DPDP Rules: soft enforcement ends in soon on November 13, 2026. Start by August →
Field notes from the corridor.
Deep tactical writing for US SaaS, fintech and healthtech founders, operators and security leaders dealing with India GCC compliance, vendor security reviews and the structural gaps in compliance automation.
Every entry carries a serial, a classification and a date. Indexed the way your evidence should be.
Triage
Where are you right now?
Skip the browsing. Three situations, three prescribed reading paths, in order.
A deal is stuck in security review.
Read before your next procurement call.
Your first audit lands inside six months.
The structural decisions come first.
Counsel just flagged the DPDP deadline.
From statute to control set, in order.
The guides · pinned
The references, kept current.
The Compliance Automation Gap: What Automation Platforms Don't Cover
Compliance platforms automate 60–70% of a SOC 2 program. The remaining 30–40%, vulnerability remediation, evidence chain-of-custody, India-specific controls, questionnaire context, is where deals stall. A field guide to the gap and how to close it.
G-02 GUIDEDPDPA Meets SOC 2: The Cross-Mapping Playbook for US SaaS With India Operations
How to map India's DPDP Act 2023 and DPDP Rules 2025 to SOC 2 Trust Services Criteria, notice, consent, Significant Data Fiduciary obligations, cross-border transfers and the unified control set that satisfies both.
G-03 GUIDEThe GCC Compliance Encyclopedia: Operational Compliance for India Global Capability Centers
The complete operational compliance reference for India Global Capability Centers, SOC 2, DPDPA, IT Act, labor law, statutory filings, the 2,000-Filing Churn, Multi-Entity Workspaces and the operating model for mid-market GCCs.
G-04 GUIDEThe Complete Guide to SOC 2 for US SaaS Companies With India Teams
How US SaaS companies with India-based engineering or GCC teams should structure a SOC 2 audit, legal entity scoping, subservice carve-outs, BYOD offshore contractors and the controls auditors actually test.
G-05 GUIDEThe Stalled Enterprise Deal Playbook: How to Unblock Security Reviews in 14 Days
Your enterprise deal is stuck in security review. The 14-day diagnostic-to-unblock sequence: pinpoint the actual blocker, generate the missing artifacts, restart procurement momentum. For US SaaS with India GCC operations.
The register
Every entry, one index.
Chain-of-Custody Evidence for SOC 2: The Audit-Defensible Pattern
The structured evidence pattern that satisfies modern SOC 2 auditors: who ran the check, when, from what system, with what input, producing what output, retained where, accessible to whom. H-04 HOW-TOWhy Auditors Are Rejecting Screenshot Evidence in 2026
Screenshot evidence is increasingly being rejected by SOC 2 auditors. What's changed, what auditors now expect and how to build chain-of-custody evidence. H-03 HOW-TOVulnerability Remediation with Tenable + Jira + Vanta: A Connected Workflow
Step-by-step architecture for connecting vulnerability scanning (Tenable, Snyk, AWS Inspector) to engineering tickets (Jira, Linear) to compliance evidence (Vanta, Drata). H-02 HOW-TOSLA Tracking for SOC 2 Vulnerability Closure: The 7/30/90 Day Standard
The industry-standard 7/30/90 day SLA model for vulnerability remediation. Implementation, exception handling and audit-defensible evidence. H-01 HOW-TOBuilding a Vulnerability Remediation Workflow Compliance Platforms Don't Own
Compliance automation platforms detect vulnerabilities. They don't track them to closure. The workflow architecture that connects scan results to engineering accountability and audit-defensible evidence. V-10 GLOSSARYWhat Is a Multi-Entity Workspace? The US-HQ + Offshore Compliance Pattern
