HomeAI OfferingsAuditCase studiesAboutContact
AI & DATA COMPLIANCE

The regulator doesn’t wait for your roadmap.

The DPDP Act 2023 makes your AI a regulated entity. ₹250 crore is the maximum penalty. RBI FREE-AI Phase 3 makes AI audits mandatory by 2027–28. We map your exposure, build the documentation layer, and keep it current.

coveringDPDP Act 2023RBI FREE-AIRBI Digital LendingISO/IEC 42001NIST AI RMFEU AI Act
Jump to the three tiers ↓

Most businesses are building fast and documenting nothing.

Three forces collided in the last 18 months. Any one of them is a deal-stopper. Together they are the new floor for serious AI businesses.

DPDP

DPDP Act 2023 is live

Every business processing Indian personal data with AI is a Data Fiduciary. The penalty for a single violation reaches ₹250 crore. Most AI teams have no consent framework, no breach plan, and no right-to-erasure implementation.

RBI

RBI FREE-AI is coming

Phase 3 makes AI audits mandatory for RBI-regulated entities by 2027–28. Most NBFCs and banks have neither the Annex V board policy nor the Annex VI incident runbook. The documentation gap alone triggers non-compliance.

ENT

Enterprise buyers ask

ISO/IEC 42001 is becoming a procurement requirement. Security questionnaires now include an AI governance section. Without an AI policy, model inventory, and data handling register, the deal waits.

THREE TIERS

From exposure mapping to full compliance.

Same regulators. Same evidence. Different depth. Pick the tier that matches where you are — move up only when there is a reason to.

READINESS ASSESSMENT · 2 WEEKS

Find out exactly where you stand before the regulator does.

₹2,50,000
$3,000 USD outside India
BEST FOR

Businesses that deployed AI without a regulatory review. Indian startups in fintech, SaaS, or any sector touching personal data. Teams answering enterprise procurement questions about AI governance.

DPDP ACT GAP ANALYSIS
  • Data Fiduciary classification — including Significant Data Fiduciary trigger
  • Personal-data inventory across every AI system
  • Consent flows — omnibus consent issues, AI-specific purposes
  • Breach notification capability against the 72-hour window
  • Right-to-erasure feasibility for training and inference data
  • Data localisation posture — what leaves India via LLM APIs
  • ₹250 crore penalty exposure mapped to clauses
AI GOVERNANCE BASELINE
  • AI policy existence and coverage check
  • Model inventory — every production model documented
  • AI decision logging detail vs. regulator expectations
REGULATORY BRIEFING
  • Sector-specific regulations that apply to you
  • Upcoming enforcement milestones on a single timeline
  • Priority remediation order ranked by penalty exposure
WHAT YOU GET
  • Gap register — regulation, clause, severity, penalty
  • Plain-English exposure summary for founders and the board
  • 30-day priority action plan
  • 60-minute debrief with founders, legal, and compliance lead
ONGOING RETAINER · MONTHLY

Regulations change. Your AI keeps shipping. We keep you current.

Retainer pricing
From ₹1.5L / month · $1,800 USD
BEST FOR

Businesses that have completed the Full Compliance Program or a Deep Audit and need ongoing compliance maintenance.

EVERY MONTH
  • Regulatory monitoring — DPDP rules, RBI circulars, sector AI guidance
  • Monthly briefing — what changed, what it means, what to update
  • Policy and documentation maintenance as your stack evolves
  • Compliance pre-check on new AI features before production
  • Evidence pack kept current and audit-ready
WHEN SOMETHING HAPPENS
  • On-call for compliance questions during a security incident
  • Breach notification drafting against the DPDP 72-hour clock
  • Quarterly review with founders, legal, and compliance lead
WHAT YOU GET
  • Always-current documentation set
  • Direct line to a compliance lead
  • Quarterly board-ready compliance summary

Different questions. Same AI system.

A security audit and a compliance program look at the same model from two ends. One asks “what breaks?” The other asks “what gets fined?” Bundle them and you stop paying twice for the same scoping work.

THE BUNDLE

The Deep Audit + Full Compliance bundle covers both surfaces in a single 8–10 week engagement. One kickoff. One delivery. One team.

Five steps. No mystery weeks.

Every engagement runs on the same rails — even when the regulation mix is different. You always know where we are and what comes next.

  1. 01

    SCOPING CALL

    30 minutes. We confirm the tier, the sector, the people involved, and sign.

  2. 02

    DATA COLLECTION

    Inventory of AI systems, current documents, and vendor list. No production access required.

  3. 03

    GAP ANALYSIS & DRAFT

    Parallel tracks across regulations. Urgent exposures flagged immediately — not at the end.

  4. 04

    REVIEW CYCLES

    Legal, compliance, and engineering review every document. Two cycles included.

  5. 05

    DELIVERY & BRIEFING

    Walk through every document. Implementation guidance, not just paper.

URGENT EXPOSURE POLICY

If we find a clause-level exposure that could be fined today, you hear about it the day we find it — not at the end of the engagement.

REGULATION REFERENCE

Specific frameworks. Named.

Every tier maps to specific clauses in specific regulations. No generic “industry best practice” — we tell you which paragraph of which framework drives every requirement.

FrameworkWhat it coversTiers
DPDP Act 2023Personal data, consent, breach, erasure, ₹250cr exposureAll tiers
RBI FREE-AIAnnex V board policy, Annex VI incident runbook, Phase 1/2/3Full Program · Retainer
RBI Digital LendingModel risk, duty of explanation, fair lendingFull Program · Retainer
ISO/IEC 42001AI management system gap analysis and roadmapFull Program
NIST AI RMFGovern, Map, Measure, Manage functionsAll tiers (lens)
EU AI ActHigh-risk AI classification for EU-facing productsOn request

Most engagements have a next step.

We tell you which one fits before you finish the current tier — so the next move is a decision, not a sales call.

READINESSFULL PROGRAM

Close every gap.

Most teams who run the Readiness Assessment move to the Full Compliance Program within 60 days. Same regulator, same evidence, no re-scoping.

FULL PROGRAMRETAINER

Stay current as it ships.

Regulations move. Your AI moves faster. The retainer keeps your documentation set and evidence pack production-ready as both change.

COMPLIANCE+AUDIT

Bundle the surfaces.

The Deep Audit + Full Compliance bundle covers technical risk and regulatory exposure in one 8–10 week engagement. One kickoff. One delivery.

The questions founders and compliance leads ask first.

  1. The Act is in force. The Data Protection Board is being constituted and rules are being notified. The teams that wait for the first ₹250 crore enforcement order to act will not have enough runway to comply when it lands. The right answer is to be ready before the deadline, not after the first fine.
BOOK A DISCOVERY CALL

30 minutes. No pitch.