What our readiness reviews find
Of Indian Microsoft 365 tenants we review have over-permissioned SharePoint sites holding PII, unlabelled sensitive documents, or external sharing links never revoked. Under the DPDP Act, every one of those is a notifiable data fiduciary risk. Fix the tenant, then turn on DLP. In that order.
Source: Sirius Star DPDP readiness reviews of 100+ Indian SMB tenants, FY26 Q1, anonymised.

Five layers of data protection every Indian business should run
DPDP is not a single product. It is a stack. We run the review, we recommend the layers, we deploy the ones you need. Microsoft-native where it fits, non-Microsoft where it does not.

Secure Data Guard (our flagship DLP)
Secure Data Guard is our managed data loss prevention service layered on Microsoft 365. It deploys Purview sensitivity labels, document-level DLP policies, conditional access on classified content, and Defender for Cloud Apps rules across Email, OneDrive, SharePoint, and Teams. Sirius Star configures, deploys, monitors, and tunes monthly. You keep the keys.
Sized per managed device because that is how it lands in an Indian deal. Real protection is not per-user, it is per-endpoint. A laptop that handles PII is the unit at risk, not a licence seat.
From ₹749 per device per month, layered on M365
DPDP Compliance Services
Written information security policy, breach notification workflow, data fiduciary register, consent capture mapping, data principal request handling. The paperwork the DPDP Act requires plus the operational drills to make it real.
Fixed-fee project, scoped after readiness review
Microsoft Purview + Defender
If you are on M365 Business Premium, E3, or E5, you already own most of this. Purview Information Protection, Insider Risk Management, Defender for Cloud Apps, audit logs. We turn it on, tune it, and document what each setting actually does for your tenant.
Included in M365 Premium / E3 / E5
Fortra Digital Guardian DLP + DSPM
Where Purview does not extend (legacy file servers, on-prem databases, agent-based endpoint DLP), Fortra Digital Guardian fills the gap. DSPM (Data Security Posture Management) discovers where sensitive data sits across cloud + on-prem so you stop guessing.
SatCom-route, scoped per tenancy
Aurva DSPM + Backup posture
Aurva is an Indian DSPM startup with mid-market pricing. Data discovery, classification, access governance. We pair it with cloud backup (Veeam, Acronis, M365 backup) so a DPDP breach response includes a clean restore path, not just an incident report.
Aurva trial available, backup from ₹250/user/mo
The Sirius Star DPDP readiness methodology
Four steps. The first is free, read-only, and finishes in 28 working hours. We never recommend a single tool until we have seen your tenant.

01. Read-only 24-hour readiness review (FREE)
You add care@siriusstar.in as a Global Reader in your Microsoft 365 admin centre. Five-minute setup, no install, no agent, no commitment. We can see SharePoint site age and permissions, OneDrive size per user, sharing-link sprawl, sensitivity-label coverage, Defender posture, conditional access policies, and audit-log retention. We cannot change a single setting.
Within 28 working hours we send you a PDF report covering nine things: where your PII sits today, which SharePoint sites are over-permissioned, which sensitive documents have no sensitivity labels, which external sharing links are still live, whether your audit log retention meets the DPDP three-year window, whether breach notification logging is on, whether MFA coverage is universal, where DLP rules are needed first, and the rupee value of the cleanup before any tool is deployed.
02. Tenant hygiene project (fixed-fee, 4 to 8 weeks)
If you decide to proceed, we quote a fixed-fee tenant-hygiene project to close the gaps the review found. SharePoint sprawl cleanup, Purview sensitivity-label deployment, conditional access tuning, MFA coverage to 100 percent, audit-log retention to three years, Defender policy alignment. We work alongside your IT team, hand back full ownership, and document every change in a runbook your team can read after we leave.
For tenants that need DLP beyond what Purview offers, we layer Secure Data Guard at ₹749 per device per month with a 30-day hypercare window. For tenants that need DSPM across on-prem too, we bring in Fortra Digital Guardian or Aurva. Pricing scoped per environment.
03. DPDP compliance documentation + drills
The DPDP Act expects more than tools. It expects a written information security policy, a data fiduciary register, a breach notification workflow with named roles, consent capture mapping for any new data collected, and a data principal request handling process. We draft the policies, train the named roles, and run a tabletop breach drill so the workflow is rehearsed before you need it for real. Fixed-fee project, usually 3 to 5 weeks.
