Data Processing Addendum

This Data Processing Addendum ("DPA" or "Addendum") forms an integral part of, and is governed by, the Terms of Use available at https://tallysolutions.com/terms-of-use/ ("Terms of Use"). For the purposes of this DPA, the Terms of Use and this DPA together constitute the "Agreement". By activating a Tally license, accessing or using any Tally product or service, the Customer is deemed to have accepted the Agreement without the need for a separate signature. This DPA becomes effective on the date the Customer first activates or uses the Tally product or service.

This DPA applies to the extent Tally processes Personal Data on behalf of the Customer in connection with the services provided under the Agreement (the "Services"). It replaces any prior data processing terms or agreements between the Parties relating to the Services.

This Addendum ensures appropriate privacy, security, and data protection in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), as well as global privacy laws such as the Personal Data Protection Law (PDPL) of Saudi Arabia, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the Data Protection Act, 2019 of Kenya, and other applicable privacy regulations.

For clarity, this DPA, including all Annexures and any Exhibits, sets out the respective obligations of the Parties when Tally acts as a Processor.

Definitions:

"Customer" means the person or entity placing an order for or accessing the Service under the Terms of Use.

"Customer Personal Data" means all data (including but not limited to Customer Personal Data and End User data uploaded to or created on Tally platform) that Tally in its capacity as Data Processor processes on behalf of the Data Controller through the provision of its Services.

"Data Controller" also referred as "Data Fiduciary" in applicable laws - means the entity that determines the purposes and means of processing personal data – in this context the Customer entity who collects Personal Data and uses the Services of Tally either free or under paid subscription model who determines the purposes and means of the Processing of Personal Data; For the purposes of this DPA, the term also includes or is referred to as 'Data Fiduciary' under The Digital Personal Data Protection Act, 2023.

"Data Protection Laws" means all applicable laws and regulations governing the Personal Data, including but not limited to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 or "SPDI Rules" (IT Act), The Digital Personal Data Protection Act, 2023 or "DPDP Act" (India, 2023), Kenya Data Protection Act (2019), General Data Protection Regulation or "GDPR", Personal Data Protection Law or "PDPL", and other relevant data protection laws.

"Data Subject", an identified or identifiable living individual and includes Data Controller's employees, contractors, customers, prospects, suppliers, any relevant end users and subcontractors.

"Erasure" means the permanent deletion of Personal Data so it cannot be recovered or reconstructed.

"Partners" shall mean businesses/individuals who are authorized to sell software and services by Tally including but not limited to Tally Distribution partners (TDP), Master Tally partners (MTP), Direct Tally Partners, Certified partners (CP) and Associate partners (AP).

"Personal Data" refers to any data that can directly or indirectly identify a specific individual such as name, date of birth, government or national ID numbers, credit card details, passwords, and similar identifiers. In the context of this Addendum: includes contact information, the extent of which is determined and controlled by the Customer and its authorised parties in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data; data submitted by Customers for Trouble shooting, product enhancements/testing; system usage data; data used for assistance with activities/products that may interest and benefit the Customer including AI aided processing; application integration data, and other electronic data submitted, stored, sent, or received by end users via the Services.

"Personal Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data related to the Data Controller processed by us and/or our Sub-Processors in connection with the provision of Services under the Terms of Services.

"Process/processing/processed" means any action on Personal Data—automated or manual—such as collection, access, storage, use, sharing, or deletion.

"Services" means the services provided by the Data Processor to the Data Controller under the Terms of Use including user account management, assistance with activities/products that may interest and benefit the Customer including AI aided processing, storage, hosting, troubleshooting, data uploaded for product enhancements/ testing, any Telemetry, metadata/Header information generated through the primary and associated services, consultancy and customer support services on request.

"Special Categories of Personal Data" means sensitive personal information such as race, ethnicity, political views, religion, biometrics, or health that, if misused, could cause significant harm.

"Sub-processor" means the third party service providers engaged by the Data Processor who interact with the Controller's Data (in part or full) to assist the Data Processor in fulfilling its obligations with respect to providing the Services as per the Terms of Service.

