Privacy Policy — Veloxis

Effective date: [to be set on first publication]
Last revised: 2026-04-16
Data Fiduciary: VKG & Associates, Chartered Accountants
Grievance Officer: CA Krishna Gujarathi, krishna@vkg.co.in


This Privacy Policy explains how VKG & Associates ("the Firm", "we", "us", "our") collects, uses, stores, protects, and shares personal data in connection with the Veloxis audit-management platform ("Veloxis", "the Platform"). It is issued under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Rules, 2021, and read together with the Firm's Terms of Service.

Veloxis is a professional-services tool used by the Firm's personnel and authorised clients to conduct statutory audits, tax audits, ITR filings, internal audits, and related engagements. It processes personal data belonging to client organisations, their employees, directors, partners, vendors, and customers — in each case as an authorised sub-processor or data fiduciary under the engagement letter in force between the Firm and the respective client.

1. Who this applies to

  • Authorised staff of the Firm — partners, managers, seniors, articles, and contractors using Veloxis internally.
  • Authorised clients of the Firm — persons and entities with an active engagement letter, who may access Veloxis via the client portal for document upload, query response, and delivery of signed outputs.
  • Third parties whose personal data is processed by Veloxis in the course of audit work — directors, employees, partners, customers, vendors, and counterparties of client organisations, whose data reaches Veloxis through books of account, trial balances, daybooks, registers, and uploaded documents.

Where the third-party personal data is provided by the client organisation under an engagement letter, the client organisation is the data fiduciary and the Firm (through Veloxis) acts as the data processor.

2. Categories of personal data processed

Veloxis processes the following categories, each strictly for the purpose of delivering professional services:

From staff users — name, Firm email, role, ICAI membership number (for partners), login credentials (hashed password, session tokens, optional 2FA secrets), IP address and device fingerprint of authentication events, audit trail of actions performed within the Platform.

From client-portal users — name, contact email, organisation name and relationship to the client, login credentials, IP address, audit trail of portal activity, documents uploaded via the portal.

From client books of account ingested into Veloxis — Permanent Account Number (PAN), Tax Deduction Account Number (TAN), Goods and Services Tax Identification Number (GSTIN), Corporate Identification Number (CIN), Aadhaar number (where present in uploaded documents), bank account numbers, employee salary data, partner capital data, vendor and customer identifiers, transaction narrations, voucher numbers, communication addresses.

From uploaded working-paper documents — whatever personal data the underlying document contains, including photographs, signatures, and identity-proof copies where attached for audit purposes.

The Firm does not knowingly collect personal data of children under eighteen. If such data is present within a client's books of account (e.g., minor beneficiaries of a Trust), it is handled under the same confidentiality and security protections as all other personal data.

3. Lawful basis for processing

The DPDP Act, 2023 recognises two routes for processing personal data: consent under §6, and the certain legitimate uses enumerated in §7. The Firm processes personal data on the following bases:

  • Consent (DPDP §6) — where a data principal (a staff user, a client-portal user, or a member of a client's personnel) provides personal data directly to the Firm for inclusion in the Platform. The notice contemplated by §5 is provided at the point of data collection and consent is recorded.
  • Certain legitimate uses (DPDP §7) — specifically:
    • §7(b): for fulfilling any obligation under any law for the time being in force in India to disclose information to the State or its instrumentalities — applies to retention of audit working papers under the Companies Act 2013, Income-tax Act 1961, GST Act 2017, and the related ICAI Standards on Auditing and Standards on Quality Control.
    • §7(c): for compliance with any judgment, decree, or order — applies if the Firm is required to retain or produce specific personal data in response to a judicial direction.
    • §7(g): for purposes related to employment or for safeguarding the employer from loss or liability — applies to processing personal data of Firm staff for engagement management, time tracking, and review oversight.
  • Performance of the engagement letter — where personal data of third parties (the client's directors, partners, employees, customers, vendors) reaches Veloxis through books of account or supporting documents, the client organisation is the data fiduciary and the Firm acts as the data processor under §8 of the DPDP Act in accordance with the written engagement letter.

4. Purposes for which personal data is used

Personal data is used exclusively for:

  • Performing the audit, tax, ITR, internal audit, or other professional service covered by the engagement letter.
  • Generating signed outputs — audit reports, Form 3CA/3CB/3CD, CARO, IFC report, ITR forms, financial statements, working papers, and related deliverables.
  • Maintaining the audit trail and working papers required under SA 230 and the ICAI Code of Ethics.
  • Communicating with the client organisation and its authorised representatives regarding the engagement.
  • Invoicing and collection of professional fees.
  • Ensuring the security and integrity of the Platform.
  • Regulatory compliance, including responding to lawful requests from the Institute of Chartered Accountants of India, Central Board of Direct Taxes, Goods and Services Tax authorities, Ministry of Corporate Affairs, and other competent authorities.

Personal data is not used for marketing, profiling, advertising, training of artificial intelligence models, or any commercial purpose outside the engagement.

5. Retention period

Personal data is retained for the minimum period required to discharge professional obligations:

  • Working papers and audit evidence — seven (7) years from the date of the auditor's report, as required by ICAI Standard on Auditing SA 230 and the ICAI Standard on Quality Control SQC 1.
  • Books of account and related records — eight (8) years as required by Section 128(5) of the Companies Act 2013 and parallel provisions under Section 44AA of the Income-tax Act 1961.
  • Invoices and accounting records of the Firm — eight (8) years under Goods and Services Tax Act Section 36.
  • Authentication logs and access trails — retained for the duration of the engagement plus seven years for audit-trail tamper-evidence under SA 230.
  • Portal user account data (login credentials, session tokens) — retained for the duration of the portal access plus one year for post-engagement dispute resolution.

After the applicable retention period elapses, personal data is purged or irreversibly anonymised. The Veloxis retention job runs on a scheduled basis and flags records for archival 96 months (8 years) after engagement sign-off, with a 30-day grace period before irreversible deletion.

6. Storage location and sub-processors

Veloxis stores personal data on infrastructure operated by the following sub-processors:

  • Cloudflare R2 (document storage) — object storage with region configuration set to automatic selection by the provider. The Firm is working to pin this to an Indian region in a forthcoming release; data principals who object to automatic cross-border routing may exercise their rights under Section 7 below.
  • Anthropic PBC (United States) — provider of the Claude API used by AI features of the Platform. As of 2026-05, the Firm operates a Tokenisation Pipeline v2 with full pseudonymisation: every plaintext name (client, counterparty, individual) is replaced with a deterministic synthetic Indian-style name and every format-strict identifier (PAN, GSTIN, Aadhaar, TAN, CIN, IFSC, bank account, mobile, e-mail, pincode, UPI handle) is replaced with an opaque bracketed token before any data leaves the Firm's servers. See docs/legal/ai-usage-disclosure.md for the full methodology and docs/privacy-and-tokenization.md for the technical reference. The Firm has reviewed Anthropic's published commercial terms and relies on the "no training on customer data by default" position. Data principals who wish their data never to be processed by AI features may opt out per Section 7.
  • Google LLC (United States) — fall-back provider of the Gemini API used as a secondary route for AI features when configured. The same Tokenisation Pipeline v2 controls apply. The Firm relies on Google's published "no training on customer data by default" position for the API surface.
  • Upstash (Redis-backed rate-limiting) — stores ephemeral counters only, no personal data.
  • Sentry (error tracking) — error metadata with PII redaction applied at the SDK layer. Stack traces and error contexts may incidentally contain personal data; such data is retained by Sentry for 90 days.
  • Cloudflare (DNS, no CDN proxy) — no personal data storage; DNS-only configuration.
  • Hosting infrastructure at 103.13.113.43 (Ubuntu server, India) — primary compute and database.

Cross-border transfers to the United States (Anthropic, Google, Sentry) are made under appropriate contractual safeguards. The Firm shall notify data principals before any new sub-processor is added for routine processing of their data.

The full AI-related disclosure, including what data classes leave the Firm's servers in which form, lives at docs/legal/ai-usage-disclosure.md.
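The following is an added illustration of the deterministic identifier tokenisation described above; it is example code, not the Firm's Tokenisation Pipeline v2 (which also substitutes synthetic names and covers more identifier types). The key, the simplified e-mail and mobile patterns, and the sample narration are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key for this example only; a real pipeline keeps its key server-side.
TOKEN_KEY = b"example-key-not-the-firms"

# Format-strict identifier patterns. PAN and GSTIN follow their public formats;
# e-mail and mobile are simplified for the example. GSTIN is listed first because
# it embeds a PAN, so it must be tokenised before the PAN pattern runs.
PATTERNS = {
    "GSTIN": re.compile(r"\b\d{2}[A-Z]{5}\d{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b"),
    "PAN": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "MOBILE": re.compile(r"\b[6-9]\d{9}\b"),
}
TOKEN_RE = re.compile(r"\[[A-Z]+_[0-9A-F]{10}\]")

def make_token(kind, value):
    """Opaque bracketed token; keyed HMAC makes it deterministic but not invertible."""
    mac = hmac.new(TOKEN_KEY, f"{kind}:{value}".encode(), hashlib.sha256)
    return f"[{kind}_{mac.hexdigest()[:10].upper()}]"

class Pseudonymiser:
    def __init__(self):
        self.vault = {}  # token -> plaintext; never leaves the Firm's server

    def tokenise(self, text):
        """Replace every identifier with its token before text leaves the server."""
        for kind, pattern in PATTERNS.items():
            def swap(match, kind=kind):
                token = make_token(kind, match.group(0))
                self.vault[token] = match.group(0)
                return token
            text = pattern.sub(swap, text)
        return text

    def detokenise(self, text):
        """Restore plaintext in a model response using the server-side vault."""
        return TOKEN_RE.sub(lambda m: self.vault.get(m.group(0), m.group(0)), text)

def residual_identifiers(text):
    """Egress check: kinds of identifier still present in outbound text."""
    return [kind for kind, pattern in PATTERNS.items() if pattern.search(text)]

# Constructed sample narration, not real client data.
SAMPLE = ("Paid Ramesh Traders (GSTIN 27ABCDE1234F1Z5, PAN ABCDE1234F); "
          "contact ramesh@example.in or 9876543210.")
```

Because the token for a given PAN is the same in every document, the model can still correlate entries across an engagement without ever seeing the underlying value.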

7. Rights of the data principal

Under the DPDP Act, every data principal whose personal data is processed by Veloxis has the following rights. These may be exercised by contacting the Grievance Officer at krishna@vkg.co.in:

  • Right to access — to obtain a summary of the personal data being processed, the purposes of processing, and the third parties with whom it has been shared.
  • Right to correction, completion, updating, and erasure — to have inaccurate data corrected, incomplete data completed, outdated data updated, and unnecessary data erased, subject to the Firm's retention obligations under law and the engagement letter.
  • Right to grievance redressal — to have any complaint acknowledged within seven (7) working days and substantively addressed within thirty (30) days.
  • Right to nominate — to designate another individual to exercise these rights in the event of death or incapacity.
  • Right to withdraw consent — where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal, nor does it affect processing required for legal obligations.

The Firm's response to any exercised right will be communicated in English and, where reasonably possible, in the data principal's preferred language.

8. Security safeguards

The Platform implements the following safeguards, commensurate with the sensitivity of the data processed:

  • Transport Layer Security (TLS 1.2 and 1.3) for all network communication.
  • Password hashing via bcrypt with cost factor 12.
  • JSON Web Token session management with short expiry and revocation on role change.
  • Role-based access control with six-tier firm hierarchy and engagement-scoped authorisation.
  • Append-only audit log of all state-changing actions.
  • Tamper-evident working paper assembly with SHA-256 content hashing and 60-day soft-lock followed by hard-lock under SA 230.
  • Principle of least privilege enforced for sub-processor API credentials.
  • Regular security review and code audit (most recent: 2026-04-16).

The Firm does not warrant absolute security. In the event of a personal data breach, the Firm undertakes to notify the Data Protection Board and affected data principals within seventy-two (72) hours of becoming aware of the breach, as required by Section 8(6) of the DPDP Act.

9. Grievance Officer

Any complaint, rights-exercise request, or concern regarding personal data may be addressed to:

CA Krishna Gujarathi
Managing Partner and Grievance Officer
VKG & Associates, Chartered Accountants
Email: krishna@vkg.co.in

Complaints are acknowledged within seven (7) working days of receipt. Substantive response or resolution is provided within thirty (30) days.

If the data principal is not satisfied with the Firm's response, they may escalate to the Data Protection Board of India under the DPDP Act.

10. Updates to this policy

The Firm may revise this Policy from time to time. Material changes will be communicated to registered users and posted with at least thirty (30) days' prior notice before taking effect. The "Last revised" date above reflects the most recent update.


Firm-specific blanks to fill before publication

Before this Policy is made available at /privacy in the Veloxis UI, the following items need to be confirmed or filled in:

  1. Firm's registered address — to be added after the "Data Fiduciary" line in the header.
  2. Effective date — set to the day of first Privacy Policy publication.
  3. Cloudflare R2 region — confirm whether the current region: "auto" configuration has been changed to apac or in, per the Phase E item. If it is still auto, leave the cross-border disclosure in Section 6 as drafted.
  4. Sentry retention — verify 90 days matches the actual Sentry project plan in use.
  5. Upstash region — confirm data-plane region (recommended: AP-South-1 / Mumbai).
  6. Aadhaar handling — confirm whether Veloxis ever stores the full 12-digit Aadhaar number or only the last four digits. If full, reconsider under the UIDAI "data minimisation" guideline and update Section 2.
  7. Sub-processor agreements — confirm that DPA / sub-processor agreements are in place with Cloudflare, Anthropic, Upstash, and Sentry before external-user rollout.

Veloxis is operated by VKG & Associates, Chartered Accountants. Concerns about this document may be raised with the Grievance Officer at krishna@vkg.co.in.