Indian Regulatory Compliance

Data Localisation Audit

Audit for data localisation compliance under DPDP Act, RBI, and SEBI data residency requirements.

RBI 2018 Circular
DPDP Act 2023
Multi-Regulator Coverage
CERT-In Empanelled

Data Localisation Compliance Audit

India's data localisation landscape spans multiple regulators with distinct and sometimes overlapping requirements. The RBI's April 2018 circular mandates that all payment system data — including the full end-to-end transaction data — must be stored exclusively within India. SEBI requires market and trade data residency within India. The DPDP Act 2023 introduces cross-border transfer restrictions for Significant Data Fiduciaries and requires cross-border data flows to be governed by approved transfer mechanisms.

Intelliroot's Data Localisation Audit provides a comprehensive, multi-regulator assessment of your data storage, processing, and cross-border transfer practices. We map every data flow, identify data categories and applicable regulatory mandates, test cloud provider configurations for localisation compliance, and deliver a remediation roadmap that addresses all applicable Indian data residency obligations in a single co-ordinated programme.

RBI Localisation Circular 2018 · SEBI Data Requirements · DPDP Act 2023 · IT Act 2000

Why Data Localisation Compliance Is Urgent

RBI Enforcement Is Active

The RBI has taken enforcement action against payment system operators who failed to comply with its 2018 localisation circular. For payment businesses, non-compliance can result in licence suspension — a non-negotiable business risk.

Cloud Complexity Creates Hidden Gaps

Many organisations assume cloud provider region selection equals compliance. In practice, data replication, backup routing, CDN edge nodes, and SaaS vendor sub-processors frequently cause data to leave India without the organisation's awareness.

DPDP Introduces New Transfer Rules

The DPDP Act 2023 enables the government to restrict cross-border transfers for significant data fiduciaries through notified country restrictions. Organisations must have the data flow visibility and governance mechanisms to comply when these restrictions are activated.

Multi-Regulator Complexity

An organisation regulated by both RBI and SEBI may face conflicting or additive localisation requirements. Our audit provides a consolidated view across all applicable mandates, eliminating duplicated effort and compliance gaps from siloed assessments.

What the Data Localisation Audit Covers

Data Flow Discovery & Mapping

  • End-to-end data flow mapping across all systems
  • Identification of cross-border data transfers
  • Sub-processor and SaaS vendor data residency review
  • Cloud provider regional configuration verification

Regulatory Mandate Assessment

  • RBI payment data localisation compliance
  • SEBI market and trade data residency verification
  • DPDP Act cross-border transfer mechanism review
  • Multi-regulator obligation gap analysis

Cloud & Infrastructure Review

  • Cloud provider region and replication configuration
  • Backup and DR data residency verification
  • CDN and edge node data exposure assessment
  • Third-party API data transfer review

Governance & Controls

  • Data classification and residency policy review
  • Contractual data residency obligations with vendors
  • Data transfer impact assessment process
  • Monitoring and alerting for cross-border transfers

Our Data Localisation Audit Approach

01

Regulatory Applicability Mapping

Identify all applicable data localisation mandates based on your regulatory licences, data categories, and sector. Produce a consolidated requirements matrix covering RBI, SEBI, DPDP, and any sector-specific obligations.

02

Data Inventory & Flow Mapping

Build a comprehensive inventory of personal and regulated data categories. Map all data flows — including cloud replication, backups, third-party SaaS, and API integrations — to identify every instance where data crosses India's borders.

03

Technical Configuration Review

Verify cloud provider region configurations, database replication settings, CDN origin configurations, and SaaS vendor data residency representations against the mapped regulatory requirements. Identify discrepancies between stated and actual data residency.

04

Gap Analysis & Risk Classification

Classify each data localisation gap by regulator, severity, and remediation complexity. Prioritise findings that represent active regulatory breaches (e.g., RBI payment data outside India) versus forward-looking compliance requirements (e.g., DPDP transfer restrictions).

05

Compliance Evidence Pack & Roadmap

Compile evidence of localisation compliance for each applicable mandate and deliver a phased remediation roadmap addressing both active breaches and proactive compliance obligations.
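As an added illustration of steps 02 to 04 (example code written for this page, not Intelliroot's tooling), a small Python gap register: each constructed data flow lists every place a copy of the data lands, offshore pathways are flagged, and each gap is prioritised as an active breach (RBI, SEBI) or forward-looking (DPDP). The region codes, flow names and priority labels are assumptions, and the RBI allowance for mirroring the foreign leg abroad is not modelled.

```python
from dataclasses import dataclass

# Assumption: these cloud region codes are the ones treated as "in India".
INDIA_REGIONS = {"ap-south-1", "ap-south-2", "centralindia", "southindia", "westindia"}
# RBI/SEBI mandates are in force today; DPDP transfer limits only bite once
# the government notifies restricted or permitted countries.
ACTIVE_MANDATES = {"RBI", "SEBI"}
FORWARD_LOOKING_MANDATES = {"DPDP"}

@dataclass
class DataFlow:
    name: str
    regulators: frozenset
    locations: dict  # pathway (primary, replica, backup, CDN, vendor) -> region code

def offshore_pathways(flow: DataFlow) -> dict:
    """Pathways whose copy of the data lands outside India."""
    return {p: r for p, r in flow.locations.items() if r not in INDIA_REGIONS}

def gap_priority(regulators: frozenset) -> str:
    """P1 if an in-force mandate applies, P2 if only DPDP, P3 if nothing mapped."""
    if regulators & ACTIVE_MANDATES:
        return "P1-active-breach"
    if regulators & FORWARD_LOOKING_MANDATES:
        return "P2-forward-looking"
    return "P3-unmapped"

def build_gap_register(flows: list) -> list:
    """One row per flow with an offshore copy; wholly-Indian flows produce no gap."""
    rows = [{"flow": f.name, "regulators": sorted(f.regulators),
             "offshore": offshore_pathways(f), "priority": gap_priority(f.regulators)}
            for f in flows if offshore_pathways(f)]
    return sorted(rows, key=lambda r: r["priority"])  # active breaches first

# Constructed sample inventory, not a real environment.
SAMPLE_FLOWS = [
    DataFlow("upi-transactions", frozenset({"RBI"}),
             {"primary": "ap-south-1", "replica": "ap-south-1", "backup-vault": "us-east-1"}),
    DataFlow("trade-ledger", frozenset({"SEBI"}),
             {"primary": "ap-south-1", "dr": "ap-south-2"}),
    DataFlow("customer-kyc", frozenset({"DPDP"}),
             {"primary": "centralindia", "saas-vendor": "eu-west-1"}),
]

if __name__ == "__main__":
    for row in build_gap_register(SAMPLE_FLOWS):
        print(row)
```

The backup vault on the payment flow is the kind of gap the FAQ below describes: the primary region is Indian, yet a copy leaves the country.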

RBI Payment Data Localisation · SEBI Data Residency · DPDP Act 2023 · Cross-Border Transfers · Cloud Compliance · Data Flow Mapping · Sub-Processor Risk · IT Act 2000 · CERT-In Empanelled

Frequently Asked Questions

What data does the RBI's 2018 circular cover?

The RBI's April 2018 circular covers the full end-to-end transaction details of payment systems — not just card numbers. This includes the complete transaction data, beneficiary and remitter details, and any data related to the payment leg. Foreign entities processing Indian payments may mirror a copy abroad but must store the complete end-to-end data in India.

Does selecting an Indian cloud region make us compliant?

Not necessarily. Selecting an Indian region reduces risk but does not guarantee compliance. Common issues include: automated backups replicating to foreign regions, CDN caching of sensitive data on foreign edge nodes, SaaS tools processing data on foreign infrastructure, and analytics platforms routing data through global processing pipelines. Our technical assessment verifies the actual data residency, not just the region selection.

How does the DPDP Act 2023 handle cross-border transfers?

The DPDP Act 2023 permits cross-border transfers to countries notified by the Central Government as permissible destinations. The government may also restrict transfers to specific countries. The Act does not adopt a BCR or SCCs model like GDPR. Organisations must monitor the notified country list and ensure their transfer practices align with the current permitted destinations.

What if a SaaS vendor we depend on cannot keep data in India?

This is a common challenge. Our audit documents the risk associated with each non-compliant SaaS vendor and assesses whether the data categories involved are covered by the applicable localisation mandate. We then help you develop a contractual and technical remediation strategy — which may include vendor replacement, data masking before transfer, or seeking formal written assurance from the vendor.

Deliverables

Data Flow Map & Residency Report

Comprehensive data flow diagrams annotated with regulatory applicability and residency status for all data categories and transfer pathways.

Multi-Regulator Gap Register

Risk-rated gap register mapping each localisation non-compliance to its applicable regulatory mandate (RBI, SEBI, DPDP) with evidence and remediation recommendations.

Cloud Provider Compliance Report

Technical review of cloud provider region configurations, replication settings, CDN configuration, and sub-processor data flows with compliance verdicts for each.

Compliance Evidence Pack

Compiled evidence bundle demonstrating data residency compliance for each regulatory mandate — suitable for RBI, SEBI, and DPDP regulatory submissions and audit trails.

Remediation Roadmap

Phased remediation plan prioritising active regulatory breaches, with technical implementation guidance, vendor engagement recommendations, and compliance deadline alignment.


Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

Scoping Call with a Certified Consultant: 45-minute deep-dive with a senior practitioner — no sales pitch.
Proposal Delivered in 48 Hours: Fully scoped engagement plan with pricing and timeline.
Free Attack Surface Analysis: Preliminary external exposure report at no cost.
Fully Confidential. NDA Available. No obligation. Your data is never shared.
200+ Engagements
40+ Services
98% Satisfaction
CERT-In Empanelled · ISO 27001 · OSCP · CEH · CISSP