How we host, retain and protect the data you upload.

This Data Policy is published by Octet Logic OPC Private Limited (“Octet Logic”, “we”, “us”) and explains how we handle the business data you upload to or generate inside GSTFiler (the “Service”) — including invoices, debit notes, credit notes, books of account, purchase registers, GSTIN registrations, ledger balances, GSTR-1 / GSTR-3B return drafts and filed copies, GSTR-2A and GSTR-2B snapshots, e-invoices, e-way bills, IMS records, reconciliation workpapers, journal entries, attachments and audit-trail entries (collectively, “Customer Data”).

This Data Policy is in addition to, and forms part of, the Terms of Use. Personal information about individuals who use the Service (you and your team members) is governed separately by the Privacy Policy.

In the language of the Digital Personal Data Protection Act, 2023, where Customer Data contains personal information about your customers, vendors, employees or other third parties, you are the Data Fiduciary and we are a Data Processor processing that data on your written instructions through the Service.

As between you and us, you own all Customer Data. We claim no proprietary interest in it. You retain all rights, title and interest in and to Customer Data, including all intellectual-property rights.

You grant us a limited, worldwide, royalty-free, non-exclusive, non-transferable licence to host, copy, transmit, process, display and back up Customer Data, solely to the extent necessary to:

• operate the Service and the features you have enabled;
• file returns, e-invoices, e-way bills or other artefacts on your instruction;
• provide customer support and resolve incidents;
• maintain backups, security monitoring and audit trails;
• comply with applicable law and lawful requests from authorities.

We do not sell Customer Data. We do not use Customer Data to train any artificial-intelligence model offered to other customers. Any automation features that operate on Customer Data (such as books-vs-2B reconciliation or rate-suggestion helpers) run within your workspace and do not export Customer Data to a shared model.

Your Customer Data is stored on encrypted infrastructure in the Asia-Pacific region, with document storage anchored in India:

• Production database — books, invoices, ledger entries, return drafts, master data and the audit trail are held in a managed Postgres cluster in the Asia-Pacific region, encrypted at rest with AES-256 and in transit with TLS 1.3.
• Document storage — voucher PDFs, attachments and supporting documents are held in the Mumbai (India) region.
• Encrypted backups — database backups are retained alongside the primary database; document-storage backups are retained in India.

The application code that serves pages and APIs runs on an edge / CDN network so that screens load quickly wherever you sign in from. The code itself does not persistently store Customer Data; every read and write is fetched from or written to the data layers above in real time.

Connectivity to the GSTN goes through our NIC-approved GST Suvidha Provider (GSP) channel. The NIC and the GSTN are Indian government systems and process data inside India.

The Digital Personal Data Protection Act, 2023 permits cross-border processing of personal data to countries that are not subject to a notified restriction. No country in the Asia-Pacific region in which we presently host data is the subject of such a notification. If and when a country is so notified, we will adjust our hosting arrangements to remain compliant and will tell you in advance.

The Service stores the following classes of Customer Data on your behalf:

• Master data — companies, branches, places of business, GSTINs, customers, vendors, items (with HSN/SAC codes), units of measure, chart of accounts.
• Transactional data — sales invoices, purchase bills, credit and debit notes (GST and non-GST), receipts, payments, journals, contra entries, stock entries.
• GST returns — GSTR-1 / IFF / GSTR-3B prepared and filed drafts, downloaded GSTR-2A / GSTR-2B snapshots, IMS inward and outward records.
• Tax artefacts — e-invoices, IRNs, QR codes, e-way bills, EBN numbers.
• Workpapers — reconciliations, validation logs, comments, attachments and supporting documents.
• Audit trail — an immutable log of every create / update / delete / login / filing event with actor, timestamp, IP and old-vs-new values.

To file returns or fetch data from the GST portal we transmit specific payloads (and only those payloads) to the GSTN through our NIC-approved GSP partner. The payload always includes the GSTIN, the return type and period, and the return / lookup body as specified by the NIC API contract. Where a filing requires authentication by Electronic Verification Code (EVC), the OTP entered by your authorised signatory is forwarded immediately to the GSTN; we do not retain the OTP.

Once a return is filed at the GSTN, the GSTN becomes the system of record for that return. Acknowledgement numbers (ARNs) are stored back in your workspace for reference. Cancellation or rollback at the GSTN end is not possible through the Service; corrections must be made through subsequent returns in accordance with the CGST Act, 2017.

We engage a small number of carefully-chosen sub-processors to operate the Service. Each sub-processor is bound by a written data-processing agreement requiring confidentiality, security controls, and processing only on our documented instructions. The current list is:

• Neon Inc. (managed Postgres, Asia-Pacific region, encrypted at rest with AES-256) — production application database and encrypted database backups.
• Microsoft Azure Blob Storage (India region) — storage of voucher PDFs, attachments and supporting documents.
• Vercel Inc. — application hosting, edge network and CDN for the marketing site and the authenticated app.
• NIC-approved GST Suvidha Provider — the regulated channel through which GST return data and EVC OTPs are transmitted to the GSTN. We may move between approved GSPs over time; the channel itself is always one that holds a current NIC GSP licence.
• Postmark (ActiveCampaign LLC) — transactional email delivery (sign-up OTPs, password reset, notifications).
• Cloudflare, Inc. — DNS, CDN, DDoS protection, anti-bot challenges via Cloudflare Turnstile.
• Razorpay (payment-gateway partner) — processing of subscription payments and refunds.
• Wap2b (Octet Logic OPC Private Limited) — only when you enable WhatsApp delivery of voucher PDFs.