"Supervisory Authority" means any competent regulatory authority including data protection authorities and law enforcement agencies.

Scope & Purpose:

In general, the license model of Tally ensures that the software and all associated data are hosted entirely within the client's infrastructure or dedicated Cloud infrastructure completely tagged to them and managed by them. The terms of this Addendum apply only when the Data Processor receives or has access to Personal Data while providing the Services. For all Processing under this Addendum, the Customer acts as the Data Controller and Tally acts as the Data Processor, except when the Customer is the Data Processor of their customer / vendor / supplier / third-party Data and Tally is a Sub-processor, acting on behalf of Customer.

Purpose: Personal Data will be Processed for purposes of providing the Services set out in the Agreement.

Duration: Personal Data will be Processed for the duration of the provision of Services under the Agreement as the case may be, including its renewal, expansion to associated and other connected services like Connected Banking, usage of AI features, Tally Capital.

Customer Processing of Customer Personal Data: The Customer agrees that (i) it will comply with its obligations under Data Protection Laws in respect to its processing of Customer Personal Data; and (ii) it has provided notice, obtained or will obtain all consents and has established the required legal basis necessary for Tally to process Customer Personal Data pursuant to the Addendum.

Tally processing of Customer Personal Data: Tally will process Customer Personal Data only (i) for the purpose of providing the Services and in accordance with the Agreement; (ii) as part of the direct business relationship between the Customer and Tally; (iii) for other services broadly defined under Services.

Data Processor Obligation:

Data Processing: The Data Processor shall process Personal Data as required under applicable Data Protection Legislation, solely for delivering the Services in a manner that helps the Customer use the full potential of the Services. The Data Controller retains the right to access, modify, delete, and transfer Personal Data and must provide only the data necessary for the Services. The Processor shall not control, use, transfer, or disclose Personal Data and must implement appropriate technical and organizational measures to protect Data Subject rights and ensure compliance with legal requirements.

Confidentiality: The Data Processor must ensure that all persons authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

Sub-Processor Engagement: The Customer approves all current Tally Sub processors as of the effective date of this DPA. Tally may appoint new Sub processors to process Personal Data under this Agreement. At least 30 days before Tally engages a Sub-processor, Tally will update the applicable section in this DPA. To object to a Sub-processor, Customer can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Service for which Tally has engaged the Sub-processor.

When Tally engages a Sub processor:

  1. the Sub processor's access to Customer Personal Data will be limited to what is necessary to support the Services and will not include any other use;
  2. Tally will have a written agreement with the Sub processor requiring data protection standards consistent with applicable Data Protection Laws; and
  3. Tally will remain responsible for its obligations under this DPA and for any actions or omissions of the Sub processor that cause Tally to breach this DPA.

Data Subject Rights:

If the Data Controller cannot fulfil a Data Subject's request without assistance, the Data Processor shall, upon written request, provide the necessary Personal Data and support required to help the Controller comply with Data Subject rights under applicable privacy laws, consistent with the functionality of the product and Tally's role as a Processor. If Tally receives a Data Subject request directly, it will redirect the individual to the Data Controller. The Data Controller remains solely responsible for responding to all Data Subject requests and communications relating to Personal Data in a timely manner.

Technical & Organizational Measures and Security Incident Response:

Tally implements and maintains appropriate technical and organizational measures ("Technical and Organizational Measures") to protect Personal Data from Security Incidents and to ensure its security and confidentiality, as detailed in Annex II. Tally may update these measures from time to time to reflect technological developments, provided such changes do not reduce the overall security of the Services.

Where Tally personnel may access Customer Personal Data:

  • Tally will restrict such access to authorized individuals only, and ensure they are bound by suitable confidentiality and nonuse obligations.
  • The Customer remains responsible for its own secure use of the Services, including implementing measures such as protecting authentication credentials, securing Customer Personal Data in transit, maintaining appropriate backup and recovery capabilities, and encrypting or pseudonymizing Customer Personal Data uploaded to the Services.

