Data Processing Agreement

GDPR Article 28 compliant agreement governing how Fininvo processes personal data on your behalf

Last Updated

February 28, 2026

Effective Date

March 1, 2026

Version

1.0

This Data Processing Agreement is published by Fininvo, a trade name of Prashbi Global Services Pvt. Ltd., a company incorporated under the laws of India (CIN: U52100KA2020PTC133490), with its registered office at Tholons Tower, 346 HIG, 17th Cross Rd, Dollars Colony, R.M.V. 2nd Stage, Bengaluru, Karnataka 560094, India. References to "Fininvo", "we", "us", or "our" in this document refer to Prashbi Global Services Pvt. Ltd.

How to Execute This DPA: To sign and execute this Data Processing Agreement, contact us at legal@fininvo.com or download a pre-signed copy directly from your account settings under Privacy & Compliance.

1

Definitions

The following terms shall have the meanings set forth below when used in this Data Processing Agreement ("DPA"):

"Controller"

The entity (you, the Customer) that determines the purposes and means of the processing of Personal Data.

"Processor"

Fininvo (Prashbi Global Services Pvt. Ltd.), which processes Personal Data on behalf of the Controller.

"Data Subject"

An identified or identifiable natural person whose Personal Data is processed under this agreement.

"Personal Data"

Any information relating to a Data Subject, including names, email addresses, employee records, and financial information.

"Processing"

Any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, or deletion.

"Sub-processor"

A third party engaged by Fininvo to process Personal Data on behalf of the Controller in connection with the Services.

2

Scope & Purpose of Processing

This DPA applies to all Personal Data processed by Fininvo on behalf of the Controller in connection with the provision of the Fininvo SaaS platform, including ERP, HRMS, Payroll, and related enterprise services.

Categories of Data Processed

  • Employee data: names, contact details, employment records, salary information
  • Customer and vendor data: business contact details, transaction records
  • Financial data: invoices, payment records, bank account details
  • User account data: login credentials, access logs, preferences

Lawful Basis for Processing

Fininvo processes Personal Data solely for the following purposes:

  • Performance of the service agreement between Controller and Processor
  • Compliance with legal obligations applicable to the Controller
  • Legitimate interests of the Controller in managing business operations

3

Obligations of the Processor

Fininvo, as the Processor, undertakes the following obligations in accordance with GDPR Article 28:

Confidentiality

All personnel authorized to process Personal Data are bound by confidentiality obligations and have received appropriate training.

Documented Instructions

Processing is carried out only on documented instructions from the Controller, unless required by applicable law.

DSAR Assistance

Fininvo assists the Controller in fulfilling Data Subject Access Requests (DSARs) through technical and organizational measures.

Compliance Support

Fininvo assists with DPIAs, prior consultations with supervisory authorities, and regulatory compliance obligations.

GDPR Compliance Commitment

Fininvo is fully committed to GDPR compliance and maintains ongoing programs to ensure that all data processing activities meet or exceed the requirements of the General Data Protection Regulation (EU) 2016/679, as well as applicable national data protection laws.

4

Sub-processing

The Controller provides general authorization for Fininvo to engage Sub-processors for the purpose of delivering the Services, subject to the following conditions:

Sub-processor List: A current list of all Sub-processors is maintained and available at our Subprocessors page.

Notification of Changes: Fininvo will notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors.

Right to Object: The Controller may object to a new Sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the affected Services.

Equivalent Obligations: All Sub-processors are bound by data protection obligations no less protective than those in this DPA.

5

Data Subject Rights

Fininvo assists the Controller in responding to Data Subject requests exercising their rights under GDPR, including:

Right of Access

Providing copies of Personal Data processed, including categories and recipients.

Right to Rectification

Correcting inaccurate or incomplete Personal Data without undue delay.

Right to Erasure

Deleting Personal Data where no lawful basis for continued processing exists.

Right to Portability

Exporting Personal Data in a structured, machine-readable format (JSON, CSV).

Right to Restriction

Restricting processing of Personal Data when accuracy is contested or processing is unlawful.

Right to Object

Ceasing processing where the Data Subject objects on grounds relating to their particular situation.

Response Timeline: Fininvo will assist the Controller in responding to Data Subject requests within the timeframes mandated by GDPR (typically 30 days). Requests can be submitted via the platform dashboard or by emailing dpo@fininvo.com.

