logo
icons

Data Processing Addendum

This Data Processing Addendum ("DPA" or "Addendum") forms an integral part of, and is governed by, the Terms of Use available at https://tallysolutions.com/terms-of-use/ ("Terms of Use"). For the purposes of this DPA, the Terms of Use and this DPA together constitute the "Agreement". By activating a Tally license, accessing or using any Tally product or service, the Customer is deemed to have accepted the Agreement without the need for a separate signature. This DPA becomes effective on the date the Customer first activates or uses the Tally product or service.

This DPA applies to the extent Tally processes Personal Data on behalf of the Customer in connection with the services provided under the Agreement (the "Services"). It replaces any prior data processing terms or agreements between the Parties relating to the Services.

This Addendum ensures appropriate privacy, security, and data protection in compliance with the The Digital Personal Data Protection Act, 2023 (DPDP Act), as well as global privacy laws such as the Personal Data Protection Law (PDPL) Saudi Arabia, The General Data Protection Regulation GDPR (Regulation (EU) 2016/679), The Data Protection Act, 2019 of Kenya and other applicable privacy regulations.

For clarity, this DPA, including all Annexures and any Exhibits, sets out the respective obligations of the Parties when Tally acts as a Processor.

Definitions:

"Customer" means the person or entity placing an order for or accessing the Service under the Terms of Use.

"Customer Personal Data" means all data (including but not limited to Customer Personal Data and End User data uploaded to or created on Tally platform) that Tally in its capacity as Data Processor processes on behalf of the Data Controller through the provision of its Services.

"Data Controller" also referred as "Data Fiduciary" in applicable laws - means the entity that determines the purposes and means of processing personal data – in this context the Customer entity who collects Personal Data and uses the Services of Tally either free or under paid subscription model who determines the purposes and means of the Processing of Personal Data; For the purposes of this DPA, the term also includes or is referred to as 'Data Fiduciary' under The Digital Personal Data Protection Act, 2023.

"Data Protection Laws" means all applicable laws and regulations governing the Personal Data, including but not limited to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 or "SPDI Rules" (IT Act), The Digital Personal Data Protection Act, 2023 or "DPDP Act" (India, 2023), Kenya Data Protection Act (2019), General Data Protection Regulation or "GDPR", Personal Data Protection Law or "PDPL", and other relevant data protection laws.

"Data Subject", an identified or identifiable living individual and includes Data Controller's employees, contractors, customers, prospects, suppliers, any relevant end users and subcontractors.

"Erasure" means the permanent deletion of Personal Data so it cannot be recovered or reconstructed.

"Partners" shall mean businesses/individuals who are authorized to sell software and services by Tally including but not limited to Tally Distribution partners (TDP), Master Tally partners (MTP), Direct Tally Partners, Certified partners (CP) and Associate partners (AP).

"Personal Data" refers to any data that can directly or indirectly identify a specific individual such as name, date of birth, government or national ID numbers, credit card details, passwords, and similar identifiers. In the context of this Addendum: includes contact information, the extent of which is determined and controlled by the Customer and its authorised parties in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data; data submitted by Customers for Trouble shooting, product enhancements/testing; system usage data; data used for assistance with activities/products that may interest and benefit the Customer including AI aided processing; application integration data, and other electronic data submitted, stored, sent, or received by end users via the Services.

"Personal Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data related to the Data Controller processed by us and/or our Sub-Processors in connection with the provision of Services under the Terms of Services.

"Process/processing/processed" means any action on Personal Data—automated or manual—such as collection, access, storage, use, sharing, or deletion.

"Services" means the services provided by the Data Processor to the Data Controller under the Terms of Use including user account management, assistance with activities/products that may interest and benefit the Customer including AI aided processing, storage, hosting, troubleshooting, data uploaded for product enhancements/ testing, any Telemetry, metadata/Header information generated through the primary and associated services, consultancy and customer support services on request.

"Special Categories of Personal Data" means sensitive personal information such as race, ethnicity, political views, religion, biometrics, or health that, if misused, could cause significant harm.