If Tally becomes aware of a Security Incident, it will notify the Customer without undue delay, provide relevant information as it becomes available or upon reasonable request, and take reasonable steps to mitigate or remedy the effects of the incident. Neither the Data Controller nor the Data Processor shall be responsible for any non-performance or delay resulting from events beyond the reasonable control of the affected Party, which were not foreseeable and could not reasonably have been avoided or mitigated upon entering into this Addendum.

International Transfers:

Tally may transfer and process Personal Data in India or in any other country where Tally, its Affiliates, or its Subprocessors operate, as necessary to provide the Services. Tally will apply the obligations in this Addendum regardless of where Personal Data is stored or processed. For any Restricted Transfer, Tally will ensure compliance with applicable Data Protection Laws by implementing appropriate safeguards.

Return or Deletion of Personal Data:

Upon expiration or termination of the Agreement, Tally will, at the Customer's choice, delete or return all Customer Personal Data in its possession or control, in accordance with the Agreement. This obligation does not apply where applicable law requires Tally to retain certain Customer Personal Data, or to data stored in backup systems; in such cases, Tally will securely isolate that data and will not process it further except as required by law.

Data Controller Obligations:

The Data Controller is solely responsible for complying with all applicable data protection and privacy laws, including requirements relating to the disclosure, transfer, and lawful Processing of Personal Data. The Data Controller represents and warrants that it will comply with this Addendum and all relevant data protection legislation; that it has obtained all necessary consents, permissions and authorizations. The Data Controller is solely responsible for the accuracy, quality, and legality of the Personal Data it provides and agrees to ensure that its Affiliates using the Services comply with the obligations set out in this Addendum.

General:

Limitation of Liability. Any claims that the Customer may assert against Tally, its Affiliates, employees, agents, or Subprocessors under this DPA including claims for breach, fines imposed on the Customer, or liabilities under applicable Data Protection Laws are subject to the limitation of liability and financial caps set out in the Terms of Use.

Compliance Changes. Tally may amend this DPA to comply with changes in Data Protection Laws or binding guidance issued by courts or regulators with jurisdiction over Tally. Notice of such changes will be provided in advance through a posting on Tally's website or through notification of the updated copy to the Customer, to the extent possible.

Governing Law. This DPA is governed by the governing law and jurisdiction of India and courts at Bengaluru, Karnataka shall have exclusive jurisdiction for all disputes concerning this DPA, except where applicable Data Protection Laws require otherwise.

Precedence. If there is a conflict between the provisions of this DPA and the Terms of Use, the terms of this DPA shall prevail solely to the extent the conflict relates to the processing of Personal Data. Where a conflict exists between this DPA and any subsequent Data Transfer Addendum, the terms that provide greater protection to data subjects will prevail; otherwise, the subsequent Data Transfer Addendum will control.

Severability. Each provision of this DPA is severable. If any clause or portion is found invalid or unenforceable, the remainder of the DPA will continue in full force and effect.

ANNEX I – Nature and Description of Personal Data Processing (Including Transfers)

A. List of Parties

Data Exporter(s)

The Data Exporter is the Customer (and its Affiliates).

Data Importer(s)

The Data Importer is Tally, which provides the Services to the Data Exporter under the Terms of Service.

B. Description of Processing

1. Categories of Data Subjects

Personal Data may relate to the Customer's: employees and contractors, customers and prospects, suppliers and subcontractors, any end users, any other individuals whose data the Customer inputs into the Services.

