Security & compliance, explained plainly
Plain-language answers to what CERT-In, DPDP, VAPT, WCAG, and cookie audits actually mean — and why they matter for your business.
About Kawacha
What does Kawacha do?
Kawacha makes security and compliance practical for businesses. Instead of thick reports that sit on a shelf, we deliver implemented compliance: the actual policies, configurations, privacy notices, and VAPT findings your business needs to be legally compliant and secure — and we make sure they are actually in place, not just documented.
Who is Kawacha for?
Any business operating digitally in India — fintechs, healthtechs, B2B SaaS, e-commerce. Especially useful before your first enterprise client asks for a security audit, before a fundraise due diligence, or before you start processing significant volumes of user data.
How long does an engagement take?
A full engagement runs 3–5 weeks: regulatory profiling and mandatory baseline in Week 1, data privacy compliance in Weeks 1–2, VAPT in Weeks 1–3, and policy set delivery in Weeks 3–5. The free self-scan takes under 2 minutes.
How much does it cost?
Fixed-fee engagements from ₹1.5L (Starter — data privacy and regulatory baseline) to ₹9L (Complete — security, compliance, framework prep, and a quarterly retainer). No hourly billing. No surprise invoices. The scan is always free.
Do I need this if I'm a small business?
Yes. CERT-In Directions 2022 and the DPDP Act 2023 apply to every organisation in India regardless of size or revenue; there is no small-business exemption. A data breach or a complaint from a user can result in penalties of up to ₹250 crore under DPDP, and failing to comply with a CERT-In direction is an offence under Section 70B(7) of the IT Act 2000, punishable with imprisonment of up to one year, a fine, or both.
Regulations explained
What is CERT-In compliance?
CERT-In Directions 2022 are issued by India's Computer Emergency Response Team under Section 70B of the IT Act and are legally binding on service providers, intermediaries, data centres, body corporates and government organisations operating in India. The three most commonly missed requirements: (1) report cyber incidents to CERT-In within 6 hours of noticing them or being notified of them, (2) retain all ICT system logs for a rolling 180 days and keep them within Indian jurisdiction, (3) synchronise all system clocks to the NTP servers of NPL or NIC (samay1.nic.in, samay2.nic.in); entities with infrastructure in several countries may use another accurate time source provided it does not deviate from NPL/NIC time. There is no size threshold: a 3-person startup and a listed bank have the same obligations.
What is the DPDP Act?
The Digital Personal Data Protection Act 2023 is India's comprehensive data privacy law, broadly modelled on GDPR. If your product collects any personal data (names, email addresses, phone numbers, device IDs, location, or Aadhaar numbers), you are a Data Fiduciary and must: collect data only for a stated, specific purpose; publish a plain-language privacy notice; obtain free, specific, informed, and withdrawable consent (or rely on one of the legitimate uses the Act lists); allow users to access, correct, and erase their data; appoint a grievance officer; and notify affected users and the Data Protection Board of India in the event of a personal data breach. Penalties go up to ₹250 crore per violation.
What is VAPT?
Vulnerability Assessment and Penetration Testing. Kawacha's automated pass uses industry-standard open-source tools: Semgrep for static code analysis against the OWASP Top 10, gitleaks for hardcoded secrets anywhere in repository history (a secret that was committed and later removed is still recoverable from old commits), Trivy for container image and filesystem vulnerabilities, and npm audit / pip-audit for dependency CVEs. A manual checklist then covers what scanners miss: authentication, session management, IDOR, API security, payment flows, and sensitive data handling. Output: a findings report with severity ratings, affected file and line references, and remediation guidance, not just a list of issues.
What is the IT Act 2000?
The Information Technology Act 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, usually called the SPDI Rules, form the foundational digital compliance layer in India. Key obligations for businesses: reasonable security practices for sensitive personal data (ISO/IEC 27001 is the standard the Rules name), a publicly accessible privacy policy, and contractual data handling agreements with third-party processors. The DPDP Act 2023 builds on top of this layer.
What the scan checks
What does the domain scan check?
Email security (SPF, DKIM, DMARC: are you protected against email spoofing?), HTTPS enforcement and redirect behaviour, TLS version (TLS 1.0 and 1.1 are deprecated by RFC 8996), TLS certificate validity and days to expiry, security headers (HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy), exposed subdomains via Certificate Transparency logs, publicly accessible sensitive files (.env, .git, backup files), data breach history via Have I Been Pwned, DPDP compliance signals (privacy policy, grievance contact, consent language), WCAG accessibility checks, and a cookie & tracker audit.
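The grading logic behind the email-authentication, security-header and certificate-expiry checks above, as an added example written for this page (it is not Kawacha's scanner code). It runs over constructed DNS TXT records and response headers rather than live lookups, so it works offline; the thresholds (one-year HSTS, 14-day certificate warning) are my assumptions, and the SPF/DMARC grading follows RFC 7208 and RFC 7489 semantics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Finding:
    check: str
    severity: str   # "pass", "low", "medium" or "high"
    detail: str


def check_spf(txt_records):
    """Grade the SPF record by the qualifier on its 'all' mechanism (RFC 7208)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return Finding("spf", "high", "no SPF record; any host can send as this domain")
    if len(spf) > 1:
        return Finding("spf", "high", "multiple SPF records; receivers treat this as permerror")
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return {
                "-": Finding("spf", "pass", "-all: unlisted senders hard-fail"),
                "~": Finding("spf", "low", "~all: soft fail only; pair it with DMARC p=reject"),
                "?": Finding("spf", "medium", "?all: neutral, gives receivers no signal"),
                "+": Finding("spf", "high", "+all: every host on the internet is authorised"),
            }[qualifier]
    return Finding("spf", "medium", "no 'all' mechanism; unlisted senders are treated as neutral")


def check_dmarc(txt_records):
    """Grade the _dmarc TXT record by its policy (p=) and rollout percentage (pct=)."""
    rec = next((r for r in txt_records if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return Finding("dmarc", "high", "no DMARC record; SPF/DKIM failures are never enforced")
    tags = {}
    for part in rec.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy, pct = tags.get("p"), int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return Finding("dmarc", "pass", "p=reject on 100% of mail")
    if policy in ("reject", "quarantine"):
        return Finding("dmarc", "low", f"p={policy} pct={pct}; finish the rollout to p=reject pct=100")
    return Finding("dmarc", "medium", f"p={policy}; failures are reported but not blocked")


HSTS_MIN_AGE = 31536000   # one year (assumed threshold; also the preload-list minimum)


def check_headers(headers):
    """Evaluate security headers on the HTTPS homepage response (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "").replace(" ", "").lower()
    max_age = next((int(d[8:]) for d in hsts.split(";") if d.startswith("max-age=")), None)
    if max_age is None:
        findings.append(Finding("hsts", "medium", "no HSTS; the first request can be downgraded to HTTP"))
    elif max_age < HSTS_MIN_AGE:
        findings.append(Finding("hsts", "low", f"HSTS max-age={max_age} is under one year"))
    else:
        findings.append(Finding("hsts", "pass", f"HSTS max-age={max_age}"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(Finding("csp", "medium", "no Content-Security-Policy"))
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(Finding("clickjacking", "medium", "neither CSP frame-ancestors nor X-Frame-Options"))
    if "referrer-policy" not in h:
        findings.append(Finding("referrer-policy", "low", "no Referrer-Policy; full URLs leak to third parties"))
    return findings


def check_cert_expiry(not_after, now=None):
    """Days until the certificate's notAfter; 'now' is injectable so runs are deterministic."""
    days = (not_after - (now or datetime.now(timezone.utc))).days
    if days < 0:
        return Finding("tls-cert", "high", f"certificate expired {-days} days ago")
    if days < 14:
        return Finding("tls-cert", "medium", f"certificate expires in {days} days; renew now")
    return Finding("tls-cert", "pass", f"certificate valid for {days} more days")


def scan(txt_by_name, headers, not_after, now=None, domain="example.com"):
    """Run every check over caller-supplied data and return the findings list."""
    findings = [check_spf(txt_by_name.get(domain, [])),
                check_dmarc(txt_by_name.get(f"_dmarc.{domain}", []))]
    findings += check_headers(headers)
    findings.append(check_cert_expiry(not_after, now))
    return findings


# Constructed sample input (not real DNS data or a real site): a typical set-and-forget domain.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = SAMPLE_NOW + timedelta(days=5)

if __name__ == "__main__":
    for f in scan(SAMPLE_TXT, SAMPLE_HEADERS, SAMPLE_NOT_AFTER, SAMPLE_NOW):
        print(f"[{f.severity:6}] {f.check}: {f.detail}")
```

On a live domain the TXT records come from DNS and the headers from a single GET of the homepage; the sample above is the common "SPF softfail plus DMARC p=none" state, which lets spoofed mail through while looking configured at a glance.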
What is a cookie and tracker audit?
We fetch your homepage and inspect two things: (1) what cookies are set before the user takes any action — and whether they have the correct security flags (Secure, HttpOnly, SameSite); (2) what third-party tracking scripts load on first visit, including Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, Intercom, and ~30 other known trackers. Under the DPDP Act 2023, non-essential cookies and trackers that collect personal data require explicit user consent before they load. If your site drops tracking pixels on the first page load with no consent banner, that is a violation.
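The two inspections described above, as an added example written for this page rather than Kawacha's audit code: it parses the Set-Cookie headers of the first response for the three flags and walks the homepage HTML for external resources and inline bootstrap scripts that match a tracker list. The six-host signature list and the sample response are constructed placeholders standing in for the ~35-entry real list and a real site.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed signature list: a handful of hosts standing in for the ~35-entry real one.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "static.hotjar.com": "Hotjar",
    "widget.intercom.io": "Intercom",
}
# Bootstrap fragments that identify a tracker even when it is inlined rather than loaded by src.
INLINE_SIGNATURES = {"fbq('init'": "Meta Pixel", "gtag('config'": "Google Analytics", "_hjSettings": "Hotjar"}


class FirstLoadParser(HTMLParser):
    """Collects every external resource and inline script a browser fetches or runs on first load."""

    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.sources.append(a["src"])
        elif tag == "script":            # no src: the body is inline JavaScript
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def audit_trackers(html):
    """Return {tracker name: evidence} for third-party trackers present before any user action."""
    p = FirstLoadParser()
    p.feed(html)
    found = {}
    for src in p.sources:
        host = urlsplit(src).hostname      # None for same-origin relative paths such as /static/app.js
        if host in TRACKER_HOSTS:
            found.setdefault(TRACKER_HOSTS[host], src)
    for code in p.inline:
        for signature, name in INLINE_SIGNATURES.items():
            if signature in code:
                found.setdefault(name, "inline bootstrap script")
    return found


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value}) with attributes lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value.lower()
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie name: [problems]} for cookies set by the first response."""
    problems = {}
    for header in set_cookie_headers:
        name, a = parse_set_cookie(header)
        issues = []
        if "secure" not in a:
            issues.append("missing Secure (sent over plain HTTP)")
        if "httponly" not in a:
            issues.append("missing HttpOnly (readable by injected JavaScript)")
        samesite = a.get("samesite", "")
        if samesite == "none" and "secure" not in a:
            issues.append("SameSite=None without Secure is rejected by current browsers")
        elif samesite not in ("lax", "strict"):
            issues.append("SameSite not Lax/Strict (sent on cross-site requests)")
        if issues:
            problems[name] = issues
    return problems


def audit_first_load(html, set_cookie_headers):
    """Combine both inspections; any tracker present at first load ran before consent could be given."""
    trackers = audit_trackers(html)
    return {"cookies": audit_cookies(set_cookie_headers), "trackers": trackers,
            "trackers_before_consent": bool(trackers)}


# Constructed sample response (not a real site) showing the usual failure modes.
SAMPLE_HTML = """<!doctype html><html><head><title>Acme</title>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script>!function(f,b){}(window);fbq('init','000000');fbq('track','PageView');</script>
<script src="/static/app.js"></script></head>
<body><img src="//px.example-cdn.net/pixel.gif"></body></html>"""
SAMPLE_SET_COOKIE = [
    "sessionid=3f1a9c; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; SameSite=Lax",
    "affiliate=partner42; Path=/; SameSite=None",
]

if __name__ == "__main__":
    print(audit_first_load(SAMPLE_HTML, SAMPLE_SET_COOKIE))
```

Two limits worth knowing: HttpOnly is the right flag for a session cookie, but a cookie your own front-end must read will legitimately lack it, so the finding needs a human look; and cookies dropped by tracker JavaScript (the _ga family, for instance) never appear in Set-Cookie headers at all, which is why the tracker check looks at scripts rather than cookies.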
What is a WCAG accessibility check?
WCAG (Web Content Accessibility Guidelines) is the international standard for accessible web design. We check your homepage for Level A failures (the baseline conformance level) plus a few closely related best-practice checks: images without alt text (screen readers cannot describe them), form inputs with no associated label (users cannot identify the field), missing or incorrect document language, page without a title, heading hierarchy gaps (h1 jumping to h3; a best practice rather than a success criterion, but it disorients screen-reader navigation), vague link text ('click here', 'read more'), buttons and links with no accessible name, invalid ARIA roles, viewport settings that block user zoom (a Level AA resize-text issue), and duplicate element IDs (which break label-for and aria-labelledby associations). These are not cosmetic issues: they block users with visual impairments, motor disabilities, or cognitive differences from using your site.
What is a dependency or npm audit?
Open-source libraries are the single largest source of known vulnerabilities in modern web applications. We scan your package.json (npm/yarn) and requirements.txt (pip) for packages with published CVEs, the Common Vulnerabilities and Exposures entries tracked in the National Vulnerability Database. A critical-severity CVE in a dependency you haven't updated can be exploited directly without touching your own code. We report severity, affected package, vulnerable version range, and the fixed version to upgrade to. One caveat: package.json records version ranges (^4.17.15), while the version actually installed is in package-lock.json or yarn.lock, so commit your lockfile and pin Python requirements with == for the most precise results.
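How a manifest is matched against an advisory feed, as an added example for this page (not Kawacha's or any real tool's code). It parses pinned requirements.txt lines and package.json ranges, compares versions against advisory ranges, and marks hits that came from a range floor rather than an exact version. The advisory IDs and package names are made up for the example; a real scan pulls from the NVD or OSV feeds.

```python
import json
import operator
import re

# Constructed advisory feed with made-up IDs and packages (not real CVEs).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "npm", "package": "acme-templater",
     "vulnerable": ">=2.0.0,<2.4.7", "fixed": "2.4.7", "severity": "critical"},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "pypi", "package": "acme-xmlparse",
     "vulnerable": "<1.9.2", "fixed": "1.9.2", "severity": "high"},
    {"id": "EXAMPLE-2023-0003", "ecosystem": "npm", "package": "acme-logger",
     "vulnerable": "<0.8.0", "fixed": "0.8.0", "severity": "medium"},
]
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}


def parse_version(v):
    """'v3.1' -> (3, 1, 0); pre-release tags and build metadata after the numeric core are dropped."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, range_expr):
    """True if version satisfies every comma-separated constraint, e.g. '>=2.0.0,<2.4.7'."""
    v = parse_version(version)
    for constraint in range_expr.split(","):
        op, bound = re.match(r"\s*(<=|>=|<|>|==)\s*(\S+)", constraint).groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def deps_from_requirements(text):
    """Pinned (==) lines of requirements.txt -> {name: version}. Unpinned specifiers are skipped:
    they do not identify a single installed version, so there is nothing to match against a range."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([\w.]+)", line.split("#", 1)[0].strip())
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def deps_from_package_json(text):
    """package.json -> {name: (floor_version, is_exact)}. '^1.2.3', '~1.2.3' and '>=1.2.3' only give
    a floor; the version actually installed is recorded in package-lock.json or yarn.lock."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps[name] = (spec.lstrip("^~>=v "), spec[:1].isdigit())
    return deps


def audit(npm_deps, pypi_deps, advisories=ADVISORIES):
    """Match each manifest entry against the advisory feed and return report rows."""
    rows = []
    for adv in advisories:
        if adv["ecosystem"] == "npm" and adv["package"] in npm_deps:
            version, exact = npm_deps[adv["package"]]
        elif adv["ecosystem"] == "pypi" and adv["package"] in pypi_deps:
            version, exact = pypi_deps[adv["package"]], True
        else:
            continue
        if in_range(version, adv["vulnerable"]):
            rows.append({"id": adv["id"], "package": adv["package"], "severity": adv["severity"],
                         "installed": version, "vulnerable": adv["vulnerable"], "fix": adv["fixed"],
                         "note": "" if exact else "floor of a package.json range; confirm in the lockfile"})
    return rows


# Constructed manifests (not from a real project).
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"acme-templater": "^2.3.0", "acme-logger": "0.9.1", "react": "^18.2.0"}
}"""
SAMPLE_REQUIREMENTS = """# constructed sample
acme-xmlparse==1.8.4
requests>=2.28   # unpinned: skipped, cannot be matched to one version
"""

if __name__ == "__main__":
    for row in audit(deps_from_package_json(SAMPLE_PACKAGE_JSON), deps_from_requirements(SAMPLE_REQUIREMENTS)):
        print(row)
```

The "floor" note is the practical point: with only "^2.3.0" in package.json the installed version could be 2.3.0 or 2.4.9, and only the lockfile says which, so a hit on a range floor is a prompt to check, not a confirmed vulnerability.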
What is a DPDP compliance signal check?
We scan your homepage for the public-facing signals that the DPDP Act requires: a visible link to a privacy policy, a grievance officer name and contact email, and consent language on data collection forms. This is not a substitute for a full DPDP implementation audit — it is a first-pass check of what a regulator or a prospective enterprise client would see when they visit your site.
What does the WhatsApp Business Security scan check?
We analyse a pasted WhatsApp chat export for compliance and security issues: PII exposure (Aadhaar numbers, PAN, card numbers, OTPs sent in plaintext), TRAI TCCCPR 2018 (Telecom Commercial Communications Customer Preference Regulations) opt-out compliance (are you honouring DND requests?), bulk spam patterns, DPDP Act consent signals, hardcoded credentials or API keys, and whether the account appears to be a verified WhatsApp Business account. Chat text is never stored; only the findings are.
Is the scan safe? Will it affect my systems?
Safe to run. Domain scans are passive: we query publicly available data sources (DNS records, Certificate Transparency logs, Have I Been Pwned, Shodan) and fetch your public homepage plus a short fixed list of well-known paths (for example /.env) with ordinary HTTP GET requests. We do not send attack payloads, do not scan ports, and do not interact with your backend systems in any other way. Expect that handful of GET requests to appear in your access logs, and possibly in a WAF alert if it is tuned to flag requests for dotfiles; otherwise the scan looks like a normal website visit.
Does Kawacha store my scan results?
Scan results are stored in our database to generate your report and allow you to receive it by email. For code scans, the cloned repository is deleted immediately after scanning. For WhatsApp scans, the chat text is never stored — only the metadata (domain/phone, finding categories, timestamp). We do not share results with third parties.
Still have questions?
Run a free scan on your domain in under 2 minutes, or book a call to talk through what applies to your business specifically.