"Sub-processor" means the third party service providers engaged by the Data Processor who interact with the Controller's Data (in part or full) to assist the Data Processor in fulfilling its obligations with respect to providing the Services as per the Terms of Service.

"Supervisory Authority" means any competent regulatory authority including data protection authorities and law enforcement agencies.

SCOPE & Purpose:

In General, the license model of Tally ensures that the software and all associated data are hosted entirely within the client's infrastructure or dedicated Cloud infrastructure completely tagged to them and managed by them, the terms of this Addendum apply only when the Data Processor receives or has access to Personal Data while providing the Services. For all Processing under this Addendum, the Customer acts as the Data Controller and Tally acts as the Data Processor, except when the Customer is the Data Processor of their customer / vendor / supplier/ third-party Data and Tally is a Sub processor, acting on behalf of Customer.

Purpose: Personal Data will be Processed for purposes of providing the Services set out in the Agreement.

Duration: Personal Data will be Processed for the duration of the provision of Services under the Agreement as the case may be, including its renewal, expansion to associated and other connected services like Connected Banking, usage of AI features, Tally Capital.

Customer Processing of Customer Personal Data. The Customer agrees that (i) it will comply with its obligations under Data Protection Laws in respect to its processing of Customer Personal Data (ii) it has provided notice, obtained or will obtain all consents and has established the required legal basis necessary for Tally to process Customer Personal Data pursuant to the Addendum.

Tally processing of Customer Personal Data: Tally will process Customer Personal Data only (i) for the purpose of providing the Services and in accordance with the Agreement; (ii) as part of the direct business relationship between the Customer and Tally; (iii) for other services broadly defined under Services.

Data Processor Obligation:

Data Processing: The Data Processor shall process Personal Data as required under applicable Data Protection Legislation, solely for delivering the Services in a manner that helps Customer to use full potential of the Services. The Data Controller retains the right to access, modify, delete, and transfer Personal Data and must provide only the data necessary for the Services. The Processor shall not control, use, transfer, or disclose Personal Data and must implement appropriate technical and organizational measures to protect Data Subject rights and ensure compliance with legal requirements.

Confidentiality: The Data Processor must ensure that all persons authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

Sub-Processor Engagement: The Customer approves all current Tally Sub processors as of the effective date of this DPA. Tally may appoint new Sub processors to process Personal Data under this Agreement. At least 30 days before Tally engages a Sub-processor, Tally will update the applicable section in this DPA. To object to a Sub-processor, Customer can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Service for which Tally has engaged the Sub-processor.

When Tally engages a Sub processor:

  1. the Sub processor's access to Customer Personal Data will be limited to what is necessary to support the Services and will not include any other use;
  2. Tally will have a written agreement with the Sub processor requiring data protection standards consistent with applicable Data Protection Laws; and
  3. Tally will remain responsible for its obligations under this DPA and for any actions or omissions of the Sub processor that cause Tally to breach this DPA.

Data Subject Rights:

If the Data Controller cannot fulfil a Data Subject's request without assistance, the Data Processor shall, upon written request, provide the necessary Personal Data and support required to help the Controller comply with Data Subject rights under applicable privacy laws, consistent with the functionality of the product and Tally's role as a Processor. If Tally receives a Data Subject request directly, it will redirect the individual to the Data Controller. The Data Controller remains solely responsible for responding to all Data Subject requests and communications relating to Personal Data in a timely manner.

Technical & Organizational Measures and Security Incident Response:

Tally implements and maintains appropriate technical and organizational measures ("Technical and Organizational Measures") to protect Personal Data from Security Incidents and to ensure its security and confidentiality, as detailed in Annex II. Tally may update these measures from time to time to reflect technological developments, provided such changes do not reduce the overall security of the Services.

Where Tally personnel may access Customer Personal Data:

  • Tally will restrict such access to authorized individuals only, and ensure they are bound by suitable confidentiality and nonuse obligations.
  • The Customer remains responsible for its own secure use of the Services, including implementing measures such as protecting authentication credentials, securing Customer Personal Data in transit, maintaining appropriate backup and recovery capabilities, and encrypting or pseudonymizing Customer Personal Data uploaded to the Services.

