Skip to content
Now taking design partners.Roadmap →
← Home

CERT-In, DPDP, SEBI CSCRF, RBI, IRDAI, NCIIPC

Compliance evidence · India

Sekeye is being built to produce the inventory, exposure, and IR evidence Indian regulators demand, with data residency and self-hosted deployment. Formats validating with design partners during MVP.

Request evidence pack

What we mean by "produces evidence"

Sekeye does not grant compliance. It is being built to produce the artefacts these clauses require you to demonstrate: inventory, exposure, and incident-response timeline. All inside your data-residency perimeter.

CERT-In (April 2022 Directions)

  • Six-hour reporting. A launched campaign identifies affected endpoints and the exposure window per machine, feeding the incident report.
  • 180-day log retention, within India. Inventory deltas, findings, and campaign results are retained in-region for self-hosted deployments.
  • In-scope events. Malicious code, data breaches, and supply-chain incidents are named explicitly. Shai-Hulud-class npm worms fall squarely inside the reporting obligation.

DPDP Act 2023 (with Rules 2025)

  • Section 8(5) reasonable safeguards. Documented control over endpoint-installed software supports the safeguards defence.
  • Monitoring for unauthorised access. Inventory deltas and findings logs are audit-ready evidence.
  • Breach scope determination. Campaign results identify which endpoints ran an exfiltrating artefact in the exposure window. Required for a defensible DPIA.
  • Penalty exposure. Failures to implement safeguards can attract penalties up to ₹250 crore. Documented posture reduces that exposure.

SEBI CSCRF (August 2024)

  • Asset inventory including software, with critical / non-critical classification. Fleet inventory plus tagging.
  • SBOM mandate for critical systems, including transitive dependencies. Exportable CycloneDX per endpoint.
  • Vulnerability management with timely closure. Continuous CVE match, closure-state tracking, evidence trail.
  • May 2026 AI advisory. Adopt AI-based vulnerability detection and maintain SBOM upkeep. The agentic-surface coverage lands here.

RBI Cyber Security Framework (2016 and 2023 Master Direction)

  • Up-to-date inventory of authorised and unauthorised software. Fleet inventory of the self-installed layer that EDRs skip.
  • Mechanism to control software installation. V2 policy engine and unauthorised-artefact alerts.
  • Vulnerability and patch management, rapid incident reporting. Findings queue and RBI-facing evidence exports.

IRDAI (2023) and NCIIPC (CII)

Mirrors RBI and SEBI on asset management, vulnerability management, and incident reporting. Self-hosted and air-gapped deployment qualify for CII data-locality requirements.