India-first compliance automation · Bharat-resident evidence · Bengaluru HQ

The compliance platform built for India's regulated SaaS.

Continuous evidence collection across SOC 2, ISO 27001, and the India regulators every other platform skips — DPDP Act 2023, SEBI CSCRF, RBI Master Directions, CERT-In Direction 20(3)/2022. Every byte of evidence resident in Bharat. No dollar pricing, no offshored data flows.

10+ frameworks live · India regulators first-class
200+ controls auto-mapped across frameworks
100% Bharat-resident evidence · zero offshore flows
INR priced in rupees · no FX surprise
DPDP Act 2023 · SEBI CSCRF · RBI Master Directions · CERT-In Direction 20(3)/2022 · IRDAI Guidelines · SOC 2 · AICPA TSC · ISO/IEC 27001:2022 · PCI-DSS v4.0 · HIPAA · NIST CSF 2.0 · OWASP MASVS · OWASP API Top 10
Thirteen services · one accountable team

Everything an Indian compliance function actually needs.

We don't sub-contract. Every assessment is led by a senior engineer (CERT-In empanelment in process) and reviewed by an ISO 27001 lead auditor. Your data, your evidence and your reports never leave India.

01
SOC 2 Compliance
Type I and Type II readiness, evidence collection and audit, attestation in 12 weeks.
02
ISO 27001:2022
ISMS implementation, Annex A controls, internal audit, and Stage 1 / Stage 2 certification support.
03
VAPT
Manual-led VAPT across infrastructure, applications, APIs, cloud and Active Directory. CERT-In empanelment in process.
04
Web App Security
OWASP ASVS L1–L3, OWASP API Top 10, GraphQL-specific test plans, business-logic testing.
05
Mobile App Security
MASVS L1 & L2, MASTG techniques, OWASP Mobile Top 10, static + dynamic with Frida/Objection.
06
Cloud Security
CIS AWS / Azure / GCP benchmarks, NIST 800-53 mappings, IAM graph analysis, ISO 27017 control mapping.
07
Crypto Exchange Pentest
Hot/cold wallets, smart contracts, custody, KYC/AML pipelines, market-making API hardening.
08
vCISO
Quarterly board pack, monthly risk register, weekly Slack-channel access, audit ownership.
09
Phishing Simulation
India-context payloads (UPI, payroll, WhatsApp, Aadhaar), regional-language pretexts, JIT training.
10
Incident Response
24×7 retainer, sub-15-minute MTTR target, court-admissible forensic imaging, CERT-In reporting.
11
DPDP Compliance
Notice & consent, data principal rights, consent manager integration, DPIA, SDF audit programs.
12
SEBI CSCRF / MSOC
Stock brokers, AMCs, RTAs, mutual funds, depositories — SEBI Cybersecurity & Cyber Resilience Framework.
13
UAE VASP
VARA Category I–IV license preparation, ongoing supervision response, suspicious-activity reporting.
DPDP Act 2023 · India regulator first-class

India's privacy law, operationalised.

Sprinto, Vanta and Drata don't ship DPDP as a first-class framework. We do, because every Indian SaaS handling employee, customer, or lead data becomes a Data Fiduciary the moment the Act is enforced. The platform keeps your data inventory current, surfaces consent-manager gaps, and keeps your DPIA evidence audit-ready continuously.

  • Data inventory, lawful-basis mapping, retention schedules — automated from your cloud
  • DPIA templates, Significant Data Fiduciary audit programmes, Consent Manager wiring
  • Section 33 penalty mapping · Schedule fines up to ₹250 Cr surfaced as control gaps
See DPDP automation
Digital Personal Data Protection Act, 2023
भारत सरकार · Government of India
Notice & consent
Data principal rights
Significant data fiduciary
Cross-border transfer
Breach notification
DPIA & audits
SEBI CSCRF · Capital markets first-class

SEBI's framework, continuously evidenced.

Stock brokers, AMCs, RTAs, mutual funds, depositories — all squarely inside SEBI's Cybersecurity & Cyber Resilience Framework. The platform tracks evidence across the quarterly cadence so you arrive at audit windows with controls already operating, not scrambling to reconstruct.