Multi-Entity Workspace features in Vanta, Drata and Sprinto became standard in 2025–2026 specifically to serve US-HQ + India-GCC structures. Definition and implementation. V-09 GLOSSARYWhat Is Identity Sprawl? The Hidden Reason Your Security Reviews Fail
Identity Sprawl, the chaotic web of API tokens, service accounts and third-party SaaS integrations with persistent data access. Why it's a major enterprise deal blocker. V-08 GLOSSARYWhat Is the 2,000-Filing Churn? India GCC Operational Scaling Explained
The administrative burden of scaling an India GCC across multiple states and statutory regimes. Where the 2,000 figure comes from, what's included and how operating models manage it. V-07 GLOSSARYWhat Is the Compliance Automation Gap? Where Automation Stops
The Compliance Automation Gap, the work compliance automation platforms don't do. Definition, scope and the operating layer that closes it. V-06 GLOSSARYWhat Is 'Assess Once, Map to Many'? The Framework-Fatigue Solution
Assess Once, Map to Many, the unified gap-assessment approach that maps single technical controls to multiple regulatory requirements simultaneously. V-05 GLOSSARYWhat Is ITDR (Identity Threat Detection and Response)? Why It's Now Table Stakes
ITDR, Identity Threat Detection and Response, monitors identity behavior after authentication. The new layer of security architecture enterprise buyers now expect. V-04 GLOSSARYWhat Is Shadow AI in SaaS Security? The Non-Human Identity Problem
Shadow AI, employees connecting unvetted AI tools to corporate SaaS via OAuth, emerged as the primary 2026 SaaS threat vector. Definition, detection, governance. V-03 GLOSSARYWhat Is the SARAL Approach to Privacy Notices? (The November 2025 Mandate)
SARAL, Simple, Accessible, Rational, Actionable, is the government's framework for privacy notices under DPDP Rules 2025. How it changes notice design and consent flows. V-02 GLOSSARYWhat Is a Significant Data Fiduciary Under India's DPDP Rules?
Significant Data Fiduciary (SDF) is India's elevated designation under the DPDP Act. The criteria, the obligations and what US SaaS companies should expect. V-01 GLOSSARYWhat Are Nano GCCs? The 2026 Mid-Market Shift Explained
Nano GCCs, small, domain-focused India Global Capability Centers in Tier 2/3 cities, emerged as a defining trend of 2025–2026. The terminology, the model and the compliance implications. X-10 COMPARISONAI-Agent Questionnaire Automation vs. Human Review: When Each Wins
AI-driven questionnaire automation (Vanta AI, Drata AI, ResponseHub) is genuinely useful. Where it accelerates the work, where it introduces risk and the human-in-the-loop pattern that makes it audit-defensible. X-09 COMPARISONVanta vs. Drata Multi-Entity Workspaces: Which Works Better for India GCC Setups
The Multi-Entity Workspace feature is critical for US-HQ + India-GCC structures. How Vanta, Drata, and Sprinto handle entity separation, evidence rollups and audit reporting. X-08 COMPARISONBig 4 Compliance Consulting vs. a Specialist Practice: A Decision Framework
KPMG, EY, Deloitte, PwC vs. specialist solo operators. The real comparison on cost, depth, accountability and outcomes for mid-market SaaS compliance work. X-07 COMPARISONIn-House Compliance Hire vs. Fractional Specialist: The Real Cost at Series A
Should your Series A SaaS hire a compliance lead in-house or work with a fractional specialist? The full economic comparison, including the hidden costs founders miss. X-06 COMPARISONSOC 2 vs. ISO 27001 vs. DPDPA: A Mapping Guide for Cross-Border Operations
Three frameworks, partial overlap, different audiences. When you need which, how they map to each other and how to design one control set that satisfies all three. X-05 COMPARISONFractional CISO vs. Compliance Operations Lead: Which Role Do You Actually Need?