04. Quarterly DPDP posture review (included)
Every 90 days we re-run the readiness review and compare against the last cycle. New SharePoint sprawl, new sensitive-data exposure, new DPDP-relevant Microsoft features, new vendor risks from third-party integrations. We update the policies, retune the labels, and re-train any new joiners in the named breach-response roles. Included in our annual support fee. Pricing is per tenant flat, not per seat.
Representative example. 412-seat Pune pharma manufacturer. Free review surfaced 71 over-permissioned SharePoint sites, 38 users with old external sharing links to clinical trial data, MFA at 64 percent, audit logs retained 90 days (DPDP needs three years). Fixed-fee tenant hygiene closed the gaps in 6 weeks. Secure Data Guard layered on top in week 7. Quarterly reviews ongoing. Annual cost: less than 0.3 percent of the manufacturer’s annual revenue. (Representative pattern based on typical engagement scope.)
Is the Sirius Star data protection methodology for you?
Data protection for Indian businesses from Sirius Star Enterprise Technologies is a Microsoft Partner advisory and managed-DLP service for Indian companies with 50 to 2,000 users on Microsoft 365 Business Premium, E3, or E5 who handle personal data subject to the Digital Personal Data Protection Act 2023. Delivered from our Vashi, Navi Mumbai headquarters with read-only review-first methodology, quarterly posture reviews, and pan-India delivery and deployment.
We are a Microsoft Partner. 200+ active business clients across BFSI, manufacturing, pharma, hospitality, healthcare, retail, and education. We review before we recommend, we tell you when you do not need a tool yet, and we walk away if the readiness math says you are already covered.
You are a fit if:
- You handle personal data of Indian individuals (customers, employees, vendors) and are evaluating DPDP readiness
- Your board, auditor, or cyber insurer has asked for a DPDP compliance posture statement in the last 12 months
- You are on Microsoft 365 Business Premium, E3, or E5 and have never deployed sensitivity labels at scale
- You have a stale SharePoint estate you have not cleaned up in over 18 months
- You operate in a regulated sector (BFSI, pharma, healthcare, education) where data handling is audited annually
- You want a single accountable Indian partner for DPDP rather than three separate consultants for policy, technical, and audit
Skip this if your tenant is under 25 users and you handle only employee data. The DPDP framework still applies but the cost-benefit usually favours a self-managed Purview deployment plus a quarterly review from us, not a full Secure Data Guard rollout.
Request your free 24-hour DPDP readiness review
Tell us about your tenant. We reply within 8 working hours with the read-only access steps and your 24-hour review window. PDF report on day two.
- Free review, no obligation
- Read-only access, no changes
- PDF report inside 28 working hours
- Reply within 8 working hours, including WhatsApp
- Your data stays in India
Industries where we deploy data protection
DPDP applies to every Indian business that handles personal data. The risk pattern is different by sector. Here is what we typically deploy.
Manufacturing
Design IP protection, supplier portal access governance, employee PII in HR systems. Secure Data Guard + Purview labels on engineering SharePoint + Hirschmann industrial network segmentation.
BFSI & NBFC
Customer KYC data, account statements, transaction logs. RBI cyber framework alignment. ARCON PAM + DNIF SIEM + Secure Data Guard + audit-log retention for the three-year DPDP window plus the seven-year RBI window.
Pharma & Life Sciences
Clinical trial data, patient records, formulation IP. Schedule M and DPDP overlap. Microsoft Purview + Secure Data Guard + Veeam long-retention backup + Quantum tape archive for trial-data multi-decade retention.
Hospitality
Guest PII, payment card data, loyalty programme records. PCI DSS overlap. Secure Data Guard on M365 + segmented guest Wi-Fi via Ruckus + Sophos endpoint on POS terminals.
Education
Student records, parent contact data, payment records. DPDP plus minor-data special provisions. Microsoft 365 Edu + Purview + Sophos for managed student devices + biometric attendance hardening.
Healthcare
Patient health information, diagnostic reports, prescription data. DPDP plus Clinical Establishments Act. Secure Data Guard on M365 + Bosch cameras in sensitive areas + Defender + signed BAA with Microsoft for the Indian region.
Retail & E-commerce
Customer transaction history, loyalty data, payment card storage. PCI DSS plus DPDP. Secure Data Guard + Hikvision POS-area surveillance + Sophos endpoint on store terminals + cloud backup with Indian residency.
