Aurva data security platform India: a Mumbai NBFC pilot Day 3 diary
Last updated: 14 June 2026
09:14 AM Wednesday. A printed risk heatmap on Hiren’s desk
I walked into the BKC office at 09:14 AM. Hiren had the Aurva Day 2 scan printed in colour, laid out across the conference table, three lines circled in red pen. “Priya. The bucket from Q3 2023. We never closed that ticket, did we?”
This is Day 3 of an Aurva pilot at a 280-person Mumbai NBFC. 31,400 active borrowers, a digital lending stack that doubled its book since the DPDP draft floated in January 2025, a CIO who has been calling me weekly since MeitY notified the DPDP Rules 2025 on 13 November 2025. Hiren keeps a notebook of unfinished things. The bucket from Q3 2023 is one of them.
The Aurva console put it on page two, scored 9.1 out of 10 on risk weight. Public-read S3 bucket, 4,118 objects, classifier hits on Aadhaar (74%), PAN (61%), address strings (88%). Created 14 November 2023 for a vendor reconciliation nobody removed. Arre. The kind of finding that lands a regulator letter if someone external runs the same scan first.
What Aurva actually does on Indian estates
DSPM read like a translated GDPR brochure for two years. Most tools on Gartner’s first DSPM grid were built for HIPAA, PCI, and European data shapes. Indian markers were not native.
Aurva is built in Bengaluru with DPDP as the design centre. The classifier knows what an Aadhaar 12-digit pattern looks like in OCR output. It catches PAN inside scanned KYC PDFs. Reports map to the DPDP fiduciary worksheet and the SEBI CSCRF data-asset register. INR billing, local engineering.
On Hiren’s estate we wired six connectors on Day 1. AWS (S3 plus RDS), Snowflake on AWS Mumbai, Salesforce Sales Cloud, Workday HCM, on-prem Oracle for loan origination, and the M365 tenancy. Read-only roles, no agent on any data store. On-prem Oracle needed a lightweight scanner inside the DMZ. 90 minutes including the firewall change request.
Day 2 in numbers: what the first scan returned
By Tuesday 22:30 IST the first full scan was done. The console showed 247 data stores discovered across the six connectors, 11 of them tagged as containing personal data at high confidence. The risk queue was sorted by audit weight, not alphabet, which is the small thing that matters when you have 30 minutes to brief a Board sub-committee.
| Store type | Stores scanned | Personal data hits | Top risk score | Notes |
|---|---|---|---|---|
| AWS S3 buckets | 118 | 47 | 9.1 | Public-read on 1 bucket. KYC archive. Aadhaar + PAN visible. |
| AWS RDS instances | 14 | 9 | 7.4 | One borrower DB readable by 11 IAM roles. Three of them stale. |
| Snowflake | 38 | 22 | 6.8 | Masking policy on Aadhaar column missing in one schema. |
| Salesforce Sales Cloud | 1 org | 1 | 5.2 | Loan officer profile with export-all permission. 14 users. |
| Workday HCM | 1 tenant | 1 | 4.1 | HR analytics report exporting Aadhaar to weekly CSV. |
| On-prem Oracle | 1 schema | 1 | 6.0 | Customer table mirrored to a reporting view without column masking. |
| Microsoft 365 | 1 tenancy | 3 | 5.5 | SharePoint sites with PAN in shared CSVs. Anonymous link enabled on one. |
The S3 archive bucket was the headline. The admission I always put in these write-ups: I had assumed Snowflake column masking was live everywhere because we had asked for it last March. The scan showed it missing on one schema provisioned in June. I had not verified; I had taken the answer. Six months of unmasked Aadhaar in a reporting view because I did not check.
The conversation at 10:20 IST
Hiren picked up the room phone and asked Karan, Head of Risk, to join. Karan brought his Compliance counterpart, Meera. By 10:35 four of us were standing at a whiteboard.
Karan started where finance people start. “What is the worst case if a regulator finds this before we do?” The honest answer is the DPDP statutory cap at INR 250 crore per instance of significant non-compliance, the RBI circular on data leakage, and reputational damage that does not have a number on it. The realistic worst case is a Board notification, a letter from the Joint Secretary, and a public disclosure obligation. Add the CERT-In 6-hour incident reporting requirement on top. Bas. The risk math wrote itself.
Meera asked the next question. “If we remediate this today, do we have anything left to show the auditor?” A scan that finds 11 high-confidence personal-data stores in 36 hours is also an inventory. The fiduciary worksheet asks for the inventory first. Aurva delivers it as an export.

Book my free 4-hour DPDP readiness check
200+ Indian businesses. Response within 8 hours. No card, no contract, no sales call.
Why the Aurva data security platform Indian teams pick fits the DPDP shape
Most DSPM tools quote a list of regulations. DPDP shows up after CCPA and PIPL on the third tile. The classifier under those tiles is the same Western one with a regex bolted on.
The difference on Indian estates shows in three places. First, OCR on KYC PDFs scanned at 200 DPI on a five-year-old MFP: Aurva read 96% of the 4,118 PDFs in the archive bucket clean, where two tools we benchmarked last quarter read 71% and 74%. Second, address-string patterns that wrap across lines and use building names. Third, report templates shaped for the DPDP worksheet and the CSCRF data-asset register, native rather than bolted on.
Where Aurva sits against the alternatives
I have run paid bake-offs against Varonis, BigID, and Cyera on three Indian estates in the last 18 months. The honest call depends on stack shape.
Varonis fits SharePoint-heavy enterprises with a strong on-prem file estate. Deeper crawler on unstructured shares. Costs more. DPDP reporting is a six to eight week custom build.
BigID fits multi-country enterprises running GDPR, CCPA, and DPDP in parallel. The workflow engine is strong. Aadhaar OCR lags Aurva on our last benchmark.
Cyera is sharp on cloud-native estates with a fast agentless scanner on AWS and Azure. Newer to India, DPDP templates on a roadmap.
Aurva fits an Indian fiduciary in the 200 to 5,000 band, audit horizon May 2027 or earlier, stack including Indian SaaS or on-prem ERP, INR billing on a contract you can read in English.
What we put on the Day 4 to Day 60 plan
By 11:50 IST we had a sequenced remediation queue. The same five items show up on most Indian DPDP-readiness reviews.
- Day 4 to Day 7. The KYC archive bucket. Move from public-read to private. Snapshot for forensics. The Aurva access timeline showed two non-AWS IPs that touched the bucket in the last 90 days. Both turned out to be internal VPN egress. The team did not have the visibility to answer that yesterday.
- Day 7 to Day 14. The 11 IAM roles on the borrower DB. Reduce to two service roles plus one human-break-glass with logging. Three stale service accounts rotated and revoked.
- Day 14 to Day 30. Snowflake column masking applied to the missing schema. Re-test with a dummy query. Document on the data-asset register against ISO 27001 A.8 controls.
- Day 30 to Day 45. The Workday HR analytics report. Move Aadhaar out of the weekly CSV. Replace with a token. Log the change in the consent-and-purpose register.
- Day 45 to Day 60. The Salesforce loan officer export-all permission. Reduce to view-only on personal-data fields. 14 users get a re-permissioning email.
Aurva re-scans weekly and tracks closure on the same risk queue. The fiduciary worksheet exports from the console at the end of the 60-day window. The audit conversation gets a document, not a story.
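The Day 2 finding on the KYC archive bucket and the Day 4 to Day 7 step above (public-read to private) both come down to one posture question: which ACL grants or bucket-policy statements give the world a read path. The following is an added example of that check, written by me for this write-up; it is not Aurva's scanner and not code from the page. It evaluates the two shapes an S3 scanner has to look at (the ACL grant list, and the bucket policy document, which is what the AWS API returns for a bucket) entirely offline on constructed input: a "before" configuration that mirrors the vendor-reconciliation bucket, and an "after" configuration where only one named role can read. The bucket name, account id and role ARN are placeholders.

```python
# Group URIs that make an ACL grant world- or any-AWS-user-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions that confer object read (wildcards included).
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_reasons(acl_grants: list, bucket_policy: dict) -> list:
    """Every path by which the bucket is publicly readable. Empty list means none
    found. Conditional statements are still reported, tagged, because a Condition
    on a wildcard principal needs a human to read it, not a tool to wave through."""
    reasons = []
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            group = grantee["URI"].rsplit("/", 1)[-1]
            reasons.append(f"ACL grants {grant['Permission']} to {group}")
    for stmt in (bucket_policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        read = set(_as_list(stmt.get("Action", []))) & READ_ACTIONS
        if read:
            tag = " (conditional)" if stmt.get("Condition") else ""
            reasons.append(
                f"policy statement {stmt.get('Sid', '?')} allows {sorted(read)} to *{tag}")
    return reasons


# Constructed "before": the archive bucket as a vendor reconciliation left it.
PUBLIC_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VendorReconRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-kyc-archive/*",
    }],
}

# Constructed "after": owner ACL only, one named role in the policy.
PRIVATE_ACL = [PUBLIC_ACL[0]]
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReconRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-recon-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-kyc-archive/*",
    }],
}

if __name__ == "__main__":
    print("before:", public_read_reasons(PUBLIC_ACL, PUBLIC_POLICY))
    print("after: ", public_read_reasons(PRIVATE_ACL, PRIVATE_POLICY))
```

Two notes on the Day 4 step itself. The snapshot for forensics goes before the ACL and policy change, so the access timeline is preserved against the configuration that produced it. And once the bucket is private, turning on S3 Block Public Access at the account level is what stops the next vendor reconciliation from recreating the Q3 2023 finding.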
See the Aurva India scoping call
Free 8-hour scoping call. Written quote in one business day.
The amber alert nobody had been listening to
Hiren asked at 12:15 IST why we did not catch the public S3 bucket sooner. The inventory question never had a tool behind it. The compliance team kept a spreadsheet. The cloud team kept tags. The lending team kept the runbook. Nobody had read across the three views at once. The Aurva scan did that in 36 hours.
I have watched this pattern across the eight DSPM rollouts we have done in the last two years. The interesting finding is rarely the new exposure. It is the old one nobody had the inventory to see. Personal-data risk in Indian estates accumulates inside vendor reconciliations, archive buckets, reporting views, and weekly CSVs. The fiduciary worksheet surfaces them at once.
For Hiren, the Day 4 morning starts with the archive bucket. The Day 14 conversation moves up his SIEM renewal. The Day 60 export lands the fiduciary worksheet on Karan’s desk in a shape Karan can defend. The Aurva pilot moves from a Q4 budget line into Q2 procurement. The amber alert is now an entry in the closure log.
Key takeaways
- An Indian DSPM is the inventory tool the DPDP fiduciary worksheet has been waiting for. Pick one with a classifier tuned for Aadhaar, PAN, IFSC, and Indian address shapes.
- Day 1 connector wiring. Day 3 the conversation. Most findings are old exposure, not new. Plan the cleanup for 60 days, not 6.
- Read the risk score, not the alphabet. Spend the first week on the top three by weight.
- The remediation queue is the deliverable. A scan that finds nothing actionable in 36 hours is not the right scan.
FAQ
How long does an Aurva deployment take in India?
Connector wiring on AWS, Azure, GCP, Salesforce, and Workday takes 1 to 2 working days. On-prem Oracle adds a half day. First full scan completes in 36 to 72 hours on a 200 to 5,000 person estate. The fiduciary worksheet export is available from the console after the first scan.
Does Aurva replace our existing DLP and SIEM?
No. Aurva sits next to both. DLP enforces at the exit point. SIEM correlates incidents. Aurva owns the at-rest data inventory and the access posture. Email DLP remains the right answer for outbound personal-data leakage on email and chat.
What does Aurva cost in INR?
Price on request, billed in INR. A 200 to 5,000 person Indian fiduciary with under 50 connected data stores typically lands inside a defensible Q3 budget line. Sirius Star handles licensing, deployment, and a quarterly retainer. Scoping call returns a written quote in one business day.
How does Aurva fit a Significant Data Fiduciary designation?
An SDF owes an annual DPIA and an independent audit. Aurva supplies the data inventory, the access map, and the risk register the DPIA and audit start from. For the audit-prep workflow, a DPO-as-a-service retainer is the cleanest pairing.
P.S. Sudeep here. We shipped a similar Aurva pilot for a Mumbai cooperative bank last week. The biggest finding was the archive bucket nobody had thought about since 2023. Most of the high-risk findings on Indian estates are old, not new. The auditor will find them eventually. The question is who finds them first. Tell us what you want me to find on your stack.