Two emerging roles that get confused. What each actually does, when you need which and the cost-effectiveness trade-offs for mid-market SaaS. X-04 COMPARISONVanta vs. Drata vs. Sprinto: An Honest 2026 Comparison for US SaaS With India Teams
A direct comparison of the three platforms for US SaaS with India operations, framework coverage, India-specific support, AI features, multi-entity, pricing and the decision factors that matter. X-03 COMPARISONAttriEdge vs. Sprinto: India-Specific Considerations
Sprinto is the strongest India-context platform. Where its automation handles India-specific work well, where operational gaps remain and how AttriEdge complements it. X-02 COMPARISONAttriEdge vs. Drata: The Offshore Implementation Gap
Drata is strong on framework breadth and AI-driven automation. Where the implementation gap appears for US SaaS with India operations, and how AttriEdge complements rather than competes. X-01 COMPARISONAttriEdge vs. Vanta: When You Need a Human Layer
How AttriEdge's compliance operations service compares to Vanta's automation platform, when to use Vanta alone, when to combine and when each makes sense. F-15 FIXWhy a 100% Vanta Dashboard Doesn't Equal a Closed Deal
A 100% Vanta dashboard score does not guarantee you'll pass audit or close enterprise deals. The gaps a green dashboard doesn't capture, and how to close them. F-14 FIXShadow AI and Non-Human Identities: The New Questionnaire Section Stalling Deals
Employees connecting unvetted AI tools to corporate systems via OAuth. The procurement question of 2026, what an OAuth audit reveals and how to actually govern it. F-13 FIXIdentity Sprawl in 2026: Why Buyers Are Auditing Your API Tokens and Service Accounts
Non-human identities, API tokens, service accounts, AI agents, are the new vendor-risk frontier. The questions enterprise buyers are asking in 2026 and how to answer them. F-12 FIXThe Reverse Questionnaire Strategy: A Trust Center That Deflects SIG Spreadsheets
Stop filling out 400-question SIG spreadsheets. The trust center architecture that gets enterprise procurement to waive their custom questionnaire entirely. F-11 FIXShould You Skip SOC 2? A Decision Framework for Pre-Enterprise Startups
Not every startup needs SOC 2. The honest framework for when to invest, when to defer and when to skip entirely, for founders tired of being told they 'should' have it. F-10 FIXHow Manual Are SOC 2 Access Reviews Really? An Honest Look in 2026
The dirty secret of compliance automation: access reviews remain stubbornly manual. What automation actually delivers, what doesn't and how to make the quarterly work bearable. F-09 FIXSOC 2 With Overseas Development Teams: Three Ways to Structure the Audit
Inclusive scope, carve-out subservice, or separate-entity audit, the three structural choices for SOC 2 with overseas dev teams, when each works and the buyer-acceptance reality of each. F-08 FIXWhy Your AI Section in Security Questionnaires Keeps Stalling Deals
The AI/ML section is the new questionnaire bottleneck. The framework references, vendor documentation and control narratives that satisfy enterprise security teams and stop the 3-week delays. F-07 FIXThe Three-Week Procurement Stall: A Playbook for Founders Already in It
Your deal has been 'in security review' for three weeks with no clear blocker. Specific tactical moves to diagnose, escalate and unblock it in the next seven days. F-06 FIXLost a $2M Deal Because We Couldn't Get SOC 2 Fast Enough: A Reverse-Engineered Analysis
A $2M deal died because SOC 2 wasn't ready. The timeline, the decisions that should have been different and the lessons for founders chasing large logos with offshore teams. F-01 FIXAre Security Questionnaires Still Killing Your Deals? Six Patterns That Save 30 Hours Per Buyer
Enterprise security questionnaires can consume 30+ hours per buyer. Six patterns that cut response time, deflect duplicate questions and turn questionnaires from a deal-blocker into a deal-accelerator. F-02 FIXHow to Pass a SOC 2 Audit With an Unmanaged Offshore Engineering Team (BYOD)
Your offshore engineers use personal laptops, no MDM, no company hardware. Can you still pass SOC 2? Yes, the compensating controls auditors accept, the technical architecture and the policies you need. F-03 FIX"Our Compliance Platform Wanted $12K/year and Assumed We Had a Security Team": A Six-Person Startup's Alternative
Compliance automation platforms are priced for companies with dedicated security teams. For 5–15 person startups, the platform sometimes costs more than it saves. Here's the alternative architecture that works. F-04 FIXWhy SOC 2 Is Weirdly Painful for Indian SaaS Selling to US Enterprise
The specific structural issues that make SOC 2 harder for Indian SaaS than US-headquartered SaaS, entity structure, auditor licensing, US CPA partnerships and the workarounds that actually work. F-05 FIX"We Lost a $40K Deal Because We Didn't Have SOC 2": A Founder's Recovery Playbook
If a deal just died because you don't have SOC 2, here's what to do this week. The 30-day pivot that turns a lost deal into the next three closed deals.No entries in this classification yet.
The GCC Compliance Brief
One India compliance problem a week. The principle behind it and what I'd do on Monday. Four minutes, Friday morning.
Stop reading about stalled deals. Unstick yours.
Start with the $999 diagnostic. A live call plus a 48-hour Evidence Index Blueprint mapping your top 10 gaps and a 30/60/90 day plan.
Book your diagnostic →Month to month after. Cancel anytime. No termination fees.