Meeting RBI's Data Localization Mandate

How "CyberGuard Perth" Secured a Master Service Agreement with India's Largest Private Bank

Executive Summary

India's cybersecurity market is exploding, but so is the regulatory scrutiny. For "CyberGuard Perth" (anonymized), an Australian firm specializing in AI-driven threat detection, a potential contract with a major Indian private bank was a game-changer. However, the bank’s legal team raised a massive red flag: RBI Circular DPSS.CO.OD No. 2785/06.08.005/2017-18, the mandate that all payment system data must be stored *only* in India.

CyberGuard's platform was built on a global multi-tenant architecture with data processing hubs in Sydney and Singapore. They needed to radically change their operating model to win the Indian business. CorpArray was engaged to design a compliant corporate and data governance framework. This case study details how we helped them achieve 'RBI-Ready' status in 6 months.

The Challenge: The Localization Barrier

The Reserve Bank of India (RBI) is uncompromising when it comes to financial data. The challenges for CyberGuard included:

1. Pure Localization vs. Global Processing

The RBI mandate requires that the *entire* end-to-end transaction data be stored in India. While 'processing' can happen abroad, the data must be deleted from foreign systems within 24 hours and stored permanently only in India. CyberGuard's AI models needed to learn from global data sets, which created a conflict.

2. CERT-In Empanelment

To work with Indian banks, cybersecurity firms are often required to be empaneled with CERT-In (Indian Computer Emergency Response Team). This involves a rigorous audit of the company’s internal security controls and ownership structure.

3. Liability and Jurisdiction

Indian banks insist on contracts governed by Indian law with jurisdiction in Indian courts. For an Australian firm, this creates an 'unlimited liability' risk if not structured correctly with a local subsidiary.

The CorpArray Strategy: The 'India-Cloud' SOC

We advised CyberGuard to pivot from a 'Service from Australia' model to an 'In-India' model.

Step 1: Incorporating CyberGuard India Pvt Ltd

We incorporated a wholly-owned Indian subsidiary. This was not just a sales office; it was structured as a Security Operations Center (SOC). This local entity became the contracting party with the Indian bank, limiting the liability of the Australian parent.

Step 2: Designing the 'Data Silo' Architecture

We worked with their cloud architects to deploy a standalone instance of their platform on AWS Mumbai. We implemented a 'One-Way Sync' where anonymized metadata could be sent to Australia for AI training, but all PII (Personally Identifiable Information) and transaction logs remained strictly within the Indian borders.
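The outbound side of a 'One-Way Sync' like this comes down to a fail-closed gate in front of the export path. The sketch below is an added illustration, not CyberGuard's or CorpArray's code; the field names, the allowlist and the PII patterns are assumptions, and the sample records are constructed.

```python
import re

# Assumed allowlist: the only fields permitted to leave the Indian instance.
# Anything not named here (names, account numbers, amounts) stays in-country.
EXPORT_ALLOWLIST = {"event_type", "severity", "model_score", "hour_bucket"}

# Assumed content checks, applied even to allowlisted fields, because free-text
# values can carry identifiers that the field name does not reveal.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DIGIT_RUN_RE = re.compile(r"\d(?:[ -]?\d){11,18}")  # 12-19 digits: card/account-like


def looks_like_pii(value) -> bool:
    """True if the value contains an e-mail address or a long digit run."""
    text = str(value)
    return bool(EMAIL_RE.search(text) or DIGIT_RUN_RE.search(text))


def build_export(record: dict):
    """Return (outbound_record, dropped_field_names) for one event.

    Fails closed: if an allowlisted field still carries a PII-like value,
    the whole record is refused rather than partially exported.
    """
    outbound = {k: v for k, v in record.items() if k in EXPORT_ALLOWLIST}
    dropped = sorted(k for k in record if k not in EXPORT_ALLOWLIST)
    tainted = sorted(k for k, v in outbound.items() if looks_like_pii(v))
    if tainted:
        raise ValueError(f"refusing export, PII-like value in: {tainted}")
    return outbound, dropped


# Constructed sample events (not real data).
CLEAN_EVENT = {
    "event_type": "login_anomaly",
    "severity": "high",
    "model_score": 0.93,
    "hour_bucket": "2024-01-01T10",
    "customer_name": "Constructed Name",
    "account_no": "123456789012",
    "txn_amount": 5000,
}
TAINTED_EVENT = {
    "event_type": "card 4111 1111 1111 1111 declined",
    "severity": "low",
}
```

Logging the dropped field names, never their values, gives an auditor evidence of what the gate withheld without creating a second copy of the data.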

Step 3: Managing the RBI Audit

Indian banks are required to submit an 'Audit Report' to the RBI every six months for their third-party vendors. CorpArray's compliance team prepared the 'System Audit Report' (SAR) template, ensuring it met the specific requirements of the RBI’s Information Technology Framework.

Execution: Securing the Master Service Agreement (MSA)

  • FEMA FDI Compliance: We managed the capital infusion from Perth to Mumbai, ensuring the FC-GPR was filed correctly.
  • GST Registration: As they were providing 'Export of Services' from their Indian SOC to global clients, we helped them set up a Letter of Undertaking (LUT) to avoid paying 18% GST upfront on exports.
  • Employment Strategy: We helped them hire their first 10 local cybersecurity analysts in Pune, managing everything from offer letters to PF (Provident Fund) registrations.

Benefits and Outcomes

  • MSA Signed: Secured a 5-year Master Service Agreement with the bank.
  • RBI Approval: The bank’s external auditors cleared CyberGuard’s localization model without a single query.
  • Regional Hub: The Indian SOC now serves as CyberGuard’s hub for the entire Southeast Asian market, utilizing India’s vast talent pool.
  • Scalability: By solving the localization issue once, they were able to sign three more Indian banks within 12 months.

"The RBI is the Gold Standard"

If you can pass an RBI data audit, you can pass any audit in the world. CorpArray didn't just help us comply; they helped us build a global competitive advantage. — CTO, CyberGuard Perth.