Logistics & 3PL
Driver PII, customer shipment data, contract terms with carriers. Secure Data Guard + SOTI rugged MDM on field devices + Teltonika fleet routers + Acronis backup with rapid-recovery SLAs.
Representative deployments
What a Sirius Star data protection engagement looks like at three different Indian SMB scales.
Patterns based on typical engagement scope. Named customer references available under NDA on request.
From “no DPDP plan” to audit-ready in 8 weeks
Over-permissioned SharePoint sites holding clinical-trial data. Free review found them. 6-week tenant hygiene project closed them. Secure Data Guard layered in week 7. Annual posture review locked in. Board presentation passed clean.
RBI cyber framework + DPDP in one engagement
Audit log retention extended from 90 days to three years for DPDP, seven years for RBI. Microsoft Purview labels deployed across customer KYC and transaction folders. ARCON PAM added for privileged access. Quarterly drills now routine.
POS terminals + loyalty data hardened for PCI + DPDP
Maximum DPDP penalty under Section 33 once data protection gaps are found in audit.
Every data-protection brand we work with in India
We deploy Secure Data Guard as our flagship managed DLP. We also resell and configure the Microsoft-native stack plus the leading non-Microsoft alternatives so we can match each tenant to the right tool, not the tool that pays the highest margin.
Sirius Star flagship
Secure Data Guard (DLP)
Our flagship managed DLP service. DPDP-compliant data handling on M365. ₹749 per device per month.
DPDP Compliance Services
Policy drafting, breach workflow, fiduciary register, data principal request handling, tabletop drills.
DPDP Readiness Self-Assessment
15-question self-check before you book the 24-hour review. Free, instant, no email gate.
Microsoft-native data protection (Purview, Defender, Entra)
Microsoft Purview Information Protection
Sensitivity labels, DLP policies, Insider Risk Management. Bundled in M365 Premium, E3, E5.
Microsoft Defender for Business
Endpoint XDR, conditional access, attack surface reduction. Free in M365 Business Premium.
Microsoft Sentinel (cloud SIEM)
Cloud-native SIEM for DPDP breach detection. Pair with Defender for unified XDR.
Microsoft Entra ID (identity)
Conditional access, MFA, identity protection. The first layer of any DPDP plan.
Non-Microsoft data protection (DLP, DSPM, IAM)
Fortra Digital Guardian (DLP + DSPM)
Tier-1 enterprise DLP. Agent-based endpoint plus DSPM. SatCom-route for India.
Aurva DSPM (Indian-origin)
Hot 2026 category. Affordable mid-market DSPM for cloud-first Indian businesses.
Netwrix AD Security + Classification
AD security audit, data classification, AD-tier privilege visibility. Pairs with M365 deals.
Proofpoint Email Security
Premium email security. Pairs with M365 + Secure Data Guard for layered DPDP defence.
Skyhigh Security CASB + SSE
Cloud Access Security Broker for shadow-IT discovery and SaaS data control.
ARCON PAM (Indian-origin)
Privileged Access Management. BFSI compliance default. RBI / SEBI alignment.
Backup, recovery, SIEM, MDR (the breach-response stack)
Cloud Backup & Disaster Recovery
M365 plus on-prem server backup with Indian-residency options. Veeam, Acronis, Druva.
Veeam Backup (M365 + servers)
The most-deployed backup brand in India. Long-retention for DPDP and sector mandates.
Sophos MDR (24×7 managed detection)
Managed detection and response for DPDP breach window. India-aware SOC.
DNIF Next-Gen SIEM (Indian)
Hyperscale SIEM at India pricing. Strong for BFSI + mid-market compliance.
Not seeing a data-protection brand you already use? Ask us. Through Ingram, Savex, SatCom, and direct OEM partnerships we can source most cloud-security and DLP brands in India. Reply within 8 working hours.
Frequently asked questions about Indian data protection and DPDP
- What does the Digital Personal Data Protection Act 2023 require of an Indian business?
- The DPDP Act 2023 requires any Indian business processing personal data of Indian individuals (data principals) to obtain valid consent for processing, appoint a designated grievance officer, maintain a record of processing activities, notify breaches to the Data Protection Board and affected individuals, honour data principal rights (access, correction, erasure, grievance), and implement reasonable security safeguards including encryption, access controls, and audit logging. Sirius Star’s Secure Data Guard service and DPDP compliance project cover the technical and documentary requirements end-to-end.
