What we mean by "produces evidence"
Sekeye does not grant compliance. It is being built to produce the artefacts these clauses require you to demonstrate: inventory, exposure, and incident-response timeline. All inside your data-residency perimeter.
CERT-In (April 2022 Directions)
- Six-hour reporting. A launched campaign identifies affected endpoints and the exposure window per machine, feeding the incident report.
- 180-day log retention, within India. Inventory deltas, findings, and campaign results are retained in-region for self-hosted deployments.
- In-scope events. Malicious code, data breaches, and supply-chain incidents are named explicitly. Shai-Hulud-class npm worms fall squarely inside the reporting obligation.
DPDP Act 2023 (with Rules 2025)
- Section 8(5) reasonable safeguards. Documented control over endpoint-installed software supports the safeguards defence.
- Monitoring for unauthorised access. Inventory deltas and findings logs are audit-ready evidence.
- Breach scope determination. Campaign results identify which endpoints ran an exfiltrating artefact in the exposure window. Required for a defensible DPIA.
- Penalty exposure. Failures to implement safeguards can attract penalties up to ₹250 crore. Documented posture reduces that exposure.
SEBI CSCRF (August 2024)
- Asset inventory including software, with critical / non-critical classification. Fleet inventory plus tagging.
- SBOM mandate for critical systems, including transitive dependencies. Exportable CycloneDX per endpoint.
- Vulnerability management with timely closure. Continuous CVE match, closure-state tracking, evidence trail.
- May 2026 AI advisory. Adopt AI-based vulnerability detection and maintain SBOM upkeep. The agentic-surface coverage lands here.
RBI Cyber Security Framework (2016 and 2023 Master Direction)
- Up-to-date inventory of authorised and unauthorised software. Fleet inventory of the self-installed layer that EDRs skip.
- Mechanism to control software installation. V2 policy engine and unauthorised-artefact alerts.
- Vulnerability and patch management, rapid incident reporting. Findings queue and RBI-facing evidence exports.
IRDAI (2023) and NCIIPC (CII)
Mirrors RBI and SEBI on asset management, vulnerability management, and incident reporting. Self-hosted and air-gapped deployment qualify for CII data-locality requirements.