India. No transfer of Personal Data outside India is made for sub-processor purposes.

If a future operational requirement necessitates any cross-border data transfer, the Processor will notify the Controller in advance and ensure appropriate safeguards are in place before any such transfer occurs.

9. Duration

This DPA remains in effect for the full duration of the service agreement between the parties.

Upon termination or expiry of the service agreement, the Processor will, at the Controller's election and within 30 days of receiving written instruction:

  • Return all Personal Data to the Controller in a machine-readable format; or
  • Securely delete all Personal Data, with written confirmation of deletion.

Financial records and GST data that the Processor is required to retain by Indian law (including the CGST Act, 2017) are exempt from deletion until the legally mandated retention period has elapsed.

10. Contact

For questions relating to this DPA, or to request a signed copy for your records, contact us at legal@brihatbooks.in