- How is the Sirius Star DPDP readiness review different from a paid audit?
- The readiness review is free, takes 28 working hours, and is read-only. We never change a setting in your tenant. The output is a PDF that lists nine concrete gaps (SharePoint sprawl, unlabelled documents, MFA coverage, audit-log retention, breach-notification readiness, sensitivity-label coverage, conditional access state, external sharing-link sprawl, DLP rule readiness) with the rupee impact of each. A paid audit by a Big Four firm typically takes 6 to 12 weeks and costs ₹8 to ₹40 lakh for a comparable scope. Our review is a 24-hour starting point to decide whether you need that depth of audit, not a replacement for one.
- What does Secure Data Guard actually do and why is it priced per device?
- Secure Data Guard is a managed DLP service that layers on top of Microsoft 365. It deploys and tunes Microsoft Purview sensitivity labels, document-level DLP policies, conditional access on classified content, and Defender for Cloud Apps rules across Email, OneDrive, SharePoint, and Teams. We monitor the alerts, tune the rules monthly, and surface anomalies that need human attention. Pricing is per managed device (₹749 per device per month) because the unit of DPDP risk is the endpoint that touches personal data, not a licence seat. A user with two laptops creates twice the exposure of a user with one. Per-device pricing aligns the protection cost with the actual exposure.
- Do we need Secure Data Guard if we already have Microsoft Defender and Microsoft Purview?
- You may not. If your tenant is on Microsoft 365 Business Premium, E3, or E5 and you have a dedicated IT security analyst who runs Microsoft Defender and Microsoft Purview daily, you may already have most of what Secure Data Guard provides. Where Secure Data Guard adds value is the managed-service layer: configuration, deployment, monthly tuning, quarterly posture review, and the breach-response runbook. Most Indian SMBs do not have a full-time security analyst, which is when paying for the managed service rather than running it yourself usually wins. We tell you which side of that line you sit on at the end of the readiness review.
- Can Sirius Star handle our DPDP breach notification workflow?
- Yes, as part of the DPDP compliance project we draft the breach notification workflow document, train the named roles (Grievance Officer, Data Protection Officer if appointed, IT and legal leads), and run a tabletop drill so the workflow is rehearsed. We also configure Defender, Purview, and Sentinel alerting so the technical triggers feed the workflow. We do not act as your legal counsel for the Data Protection Board notification itself; that conversation must be handled by your appointed Grievance Officer or external counsel. We provide the technical evidence, the timeline reconstruction, and the IT response actions that support the legal notification.
- What is DSPM and do we need it on top of DLP?
- DSPM (Data Security Posture Management) is the 2026 category that answers “where is our sensitive data actually sitting today, across cloud and on-prem”. DLP is “stop the data from leaving once you know where it is”. Most Indian SMBs do not need DSPM yet because their tenant is small enough that the readiness review surfaces the same answers manually. DSPM becomes necessary at the 500-plus-user enterprise tier or for any business with significant on-prem data alongside cloud. We resell Fortra Digital Guardian DSPM through SatCom for the enterprise tier and Aurva DSPM (Indian-origin) for the mid-market. The readiness review tells you which tier you are at.
- How does cyber insurance underwriting connect to DPDP readiness?
- Indian cyber insurers in 2026 are asking DPDP-specific questions in their underwriting questionnaires: MFA coverage percentage, audit-log retention duration, DPO appointment status, breach-response drill cadence, sensitivity-label deployment depth, third-party data-sharing inventory. A clean readiness review report shortens the underwriting cycle and frequently reduces the premium. Several of our clients use the Sirius Star readiness PDF directly as the technical attachment to their cyber insurance renewal. The free cyber insurance readiness assessment maps the readiness gaps to the typical insurer questionnaire.
- Where is Sirius Star based and how do you support clients outside Mumbai?
- Head office is in Vashi, Navi Mumbai. The DPDP readiness review and most of the configuration work is delivered remotely; we have not yet visited a client tenant on site for review purposes. For on-site work (training, tabletop drills, tabletop exercises with named roles) we travel across Mumbai-Pune-Thane, Bangalore, Delhi NCR, Hyderabad, and Chennai routinely, and to Tier-2 cities through our pan-India field service partners.
Most Indian businesses are 12 to 24 months from a DPDP notice and do not know where their personal data sits
Find your gaps in 24 hours. Free. Read-only access only. PDF report on day two. No commitment.