  • NIST CSF 2.0 mapping native · CERT-In Direction overlay built-in
  • Quarterly VAPT cadence, half-yearly audit, annual cyber-resilience drill — all evidence-tracked
  • Built for Market Infrastructure Institutions, Qualified REs, and SEBI-registered intermediaries
See SEBI CSCRF coverage
SEBI CSCRF
Cybersecurity & Cyber Resilience Framework
01
Identify
02
Protect
03
Detect
04
Respond
05
Recover
06
Govern
Audit readiness · 82%
CERT-In Direction 20(3)/2022 · Six-hour reporting

When the breach is happening, minutes matter.

The six-hour CERT-In reporting window is the hardest deadline in Indian compliance. The platform pre-stages the report templates, the regulator coordinator contacts, and the evidence-preservation workflow — and integrates with the CERT-In empanelled IR firms in our partner network for the 24×7 response itself.

  • Pre-staged reporting templates · CERT-In, RBI, SEBI, IRDAI sectoral coordinators
  • Incident classification, evidence preservation, regulator notification workflow
  • Partner network of CERT-In empanelled IR firms · 24×7 retainer integrations
See CERT-In automation
Detect · 00:04
Contain · 00:18
Eradicate · 01:42
Recover · 04:20
Lessons
<15 min MTTR target
24×7 retainer
SOC 2 · Type I & Type II

SOC 2 in twelve weeks. Stay audit-ready forever.

The platform automates evidence collection across cloud, identity, code, and ticketing systems. Your CPA firm pulls evidence directly through the auditor portal — no email chains, no spreadsheet back-and-forth, no last-minute remediation crunch.

  • All five Trust Service Criteria — Security, Availability, Confidentiality, Processing Integrity, Privacy
  • Continuous evidence collection — drift detected before the audit window closes
  • Auditor portal · your CPA firm pulls evidence directly · no email chains
See SOC 2 automation
SOC 2 Type II · Active
REPORT NO.
SOC2-IN-2026-0418
Service Organization Control 2 — Type II
Security
Availability
Confidentiality
Processing Integrity
Privacy
128 controls tested · 0 exceptions
ISO 27001:2022 · ANSI accredited certification

ISO 27001:2022, continuously certified.

The 2022 revision added 11 new controls and reorganised Annex A into four domains. The platform maps every control to your existing systems, tracks operating effectiveness, and keeps the surveillance-audit clock running so your certification body finds an evidenced posture, not a pre-audit panic.

  • 93 Annex A controls auto-mapped from cloud, identity, ticketing, and HR systems
  • Internal audit, management review, and corrective action workflows tracked
  • Surveillance audit cadence — every 12 months, evidence pre-staged
See ISO 27001 automation
Vulnerability management · partner-network led

VAPT through our partner network — evidence in your platform.

We are not a VAPT vendor; we are the platform that schedules, evidences, and audit-trails VAPT across our partner network of CERT-In empanelled firms. Findings flow into the platform, get auto-mapped to the controls they evidence, and stay in your continuous-monitoring loop.

  • Schedule and evidence VAPT through CERT-In empanelled partners in the network
  • Findings auto-mapped to SOC 2 / ISO / DPDP / SEBI control evidence
  • Re-test cycles tracked until findings close · audit-ready output
See VAPT integration
scan@api4soc2 ~ recon
$ isec scan --target prod.acme.in
↳ enumerating · 247 hosts · 6 perimeters
CRIT CVE-2024-3094 · openssh-9.2 · 2 hosts
HIGH exposed .git directory · web-03
MED tls-1.0 supported · gateway-01
LOW server banner disclosure · 14 hosts
OK 1,438 controls passed
───────────────────────────────────
generating evidence pack
Application & API security · OWASP-mapped

Application-layer findings, compliance-mapped.

OWASP ASVS and API Top 10 findings auto-map to the SOC 2 CC7 controls, ISO 27001 A.8.29 evidence, and DPDP Section 8 reasonable security safeguards. One finding, four frameworks evidenced.