We may add, replace or remove sub-processors as the Service evolves. We will keep the list above current and notify customers of material changes by email or in-app banner at least 15 days in advance.

In transit. All API traffic uses TLS 1.3 with strong cipher suites. We disable insecure protocols and weak ciphers at the load-balancer level.

At rest. Database storage and object storage are encrypted using AES-256. Database backups are encrypted with separate keys and key rotation is performed quarterly.

Secrets. GSP credentials, database passwords, third-party API keys and similar are held in a managed secret store. No secret is committed to source code or to log lines.

Internal access. Access to production systems is restricted to a small set of Octet Logic engineers, each with a personal account and least-privilege role. Production access is reviewed quarterly and revoked on departure or role change. All production-system access is logged.

Customer access. Your team uses the role-based-access-controls (RBAC) you configure in the Service. Workspace Owners are responsible for assigning, reviewing and revoking access.

We retain Customer Data for as long as your account is active. When you delete a record inside the Service, it is soft-deleted and remains recoverable from your workspace for 30 days, after which it is hard-deleted (subject to the backup window in clause 9).

When your account is terminated — whether by you or by us — we move your workspace to a read-only state and retain it for the periods set out below, after which it is irretrievably deleted:

• Books, vouchers and master data — up to 90 days from termination, to allow restoration in case of disputed cancellation. After that, exported on request and deleted.
• Filed GST returns and acknowledgement numbers — retained for 8 years from the end of the relevant financial year, to align with the audit-trail-retention requirements of Section 35 and Rule 56 of the CGST Act, 2017 and the 6-year minimum under Section 36, plus a safety margin.
• Audit-trail entries — retained for the same period as the underlying records they describe.
• Billing and tax records — up to 8 years, in line with the Income-tax Act, 1961 and the Companies Act, 2013.

You may request earlier deletion at any time. We will honour such requests except where law requires us to retain the data, in which case we will tell you and delete the rest.

We take daily encrypted backups and maintain point-in-time recovery for the last 30 days. Backups are stored in the same region (Mumbai) and are encrypted independently of the live database.

Once a month, we restore the most recent backup into a parallel staging environment and verify that the restore completes and that key data is intact. The results of this exercise are reviewed by engineering.

We target a recovery-point objective (RPO) of 15 minutes and a recovery-time objective (RTO) of 4 hours for the production database. These are targets, not warranties.

You can take your Customer Data out of the Service at any time:

• Self-service exports — CSV and Excel exports for ledgers, vouchers, returns and reconciliation reports.
• JSON exports — for filed return payloads (in NIC schema) on demand.
• Bulk export — on written request to support@octetlogictech.com, we will provide a one-time bulk export of your workspace in CSV, JSON or both, within 15 working days. Charges may apply for very large workspaces.

You can ask us to delete your workspace at any time. After we acknowledge your request:

• we close the workspace within 7 working days;
• Customer Data is purged within 30 days from the live system;
• encrypted backups age out within an additional 30 days;
• data we are required to retain by law (see clause 8) is segregated, access-restricted and deleted at the end of the statutory period.

Every read, write, login and filing event in the Service is recorded in an immutable audit log with the actor identifier, timestamp, IP address, user-agent, and (for writes) the old-and-new values. The audit log is available to you inside the Service and can be exported as CSV the moment a regulator or auditor asks for it.

The audit trail is designed to satisfy Section 35 of the CGST Act, 2017 and the corresponding rules, as well as the audit-trail requirement that applies to certain companies under the Companies (Accounts) Rules, 2014.

We maintain a documented incident-response runbook and an on-call rotation. In the event of a security incident:

• we contain and investigate the incident as a priority;
• we preserve forensic evidence;
• we notify affected customers within 72 hours of confirming that a breach has occurred and that it is likely to result in a risk to Customer Data;
• we notify the Indian Computer Emergency Response Team (CERT-In) and the Data Protection Board of India within the timelines required by the CERT-In Directions, 2022 and the Digital Personal Data Protection Act, 2023;
• we publish a written post-incident report describing the root cause, the remediation and the preventive measures.

Notifications are sent to the technical and billing contacts registered with your workspace.

We comply with lawful requests from Indian authorities. We disclose Customer Data only:

• on the basis of a valid summons, notice, warrant or court order from a body of competent jurisdiction, or a written request under a specific statute that compels disclosure; and
• limited to the specific data the authority has demanded.

Where law allows, we will notify you in advance of any disclosure so you can seek protective relief. Where the law prohibits notice (e.g. an explicit gag order) we will not notify, but we will publish aggregate transparency information at intervals where doing so does not breach the law.

As set out in clause 3, your document storage and encrypted document backups are held in India, and your production database is held on encrypted infrastructure in the Asia-Pacific region. Some sub-processors (such as our email-deliverability provider) may also process limited operational metadata — for example, email envelope, delivery status and bounce reports — outside the Asia-Pacific region.

We will not transfer Customer Data to any country that has been notified as restricted under the Digital Personal Data Protection Act, 2023. Every cross-border processing arrangement is supported by a written data-processing agreement that imposes the same confidentiality, security and processing-limitation obligations that bind us under these terms.

We may amend this Policy from time to time. Material changes — including any addition of a new sub-processor, a change in residency, or a change in retention — will be notified to you by email or in-app banner at least 15 days before they take effect. The current version is always published at www.gstfiler.com/data-policy.

For any question about this Data Policy — including export requests, deletion requests, sub-processor questions, or to request a copy of our standard data-processing addendum:

Octet Logic OPC Private Limited
Hyderabad, Telangana, India
Email: support@octetlogictech.com
Telephone: +91 98490 11005