Case study

India fintech — CERT-In & DPDP compliance in 4 weeks

A pre-Series A Indian fintech SaaS needed to get compliant before an enterprise sales push. Starting from zero, with an Aadhaar KYC flow and individual consumer data in scope, we ran the full engagement: regulatory mapping, data privacy, VAPT, and policies.

Client profile

Client identity withheld by request.

Sector: Fintech SaaS — service fees only, no money movement
Users: Individual consumers, Aadhaar-verified
KYC: 3rd-party provider (licensed Sub-AUA)
Stage: Pre-Series A, ~15 person team
Geography: India
Package: Standard
Timeline: 4 weeks

The challenge

The company was 18 months into building. They had a working product, paying users, and an Aadhaar KYC flow — but no formal compliance posture. A potential enterprise customer had asked for a security questionnaire. A VC due diligence checklist had flagged DPDP Act readiness as a gap.

They needed to know: what actually applies to us, and what does it take to be compliant? Not a list of every possible regulation — a precise answer for their specific business model.

They also needed it done quickly. Not a 6-month consulting project. Practical, implemented compliance — not a thick report.

What we mapped first

Before any work began, we ran a regulatory profile assessment. The goal: confirm what's mandatory, what's not yet triggered, and what will never apply to this business model.

Mandatory — act now

  • CERT-In Directions 2022
  • DPDP Act 2023
  • IT Act 2000 / IT Rules 2011
  • Aadhaar KYC compliance (via Sub-AUA)

Not applicable — confirmed

  • RBI licence / Digital Lending Guidelines
  • Payment Aggregator licence
  • PCI DSS
  • ISO 27001 (no enterprise clients yet)
  • SOC 2 (no US investors or clients)

What we delivered

1. Regulatory profile assessment

Mapped the exact regulatory obligations for their business model — what applied, what didn't, and why. The team left that first session knowing precisely what they needed to do and what they could stop worrying about.

2. Mandatory legal baseline

Got the non-negotiable legal requirements in place — incident reporting readiness, log retention, data residency confirmation. The items that carry legal liability if missed, completed in the first two weeks.

3. DPDP Act 2023 compliance

Full data inventory across all systems. Plain-language privacy notice written for their users. Consent flows reviewed and corrected. Grievance mechanism set up. Breach response procedure documented. Vendor agreements updated.

4. Third-party KYC compliance

Reviewed and confirmed their KYC integration met applicable legal requirements — the right provider relationships in place, the right data handling practices, the right consent flows.

5. Security testing

Ran a full security assessment of their application and infrastructure. Delivered a prioritised findings report. Worked with their engineering team through remediation and ran a second assessment to confirm closure.

6. Security policies

Five core security policies written and adopted by the team — practical documents that reflect how they actually work, not generic templates lifted from the internet.

7. Forward roadmap

A clear, honest roadmap — ISO 27001, SOC 2, PCI DSS mapped to the business events that would actually trigger them. No unnecessary work recommended.

Outcomes

CERT-In Directions 2022 — fully compliant
DPDP Act 2023 — readiness plan implemented
Aadhaar KYC flow — legally compliant
VAPT v2 — zero Critical or High findings
5 core policies — in place and signed off
Security monitoring — logs centralised, 180-day retention
Enterprise security questionnaire — ready to respond
Trigger roadmap — ISO 27001, SOC 2 gates defined

Similar situation? Let's map your regulatory exposure in a free 30-minute call.