  • OWASP ASVS L1–L3, OWASP API Top 10, GraphQL-specific test plans
  • Findings imported from Burp / OWASP ZAP / Nuclei / your existing scanners
  • Severity, CVSS, and remediation owner tracked through to closure
See app-security mapping
app.client.com/checkout
A01
Broken Access Control
A02
Cryptographic Failures
A03
Injection
A04
Insecure Design
A05
Security Misconfig
A06
Vulnerable Components
A07
Auth Failures
A08
Data Integrity
A09
Logging Failures
A10
SSRF
Mobile app security · MASVS L1 / L2

iOS and Android, tracked end-to-end.

MASVS L1 / L2 controls mapped to your binary, runtime, API gateway, and backend services. Findings from your partner-network mobile testing flow into the same evidence loop as web and API findings.

  • MASVS L1 & L2, MASTG techniques, OWASP Mobile Top 10 control coverage
  • iOS and Android · static + dynamic findings tracked through closure
  • Backend & API surface tracked alongside the binary
See MASVS coverage
iOS
acme-pay.ipa
v3.4.1 · 84 MB
SSL pinning
Jailbreak detection
Insecure storage · 2
Reverse engineering · 1
API auth · OAuth2
MASVS · 72/100
Crypto exchange · FIU-IND + VARA

Wallet to API to smart contract — every layer in the trade.

Indian crypto exchanges face FIU-IND registration plus VARA expansion plus SEC posture all at once. The platform tracks evidence across hot/cold wallet flows, custody segregation, smart contract review, withdrawal logic, and KYC/AML pipelines — one place, all regulators.

  • Smart contract review · on-chain forensics · address risk scoring
  • Hot/warm/cold wallet flows · custody segregation · withdrawal logic
  • FIU-IND registration evidence · UAE VARA license-prep workflow
See crypto coverage
BTC / INR
live
Wallet Audit · Live
HOT WALLET
94 audited
SMART CONTRACTS
12 verified
API ENDPOINTS
38 hardened
Cloud security · AWS / Azure / GCP

AWS, Azure, GCP — posture, not just config.

Cloud benchmark drift surfaces as compliance evidence gaps, not as a separate alert stream. One IAM misconfiguration triggers SOC 2 CC6, ISO 27001 A.5.15, and DPDP Section 8 evidence regeneration in the same workflow.

  • CIS AWS / Azure / GCP benchmarks · NIST 800-53 mappings · ISO 27017
  • IAM graph analysis · privilege escalation paths · key rotation hygiene
  • Configuration drift surfaced as control gaps — not as a separate dashboard
See cloud automation
AWS · A · 14 regions · 318 controls
Azure · A− · 9 regions · 212 controls
GCP · B+ · 7 regions · 186 controls
CIS · NIST · ISO 27017 · CSA STAR
vCISO partner network · advisory layer

The strategic security office, through partners.

The platform handles continuous evidence; the strategic layer comes from our vCISO partner network. Board pack every quarter. Risk register every month. Vendor questionnaire responses generated from the platform's evidence base — not retyped from spreadsheets.

  • Quarterly board reporting · risk register · roadmap maintenance
  • vCISO partners pulled from our network · Series-A to Series-D experience
  • Vendor and acquirer security questionnaire response built into the platform
See vCISO partner network
Strategic CISO Office
On retainer · weekly cadence
ACTIVE
Q1
Risk register · Board pack
Q2
ISO 27001 readiness
Q3
SOC 2 Type II audit
Q4
DPDP rollout · DPIA
14 policies
3 audits/yr
24×7 advisory
Phishing simulation · India-context payloads

Train your people on the attacks your people will see.

India-context payloads — UPI, payroll, WhatsApp pretexts, Aadhaar phishing — not generic Microsoft-365 templates. Quarterly campaigns produce SOC 2 CC1 (control environment) and ISO 27001 A.6.3 (security awareness) evidence directly, no manual transcription.

  • Localised payloads in English, Hindi, and major regional languages
  • Click-rate, credential-submit and report-rate trended over time
  • Just-in-time micro-training delivered on click — fed into SOC 2 CC1 evidence
See phishing module
Action required: Verify your salary credit
Dear Employee, please verify your bank details before 6 PM today to avoid delay in salary credit…
412 delivered · 37 clicked · 9 credentials
Delta vs. last quarter: −68%
UAE VASP · VARA license preparation

Cross-border VARA, run from Bengaluru.

