Your filing cabinet quietly became a liability

Think about what a mid-sized CA firm actually holds. PANs and Aadhaars for hundreds of individuals. Bank statements, full financial histories, salary details of your clients' employees, digital signature tokens, portal passwords. If you added it up, your practice custodies more sensitive personal data than a small bank branch — and most of it lives in email threads, WhatsApp chats, a shared network drive, and a couple of pen drives that travel home in someone's bag. For decades that was simply how the work got done. It has now become a question you can be asked to answer.

This is not a scare piece. It is a heads-up about a runway that has already started, and about a fix that happens to make your firm run better regardless of the law.

What the DPDP Rules change for a practice

India's Digital Personal Data Protection Act was passed in 2023, and the Digital Personal Data Protection Rules that operationalise it were notified on 13 November 2025, with the Data Protection Board of India being stood up and the substantive obligations phasing in over the following months into 2027. The details will be argued by lawyers for years, and you should take specific advice for your firm. But the direction is not ambiguous. An entity that collects and processes other people's personal data is expected to hold it securely, to be clear about why it was collected, to guard it with reasonable safeguards, and to be able to account for — and where required, erase — it. A CA firm is squarely one of those entities.

  • Identity documents: PAN and Aadhaar for every individual client and, often, their family and staff.
  • Financial records: bank statements, ledgers, investment and loan details — entire financial lives.
  • Credentials: income-tax and GST portal logins, and digital signature tokens held on clients' behalf.
  • Third-party data: payroll and personal details of your clients' own employees, processed through you.
  • Correspondence: the email and chat trails where all of the above currently sits unprotected.

Why email, WhatsApp and a shared drive is the wrong vault

The problem is not that your team is careless. It is that the tools were never built to be a vault. The same client is asked for the same document three times because nobody can find the first copy. An article downloads a client's complete financials onto a personal laptop to work over the weekend, and no record exists that it ever happened. An employee leaves, and their pen drive and email archive leave with them. There is no access control, so everyone can see everything, and no audit trail, so you could not reconstruct who opened what if you tried. None of this is malicious. All of it is exactly what a data-protection regime asks you to have handled.

  • Documents organised per client and per engagement, so nothing is ever re-requested twice.
  • Role-based access that separates what an article can open from what a partner controls.
  • An audit trail recording who viewed, downloaded or shared each document, and when.
  • A secure client upload link, so PAN and bank statements stop arriving over WhatsApp.
  • Retention and erasure controls, so data does not simply accumulate forever by default.
A missed deadline is malpractice you can see. A client's financials on an ex-employee's pen drive is malpractice you will only find out about when it is far too late.
Every client document your team touches is personal data you are now expected to control and account for.
Every client document your team touches is personal data you are now expected to control and account for.
A practice is a custodian of data, not just a producer of returns — and custody has rules now.

This is not what your filing software does

To be clear and fair: CompuTax, Winman, SAG Infotech's Genius, Suvit and Vyapar's TaxOne are strong filing tools, and you should keep them. But a filing engine is not a secure, access-controlled document management system with an audit trail. It is built to compute and submit returns, not to govern who in your firm can open a client's bank statements, or to prove after the fact that only the right person did. That is a different job, and improvising it with folders and passwords shared on a chat is precisely the gap the new rules shine a light on.

How BizRevolt handles it

BizRevolt's CA Practice workspace is built around the idea of running the practice, not just the returns — and a proper client document vault is central to that. Documents live organised by client and engagement, so nothing is re-requested. Access is role-based, separating articles from partners. Every view, download and share is logged in an audit trail. Clients upload sensitive documents through a secure link instead of a chat app, and retention controls mean data does not pile up indefinitely. It sits alongside the deadline tracker, engagements, billing and WIP, so the vault is not a bolt-on but part of how the firm actually works. Pricing stays simple: ₹1,499 a month for a solo practitioner, ₹4,999 for a firm.

There is a quieter benefit that has nothing to do with the law. A practice where every client's documents sit in one organised, searchable place — rather than across three inboxes and a year of WhatsApp history — simply moves faster. Onboarding a new client becomes a checklist instead of a scavenger hunt. A partner reviewing a file at short notice finds what they need without pinging four people. Compliance is the reason you finally fix this; the everyday speed it buys you is the reason you will be glad you did.

If you cannot say today who in your firm can open a given client's bank statements — or prove who already has — that is worth fixing while the DPDP timeline still gives you room to do it calmly. We build BizRevolt in the open with practising CAs, and we would rather learn how your firm handles documents than lecture you about it. Call or WhatsApp +91 91 0657 4865 and tell us where your client data actually lives today.

Image credits: Dave Dugdale, CC BY-SA 2.0, via Wikimedia Commons; Shixart1985, CC BY 2.0, via Wikimedia Commons.