2. Categories of Data Processed

Data may include items such as the following:

2.1. Contact Details and User Account Information of Customer

Examples:

  • Full name; Email address; Phone numbers (mobile/landline); Country/region; Username / login ID; Account ID or customer ID; Password (hashed/encrypted); GST, PAN, VAT or other details provided in the course of registration and usage; Tally Serial Number, Tally.net User ID

2.2. Personal Data Determined and Controlled Solely by the Customer

(Customer-originated data where the company acts as a processor)

Examples:

  • Customer uploaded documents (invoices, reports, images, internal records); Customer employee details (names, emails, phone, roles); Any content entered into forms, notes, fields, or databases; Customer-specific business records processed through the service; Any data imported by the customer from their own systems

2.3. Data Processed as Part of Account Management

Examples:

  • Account creation data (user role, access level); Subscription plan details; Payment status and billing history; License allocations and renewals; Communication logs regarding account changes; Organization-level settings and preferences; GST, PAN, VAT details where relevant as part of registration and usage

2.4. Product Usage Data (including data used for testing or enhancements)

Examples:

  • Login timestamps and session duration; Features accessed and frequency of usage; Button clicks, navigation paths, workflow patterns; Error reports generated during usage; Performance metrics (load times, latency); Test logs generated during beta feature trials; Device and environment configuration used during product testing

2.5. Data Used for Assistance with Activities/Products Benefiting the Customer

Examples:

  • Recommendations based on past activity, product/service usage; User journey patterns used for personalization; Notification and alert preferences; Saved items, drafts, templates; Customer Account details and contacts details for Related Product/Feature suggestions based on segment and usage of features; Details such as recipient email IDs, Bank details, Payments and associated activities powered by usage of specific features

2.6. Data provided while using AI Assisted Features

Examples:

  • Input text or prompts submitted by the user (including image, video, voice, text inputs); Uploaded content used for analysis or generation; AI model interaction history; Query logs for improving AI responses; Feedback provided on AI outputs; System generated summaries or insights based on user data (depending on controls)

2.7. Data provided for Troubleshooting

Examples:

  • Diagnostic logs; System identifiers (device ID, browser version, OS version), product identifiers; Crash reports; User-provided issue descriptions; Screenshots or files shared to resolve a problem; Recordings of calls/screen captures, videos uploaded for issue resolution; Temporary debugging/technical support logs & data shared by customer for troubleshooting

2.8. Telemetry Data

Examples:

  • Device type, OS, browser type; IP address (for technical routing or regional compliance); App performance metrics (CPU/memory usage); Background processes and load behaviors; Interaction metrics (click paths, feature heatmaps); Headers of invoices/filing related activities generated by product/service like GSTIN, timestamps; Data captured as part of messaging/Exchange services powered by Tally for generating invoices, payment receipts such as recipient data, payment details

2.9. Metadata / Header Information

Examples:

  • Date/time stamps of requests; Communication protocol metadata; File metadata (name, size, type, timestamp); Email header metadata; API call logs and tokens (non-sensitive); basic account details

2.10. Customer Support Services Requested by the Customer

Examples:

  • Support ticket content; Customer-provided context and attachments; Chat or call transcripts/recordings; Training or consulting session history; Implementation notes and configuration instructions; Feedback, surveys, ratings submitted during service interactions

3. Sensitive Personal Data (If Applicable)

Sensitive data is transferred only if submitted by the Customer. Where applicable, Tally will apply enhanced safeguards such as strict purpose limitation, access controlled staff, audit logs, restrictions on onward transfers, and additional security measures.

4. Frequency of Transfers

Transfers may occur continuously during the Customer's use of the Services and for the duration of the Terms of Service, subject to applicable laws.

5. Nature of Processing

Processing consists of providing the Services under the Terms of Service, which requires storage, hosting, transmission, analysis, and other operations necessary to deliver, maintain, and support the Services.

6. Purpose of Processing and Transfers

Personal Data is processed solely for delivering and supporting the Services as described in the Terms of Service.

7. Data Retention Period

Personal Data will be retained only for the duration of the Services. Upon termination or expiry of the Agreement, data will be deleted or returned except for copies retained as required by law or for audit and compliance purposes, which will be securely isolated and not further processed.

8. Sub-processor Transfers

Where Subprocessors are used, they receive only the limited Personal Data necessary to perform the relevant portion of the Services. All such processing is carried out under confidentiality obligations, data protection agreements, and applicable safeguards.

