DPDP-compliant CA software
Built for the DPDP Act — data in India, isolation you can prove.
A practice holds its clients’ PAN, Aadhaar and returns. FirmsNest is built around that responsibility under the Digital Personal Data Protection Act, 2023 — data kept in India, sensitive data minimised, and tenant isolation enforced in the database and checked before every release.
India data residency · Data minimised by default · Provable tenant isolation
Data residency
Your clients’ data stays in India.
Under the DPDP Act, 2023, personal data is not transferred outside India. Everything FirmsNest holds is hosted in an India region — by design, not by a setting you have to remember to switch on.
Hosted in an India region
Database, document storage and backups all run in an India region. Data residency is not a toggle — it is where the platform runs, by design.
No personal data sent abroad
Personal data is stored, processed and backed up within India. Even the AI assistant runs on an in-India model, so documents are not shipped out to be read.
Seven-year retention
Documents and audit records are retained for seven years, so an engagement stays searchable and defensible long after its season has closed.
Data minimisation
The most sensitive data is minimised or not collected at all.
The DPDP Act asks you to collect only what you need. FirmsNest holds the least it can — and keeps the rest out of logs.
Aadhaar — last-4 only
We never store a full Aadhaar number. Only the last four digits are kept, for matching and reference, so the identifier that matters most stays out of the database.
Bank-account details — not collected
The collection flow for bank-account numbers was removed platform-wide. Data you do not hold cannot leak — minimisation is the simplest protection there is.
Audit logs — ids and amounts, not PII
The audit trail records identifiers and amounts in paise, never personal-data strings. The record of an action stays clean of the personal data the action touched.
Role-based access
People see only what their role allows — a client sees their own engagement, a team member the work assigned to them, within their firm and nowhere beyond.
Provable tenant isolation
One firm can never see another firm’s data — and we can prove it.
Most software asks you to trust that the application code remembers to separate one customer from the next. FirmsNest enforces the separation in the database itself, through row-level security — every record is bound to its firm, and a query can only ever return that firm’s rows.
And it is not taken on faith: an automated isolation test re-checks the rule on every change, and that test must pass before any release ships.
Sealed at the database, checked before release
- Row-level security on every table binds each record to its firm
- Isolation lives in the database, not only in application code
- An automated isolation test must pass before any release ships
- Encrypted storage and an immutable audit trail behind every action
Roles under the DPDP Act
We are the software. You remain the advisor.
Compliance is a partnership, with a clear line between the two roles.
FirmsNest — the processor
We host the platform in an India region, keep data encrypted and isolated by firm, maintain the audit trail, and process the data only on the firm’s instructions.
The firm — the controller
The CA firm is the controller of its clients’ data and remains the professional advisor — it decides what is collected, manages who on its team has access, and owns the accounting, tax and audit work itself.
Questions
What firms ask about DPDP compliance.
What does “DPDP-compliant CA software” mean here?
It means software a CA firm can use as a data processor under the Digital Personal Data Protection Act, 2023 — with data kept in India, personal data minimised, access scoped by role, and a clean audit trail. FirmsNest is built around those obligations rather than retrofitting them.
Is my clients’ data stored in India?
Yes. The database, document storage and backups all run in an India region, and personal data is not transferred outside India. The AI assistant also runs on an in-India model, so documents are not shipped abroad to be read.
How does FirmsNest minimise sensitive data?
Aadhaar is stored as last-4 only, bank-account details are not collected at all, and audit logs carry identifiers and amounts rather than personal-data strings. The principle is to hold as little sensitive data as the work allows.
Could another firm ever see my clients’ data?
No. Tenant isolation is enforced in the database itself through row-level security — every record is bound to its firm, and a query can only return that firm’s rows. An automated isolation test verifies the rule and must pass before any release ships.
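The row-level security described in the Provable tenant isolation section above and in this answer, as an added PostgreSQL example that is not FirmsNest's own schema or test: a hypothetical documents table, a policy binding every row to the firm named in a session setting, and a fail-if-leak check of the kind a pre-release isolation test would run. It assumes PostgreSQL and a non-superuser application role app_user; the table, the app.firm_id setting name and the role are all assumptions.

```sql
-- Hypothetical "documents" table; the firm_id column is the tenant key.
CREATE TABLE documents (
    id      bigserial PRIMARY KEY,
    firm_id bigint NOT NULL,
    title   text   NOT NULL
);

-- Constructed sample rows for two firms, loaded before RLS is switched on.
INSERT INTO documents (firm_id, title)
VALUES (1, 'Firm 1 return'), (2, 'Firm 2 return');

-- Enable RLS and FORCE it so the table owner is subject to the policy too
-- (superusers still bypass RLS, so the application must not connect as one).
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The current firm comes from a session setting the application sets right
-- after authentication. If it is unset, the comparison is NULL and no row
-- is visible or writable: the policy fails closed.
CREATE POLICY firm_isolation ON documents
    USING      (firm_id = NULLIF(current_setting('app.firm_id', true), '')::bigint)
    WITH CHECK (firm_id = NULLIF(current_setting('app.firm_id', true), '')::bigint);

GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

-- Isolation check, run as the non-owner application role for firm 1.
-- Any failure raises, so a CI job running this script fails the release.
SET ROLE app_user;
SET app.firm_id = '1';

DO $$
BEGIN
    IF EXISTS (SELECT 1 FROM documents WHERE firm_id <> 1) THEN
        RAISE EXCEPTION 'isolation failure: another firm''s rows are visible';
    END IF;
    IF (SELECT count(*) FROM documents) <> 1 THEN
        RAISE EXCEPTION 'isolation failure: expected exactly one firm-1 row';
    END IF;
    BEGIN
        INSERT INTO documents (firm_id, title) VALUES (2, 'cross-tenant write');
        RAISE EXCEPTION 'isolation failure: cross-tenant insert was accepted';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;  -- expected: WITH CHECK rejected the row (SQLSTATE 42501)
    END;
END $$;

RESET ROLE;
```

Run the script against a throwaway database in CI; a non-zero exit from psql is the release gate.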
Who is the controller and who is the processor under the DPDP Act?
The CA firm is the data controller — it decides what is collected and owns the professional work. FirmsNest is the processor: it hosts the platform in India, keeps data encrypted and isolated by firm, maintains the audit trail, and processes data only on the firm’s instructions.
Questions about how we handle your firm’s data?
We are happy to walk your team through residency, minimisation and tenant isolation — on a call, or in a demo of the real product.