If Tally becomes aware of a Security Incident, it will notify the Customer without undue delay, provide relevant information as it becomes available or upon reasonable request, and take reasonable steps to mitigate or remedy the effects of the incident. Neither the Data Controller nor the Data Processor shall be responsible for any non-performance or delay resulting from events beyond the reasonable control of the affected Party, which were not foreseeable and could not reasonably have been avoided or mitigated upon entering into this Addendum.

International Transfers:

Tally may transfer and process Personal Data in India or in any other country where Tally, its Affiliates, or its Subprocessors operate, as necessary to provide the Services. Tally will apply the obligations in this Addendum regardless of where Personal Data is stored or processed. For any Restricted Transfer, Tally will ensure compliance with applicable Data Protection Laws by implementing appropriate safeguards.

Return or Deletion of Personal Data:

Upon expiration or termination of the Agreement, Tally will, at the Customer's choice, delete or return all Customer Personal Data in its possession or control, in accordance with the Agreement. This obligation does not apply where applicable law requires Tally to retain certain Customer Personal Data, or to data stored in backup systems; in such cases, Tally will securely isolate that data and will not process it further except as required by law.

Data Controller Obligations:

The Data Controller is solely responsible for complying with all applicable data protection and privacy laws, including requirements relating to the disclosure, transfer, and lawful Processing of Personal Data. The Data Controller represents and warrants that it will comply with this Addendum and all relevant data protection legislation; that it has obtained all necessary consents, permissions and authorizations. The Data Controller is solely responsible for the accuracy, quality, and legality of the Personal Data it provides and agrees to ensure that its Affiliates using the Services comply with the obligations set out in this Addendum.

General:

Limitation of Liability. Any claims that the Customer may assert against Tally, its Affiliates, employees, agents, or Subprocessors under this DPA including claims for breach, fines imposed on the Customer, or liabilities under applicable Data Protection Laws are subject to the limitation of liability and financial caps set out in the Terms of Use.

Compliance Changes. Tally may amend this DPA to comply with changes in Data Protection Laws or binding guidance issued by courts or regulators with jurisdiction over Tally. Notice of such changes will be provided in advance through a posting on Tally's website or through notification of the updated copy to the Customer, to the extent possible.

Governing Law. This DPA is governed by the governing law and jurisdiction of India and courts at Bengaluru, Karnataka shall have exclusive jurisdiction for all disputes concerning this DPA, except where applicable Data Protection Laws require otherwise.

Precedence. If there is a conflict between the provisions of this DPA and the Terms of Use, the terms of this DPA shall prevail solely to the extent the conflict relates to the processing of Personal Data. Where a conflict exists between this DPA and any subsequent Data Transfer Addendum, the terms that provide greater protection to data subjects will prevail; otherwise, the subsequent Data Transfer Addendum will control.

Severability. Each provision of this DPA is severable. If any clause or portion is found invalid or unenforceable, the remainder of the DPA will continue in full force and effect.

ANNEX I – Nature and Description of Personal Data Processing (Including Transfers)

A. List of Parties

Data Exporter(s)

The Data Exporter is the Customer (and its Affiliates).

Data Importer(s)

The Data Importer is Tally, which provides the Services to the Data Exporter under the Terms of Service.

B. Description of Processing

1. Categories of Data Subjects

Personal Data may relate to the Customer's: employees and contractors, customers and prospects, suppliers and subcontractors, any end users, any other individuals whose data the Customer inputs into the Services.