For Indian exchanges, custodians and broker-dealers operating into the UAE under VARA. License preparation, ongoing supervision response, suspicious-activity reporting, and the technology controls VARA actually inspects — all tracked alongside your India-regulator evidence.

  • VARA license categories I–IV · readiness and submission workflow
  • Custody, exchange, broker-dealer and advisory playbooks · evidence-tracked
  • Operationally delivered from India · all evidence resident in Bharat
See VARA workflow
IN UAE
REGULATOR
VARA · Dubai
LICENSE TYPE
VASP Category II
STATUS
Advisory engaged
Why API4SOC2

India's compliance platform, built India-first.

We started this platform because Indian SaaS founders kept paying first-world rates for second-world tooling — and shipping their evidence to S3 buckets they couldn't legally inspect. We built API4SOC2 to keep evidence resident in Bharat, treat DPDP / SEBI / RBI / CERT-In as first-class frameworks, and price in rupees.

  • India regulators as first-class frameworks — not a "custom framework" upsell
  • Bharat-resident evidence · zero offshore data flows · zero FX surprise
  • Auditor portal designed for Indian CPA firms · CERT-In empanelled IR partner network
  • Priced in INR · transparent tiers · no dollar pass-through
Talk to an auditor
DPDP · India regulators as first-class frameworks
10+ frameworks · one unified control set
SEBI · CSCRF mapped end-to-end
RBI · Master Directions baked in
INR · priced in rupees · zero FX surprise
100% Bharat-resident evidence · zero offshore data flows
How the platform delivers

One platform. Every framework. Continuous evidence.

Every framework, regardless of regulator, follows the same four-step rhythm. You always know which step you're in, what evidence is being collected this week, and which controls have drifted out of compliance.

  • Day 0 · Connect cloud, identity, ticketing, and HR systems · auto-evidence begins
  • Days 1–14 · Framework controls map to your environment · gaps surfaced
  • Days 15–60 · Remediation tracked · continuous evidence accumulates
  • Day 61+ · Auditor portal opens · CPA firm pulls evidence directly
Talk to an auditor
01
Scope
Discovery, asset map, threat model
02
Assess
Tests, control walkthrough, evidence
03
Remediate
Findings, fixes, retest
04
Certify
Report, attestation, board pack

"They closed our SOC 2 Type II in eleven weeks — including a control-gap remediation that two larger firms had quoted six months for. The audit pack was delivered in Bengaluru, reviewed by a partner who actually answered Slack on weekends, and didn't once ask us to export logs to a US S3 bucket."

Pranav Iyer, Co-founder & CTO · Series-B fintech, Bengaluru
Common questions

Things teams ask before signing.

Compliance procurement is fraught. Here's what most CISOs, CFOs and founders need to know in the first call. If your question isn't here, write to the partners directly.

Same frameworks, same rigour, fundamentally different economics. Our CERT-In empanelment is in process. Engagements are led by partners (not staffed to graduate consultants), priced in INR, and every artifact stays inside India.
For audit-ready teams, yes. We run readiness, evidence collection, control walkthroughs and the observation window in parallel where the framework allows. For greenfield engagements expect 6–9 months — we publish the timeline before we sign.
AWS Mumbai (ap-south-1) and on-prem Bengaluru. Nothing is replicated outside Indian jurisdiction. We sign a data-residency clause into every MSA. Clients with stricter requirements get a dedicated VPC.
No. Around a third of our clients are India-incorporated subsidiaries of US/EU parents. We also handle UAE VASP and cross-border DPDP advisory. Every engagement is delivered from India.
Weekly partner sync, asynchronous Slack channel, Jira-tracked findings, and a single shared dashboard with control status. Board pack is generated automatically every quarter — you don’t have to ask for it.
Design-partner cohort · first 10 free for 6 months

Be one of the first ten Indian SaaS, BFSI, or fintech teams on the platform.

India regulators as first-class frameworks. Bharat-resident evidence. Pricing locked in INR for the first 12 months. We are onboarding ten design partners through Q2–Q3 2026 ahead of general availability.

You will be contacted by a founder within two business days. We do not run sales sequences.

Bengaluru HQ · L149 Sector 6, HSR Layout