Email DLP cost in India: a Mumbai NBFC’s 230-user quote breakdown
Last updated: 18 June 2026
07:42 AM. The vendor quote was already open on Rohan’s screen.
Mumbai, May 2026. Rohan is the finance head at an NBFC, about 230 users, lending against gold. I was there for the quarterly security review when the email DLP cost in India question landed on the table. He turned the laptop towards me before I could sit down. “Priya, just tell me one thing. Rs 150 per user. That is the whole cost, na?”
Arre, no. That is the sticker. The actual email DLP cost in India question is a different one, and it took us the next ninety minutes to walk through it. This piece is that walkthrough, with the numbers his finance team eventually signed off on. I have seen this conversation play out at four NBFCs this year. The shape is real, the names are not.
If you are sitting where Rohan was, this should save you the surprise.
Why the sticker price is the wrong number to budget against
The headline rate from most email DLP vendors in India falls in the Rs 140 to Rs 250 per user per month band. Microsoft Purview is bundled inside the M365 E5 SKU. Google Workspace has its DLP in the Enterprise tier. Trellix, Forcepoint, Proofpoint quote standalone. The brand-specific maths is on our Email DLP in India page.
What that sticker does not show, and what Rohan’s quote did not split out cleanly, is the work around the licence. I had assumed the quote was complete when I first scanned it. It was not.
Here is the part the procurement note skipped:
- Setup and rule design. Somebody has to sit with HR, finance, ops and ask which data patterns matter. Aadhaar, PAN, customer lists, salary sheets, KYC packets. That is two to three workshops, then a build week. For 230 users we priced it at Rs 85,000 one-time.
- Tuning. First two weeks are noisy. Genuine business mail gets flagged, the team complains, the rules need to be loosened in the right places without going soft on the real risk. Allow Rs 45,000 for this.
- Audit-grade log retention. If a regulator asks you to prove who tried to send what and when, the default 30-day log is not enough. We added 180-day retention. Rs 35 per user per month, separate line.
- Encryption for sensitive sends. The block-only rule is fine until the CFO needs to mail a real KYC packet to the lender. Then he wants the option to encrypt and send. That is an add-on SKU on most vendors. Rs 25 per user per month if you only enable it for a finance subset.
- Named support SLA. When a rule breaks at 4 PM on a Friday, you do not want to be in a generic queue. A named consultant from us on a 4-working-hour reply costs Rs 60,000 a year for the size of his estate.
None of these are optional. They show up later as urgent purchase orders or as a board question nobody can answer.
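Rule design and tuning pull against each other on the Aadhaar and PAN patterns: a bare 12-digit match fires on loan references and similar numbers, which is exactly the noise the tuning weeks are spent removing. The Python sketch below is an added illustration, not code from this article or from any vendor's ruleset. It matches PAN by shape and counts a 12-digit candidate as Aadhaar only when it passes the Verhoeff checksum that Aadhaar numbers carry; the mail body and every number in it are constructed.

```python
import re

# Verhoeff tables: D is the D5 multiplication table; P holds the position
# permutations, generated by repeatedly applying the base permutation.
D = ("0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")
BASE = (1, 5, 7, 6, 2, 8, 3, 0, 9, 4)
P = [list(range(10))]
for _ in range(7):
    P.append([P[-1][BASE[j]] for j in range(10)])

PAN_RE = re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")            # 5 letters, 4 digits, 1 letter
AADHAAR_RE = re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")

def verhoeff_ok(digits):
    """True when the digit string, check digit last, passes Verhoeff."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][P[i % 8][int(ch)]])
    return c == 0

def check_digit(payload):
    """Used only to build the constructed sample below."""
    return next(d for d in "0123456789" if verhoeff_ok(payload + d))

def scan(text):
    """Return (kind, masked value) for each PAN and checksum-valid Aadhaar."""
    hits = [("PAN", m.group()[:5] + "****" + m.group()[-1])
            for m in PAN_RE.finditer(text)]
    for m in AADHAAR_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if verhoeff_ok(digits):        # drops most 12-digit lookalikes
            hits.append(("AADHAAR", "XXXX XXXX " + digits[-4:]))
    return hits

# Constructed sample: no real identifiers appear here.
REAL_SHAPE = "29990000111" + check_digit("29990000111")
LOOKALIKE = REAL_SHAPE[:-1] + str((int(REAL_SHAPE[-1]) + 1) % 10)
BODY = (f"KYC for loan ref {LOOKALIKE}: PAN ABCPK1234F, "
        f"Aadhaar {REAL_SHAPE[:4]} {REAL_SHAPE[4:8]} {REAL_SHAPE[8:]}")

if __name__ == "__main__":
    for kind, masked in scan(BODY):
        print(kind, masked)
```

The checksum still lets roughly one in ten random 12-digit strings through, so it reduces tuning noise rather than removing it. Masking the match before it reaches the alert keeps the DLP log itself from becoming a store of identifiers.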
The email DLP cost in India, line by line for a 230-user NBFC
This is the table Rohan and I built on his whiteboard. Year 1 versus Year 2, all in INR, all real.
| Line item | Year 1 | Year 2 (renewal) |
|---|---|---|
| Email DLP licence (230 users at Rs 150/user/month) | Rs 4,14,000 | Rs 4,14,000 |
| Setup and rule design (one-time) | Rs 85,000 | 0 |
| First-two-weeks tuning (one-time) | Rs 45,000 | 0 |
| Audit log retention (60 of 230 users, Rs 35/user/month) | Rs 25,200 | Rs 25,200 |
| Encryption add-on (24 finance users, Rs 25/user/month) | Rs 7,200 | Rs 7,200 |
| Named support SLA (annual) | Rs 60,000 | Rs 25,000 |
| Year total | Rs 6,36,400 | Rs 4,71,400 |
Year 1 came in 54 per cent over the sticker total. Year 2 came in 14 per cent over. That gap is where the budget conversation lives.
Rohan did the thing finance heads do. He under-reacted to the breach risk and over-reacted to the renewal price. Achha, fair enough. He is paid to do that.
The amber alert nobody wanted to look at
While we were arguing the encryption SKU, I asked his IT lead to pull the last six months of outbound mail volume from finance and ops. We were looking for the pattern, not a specific incident.
There it was. An accounts assistant had mailed a customer master file, 4,100 rows, to what looked like a vendor distribution list, at 8:47 PM on a Tuesday in March. Nobody had flagged it. The recipient was an internal alias that also forwarded to a third-party auditor’s intake address. The data had left the building.
This is the amber signal that DLP exists for. Not the dramatic hack. A tired assistant, a late evening, an autocompleted recipient, a routine attachment that was not routine. Nobody on the team had seen the export at the time, yaar.
Once we showed Rohan that slide, the encryption SKU stopped being a line item to argue with. It became the thing he wanted on by Monday.
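The pattern in that March send can be searched for in a mail trace export before any DLP product is bought. The Python sketch below is an added example, not the tooling used in the review: it expands each recipient through nested aliases and flags large sends that end at an external mailbox, marking the ones where the sender typed an internal address. The domain names, alias map, trace rows, column names and thresholds are all constructed assumptions.

```python
import csv, io
from datetime import datetime

INTERNAL = "@nbfc.example"                 # assumed internal mail domain
ALIASES = {                                # constructed alias/forwarding export
    "vendors-dl@nbfc.example": ["ops@nbfc.example", "audit-intake@nbfc.example"],
    "audit-intake@nbfc.example": ["intake@auditor.example"],
    "ops@nbfc.example": ["ops-lead@nbfc.example"],
}
TRACE = """time,sender,recipient,attachment_kb
2026-03-10T20:47:00,accounts1@nbfc.example,vendors-dl@nbfc.example,1840
2026-03-10T11:05:00,accounts1@nbfc.example,ops@nbfc.example,2200
2026-03-11T21:15:00,hr1@nbfc.example,ops@nbfc.example,15
2026-03-12T14:30:00,ops1@nbfc.example,intake@auditor.example,950
"""                                        # constructed message-trace rows

def expand(addr, seen=None):
    """Resolve an address through nested aliases to final mailboxes."""
    seen = set() if seen is None else seen
    if addr in seen:                       # guard against alias loops
        return set()
    seen.add(addr)
    if addr not in ALIASES:
        return {addr}
    out = set()
    for member in ALIASES[addr]:
        out |= expand(member, seen)
    return out

def amber_sends(trace_csv, min_kb=500, day=(9, 19)):
    """Large sends that reach an external mailbox, directly or via an alias."""
    hits = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        external = sorted(a for a in expand(row["recipient"])
                          if not a.endswith(INTERNAL))
        if not external or int(row["attachment_kb"]) < min_kb:
            continue
        hour = datetime.fromisoformat(row["time"]).hour
        hits.append({"time": row["time"], "sender": row["sender"],
                     "typed": row["recipient"], "reaches": external,
                     "hidden": row["recipient"].endswith(INTERNAL),
                     "after_hours": not day[0] <= hour < day[1]})
    return sorted(hits, key=lambda h: (not h["hidden"], not h["after_hours"]))

if __name__ == "__main__":
    for hit in amber_sends(TRACE):
        print(hit)
```

Rows with `hidden` set are the ones a sender-side review misses, because the address typed was internal and the external hop only appears after alias expansion.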
What we eventually signed, and what we left out
Rohan signed for the full Year 1 stack at Rs 6.36 lakh, with one cut. He pushed back on the 180-day log retention for the full estate and capped it at 60 users (finance, HR, ops leadership). That dropped the licence line by about Rs 71,000 over a year. Reasonable trade. The people who handle the regulated data carry the longer log. The rest carry the standard 30-day.
What he left out: the data classification training piece. Some vendors push a Rs 250-per-user training module. We do not think it earns the spend at NBFC scale. A 45-minute live session by the consultant covers what people actually need to know. The vendor module sits unwatched.
What we added later: a quarterly rule review. Forty-five minutes on a Zoom every three months, walking through the false positives and the new patterns that appeared. Rs 18,000 a year. Cheap insurance.
How the cost shape changes with size
The 230-user maths does not scale linearly. Three quick patterns from the last twelve months of similar quotes:
- 50 to 100 users. Setup and tuning dominate. The licence is small. Year 1 sits around 2.2x the sticker, Year 2 close to 1.3x. The named SLA is the line worth fighting for at this size.
- 200 to 400 users. Rohan’s band. Year 1 around 1.5x the sticker, Year 2 close to 1.15x. Encryption add-on for a subset is the real lever.
- 800-plus users. Setup amortises, the licence dominates. Year 1 around 1.2x the sticker. Negotiate the per-user rate harder here, the vendor has room.
The takeaway is uncomfortable: the smaller your estate, the higher the proportional cost of doing email DLP right. That is fine. The penalty cap does not scale down with your headcount.
What this costs you to ignore
The math against the quote is straightforward. Year 1 at Rs 6.36 lakh is roughly 0.25 per cent of one regulated customer list, valued at the IBM India data breach average of Rs 19.5 crore. Per IBM’s Cost of a Data Breach 2024, that number has risen 28 per cent over the last three years for the financial sector specifically.
Against the DPDP cap of Rs 250 crore, the email DLP cost in India for Rohan’s estate is one fortieth of one per cent of a single worst-case fine. That is the frame that closed the conversation.
One more piece, this one from RBI. Their cyber security framework for NBFCs already expects email-based data loss controls as part of the standard. So the spend is not a discretionary upgrade. It is the cost of staying in the auditor’s good books, and the cost of not having to write a long apology email to a customer whose KYC packet went somewhere it should not have.
The customer who proved the case
Rohan was not a hypothetical. Six months in, his audit committee asked for the DLP log on a sample week. It pulled clean. Two blocked sends, both genuine catches, both reviewed by him. The auditor moved on. That is the proof you are paying for, not the licence.
Key takeaways and next steps to book a call
- Budget against the Year-1 total, not the sticker. For a 230-user firm, expect roughly 1.5x the listed per-user-per-month spend.
- Setup, tuning, retention, encryption, named SLA. Five line items. Make the vendor split them out before you sign.
- The encryption add-on is the line you will want, even if you do not want it now. Quote it for the subset that handles regulated data.
- Year 2 renewal is what your CFO should benchmark against. The one-time costs fall away, the recurring lines stay.
- The amber signal you should run your quote against: when did a real customer list last leave your firm by mail? Find that pattern before the vendor demo.
FAQ
Q: Is email DLP cost in India cheaper if we already pay for Microsoft 365 E5?
A: Yes for the licence line. Purview email DLP is included in E5. You still pay separately for setup, tuning and named support. The all-in delta versus a standalone vendor narrows to about 25 to 30 per cent at our size band.
Q: Can we run email DLP only for finance and HR to save cost?
A: We discourage it. The leaks we see most come from ops and customer-care users, not finance. The licence saving is small and the coverage gap is large. Better to cover everyone on the standard tier and add encryption only for the regulated subset.
Q: How fast does this go live?
A: Microsoft 365 or Google Workspace estates, 7 to 10 working days for the core ruleset. Standalone vendors, 14 to 21 days. Tuning runs alongside, not before.
P.S. Sudeep here. Rohan’s NBFC went live on the build last month. The first false positive came on day 3, a genuine HR file. We tuned the rule the same afternoon. The first real catch came on day 11, an outbound mail with a 600-row customer extract to an external freelancer. Blocked. He called me to say thanks. That is the only call you want from your IT head about DLP. If you want the same Year-1 number worked out for your estate, the popup form gets you on my call list within four working hours.

