DPDP Act, CERT-In 6-Hour, RBI Cyber — How Compass Auto-Maps Findings
Every CISO in India has lived through the same scramble. An auditor asks for evidence of security control X for framework Y on date Z. The finding that proves the control was working lives in a pentest report from two months ago. The remediation ticket that closed it is in Jira. The screenshot of the fix is in someone’s Slack DMs. The approval chain is buried in a threaded email. The auditor wants all of it, cross-referenced and timestamped, by end of week.
Compliance today is still mostly a PDF problem. Findings live in one tool, regulatory clauses live in another, evidence is scattered across whatever channels the team happened to use when the work got done. Compass exists to close that gap — to take findings produced by Sentinel, Recon, or any other source you plug in, and automatically map them to the clauses that apply, with evidence attached, so the scramble stops being a scramble.
The compliance problem, mapped honestly
Indian regulated institutions carry a stack of obligations that European peers mostly don’t. The Digital Personal Data Protection Act, 2023. The RBI Cyber Security Framework for Banks (2016) and its updates. SEBI’s Cybersecurity and Cyber Resilience Framework. CERT-In’s 6-hour incident reporting window. IRDAI and PFRDA guidance for insurance and pensions. On top of that, the global frameworks — ISO 27001, SOC 2, PCI DSS v4, HIPAA, GDPR — that customers and partners demand.
No two frameworks speak exactly the same language. DPDP §8 and SOC 2 Common Criteria 6.1 are both about security safeguards, but the way they’re written, the evidence they accept, and the granularity they require are different. A finding that matters for one might be framed in a way that doesn’t obviously fit the other.
GRC teams spend enormous amounts of time doing this mapping by hand. It’s both high-stakes and repetitive, which is the shape of problem AI should handle well — provided it’s grounded in the actual text of the frameworks and doesn’t hallucinate clause numbers.
What Compass does with a finding
When a finding arrives — from Sentinel, from Recon, or from any upstream tool pushing through our API — Compass does three things automatically. It parses the finding for the security properties it touches (confidentiality, integrity, availability, access control, logging, data handling, and so on). It classifies the data involved, including whether personal data under DPDP is in scope. And it runs that against the clause index we maintain for every framework the platform supports.
The clause index isn’t a handwritten lookup table. It’s a structured corpus of the actual regulatory text, parsed into claim-level chunks, each tagged with the control family it addresses. When a finding comes in, the mapping is a retrieval against that corpus, filtered by the frameworks the client subscribes to. A human GRC lead can override any mapping; overrides feed back into the mapping model so similar findings don’t need re-correction.
Compass natively maps DPDP, RBI Cyber 2016, SEBI CSCRF, CERT-In 6-hour reporting, ISO 27001, SOC 2, PCI DSS v4, HIPAA, GDPR, IRDAI, and PFRDA. India-first, global layered on top.
Walking through one finding
Consider a concrete example. Recon raises a finding: an S3 bucket belonging to a subsidiary is world-readable and contains files with customer KYC data — full names, Aadhaar references, and addresses.
Compass ingests that finding. Data classification: personal data under DPDP (identifiers), potentially sensitive personal data depending on Aadhaar handling. Security property: confidentiality failure, access-control misconfiguration.
Mapping, partial list:
- DPDP §8(5) — obligation to implement reasonable security safeguards to prevent personal data breach. A world-readable bucket holding identifiers is a direct safeguard failure.
- DPDP §8(6) — obligation to notify the Data Protection Board and affected principals in case of personal data breach. If exposure is confirmed as a breach, this clock starts.
- SOC 2 CC6.1 — logical access controls. The finding evidences a failure of the access-control element of the Common Criteria.
- ISO 27001 A.8.3 — information access restriction. Same control family, different framework, different clause number.
- CERT-In 6-hour window — if the exposure is confirmed and falls within the scope of reportable incidents under the April 2022 directions, the finding triggers the 6-hour clock for reporting to CERT-In.
The finding lands in the Compass dashboard with those mappings pre-attached, severity calibrated, and the PII categories flagged. The GRC lead doesn’t start from a blank page. They start from a finding that’s already been framed in the language each framework expects.
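The retrieval step described earlier (finding properties matched against a clause index tagged by control family, filtered by the frameworks a client subscribes to, with human overrides fed back) can be sketched in a few dozen lines. The following is an added example, not Compass code: the clause index, its control-family tags, the signature-based override store and the sample finding are constructed here. The clause references and one-line summaries are the ones quoted in the walkthrough above; ISO 27001 A.8.15 (Logging) is included only as a clause that should not match this finding.

```python
"""Clause mapping as retrieval against a tagged clause index.

Added example, not Compass code. The index, tags, finding and override
mechanism are constructed for illustration; clause references come from
the walkthrough in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    framework: str
    ref: str
    summary: str
    families: frozenset               # control families the clause addresses
    personal_data_only: bool = False  # applies only when personal data is in scope


# Constructed clause index: claim-level chunks tagged by control family.
CLAUSE_INDEX = (
    Clause("DPDP", "§8(5)", "reasonable security safeguards to prevent personal data breach",
           frozenset({"confidentiality", "access-control"}), personal_data_only=True),
    Clause("DPDP", "§8(6)", "notify the Data Protection Board and affected principals of a breach",
           frozenset({"breach-notification"}), personal_data_only=True),
    Clause("SOC 2", "CC6.1", "logical access controls", frozenset({"access-control"})),
    Clause("ISO 27001", "A.8.3", "information access restriction", frozenset({"access-control"})),
    Clause("ISO 27001", "A.8.15", "logging", frozenset({"logging"})),   # should not match below
    Clause("CERT-In", "6-hour", "report a reportable incident to CERT-In within 6 hours",
           frozenset({"breach-notification"})),
)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    properties: frozenset           # security properties the parser extracted
    personal_data: bool             # DPDP classification: personal data in scope?
    breach_confirmed: bool = False  # exposure confirmed as an actual breach?

    def signature(self):
        """Key under which a human override generalises to similar findings."""
        return (self.properties, self.personal_data, self.breach_confirmed)


def map_finding(finding, subscribed, overrides=None):
    """Return sorted (framework, ref) pairs the finding maps to.

    overrides: {signature: {"add": {(fw, ref), ...}, "drop": {(fw, ref), ...}}}
    recorded by a GRC lead on an earlier finding with the same signature.
    """
    families = set(finding.properties)
    if finding.breach_confirmed:
        families.add("breach-notification")   # notification clocks start
    hits = set()
    for clause in CLAUSE_INDEX:
        if clause.framework not in subscribed:
            continue                           # client does not subscribe to it
        if clause.personal_data_only and not finding.personal_data:
            continue                           # DPDP clauses need personal data in scope
        if clause.families & families:
            hits.add((clause.framework, clause.ref))
    rule = (overrides or {}).get(finding.signature(), {})
    hits |= rule.get("add", set())
    hits -= rule.get("drop", set())
    return sorted(hits)


def record_override(overrides, finding, add=(), drop=()):
    """Feed a GRC lead's correction back so like findings inherit it."""
    rule = overrides.setdefault(finding.signature(), {"add": set(), "drop": set()})
    rule["add"].update(add)
    rule["drop"].update(drop)
    return overrides


# Constructed finding: the world-readable KYC bucket from the walkthrough.
S3_KYC = Finding("REC-1", frozenset({"confidentiality", "access-control"}), personal_data=True)
SUBSCRIBED = {"DPDP", "SOC 2", "ISO 27001", "CERT-In"}

if __name__ == "__main__":
    print(map_finding(S3_KYC, SUBSCRIBED))
    confirmed = Finding("REC-1", S3_KYC.properties, True, breach_confirmed=True)
    print(map_finding(confirmed, SUBSCRIBED))
```

Keying overrides on the finding's property signature rather than its id is what makes a single correction carry over to the next finding of the same shape; a real index would retrieve by text similarity rather than exact tag intersection, but the filtering and feedback steps stay the same.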
The evidence locker
A mapping is only as useful as the evidence attached to it. “This finding maps to DPDP §8(5)” helps you know what to write in the next audit pack; it doesn’t help you prove the control is working now or was working at a specific prior date.
Compass stores evidence in a locker attached to each finding. Every artefact — the original scan output, the reproduction recording, the remediation PR, the approval chain, the post-fix verification — is stored with a timestamp and a chain-of-custody hash computed on the artefact content plus the previous artefact’s hash. Tampering shows up as a broken chain rather than an edit nobody notices.
When an auditor asks how you know a finding was closed on the date you claim, you answer by showing the chain. Artefacts can be anything — files, ticketing URLs, screenshots, configuration snapshots, log extracts. Compass cares about the timestamp and the hash, not the format.
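The chain-of-custody construction above (each artefact's hash computed over its content plus the previous artefact's hash, so an edit breaks every later link) is a plain hash chain. The following is an added example, not Compass code: the artefacts and timestamps are constructed, and hashing a canonical JSON list of the link fields with SHA-256 is an assumption about one reasonable way to build the chain the text describes. The verifier recomputes everything from stored content, so both an edited artefact and a backdated link are reported with the index where the chain first breaks.

```python
"""Evidence locker with a hash chain over artefacts.

Added example, not Compass code. Artefacts are constructed; the link
hash (SHA-256 over canonical JSON of index, timestamp, kind, content
hash and previous link hash) is an assumed construction.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # previous-link hash used for the first artefact


@dataclass(frozen=True)
class Link:
    index: int
    timestamp: str        # ISO 8601, UTC
    kind: str             # scan-output, remediation-pr, approval, verification, ...
    content_sha256: str   # hash of the artefact bytes
    prev_hash: str        # link_hash of the previous artefact
    link_hash: str        # hash over all of the above


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _link_hash(index, timestamp, kind, content_sha256, prev_hash) -> str:
    # Canonical JSON so the same fields always serialise identically.
    payload = json.dumps([index, timestamp, kind, content_sha256, prev_hash],
                         separators=(",", ":"))
    return _sha256(payload.encode())


class Locker:
    def __init__(self):
        self.links = []
        self.blobs = {}   # content_sha256 -> bytes (content-addressed store)

    def add(self, kind: str, content: bytes, timestamp: Optional[str] = None) -> Link:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.links[-1].link_hash if self.links else GENESIS
        csum = _sha256(content)
        idx = len(self.links)
        link = Link(idx, ts, kind, csum, prev, _link_hash(idx, ts, kind, csum, prev))
        self.blobs[csum] = content
        self.links.append(link)
        return link

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash from stored content; return (ok, first_bad_index)."""
        prev = GENESIS
        for i, link in enumerate(self.links):
            blob = self.blobs.get(link.content_sha256)
            if blob is None or _sha256(blob) != link.content_sha256:
                return False, i   # artefact content edited or missing
            if link.index != i or link.prev_hash != prev:
                return False, i   # link re-ordered, or its predecessor was replaced
            if _link_hash(i, link.timestamp, link.kind, link.content_sha256, prev) != link.link_hash:
                return False, i   # link metadata (e.g. timestamp) edited
            prev = link.link_hash
        return True, None


def build_sample_locker() -> Locker:
    """Constructed sample trail for one finding; placeholders stand in for real ids."""
    lk = Locker()
    lk.add("scan-output", b'{"bucket":"<placeholder>","acl":"public-read"}', "2024-01-10T09:00:00+00:00")
    lk.add("remediation-pr", b"PR <placeholder>: block public access on bucket", "2024-01-11T14:30:00+00:00")
    lk.add("approval", b"approved by <placeholder>", "2024-01-11T15:00:00+00:00")
    lk.add("verification", b'{"bucket":"<placeholder>","acl":"private"}', "2024-01-12T08:00:00+00:00")
    return lk


if __name__ == "__main__":
    locker = build_sample_locker()
    print(locker.verify())   # chain intact
    locker.blobs[locker.links[1].content_sha256] = b"edited after the fact"
    print(locker.verify())   # breaks at the edited artefact
```

Two failure modes matter for an auditor: editing an artefact's content is caught at that artefact's index, and rewriting a link's timestamp (even with its own hash recomputed) is caught at the next link, because that link still records the old predecessor hash. Anchoring the latest link hash somewhere the locker's operator cannot rewrite (a signed log, an external timestamp) is what stops the whole chain from being regenerated; the chain alone only proves internal consistency.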
The auditor portal
External auditors need access to evidence without getting access to your full platform. That’s what the auditor portal is for.
A GRC lead scopes a portal view — which controls, which findings, which date range, which evidence. The auditor gets a read-only login that expires after the engagement. They can browse controls, drill into findings, request artefacts from the locker, and annotate their own notes, but they can’t see anything outside the scoped view or other auditors’ notes from parallel engagements.
The portal also cuts back-and-forth email. Auditors ask for the same things over and over — mapping documents, evidence for sampled findings, verification that remediation happened. In the portal those are clickable links with structured data behind them, and engagements that used to run on weekly status calls shift to the auditor self-serving most of what they need.
Continuous compliance vs. annual snapshot
Traditional compliance is a snapshot. An auditor shows up, samples a quarter’s worth of findings, checks controls against a point-in-time state, writes a report, and the next snapshot happens a year later.
The gap between snapshots is the problem. Controls that drift between audits drift quietly, and the first signal that something broke is usually the next audit — or, worse, an incident.
Compass surfaces control status continuously. The dashboard shows, in real time, how many findings are open against each control family, median time-to-remediate, evidence freshness (when was the last successful test of this control), and upcoming regulatory deadlines. If the DPDP §8(5) status has drifted — a new finding open, a control not tested in 90 days — the dashboard flags it before an auditor does.
That shifts what “compliant” means. It’s no longer a certificate on the wall that says last year we passed. It’s a live status that says right now, for every control, here’s where we stand and here’s what’s at risk of slipping.
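The per-control status the dashboard computes (open findings, median time-to-remediate, evidence freshness, a drift flag when a control has an open finding or no passing test in 90 days) is a small aggregation over findings and control tests. The following is an added example, not Compass code: the findings, test records and reference date are constructed, the 90-day window is the one quoted above, and the drift rule (open finding or stale evidence) is an assumption about how the flag is derived.

```python
"""Per-control status for a continuous-compliance view.

Added example, not Compass code. Findings and control tests are
constructed; FRESHNESS_DAYS is the 90-day window quoted in the text and
the drift rule is an assumed combination of the signals it lists.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

FRESHNESS_DAYS = 90   # a control with no passing test in this window has drifted


@dataclass(frozen=True)
class Finding:
    finding_id: str
    control: str                  # mapped clause, e.g. "DPDP §8(5)"
    opened: date
    closed: Optional[date] = None  # None while still open


@dataclass(frozen=True)
class ControlTest:
    control: str
    tested: date
    passed: bool


def control_status(control, findings, tests, today):
    """Summarise one control: open count, median TTR, last passing test, drift."""
    mine = [f for f in findings if f.control == control]
    open_findings = [f for f in mine if f.closed is None]
    ttr_days = [(f.closed - f.opened).days for f in mine if f.closed is not None]
    passes = [t.tested for t in tests if t.control == control and t.passed]
    last_pass = max(passes) if passes else None
    stale = last_pass is None or (today - last_pass).days > FRESHNESS_DAYS

    reasons = []
    if open_findings:
        reasons.append(f"{len(open_findings)} open finding(s)")
    if stale:
        reasons.append("never tested" if last_pass is None
                       else f"no passing test in the last {FRESHNESS_DAYS} days")
    return {
        "control": control,
        "open": len(open_findings),
        "median_ttr_days": median(ttr_days) if ttr_days else None,
        "last_passed_test": last_pass,
        "drifted": bool(reasons),
        "reasons": reasons,
    }


def dashboard(controls, findings, tests, today):
    return {c: control_status(c, findings, tests, today) for c in controls}


# Constructed sample data; dates chosen so one control is stale and one is fresh.
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("F1", "DPDP §8(5)", date(2024, 1, 10), date(2024, 1, 12)),
    Finding("F2", "DPDP §8(5)", date(2024, 2, 1), date(2024, 2, 15)),
    Finding("F3", "DPDP §8(5)", date(2024, 5, 20)),             # still open
    Finding("F4", "SOC 2 CC6.1", date(2024, 3, 1), date(2024, 3, 11)),
]
TESTS = [
    ControlTest("DPDP §8(5)", date(2024, 2, 20), True),   # 102 days ago: stale
    ControlTest("SOC 2 CC6.1", date(2024, 5, 15), True),  # 17 days ago: fresh
]
CONTROLS = ["DPDP §8(5)", "SOC 2 CC6.1", "ISO 27001 A.8.3"]


def sample_dashboard():
    return dashboard(CONTROLS, FINDINGS, TESTS, TODAY)


if __name__ == "__main__":
    for control, status in sample_dashboard().items():
        print(control, "DRIFTED" if status["drifted"] else "ok", status["reasons"])
```

A control with no findings and no tests is flagged rather than shown green: absence of evidence is the quiet drift the text warns about, and treating it as healthy would reproduce the annual-snapshot blind spot.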
India-first, and why it matters
Most compliance platforms were built with SOC 2 and ISO as the primary frameworks, with everything else bolted on. That ordering shows up in how they handle DPDP and the RBI cyber framework — often as a second-class mapping rather than real clause-level reasoning.
Compass was built with DPDP, RBI Cyber 2016, SEBI CSCRF, and CERT-In as primary frameworks, with ISO and SOC 2 layered on top. For an Indian CISO whose auditor will ask DPDP questions in DPDP language, that ordering matters. Global frameworks still get first-class support — you just don’t have to fight the tool to make it speak Indian.
What changes when you stop scrambling
The scramble — the frantic week before an audit where a GRC team rebuilds the evidence trail — is a signal that the rest of the year, the team is flying blind on control status. Fix the scramble and you haven’t just made audits easier; you’ve made the whole year’s security posture legible.
That’s the argument for continuous compliance, and it’s the argument for Compass. Findings come in with clauses attached. Evidence lives where evidence should live, hashed and timestamped. Auditors self-serve. The dashboard tells you, today, where you actually stand.
The scramble stops. The posture starts being something you can see.