Compliance
Our regulatory approach for an India-first, sovereign cloud.
PrimeVistara Cloud is engineered so regulated organisations can meet their obligations without exporting data or control outside India. This page describes our compliance approach. Formal attestations are issued under NDA on request.
Data localisation & sovereignty
All customer content, logs and metadata are stored and processed within India, under Indian jurisdiction, with no foreign control plane in the path. This is designed to support sectoral data-localisation requirements (e.g. RBI, SEBI, IRDAI guidance) and the Digital Personal Data Protection Act, 2023.
Regulatory alignment
- DPDP Act, 2023 — data-fiduciary obligations, purpose limitation, breach notification readiness.
- IT Act, 2000 & SPDI Rules — reasonable security practices for sensitive personal data.
- CERT-In — incident-reporting and log-retention practices aligned to applicable directions.
- Sectoral guidance — architecture suitable for BFSI, government and healthcare localisation needs.
Security frameworks we align to
Our control set is designed around widely recognised frameworks — ISO/IEC 27001 control families and CIS Benchmarks — covering access control, encryption, change management, logging and incident response. Independent certification status is shared under NDA via the Trust Center.
Shared responsibility
PrimeVistara secures the underlying infrastructure (physical, host, hypervisor, network fabric, storage). Customers are responsible for their guest OS, applications, data classification, identity and in-tenant configuration. We provide the controls; you operate within them.
Audit support
We support customer and regulator audits with documentation, configuration evidence and architecture briefings. Request a compliance pack at cloud@primevistara.cloud.
This page describes our approach and does not by itself constitute a certification or legal assurance. Specific certifications and audit reports are provided under agreement.