Legal
Data Processing Agreement
Last updated: June 25, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Sri Anant Enterprises (“Processor,” “we,” “us,” “our”) and the customer (“Controller,” “you,” “your”) who uses the SALARIER platform (“the Service”). This DPA applies when we process personal data on your behalf as part of providing the Service.
1. Definitions
Capitalized terms not defined in this DPA shall have the meanings given in the Terms of Service or applicable data protection laws (including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and the Indian Digital Personal Data Protection Act, 2023 (“DPDP Act”)).
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller under the Terms.
- “Processing” means any operation performed on Personal Data, whether or not by automated means.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Nature and Purpose of Processing
The Processor will process Personal Data solely for the purpose of providing the Service as described in the Terms. The nature of the processing includes:
- Collection, storage, and retrieval of payroll and employee data;
- Generation of payslips, invoices, and GST-compliant documents;
- Account authentication and user management;
- Customer and billing record management;
- Technical support, monitoring, and service improvement activities.
3. Categories of Data Subjects and Personal Data
The categories of Data Subjects whose Personal Data may be processed include:
- Your employees (for payslip generation);
- Your authorized users of the Service;
- Your customers (for invoicing);
- Your business contacts.
The categories of Personal Data that may be processed include:
- Identification data: names, employee IDs, usernames;
- Contact data: email addresses, phone numbers, physical addresses;
- Financial data: salary details, bank account numbers, PAN numbers, GST numbers;
- Employment data: job titles, department, compensation details;
- Authentication data: login credentials (hashed passwords);
- Technical data: IP addresses, log data, usage information.
4. Duration of Processing
Personal Data will be processed for the duration of the Terms (i.e., while your account is active). Upon termination of the Terms, the Processor will delete or return all Personal Data in accordance with Section 9 (Data Retention and Deletion) of this DPA.
5. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis for the processing of Personal Data, including obtaining all necessary consents from Data Subjects;
- The Personal Data provided to the Processor is accurate and lawfully collected;
- It will comply with all applicable data protection laws in its use of the Service;
- It is responsible for responding to Data Subject requests, including requests for access, rectification, erasure, and data portability, to the extent such requests relate to data under the Controller's control.
6. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country;
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality;
- Implement and maintain appropriate technical and organizational security measures as described in Section 7;
- Assist the Controller in fulfilling its obligations regarding Data Subject rights requests, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and information available to the Processor;
- Notify the Controller without undue delay upon becoming aware of a Data Breach affecting Personal Data;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection laws.
7. Technical and Organizational Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
7.1 Access Control
- Role-based access controls with least-privilege principles;
- Multi-factor authentication support for user accounts;
- Secure password hashing using industry-standard algorithms;
- Automatic session expiration and account lockout policies.
7.2 Transmission Control
- Encryption of all data in transit using TLS 1.2+ (HTTPS);
- Secure API endpoints with HMAC-signed URLs for sensitive document rendering.
7.3 Storage Control
- Encryption of data at rest on all storage systems;
- Secure cloud infrastructure with physical security controls;
- Regular automated backups with encrypted backup storage.
7.4 Organizational Measures
- Regular security awareness training for personnel;
- Confidentiality agreements with all employees and contractors;
- Incident response and business continuity plans;
- Regular review and audit of security policies and procedures.
8. Sub-processors
8.1 Authorization. The Controller provides general authorization for the Processor to engage Sub-processors to assist in delivering the Service. A current list of Sub-processors is available upon request.
8.2 Sub-processor Obligations. The Processor shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA;
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations.
8.3 Changes. The Processor will notify the Controller of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes on reasonable grounds relating to data protection within fourteen (14) days of notification.
9. Data Retention and Deletion
9.1 Retention. Personal Data will be retained for the duration of the Terms and for any additional period required by applicable law (such as tax record-keeping requirements under Indian law).
9.2 Deletion. Upon termination of the Terms, or upon the Controller's written request, the Processor shall, at the Controller's election:
- Return a complete copy of all Personal Data to the Controller in a standard, machine-readable format; or
- Securely delete all Personal Data, except where retention is required by applicable law.
Any deletion shall be completed within sixty (60) days of the termination date, subject to backup cycle limitations.
10. International Data Transfers
The Processor may transfer Personal Data to countries outside the European Economic Area (EEA), the United Kingdom, or India, provided that adequate safeguards are in place in accordance with applicable data protection laws. Such safeguards may include:
- EU Standard Contractual Clauses (SCCs);
- Binding Corporate Rules;
- Adequacy decisions issued by relevant regulatory authorities;
- Other lawful transfer mechanisms recognized under applicable data protection laws.
11. Audit Rights
The Controller may, no more than once per calendar year and upon at least thirty (30) days' written notice, request an audit of the Processor's compliance with this DPA. Such audit shall be:
- Conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations;
- At the Controller's sole expense (unless the audit reveals material non-compliance, in which case the Processor shall bear its reasonable costs);
- Limited in scope to those systems, processes, and records directly relevant to the processing of Personal Data.
The Processor may satisfy audit requests by providing a third-party audit report (e.g., SOC 2, ISO 27001) conducted within the previous twelve (12) months, where available.
12. Data Breach Notification
12.1 Notification. Upon becoming aware of a Data Breach, the Processor shall notify the Controller without undue delay and in any event within forty-eight (48) hours.
12.2 Contents. The notification shall include:
- A description of the nature of the Data Breach;
- The categories and approximate number of Data Subjects and Personal Data records concerned;
- The likely consequences of the Data Breach;
- Measures taken or proposed to be taken to address the Data Breach and mitigate its effects.
12.3 Cooperation. The Processor shall cooperate with the Controller and take such reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each Data Breach.
13. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service, except where such limitations are prohibited by applicable data protection laws. Nothing in this DPA limits either party's liability for damages caused by its intentional misconduct or gross negligence.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Service, unless otherwise required by applicable data protection laws.
15. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall prevail.
16. Contact
For any questions regarding this DPA or to exercise your rights, please contact:
Data Protection Officer
Sri Anant Enterprises
Email: dpo@salarier.com