2. Categories of Data Processed

Data may include such as the below:

2.1. Contact Details and User Account Information of Customer

Examples:

  • Full name; Email address; Phone numbers (mobile/landline); Country/region; Username / login ID; Account ID or customer ID; Password (hashed/encrypted); GST, PAN, VAT or other details provided in the course of registration and usage; Tally Serial Number, Tall.net User ID

2.2. Personal Data Determined and Controlled Solely by the Customer

(Customer-originated data where the company acts as a processor)

Examples:

  • Customer uploaded documents (invoices, reports, images, internal records); Customer employee details (names, emails, phone, roles); Any content entered into forms, notes, fields, or databases; Customer-specific business records processed through the service; Any data imported by the customer from their own systems

2.3. Data Processed as Part of Account Management

Examples:

  • Account creation data (user role, access level); Subscription plan details; Payment status and billing history; License allocations and renewals; Communication logs regarding account changes; Organization-level settings and preferences; GST, PAN, VAT details where relevant as part of registration and usage

2.4. Product Usage Data (including data used for testing or enhancements)

Examples:

  • Login timestamps and session duration; Features accessed and frequency of usage; Button clicks, navigation paths, workflow patterns; Error reports generated during usage; Performance metrics (load times, latency); Test logs generated during beta feature trials; Device and environment configuration used during product testing

2.5. Data Used for Assistance with Activities/Products Benefiting the Customer

Examples:

  • Recommendations based on past activity, product/service usage; User journey patterns used for personalization; Notification and alert preferences; Saved items, drafts, templates; Customer Account details and contacts details for Related Product/Feature suggestions based on segment and usage of features; Details such as recipient email IDs, Bank details, Payments and associated activities powered by usage of specific features

2.6. Data provided while using AI Assisted Features

Examples:

  • Input text or prompts submitted by the user (including image, video, voice, text inputs); Uploaded content used for analysis or generation; AI model interaction history; Query logs for improving AI responses; Feedback provided on AI outputs; System generated summaries or insights based on user data (depending on controls)

2.7. Data provided for Troubleshooting

Examples:

  • Diagnostic logs; System identifiers (device ID, browser version, OS version), product identifiers; Crash reports; User-provided issue descriptions; Screenshots or files shared to resolve a problem; Recordings of calls/screen captures, videos uploaded for issue resolution; Temporary debugging/technical support logs & data shared by customer for troubleshooting

2.8. Telemetry Data

Examples:

  • Device type, OS, browser type; IP address (for technical routing or regional compliance); App performance metrics (CPU/memory usage); Background processes and load behaviors; Interaction metrics (click paths, feature heatmaps); Headers of invoices/filing related activities generated by product/service like GSTIN, timestamps; Data captured as part of messaging/Exchange services powered by Tally for generating invoices, payment receipts such as recipient data, payment details

2.9. Metadata / Header Information

Examples:

  • Date/time stamps of requests; Communication protocol metadata; File metadata (name, size, type, timestamp); Email header metadata; API call logs and tokens (non-sensitive); basic account details

2.10. Customer Support Services Requested by the Customer

Examples:

  • Support ticket content; Customer-provided context and attachments; Chat or call transcripts/recordings; Training or consulting session history; Implementation notes and configuration instructions; Feedback, surveys, ratings submitted during service interactions

3. Sensitive Personal Data (If Applicable)

Sensitive data is transferred only if submitted by the Customer. Where applicable, Tally will apply enhanced safeguards such as strict purpose limitation, access controlled staff, audit logs, restrictions on onward transfers, and additional security measures.

4. Frequency of Transfers

Transfers may occur continuously during the Customer's use of the Services and for the duration of the Terms of Service, subject to applicable laws.

5. Nature of Processing

Processing consists of providing the Services under the Terms of Service, which requires storage, hosting, transmission, analysis, and other operations necessary to deliver, maintain, and support the Services.

6. Purpose of Processing and Transfers

Personal Data is processed solely for delivering and supporting the Services as described in the Terms of Service.

7. Data Retention Period

Personal Data will be retained only for the duration of the Services. Upon termination or expiry of the Agreement, data will be deleted or returned except for copies retained as required by law or for audit and compliance purposes, which will be securely isolated and not further processed.

8. Sub-processor Transfers

Where Subprocessors are used, they receive only the limited Personal Data necessary to perform the relevant portion of the Services. All such processing is carried out under confidentiality obligations, data protection agreements, and applicable safeguards.

