RBI Compliance for Fintech Startups in Bangalore

RBI Master Direction technical compliance for payment aggregators, NBFCs, and digital lending platforms headquartered in Bangalore. Data localization, encryption, MFA, 6-hour incident reporting, VAPT readiness, and CERT-In empanelled audit prep — built into your AWS / GCP / Azure infrastructure, not into a binder nobody reads.

10 days for the gap scan, 4-6 weeks for the audit-ready build, plus optional monthly retainer for ongoing compliance maintenance

The Problem

RBI's Master Directions on Payment Aggregators (2025), IT Governance for NBFCs (2024), and Digital Lending (2025) are not legal documents — they are technical specifications. Data must be physically located in India. Encryption must be TLS 1.2+ in transit and AES-256 at rest. Cyber incidents must be reported to RBI within 6 hours. VAPT must be performed by a CERT-In empanelled auditor at least annually. Most fintech founders treat compliance as a legal problem, then their first banking partnership stalls when the partner bank's security team asks for the audit report. By then it's a 3-6 month rebuild instead of a 3-week setup.

Who This Is For

Pre-Series A to Series B fintech startups headquartered in Bangalore (or with major engineering presence here): payment aggregators applying for or holding RBI authorization, NBFCs in Top / Upper / Middle layers, digital lending platforms operating under the 2025 Digital Lending Directions, and prepaid payment instrument (PPI) issuers. Especially relevant if you're 5-30 engineers, on AWS / GCP / Azure, and have a banking partner conversation in the next 6 months.

Typical Outcomes

  • Pass your first CERT-In empanelled annual IS audit on the first attempt with no Material findings
  • Banking partnership unblocked — the partner bank's security team gets the audit report they were asking for
  • RBI inspection readiness — if RBI's Department of Supervision shows up, you can produce evidence inside one working day
  • Avoid the operational class of penalties RBI has been issuing — Paytm / PhonePe / multiple NBFCs paid 7-figure fines for compliance gaps in FY 2024-25
  • Engineering velocity preserved — security gates fail-soft (warn, don't block) by default until the team is ready to tighten them

Timeline Options

Compliance Gap Scan (10 days)

  • Region + encryption + IAM + logging audit
  • RBI Master Direction gap matrix per applicable framework
  • Top 10 prioritized findings with remediation cost estimates
  • 1-hour briefing with your founding team + tech lead

Audit-Ready Build (4-6 weeks)

  • Everything in Compliance Gap Scan
  • Implementation of all critical + high findings
  • SOC monitoring stack deployed and tuned
  • Incident response playbook + CCMP draft
  • VAPT briefing pack assembled
  • Annual audit binder ready

Audit + Ongoing Retainer (6 weeks + monthly)

  • Everything in Audit-Ready Build
  • Monthly retainer covering quarterly access reviews, monthly DR tests, vendor re-assessments, audit-finding remediation, and pre-RBI-inspection rehearsals
  • Direct support for your annual VAPT engagement and the CERT-In auditor relationship
  • First-year coverage of RBI Master Direction updates as they're issued

This might not be a fit if...

  • You are not a fintech and the RBI Master Directions don't apply to your business
  • You are a Series C+ fintech with a dedicated infosec team and a CISO already in place
  • You only need a single VAPT engagement (we partner with CERT-In empanelled VAPT firms but don't perform the empanelled audit ourselves)
  • You are operating outside India and have no Indian customer base

What You Get

  • Cloud region audit — verify all payment data lives in ap-south-1 (AWS Mumbai) / Central India (Azure) / asia-south1 (GCP Mumbai), with Terraform region constraints to keep it there
  • Encryption-at-rest review — every EBS volume, every S3 bucket, every RDS instance, every Cloud SQL DB encrypted with AES-256 via KMS
  • TLS 1.2+ enforcement — across Application Load Balancers, API Gateways, internal service-to-service communication, and any direct database connections
  • MFA + privileged access management — root account MFA, time-bound elevated access, quarterly access reviews, removal of standing admin rights
  • 24/7 SOC monitoring stack — CloudWatch + GuardDuty + Security Hub on AWS (or equivalent), with alerts wired to PagerDuty / Opsgenie and a documented runbook
  • Incident response playbook for the RBI 6-hour reporting deadline — automated detection, named on-call rotation, pre-approved RBI notification template, board-approved Cyber Crisis Management Plan (CCMP)
  • VAPT readiness — internal vulnerability scanning integrated into CI/CD (Trivy + Snyk + OWASP ZAP), plus the formal annual VAPT briefing pack ready for your CERT-In empanelled auditor
  • Vendor risk register — every third-party SaaS that touches transaction data, with their security attestations and your contractual data-processing agreements
  • Business continuity + disaster recovery plan — board-approved BCP/DR with documented RTO / RPO and quarterly failover tests
  • Annual audit binder — the document set your CERT-In auditor will request, prepared and indexed
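One way to express the region, encryption-at-rest and TLS checks above as a fail-soft CI gate, as an added example and not the firm's own tooling: the Resource record and the "TLSv1.x" listener-policy naming are assumptions made for the example, and the inventory is constructed rather than pulled from a real account.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regions the page accepts for RBI data localisation (AWS / Azure / GCP).
INDIA_REGIONS = {"ap-south-1", "centralindia", "asia-south1"}
MIN_TLS = (1, 2)                     # RBI: TLS 1.2+ in transit
DATA_STORES = {"s3", "ebs", "rds"}   # kinds that must be encrypted at rest

@dataclass
class Resource:                      # assumed inventory record, not a provider API type
    id: str
    kind: str                        # "s3", "ebs", "rds" or "alb"
    region: str
    encrypted: bool = True
    kms_key: Optional[str] = None    # KMS key backing the encryption, if any
    tls_min: Optional[str] = None    # assumed listener policy format, e.g. "TLSv1.2"

def tls_version(policy: str) -> Tuple[int, int]:
    """'TLSv1.0' -> (1, 0), comparable as a tuple against MIN_TLS."""
    major, minor = policy.upper().replace("TLSV", "").replace("TLS", "").split(".")
    return int(major), int(minor)

def findings(inventory: List[Resource]) -> List[Tuple[str, str, str]]:
    """Return (resource id, severity, message) for every gap found."""
    out = []
    for r in inventory:
        if r.region not in INDIA_REGIONS:
            out.append((r.id, "HIGH", f"data outside India: {r.region}"))
        if r.kind in DATA_STORES:
            if not r.encrypted:
                out.append((r.id, "CRITICAL", "not encrypted at rest"))
            elif not r.kms_key:
                out.append((r.id, "MEDIUM", "encryption not backed by a KMS key"))
        if r.kind == "alb" and (r.tls_min is None or tls_version(r.tls_min) < MIN_TLS):
            out.append((r.id, "HIGH", f"listener allows {r.tls_min}, below TLS 1.2"))
    return out

def gate(inventory: List[Resource], enforce: bool = False) -> Tuple[int, list]:
    """CI gate, fail-soft by default (exit 0, warn only); enforce=True exits 1 on CRITICAL/HIGH."""
    found = findings(inventory)
    blocking = [f for f in found if f[1] in {"CRITICAL", "HIGH"}]
    return (1 if enforce and blocking else 0), found

# Constructed inventory for the example (not real account data).
SAMPLE = [
    Resource("s3-payments", "s3", "ap-south-1", True, "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE"),
    Resource("vol-ledger", "ebs", "us-east-1", False),           # the console-default region
    Resource("rds-core", "rds", "ap-south-1", True, None),
    Resource("alb-api", "alb", "ap-south-1", tls_min="TLSv1.0"),
]
```

Running `gate(SAMPLE)` yields four findings but exit code 0; flipping to `gate(SAMPLE, enforce=True)` is the point at which the gate starts blocking merges.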

The Transformation

Before

  • Payment data scattered across us-east-1 because that was the AWS Console default
  • Some EBS volumes encrypted, others not, no policy enforcing it
  • MFA optional, root account used for routine deploys
  • Cyber incident response = a Slack thread, no documented playbook, no pre-approved RBI notification template
  • VAPT done once a year by a friend's firm, findings never remediated
  • Banking partner is asking for the audit report and the team is panicking

After

  • All payment data in ap-south-1 / Central India / asia-south1, Terraform-enforced region constraints
  • AES-256 at rest enforced via account-default KMS, no exceptions
  • MFA required for all human access, root account usage alarmed via CloudTrail
  • 6-hour RBI notification automated end to end, on-call rotation tested monthly
  • Continuous vulnerability scanning in CI/CD plus annual CERT-In empanelled VAPT, findings tracked and closed
  • Banking partner gets the audit binder same day, partnership conversation moves forward

Engagement Models

Project-based

Fixed scope, fixed timeline, fixed price. Ideal for specific security initiatives.

Retainer

Ongoing support with priority response. Perfect for continuous security needs.

What influences pricing?

  • Team size and environment complexity
  • Timeline and urgency requirements
  • Scope of systems and platforms
  • Ongoing support and maintenance needs
