1. Definitions
Data Controller
You — the customer using corpus to manage your business data. You determine the purposes and means of processing.
Data Processor
corpus (Elanora Group) — we process personal and business data on your behalf, following your instructions and these terms.
Personal Data
Any information relating to an identified or identifiable natural person — including your customers, employees, and vendors stored in corpus.
Business Data
Financial records, accounting entries, GST filings, invoices, and other business records you create or import into corpus.
Processing
Any operation on data — collection, storage, retrieval, use, disclosure, or deletion.
2. Roles & Responsibilities
You are the Data Controller. corpus is the Data Processor. This means:
- corpus processes data only on your documented instructions (i.e., by your use of the product features).
- corpus does not determine the purpose or legal basis of processing — you do.
- You are responsible for ensuring you have a lawful basis for processing your customers' and employees' personal data inside corpus.
- corpus will not process your data for any purpose other than providing the Services, unless required by Indian law.
3. Processing Details
| Category | Data Types | Purpose | Retention |
|---|---|---|---|
| Account data | Name, email, phone, GSTIN, PAN | Authentication, billing, compliance | Duration of subscription + 7 years |
| Financial data | Invoices, ledgers, vouchers, bank statements | Accounting, GST, reporting | 7 years (Indian CA Act requirement) |
| Employee data | Salary, PF, TDS, Form 16 | Payroll processing | 7 years |
| Customer / vendor data | Name, GSTIN, address, contact details | Invoicing, GST, payments | 7 years |
| Security events | IP, device fingerprint, login timestamps | Fraud prevention, audit | 90 days active + 7 years archive |
| Usage data | Page views, feature usage | Product improvement | 2 years (anonymized after 90 days) |
4. Sub-processors
corpus uses the following sub-processors to deliver the Services. All sub-processors are bound by Data Processing Agreements and process data only as directed by corpus.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Managed PostgreSQL database, authentication, storage | India (Mumbai ap-south-1) |
| Vercel | Application hosting and edge delivery | India (primary) + edge globally |
| OpenAI | AI-powered features (narration, insights, NL queries) | USA — zero-retention API agreement |
| Upstash | Redis caching and Kafka event streaming | EU / USA — data classified, no PII stored |
| Razorpay | Payment processing (billing only) | India |
| Langfuse | LLM observability and monitoring | EU — anonymized traces only |
We will notify you 30 days before adding a new sub-processor. You may object by emailing hello@corpuserp.com.
5. Security Measures
corpus implements appropriate technical and organizational security measures including:
- AES-256 encryption at rest; TLS 1.3 in transit
- PostgreSQL Row Level Security enforcing per-organization data isolation
- Immutable audit log for all data modifications
- Device registry and session management with impossible-travel detection
- Automated daily backups with 30-day point-in-time recovery
- Annual penetration testing by independent third parties
- Role-based access control with granular permissions
Full technical details are available on the Security page.
6. Data Subject Rights
If your customers or employees (data subjects) exercise their rights (access, correction, deletion, portability) against you as Data Controller, corpus will assist you in fulfilling those requests:
- All your data is exportable in CSV and JSON from the corpus UI at any time.
- You can delete individual records (customers, vendors, employees) from within the app.
- For bulk deletion or data subject requests that require corpus assistance, email hello@corpuserp.com. We will respond within 7 days.
7. Breach Notification
In the event of a personal data breach that is likely to affect your data, corpus will notify you without undue delay and in any event within 72 hours of becoming aware of it. The notification will include the nature of the breach, categories and approximate number of records affected, likely consequences, and the measures corpus has taken or proposes to take to address it.
8. Deletion & Return of Data
Upon termination of your subscription, corpus will:
- Retain your data in read-only form for 30 days, during which you may export all data.
- After 30 days, delete your data from active systems within 7 business days.
- Retain only data required by applicable Indian law (Company Act 2013, Income Tax Act, GST Act) for the statutory period.
- Upon written request, provide a certificate of deletion for the non-statutorily-retained data within 30 days.
9. Contact
corpus (by Elanora Group)
Data Protection Officer
Email: hello@corpuserp.com
Response time: Within 7 business days