Categories of sub-Processors who may handle Customer Personal Data:

  • Partners who they chose for assistance or assigned in special cases
  • Customer support centres managed by Tally, Partners and associates
  • Cloud Service Providers as selected by Customer
  • Connected Banking and Lending partners engaged to assess relevance, enable and initiate applicable services, and support their ongoing delivery.
  • Any other third-party hosting, maintenance, troubleshooting service providers including Account Management, Customer Personal Data enhancing partners for better outreach and Account Management, feedback, testimonial and Profile Management partners

ANNEX II – Technical and Organisational Measures Implemented by Tally

Tally currently implements the following technical and organisational measures to ensure the security, confidentiality, integrity and availability of Personal Data; the same are applied to the limited extent that Tally processes Customer Personal Data:

1. Organisational Security Measures

1.1 Security Management

  • Tally maintains documented security policies governing the processing of Customer Personal Data.
  • Roles and responsibilities for data processing are clearly defined, assigned, and updated during internal reorganisations or role changes.
  • Access control rights are defined for each role based on the need to know principle.
  • Tally maintains an up to date inventory of IT assets used for processing Personal Data, with a designated owner responsible for maintaining it.
  • All system changes are recorded, monitored, and reviewed as part of a formal change management process.

1.2 Incident Response & Business Continuity

  • Tally has an incident response plan with procedures to manage and respond to security incidents affecting Personal Data.
  • Any personal data breach involving Customer Personal Data is reported to the Customer without undue delay.
  • Tally has business continuity measures to ensure availability and resilience of systems that process Personal Data.

1.3 Human Resources

  • All personnel are subject to confidentiality obligations and receive clear communication about their data handling duties.
  • Employees receive regular security and data protection training and awareness relevant to their roles.

2. Technical Security Measures

2.1 Access Control & Authentication

  • Tally uses an access control system to create, approve, monitor, and remove user accounts.
  • Common/shared accounts are avoided; where unavoidable, users have identical roles.
  • Access rights follow the least privilege principle.
  • Passwords follow strong requirements (minimum length, complexity, non-reuse).
  • Authentication credentials are never transmitted over the network in unprotected form.

2.2 Logging & Monitoring

  • System and application logs are enabled, recording access events such as viewing, modification, or deletion of Personal Data.

2.3 Security of Data at Rest

Server/Database Security

  • Servers operate using restricted OS level privileges and process only the Customer Personal Data necessary for the Services.

Workstation Security

  • Users cannot disable security settings or install unauthorised software.
  • Antivirus tools and security signatures are regularly updated.
  • System timeouts and OS security patches are regularly applied.

2.4 Network & Communication Security

  • Internet based access is encrypted using industry standard cryptographic protocols.
  • Firewalls and intrusion detection systems monitor and control traffic to and from Tally systems.

2.5 Backups

  • Backup and restoration procedures are documented with clear roles and responsibilities.
  • Backups receive appropriate physical and environmental protection.
  • Backup execution is monitored for completeness.

2.6 Mobile & Portable Device Security

  • Rules for the use of mobile and portable devices are documented.
  • Only pre-registered and authorized devices may access Tally systems.

2.7 Application Lifecycle Security

  • Tally follows industry standard secure development practices throughout the software development lifecycle.

2.8 Data Deletion & Disposal

  • Media is securely overwritten before disposal; where overwriting is not possible, physical destruction is applied.
  • Paper and portable media containing personal data are shredded or destroyed securely.

2.9 Physical Security

  • Physical infrastructure is secured against unauthorised access using technical controls and/or organisational controls (e.g., security personnel) as applicable.

3. Additional Safeguards

3.1 Sub-processors

  • Sub-processors, if engaged, are subject to written agreements requiring security measures no less protective than those set out in this Annex.

3.2 Data Segregation

  • Logical and/or physical controls are implemented to segregate Customer Personal Data from that of other customers.

3.3 Customer Responsibilities

  • The Customer is responsible for the lawfulness of processing, providing lawful instructions, and managing access by its users.

3.4 Review of Measures

  • Tally may update its technical and organisational measures to address evolving risks, provided such updates do not materially reduce the overall level of security.