OPERATING LAYER live operator H. ATTRI status accepting engagements IST --:--:-- DPDP 154d

DPDP Rules: soft enforcement ends in 154 days on November 13, 2026. Start by August →

Compliance operations as a service.

You don't need another consultant who hands you a report and disappears. You need someone who runs the operating layer every week, so your enterprise deals close instead of stalling.

I do exactly one job: I run the India GCC compliance operations layer for US SaaS, fintech and healthtech companies. If your buyers are US enterprises and your engineering team is in India, this was built for your exact situation.

The operating layer

Three pillars no platform is accountable for.

Each pillar is a structural gap the leading compliance automation platforms do not close. Active Retainer clients get all three. Foundational clients get evidence-cycle support across all three with optional add-ons.

PANEL 01 Operating layer / three pillarsselect a pillar
live3 pillars monitored

The deadline layer nobody owns.

India's Digital Personal Data Protection Act has no clean overlap with SOC 2, HIPAA or GDPR, and the cross-mapping work is judgment-heavy and platform-untouchable. I map it against the frameworks your buyers actually ask about and build the consent, notice and breach workflows around the statutory clocks.

Soft enforcement ends November 13, 2026. A proper program takes 8 to 16 weeks, which is why the work starts now.

Your platform does

Stores policies. Flags framework controls.

I own and answer for

The statutory mapping no platform reads. The India layer. The deadline.

this is the layer buyers' counsel asks about first.
Map DPDPA to SOC 2, HIPAA, GDPR Flow US-to-India data-flow diagrams In IT Act, labor law, statutory registers SDF Significant Data Fiduciary thresholds Clock 72h DPB / 6h CERT-In runbooks

Dashboards are not evidence.

Auditors in 2026 are increasingly rejecting screenshot evidence because it lacks timestamps, owner attribution and immutability. I close that gap with audit-defensible artifact chains. Your platform's agents collect the signal; I verify it, own it and answer for it when a buyer's security team pushes back.

The agent does

Captures a screenshot. Pulls an API response at a point in time.

I own and answer for

Who ran it, when, from what system, retained where, defensible to whom.

this is the part an auditor actually samples.
Audit every evidence type for timestamp and owner Replace screenshots with logged artifacts Cadence monthly, quarterly, annual re-collection Binder verifiable trails: what, by whom, when

Platforms scan. They do not close.

Compliance platforms ingest vulnerability scanner data. They do not own remediation. I do. The platform's AI agents flag and suggest; I run the finding through closure within an SLA and verify the fix actually landed.

The agent does

Ingests the scan. Flags the finding. Suggests a fix.

I own and answer for

Assignment, the SLA clock, re-scan verification, the closed loop.

"the agent suggested it" is not closure.
SLA critical 7d, high 30d, medium 90d Ticket owner-tagged in your Jira or Linear Close re-scan verified, not assumed Report monthly, audit-defensible

How it runs

I run the layer every week.

Not a report you file and forget. Here is a single vulnerability moving through one operating week, from scanner alert to sealed evidence. The other two pillars run on the same cadence.

PANEL 02 Remediation feed / this weekauto-replays on view
One finding, one weekscanner → sealed evidence

+ REACTIVE LANE incident response, buyer security-review escalations and audit-exception remediation run across the same week, out of band.

Showing: a vulnerability finding

What lands on the India entity

The statutory deliverables, per client.

The DPDPA and US-framework mapping is the judgment-heavy work that runs parallel to your US attestations. This is what you hold at the end of it.

Mapping and flows
  • DPDPA principles mapped against SOC 2 Privacy, HIPAA Privacy and Security, and GDPR articles
  • Data-flow diagrams covering US-to-India boundaries
The India layer
  • India statutory checklist: IT Act, labor law and statutory registers
  • Significant Data Fiduciary thresholds assessment
  • DPIA templates and walkthroughs

Honest boundaries

What I don't do.

A specialist is only valuable if they stay a specialist. These are the jobs I hand to trusted partners rather than learning on your time.

×Generic GCC setup, staffing, recruiting or payroll
×Pure compliance theory or audit work, I refer to auditor partners
×Penetration testing, red team or technical security implementation
×Legal advice or named-officer roles such as Privacy Officer or HIPAA Officer
×HR or labor-law consulting
×Cross-border tax structuring

If you need any of these, ask anyway. I will introduce you to a partner I would trust with my own clients. Or start with the diagnostic →

Engagement tiers

One gateway. A published path.

Every engagement starts the same way, with the diagnostic. Where it goes from there depends on what you actually need.

Which tier fits
Is an enterprise deal in security review right now?
Is your first audit inside the next six months?

Answer both and I will point you at the likely fit. The diagnostic confirms it.

Month to month. Cancel anytime. No termination fees.

See full pricing and what each tier includes →

Not sure you need a retainer at all?

Start with the diagnostic. I will tell you honestly whether this needs an operating layer or your team can carry it from the blueprint alone.

Book your $999 diagnostic →