Security & Data Handling

1. Our Data Handling Approach

Report 360 is designed to process business and reporting data required for dashboards, analytics, reconciliations, KPIs, alerts, and AI-assisted explanations.

We do not intentionally ingest or store customer contact details, addresses, or personal profile information from Tally/ERP records unless such information is specifically required for a feature or provided by the customer.

Our platform primarily processes:

• Accounting data.
• GST-related data.
• Sales and purchase data.
• Inventory data.
• Ledger, voucher, invoice, and reporting data.
• Company/entity identifiers.
• GSTIN and PAN/TRN-based licensing references.
• Dashboard and analytics configuration.
• Usage, billing, and technical logs.

However, some limited personal data may still be processed through user accounts, billing details, support communication, technical logs, or individual-linked business identifiers such as GSTIN in some cases.

2. Data Minimisation

We aim to collect and process only the data required to provide the Service.

Customers should avoid uploading unnecessary personal data, contact lists, personal addresses, identity documents, employee records, bank account details, or unrelated confidential information unless specifically required for the feature being used and lawfully permitted.

Customers are responsible for ensuring that the data they connect, upload, or sync with Report 360 is lawful, accurate, authorised, and appropriate for processing.

3. Encryption and Secure Transmission

Report 360 uses secure transmission methods such as HTTPS/TLS for data exchanged between users, browsers, connectors, APIs, and our servers.

Customers should ensure that they access Report 360 only from secure devices, trusted networks, updated browsers, and authorised systems.

4. Access Control

Report 360 uses account-based access controls to restrict access to customer workspaces and data.

Depending on the plan and feature availability, customers may control:

• User access.
• Workspace access.
• Role-based permissions.
• Entity/company access.
• Dashboard or feature-level access.
• API or connector access.

Customers are responsible for granting access only to authorised users and removing access when users leave the organisation or no longer require access.

5. Login and Account Security

Customers are responsible for maintaining the confidentiality of their login credentials.

Customers should:

• Use strong passwords.
• Avoid sharing login credentials.
• Restrict access to authorised personnel.
• Review user access periodically.
• Immediately revoke access for users who leave the organisation.
• Notify Report 360 if they suspect unauthorised access.

Report 360 is not responsible for losses caused by shared passwords, compromised devices, unauthorised customer-side access, weak internal controls, malware, phishing, or customer-side negligence.

6. Connector and API Security

Report 360 may connect with Tally, ERP systems, APIs, files, databases, or other customer-approved data sources.

Customers are responsible for:

• Installing connectors only on authorised systems.
• Providing correct access permissions.
• Ensuring that ERP/Tally access is authorised.
• Securing API keys, tokens, and connector credentials.
• Removing or rotating credentials when no longer required.
• Not exposing API keys or connector credentials publicly.

We may suspend or restrict connector/API access if we detect suspicious activity, excessive usage, security risk, unauthorised access, or violation of fair usage limits.

7. AI Chat and AI Data Handling

Report 360 may provide AI-assisted features for dashboard explanations, summaries, anomaly comments, reconciliation assistance, and chat-based analysis.

We do not permanently store AI chat history as a guaranteed user record.

AI interactions may be held temporarily in browser tab/session storage or short-lived runtime memory to provide the current chat experience. If the user refreshes the page, closes the tab, changes device, clears browser storage, or the session expires, AI chat history may be lost and may not be recoverable.

For billing, credit control, debugging, abuse prevention, and service reliability, we may store limited AI usage metadata such as:

• Tokens consumed.
• Tools/functions used.
• Credit/debit entries.
• Error logs.
• Request timestamps.
• Model/provider usage category.
• Workspace/account reference.
• Technical diagnostic logs.

Users should not treat AI chat as permanent document storage, audit evidence, statutory record, or official working paper. Important outputs should be separately saved by the user.

8. Logs and Monitoring

Report 360 may maintain technical logs, usage logs, API logs, connector logs, error logs, security logs, and billing/credit logs.

These logs help us:

• Troubleshoot issues.
• Monitor performance.
• Detect errors.
• Prevent abuse.
• Calculate usage and credits.
• Investigate security issues.
• Improve reliability.
• Maintain auditability for billing and support.

Logs are not intended to be a permanent business record for customers.

9. Backups and Disaster Recovery

Report 360 may maintain operational backups and recovery controls to support service continuity, data protection, and disaster recovery.

However, Report 360 is not a substitute for the customer’s own accounting software, ERP system, Tally data, statutory records, audit working papers, government filings, source documents, or backups.

Customers must maintain their own backups of:

• Tally/ERP data.
• Accounting records.
• GST and tax records.
• Source invoices and vouchers.
• Statutory filings.
• Financial statements.
• Audit evidence.
• Important downloaded reports.

Operational backups are maintained for service recovery purposes and may not be available for individual customer restore requests in every situation.

10. Staff Access to Customer Data

Report 360 limits internal access to customer data based on business need.

Authorised team members may access limited customer data where necessary for:

• Support.
• Debugging.
• Implementation.
• Security investigation.
• Billing verification.
• Service maintenance.
• Customer-authorised assistance.

Customers should avoid sharing unnecessary sensitive information in support messages, screenshots, attachments, or AI prompts.

11. Third-Party Service Providers

Report 360 may use third-party service providers for hosting, storage, databases, AI models, payment processing, email, notifications, analytics, monitoring, logging, support, and security.

These providers may process data only as required to provide their services to Report 360.

We choose service providers based on operational, security, reliability, performance, and business requirements. Provider locations and infrastructure may change over time.

12. Incident Handling

If we become aware of a security incident affecting customer data, we will take reasonable steps to investigate, contain, mitigate, and communicate as appropriate based on the nature of the incident, applicable law, and available information.

Customers must promptly notify us if they suspect:

• Account compromise.
• Unauthorised access.
• API key exposure.
• Connector misuse.
• Suspicious activity.
• Data leakage.
• Incorrect user permissions.
• Device or credential compromise.

13. Customer Responsibilities

Security is a shared responsibility.

Customers are responsible for:

• Ensuring lawful use of Report 360.
• Providing only authorised data.
• Maintaining accurate source data.
• Managing user access.
• Protecting login credentials.
• Securing local systems and devices.
• Maintaining their own backups.
• Reviewing dashboards and reports before relying on them.
• Saving important AI outputs separately.
• Informing Report 360 about suspected security issues.

14. No Absolute Security Guarantee

We use reasonable safeguards to protect the Service, but no software, cloud system, API, AI system, network, database, or internet-based service can be guaranteed to be fully secure, uninterrupted, or error-free.

Report 360 is provided on a commercially reasonable, best-effort basis unless a separate written enterprise agreement expressly provides otherwise.