Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller / CA Firm: The Chartered Accountant, Tax Consultant, or licensed tax professional ("you" or "User") who registers an account on TaxIQ and uploads client data.
• Data Processor: TaxIQ ("we", "us", "Platform").

Key Definitions:

• Personal Data: Any information relating to an identified or identifiable natural person (your client), including PAN, Aadhaar, income details, and tax-related financial records.
• Processing: Any operation performed on Personal Data, including collection, storage, use, analysis, and AI-assisted drafting.
• Sub-Processor: Any third-party service used by TaxIQ to assist in Processing (e.g., AI providers, cloud infrastructure).

The User (as Data Controller) instructs TaxIQ to process the following categories of Personal Data:

• Client Personally Identifiable Information: Name, PAN, Aadhaar (if provided), address, contact details.
• Financial Records: Income Tax Returns (ITR), Form 26AS, AIS, TIS, bank statements, balance sheets.
• Legal Correspondence: Income Tax notices, orders, assessment records, appeal documents.
• Any other documents voluntarily uploaded by the User to the Platform.

Processing is carried out exclusively on behalf of and under the instructions of the User for the following purposes:

1. AI-assisted analysis of tax notices and legal documents.
2. Generation of draft responses and submissions.
3. Retrieval-Augmented Generation (RAG) research using the User's uploaded documents.
4. Case and compliance timeline management.
5. Secure client portal communication.

By using TaxIQ to process your clients' data, you confirm and warrant that:

1. You have obtained all necessary consent or have a valid legal basis under the Digital Personal Data Protection (DPDP) Act, 2023 and applicable professional rules (ICAI Code of Ethics) to share your clients' Personal Data with this Platform.
2. You will inform your clients that their data may be processed using AI-powered software tools for the purpose of providing tax compliance services.
3. You will not upload documents belonging to persons who have not engaged you for professional services.
4. You are responsible for maintaining the accuracy of data uploaded to the Platform.
5. You will promptly notify TaxIQ of any instruction that, in your view, would violate applicable law.

TaxIQ shall:

1. Process only on instruction: Process Personal Data only in accordance with your documented instructions and not for any other purpose.
2. Confidentiality: Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
3. Security: Implement technical and organisational measures to protect Personal Data, including encryption at rest and in transit, Row-Level Security (RLS) in the database to enforce strict account-level data isolation, and access controls.
4. No training on your data: Your uploaded documents and client data are never used to train any AI model. Documents are sent to AI providers solely for the purpose of generating a response to your specific query and are governed by those providers' API data policies.
5. Data subject requests: Assist you in responding to requests from data subjects (your clients) exercising rights under the DPDP Act, 2023.
6. Breach notification: Notify you without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach affecting your clients' data.
7. Deletion: Upon termination of your account, delete or anonymise all Personal Data (documents and their embeddings) within 30 days, unless retention is required by law.

You authorise TaxIQ to engage the following categories of Sub-Processors, each of whom is bound by data processing terms no less protective than this DPA:

TaxIQ will notify you at least 14 days before adding any new Sub-Processor that processes Personal Data, giving you the opportunity to object.

You acknowledge that TaxIQ's infrastructure and Sub-Processors are located outside India. By agreeing to this DPA, you provide the necessary authorisation for transfer of Personal Data to these jurisdictions for the limited purposes described in this Agreement. TaxIQ ensures that appropriate safeguards are in place for such transfers in accordance with the DPDP Act, 2023 and any applicable RBI/SEBI guidance on data localisation (where applicable).

TaxIQ implements the following security measures:

• Encryption: AES-256 encryption at rest for all stored documents and database records; TLS 1.3 in transit.
• Access Control: Row-Level Security (RLS) at the database level ensures that each CA firm's data is strictly isolated — no firm can access another's data, even in the event of an application-layer bug.
• Document Access: Uploaded documents are stored in private Supabase Storage buckets. Signed URLs (valid for max 1 hour) are generated only when needed to send documents to AI providers.
• Vector Embeddings: Document embeddings are mathematical representations that cannot be reversed to reconstruct the original document text.
• Authentication: Multi-factor authentication support; session management with auto-expiry.
• Audit Logs: Activity logs maintained for all significant data processing events within the Platform.

This DPA commences on the date you accept it at registration and continues for the duration of your account. Upon termination of your account:

• You may request an export of all your data in a standard format within 30 days of termination.
• TaxIQ will permanently delete all Personal Data (including document embeddings) within 30 days after the export window, unless legal obligations require retention.

TaxIQ's liability under this DPA is subject to the limitations set out in the Terms of Service. The User, as Data Controller, bears primary responsibility for compliance with the DPDP Act, 2023 with respect to the lawfulness of processing their clients' Personal Data. TaxIQ is responsible only for breaches of its obligations as Data Processor under this DPA.

For any queries, contact:

TaxIQ
Email: privacy@iknowincometax.com

Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.