6

Data Breach Notification

In accordance with GDPR Article 33, Fininvo maintains robust breach detection and notification procedures:

  • Maximum Notification Time: 72h
  • Breach Monitoring: 24/7
  • Incident Documentation: 100%

Breach Notification Contents

  • Nature of the breach, including categories and approximate number of Data Subjects affected
  • Name and contact details of the Data Protection Officer
  • Description of likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate adverse effects

Cooperation

Fininvo will cooperate fully with the Controller and any supervisory authority in investigating and remediating any Personal Data breach, including providing all information necessary for the Controller to meet its own notification obligations.

7

Data Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA), Fininvo ensures adequate safeguards are in place:

Standard Contractual Clauses

EU Commission-approved SCCs (2021/914) are incorporated into all Sub-processor agreements for international transfers.

Adequacy Decisions

Where available, transfers rely on EU Commission adequacy decisions recognizing equivalent data protection standards.

Supplementary Measures

  • Transfer Impact Assessments (TIAs) conducted for all cross-border transfers
  • End-to-end encryption for all data in transit between jurisdictions
  • Pseudonymization applied where technically feasible
  • Data residency options available for EU, US, and India regions

UK Transfers: For transfers to or from the United Kingdom, Fininvo applies the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as appropriate.

8

Technical & Organizational Measures

Fininvo implements the following technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk of processing:

Encryption

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Encrypted database backups

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Principle of least privilege

Monitoring

  • 24/7 intrusion detection systems
  • Real-time security event logging
  • Automated vulnerability scanning

Backup & Recovery

  • Automated daily backups
  • Point-in-time recovery
  • Geo-redundant backup storage

Personnel Security

  • Background checks for all staff
  • Annual security awareness training
  • Confidentiality agreements

Network Security

  • Web application firewall (WAF)
  • DDoS protection
  • Network segmentation and VPC isolation

9

Data Deletion & Return

Upon termination or expiry of the Services agreement, Fininvo will handle Personal Data as follows:

Data Export

The Controller has a 30-day window after termination to export all Personal Data in standard formats (JSON, CSV, PDF).

Certified Deletion

After the 30-day export window, all Personal Data is permanently deleted from all systems, including backups and replicas.

Deletion Certificate: Upon request, Fininvo will provide a written certificate confirming the permanent deletion of all Personal Data, including the date of deletion and the methods used.

Exceptions to Deletion

Fininvo may retain Personal Data beyond the deletion timeline only where required by applicable law (e.g., tax records, legal hold requirements). In such cases, the Controller will be informed of the legal basis and expected retention period.

10

Audit Rights

The Controller has the right to verify Fininvo's compliance with this DPA through audits and inspections:

Audit Reports

Fininvo's security practices are aligned with SOC 2 Type II and ISO 27001 standards. Formal certification is in progress, and audit reports will be made available upon completion under NDA.

On-site Audits

Controllers may conduct on-site audits with 30 days' written notice, during business hours, subject to reasonable confidentiality requirements.

Third-Party Audits

The Controller may engage an independent third-party auditor (bound by confidentiality) to conduct audits on their behalf. Fininvo will cooperate fully and provide access to relevant facilities, systems, and documentation.

Audit Costs: Each party bears its own costs for audits. If an audit reveals material non-compliance, Fininvo will bear the reasonable costs of any follow-up audit to verify remediation.

11

Term & Termination

Effective Date

This DPA becomes effective upon execution of the underlying Services agreement between the Controller and Fininvo.

Survival

Data protection obligations under this DPA survive termination of the Services agreement for as long as Fininvo retains any Personal Data.

Termination Provisions

  • This DPA terminates automatically upon termination of all Services agreements between the parties
  • Either party may terminate this DPA if the other party materially breaches its obligations and fails to cure within 30 days of written notice
  • Obligations regarding data deletion, return, and confidentiality survive termination indefinitely

LEGALLY BINDING DOCUMENT

This Data Processing Agreement constitutes a legally binding contract between the Controller and Fininvo (Prashbi Global Services Pvt. Ltd.) regarding the processing of Personal Data. By executing this DPA or using the Services, both parties agree to comply with all obligations set forth herein.

If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect. This DPA shall be governed by the laws specified in the underlying Services agreement.

Contact Our Data Protection Team

Legal Inquiries

legal@fininvo.com

Data Protection Officer

dpo@fininvo.com

CIN

U52100KA2020PTC133490

Registered Office

Prashbi Global Services Pvt. Ltd.
Tholons Tower, 346 HIG, 17th Cross Rd, Dollars Colony,
R.M.V. 2nd Stage, Bengaluru, Karnataka 560094, India