Legal · Data

Data Processing Addendum

This Data Processing Addendum (DPA) forms part of the SaathiX ERP Terms of Service and describes how SaathiX ERP processes personal data under the Digital Personal Data Protection Act, 2023 ('DPDP Act').

Last updated 1 July 2026 8 sections dpo@saathix.com
1

1. Roles of the parties

For end-customer personal data (buyers' names, phone numbers, addresses) uploaded by the business ('Customer'):

  • The Customer is the Data Fiduciary.
  • SaathiX ERP Technologies is the Data Processor.

For account, billing and shop-owner data, SaathiX ERP is itself a Data Fiduciary and processes such data as described in the Privacy Policy.

2

2. Scope & purpose of processing

SaathiX ERP processes personal data only to (a) provide the SaathiX ERP services, (b) prevent fraud, (c) comply with legal obligations (e.g., GST invoice retention), and (d) generate aggregated, anonymised analytics. No processing occurs for advertising or resale.

3

3. Sub-processors

SaathiX ERP engages the following categories of sub-processors, each bound by contractual data-protection obligations:

  • Cloud infrastructure (India regions only, primary: Mumbai, secondary: Hyderabad).
  • Payment gateways for subscription and payment collection (Razorpay, PhonePe).
  • Communication rails (WhatsApp Business, transactional SMS/email).
  • KYC and background verification partners for CA network.

An up-to-date list is available on request from dpo@saathix.com. SaathiX ERP will notify Customers of material changes at least 30 days in advance.

4

4. Security measures

SaathiX ERP implements administrative, physical and technical safeguards including AES-256 encryption at rest, TLS 1.3 in transit, principle-of-least-privilege access, quarterly VAPT, and 24×7 monitoring. See the Security Policy for details.

5

5. Breach notification

SaathiX ERP will notify affected Customers and the Data Protection Board of India of a Personal Data Breach without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with the DPDP Act and applicable rules.

6

6. Data-principal rights

SaathiX ERP will provide reasonable assistance to Customers in responding to requests from Data Principals (end customers) exercising their rights of access, correction, erasure, or grievance redressal under the DPDP Act.

7

7. Data residency & transfers

Personal data of Indian Data Principals is stored on servers physically located within India. SaathiX ERP does not transfer such data outside India except as permitted by the Central Government under Section 16 of the DPDP Act.

8

8. Termination & deletion

Upon termination, SaathiX ERP will, at the Customer's option, return or delete Customer personal data within 90 days, except where retention is required by law (e.g., 8 years for GST invoices under Section 36 of the CGST Act).

Questions on this policy?

Reach the SaathiX ERP legal and privacy desk at dpo@saathix.com. We respond within 2 working days.