DPDP Act 2023 is live
Every business processing Indian personal data with AI is a Data Fiduciary. The penalty for a single violation reaches ₹250 crore. Most AI teams have no consent framework, no breach plan, and no right-to-erasure implementation.
The DPDP Act 2023 makes your AI a regulated entity. ₹250 crore is the maximum penalty. RBI FREE-AI Phase 3 makes AI audits mandatory by 2027–28. We map your exposure, build the documentation layer, and keep it current.
Three forces collided in the last 18 months. Any one of them is a deal-stopper. Together they are the new floor for serious AI businesses.
Every business processing Indian personal data with AI is a Data Fiduciary. The penalty for a single violation reaches ₹250 crore. Most AI teams have no consent framework, no breach plan, and no right-to-erasure implementation.
Phase 3 makes AI audits mandatory for RBI-regulated entities by 2027–28. Most NBFCs and banks have neither the Annex V board policy nor the Annex VI incident runbook. The documentation gap alone triggers non-compliance.
ISO/IEC 42001 is becoming a procurement requirement. Security questionnaires now include an AI governance section. Without an AI policy, model inventory, and data handling register, the deal waits.
Same regulators. Same evidence. Different depth. Pick the tier that matches where you are — move up only when there is a reason to.
“Find out exactly where you stand before the regulator does.”
Businesses that deployed AI without a regulatory review. Indian startups in fintech, SaaS, or any sector touching personal data. Teams answering enterprise procurement questions about AI governance.
“Build the documentation and processes that let you say yes to any compliance question.”
Fintech on RBI rails. SaaS companies selling to enterprise with AI features. Any business that completed the Readiness Assessment and needs to close the gaps.
“Regulations change. Your AI keeps shipping. We keep you current.”
Businesses that have completed the Full Compliance Program or a Deep Audit and need ongoing compliance maintenance.
A security audit and a compliance program look at the same model from two ends. One asks “what breaks?” The other asks “what gets fined?” Bundle them and you stop paying twice for the same scoping work.
Vulnerabilities an attacker exploits in your AI
Gaps a regulator fines you for
CTO, engineering lead
Founder, legal, compliance, CFO
Findings, PoCs, remediation roadmap
Policies, registers, runbooks, evidence pack
Breach, data exposure, stalled enterprise deal
Regulatory penalty, procurement questionnaire
The Deep Audit + Full Compliance bundle covers both surfaces in a single 8–10 week engagement. One kickoff. One delivery. One team.
Every engagement runs on the same rails — even when the regulation mix is different. You always know where we are and what comes next.
30 minutes. We confirm the tier, the sector, the people involved, and sign.
Inventory of AI systems, current documents, and vendor list. No production access required.
Parallel tracks across regulations. Urgent exposures flagged immediately — not at the end.
Legal, compliance, and engineering review every document. Two cycles included.
Walk through every document. Implementation guidance, not just paper.
If we find a clause-level exposure that could be fined today, you hear about it the day we find it — not at the end of the engagement.
Every tier maps to specific clauses in specific regulations. No generic “industry best practice” — we tell you which paragraph of which framework drives every requirement.
| Framework | What it covers | Tiers |
|---|---|---|
| DPDP Act 2023 | Personal data, consent, breach, erasure, ₹250cr exposure | All tiers |
| RBI FREE-AI | Annex V board policy, Annex VI incident runbook, Phase 1/2/3 | Full Program · Retainer |
| RBI Digital Lending | Model risk, duty of explanation, fair lending | Full Program · Retainer |
| ISO/IEC 42001 | AI management system gap analysis and roadmap | Full Program |
| NIST AI RMF | Govern, Map, Measure, Manage functions | All tiers (lens) |
| EU AI Act | High-risk AI classification for EU-facing products | On request |
We tell you which one fits before you finish the current tier — so the next move is a decision, not a sales call.
Most teams who run the Readiness Assessment move to the Full Compliance Program within 60 days. Same regulator, same evidence, no re-scoping.
Regulations move. Your AI moves faster. The retainer keeps your documentation set and evidence pack production-ready as both change.
The Deep Audit + Full Compliance bundle covers technical risk and regulatory exposure in one 8–10 week engagement. One kickoff. One delivery.