Categories of sub-Processors who may handle Customer Personal Data:

  • Partners who they chose for assistance or assigned in special cases
  • Customer support centres managed by Tally, Partners and associates
  • Cloud Service Providers as selected by Customer
  • Connected Banking and Lending partners engaged to assess relevance, enable and initiate applicable services, and support their ongoing delivery.
  • Any other third-party hosting, maintenance, trouble shooting service providers including Account Management, Customer Personal Data enhancing partners for better outreach and Account Management, feedback, testimonial and Profile Management partners

ANNEX II – Technical and Organisational Measures Implemented by Tally

Tally currently implements the following technical and organisational measures to ensure the security, confidentiality, integrity and availability of Personal Data, the same applied to the limited extent where Tally processes Customer Personal Data:

1. Organisational Security Measures

1.1 Security Management

  • Tally maintains documented security policies governing the processing of Customer Personal Data.
  • Roles and responsibilities for data processing are clearly defined, assigned, and updated during internal reorganisations or role changes.
  • Access control rights are defined for each role based on the need to know principle.
  • Tally maintains an up to date inventory of IT assets used for processing Personal Data, with a designated owner responsible for maintaining it.
  • All system changes are recorded, monitored, and reviewed as part of a formal change management process.

1.2 Incident Response & Business Continuity

  • Tally has an incident response plan with procedures to manage and respond to security incidents affecting Personal Data.
  • Any personal data breach involving Customer Personal Data is reported to the Customer without undue delay.
  • Tally has business continuity measures to ensure availability and resilience of systems that process Personal Data.

1.3 Human Resources

  • All personnel are subject to confidentiality obligations and receive clear communication about their data handling duties.
  • Employees receive regular security and data protection training and awareness relevant to their roles.

2. Technical Security Measures

2.1 Access Control & Authentication

  • Tally uses an access control system to create, approve, monitor, and remove user accounts.
  • Common/shared accounts are avoided; where unavoidable, users have identical roles.
  • Access rights follow the least privilege principle.
  • Passwords follow strong requirements (minimum length, complexity, non-reuse).
  • Authentication credentials are never transmitted over the network in unprotected form.

2.2 Logging & Monitoring

  • System and application logs are enabled, recording access events such as viewing, modification, or deletion of Personal Data.

2.3 Security of Data at Rest

Server/Database Security

  • Servers operate using restricted OS level privileges and process only the Customer Personal Data necessary for the Services.

Workstation Security

  • Users cannot disable security settings or install unauthorised software.
  • Antivirus tools and security signatures are regularly updated.
  • System timeouts and OS security patches are regularly applied.

2.4 Network & Communication Security

  • Internet based access is encrypted using industry standard cryptographic protocols.
  • Firewalls and intrusion detection systems monitor and control traffic to and from Tally systems.

2.5 Backups

  • Backup and restoration procedures are documented with clear roles and responsibilities.
  • Backups receive appropriate physical and environmental protection.
  • Backup execution is monitored for completeness.

2.6 Mobile & Portable Device Security

  • Rules for the use of mobile and portable devices are documented.
  • Only pre-registered and authorized devices may access Tally systems.

2.7 Application Lifecycle Security

  • Tally follows industry standard secure development practices throughout the software development lifecycle.

2.8 Data Deletion & Disposal

  • Media is securely overwritten before disposal; where overwriting is not possible, physical destruction is applied.
  • Paper and portable media containing personal data are shredded or destroyed securely.

2.9 Physical Security

  • Physical infrastructure is secured against unauthorised access using technical controls and/or organisational controls (e.g., security personnel) as applicable.

3. Additional Safeguards

3.1 Sub-processors

  • Sub-processors, if engaged, are subject to written agreements requiring security measures no less protective than those set out in this Annex.

3.2 Data Segregation

  • Logical and/or physical controls are implemented to segregate Customer Personal Data from that of other customers.

3.3 Customer Responsibilities

  • The Customer is responsible for the lawfulness of processing, providing lawful instructions, and managing access by its users.

3.4 Review of Measures

  • Tally may update its technical and organisational measures to address evolving risks, provided such updates do not materially reduce the overall level of security.