Skip to main content
Legal

Data Processing Terms

These terms govern how corpus processes personal and business data on your behalf as a data processor.

Last updated: 28 June 2026 · Effective: 28 June 2026

1. Definitions

Data Controller

You — the customer using corpus to manage your business data. You determine the purposes and means of processing.

Data Processor

corpus (Elanora Group) — we process personal and business data on your behalf, following your instructions and these terms.

Personal Data

Any information relating to an identified or identifiable natural person — including your customers, employees, and vendors stored in corpus.

Business Data

Financial records, accounting entries, GST filings, invoices, and other business records you create or import into corpus.

Processing

Any operation on data — collection, storage, retrieval, use, disclosure, or deletion.


2. Roles & Responsibilities

You are the Data Controller. corpus is the Data Processor. This means:

  • corpus processes data only on your documented instructions (i.e., by your use of the product features).
  • corpus does not determine the purpose or legal basis of processing — you do.
  • You are responsible for ensuring you have a lawful basis for processing your customers' and employees' personal data inside corpus.
  • corpus will not process your data for any purpose other than providing the Services, unless required by Indian law.

3. Processing Details

CategoryData TypesPurposeRetention
Account dataName, email, phone, GSTIN, PANAuthentication, billing, complianceDuration of subscription + 7 years
Financial dataInvoices, ledgers, vouchers, bank statementsAccounting, GST, reporting7 years (Indian CA Act requirement)
Employee dataSalary, PF, TDS, Form 16Payroll processing7 years
Customer / vendor dataName, GSTIN, address, contact detailsInvoicing, GST, payments7 years
Security eventsIP, device fingerprint, login timestampsFraud prevention, audit90 days active + 7 years archive
Usage dataPage views, feature usageProduct improvement2 years (anonymized after 90 days)

4. Sub-processors

corpus uses the following sub-processors to deliver the Services. All sub-processors are bound by Data Processing Agreements and process data only as directed by corpus.

Sub-processorPurposeData location
SupabaseManaged PostgreSQL database, authentication, storageIndia (Mumbai ap-south-1)
VercelApplication hosting and edge deliveryIndia (primary) + edge globally
OpenAIAI-powered features (narration, insights, NL queries)USA — zero-retention API agreement
UpstashRedis caching and Kafka event streamingEU / USA — data classified, no PII stored
RazorpayPayment processing (billing only)India
LangfuseLLM observability and monitoringEU — anonymized traces only

We will notify you 30 days before adding a new sub-processor. You may object by emailing hello@corpuserp.com.


5. Security Measures

corpus implements appropriate technical and organizational security measures including:

  • AES-256 encryption at rest; TLS 1.3 in transit
  • PostgreSQL Row Level Security enforcing per-organization data isolation
  • Immutable audit log for all data modifications
  • Device registry and session management with impossible-travel detection
  • Automated daily backups with 30-day point-in-time recovery
  • Annual penetration testing by independent third parties
  • Role-based access control with granular permissions

Full technical details are available on the Security page.


6. Data Subject Rights

If your customers or employees (data subjects) exercise their rights (access, correction, deletion, portability) against you as Data Controller, corpus will assist you in fulfilling those requests:

  • All your data is exportable in CSV and JSON from the corpus UI at any time.
  • You can delete individual records (customers, vendors, employees) from within the app.
  • For bulk deletion or data subject requests that require corpus assistance, email hello@corpuserp.com. We will respond within 7 days.

7. Breach Notification

In the event of a personal data breach that is likely to affect your data, corpus will notify you without undue delay and in any event within 72 hours of becoming aware of it. The notification will include the nature of the breach, categories and approximate number of records affected, likely consequences, and the measures corpus has taken or proposes to take to address it.


8. Deletion & Return of Data

Upon termination of your subscription, corpus will:

  • Retain your data in read-only form for 30 days, during which you may export all data.
  • After 30 days, delete your data from active systems within 7 business days.
  • Retain only data required by applicable Indian law (Company Act 2013, Income Tax Act, GST Act) for the statutory period.
  • Upon written request, provide a certificate of deletion for the non-statutorily-retained data within 30 days.

9. Contact

corpus (by Elanora Group)

Data Protection Officer

Email: hello@corpuserp.com

Response time: Within 7 business days