Enterprise compliance for Indian and global workloads
Opsio operates cloud infrastructure for regulated Indian enterprises and global customers running workloads in India. This page documents how we handle your data, the frameworks our team delivers against, and where to get the contract documents procurement needs.
- Bangalore ISMS: ISO 27001:2022
- Data processor role: DPDPA + GDPR Art. 28
- Uptime SLA: 99.9%
- Indian data residency: AWS Mumbai / Azure Central India
Compliance expertise
Opsio's core service is helping regulated Indian and multinational enterprises achieve and maintain their compliance posture. Below, each framework shows what Opsio carries itself and what we deliver for customers. Supporting documentation is available for procurement review under NDA.
DPDPA (India)
India operations · Customer programs
Opsio: operations at our Bangalore delivery center are aligned with India's Digital Personal Data Protection Act 2023. For customers: DPDPA readiness assessments, consent architecture, right-to-correction tooling, retention controls, and CERT-In incident reporting pipelines — delivered to BFSI, manufacturing, and SaaS customers across India.
CERT-In (India)
Customer implementation programs
For customers: implementation of CERT-In's April 2022 directives — 6-hour incident reporting pipelines, 180-day log retention, mandatory KYC where applicable, and integration with a central SOC for automated reporting. Our SIEM integration patterns are production-ready for Indian deployments.
ISO 27001:2022
Bangalore scope · Customer programs
Opsio: ISO 27001 certified at our Bangalore delivery center (scope covers operations staff and development activities there). For customers: we lead full ISO 27001 implementation programs — gap analysis, ISMS design, policy authorship, internal audit, and Stage 1/Stage 2 audit support. Indian customers have achieved certification via this approach.
RBI / SEBI (India financial services)
Customer compliance programs
For customers in Indian BFSI: implementation of RBI's Master Direction on IT Risk Management, SEBI's Cyber Security and Cyber Resilience Framework — data classification, BCP testing cadence, third-party risk assessment, and incident reporting alignment. Our architects have delivered this for Indian banks and NBFCs.
GDPR (EU 2016/679)
Article 28 processor
Opsio: data processor under GDPR Article 28 for European customer personal data we handle during managed operations. Standard Contractual Clauses on file for cross-border transfer to our India team. For customers: GDPR implementation support where Indian enterprises serve European users.
SOC 2 Type II
Customer readiness programs
Opsio: not currently SOC 2 attested as a firm. For customers: SOC 2 readiness programs — control mapping, evidence automation, monitoring setup, and auditor liaison through the observation window. Especially relevant for Indian SaaS companies selling to US customers.
HIPAA (US customers)
BAA available · Customer architectures
Opsio: Business Associate Agreement available for US healthcare customers. For customers: HIPAA-ready architectures on AWS Mumbai / Azure Central India with audit controls, encryption, and BAA chain management — relevant for Indian companies providing services to US healthcare.
Data Processing Agreement
Opsio acts as a data processor under DPDPA (India) and GDPR Article 28 (EU) for customer personal data we process on your behalf during managed operations, migration, and consulting engagements.
- Standard DPA template provided at contract signing or on request beforehand for procurement review.
- Supports EU Standard Contractual Clauses (2021/914) for any transfer between India and the EU, and DPDPA-compliant contractual terms for Indian data.
- Customer retains controller / data fiduciary status and decision rights over data classification, retention, and deletion.
- Subprocessor changes communicated with at least 30 days' notice via the contact channel you nominate.
- Breach notification within CERT-In's 6-hour window for Indian data and within 72 hours per GDPR Article 33 for European personal data.
We will typically return a signed DPA template within 2 business days. For pre-contract review we can sign a mutual NDA first — request via the same email.
Subprocessors
Opsio engages the following subprocessors to deliver services. The current authoritative list is maintained internally and provided as an annex to the DPA on request. Hyperscaler region selection is configurable per customer contract, with Indian customers defaulting to Mumbai / Hyderabad / Pune.
| Subprocessor | Purpose | Processing region |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, compute, storage, and managed services where customer has elected AWS | Customer-selected AWS region (ap-south-1 Mumbai, ap-south-2 Hyderabad, eu-north-1, us-east-1, etc.) |
| Microsoft Azure | Hosting and managed services where customer has elected Azure | Customer-selected Azure region (Central India / South India / Sweden Central / etc.) |
| Google Cloud Platform | Hosting and managed services where customer has elected GCP | Customer-selected GCP region (asia-south1 Mumbai, asia-south2 Delhi, etc.) |
| Google Workspace | Internal business communication and shared document handling | EU |
| Microsoft 365 (Teams) | Internal and customer-facing meetings, chat, and collaboration during engagements | EU |
| GitHub / GitLab | Source code hosting for customer engagement artefacts (Infrastructure-as-Code, scripts) | Customer-selected per engagement |
| Odoo | Internal ERP, CRM, project tracking, and billing | EU |
| Opsio India | Delivery-center operations in Bangalore; personnel access to customer environments is logged and governed by SCCs for European customers | India (Bangalore) |
Customers may object to new subprocessors within the 30-day notice window. Engagement-specific subprocessors (monitoring agents, SIEM platforms, etc.) are disclosed in the Statement of Work.
Service Level Agreement
SLA commitments are documented in the Master Service Agreement for each engagement. The following summary represents our standard terms; customised SLAs for 99.95% or 99.99% tiers are available for mission-critical workloads.
- Infrastructure uptime: 99.9%
  Measured monthly. Service credits apply to breaches.
- Severity 1 response: 15 minutes
  24/7. Production impact, business-critical.
- Severity 2 response: 1 hour
  24/7. Degraded performance, workaround possible.
- Severity 3 response: 4 business hours
  IST or CET business hours.
- Monitoring coverage: 24/7/365
  Follow-the-sun across Bangalore and Karlstad.
- Patch management: Monthly baseline
  Out-of-cycle emergency patches within 48 hours of CVE publication for critical severity.
Data residency
Customer production data is processed in the cloud region you select. For Indian customers we default to Indian regions (AWS ap-south-1 Mumbai, Azure Central India, GCP asia-south1 Mumbai) unless contractually agreed otherwise. European customers default to EU/EEA regions with SCCs governing any cross-border access by our India team.
Opsio personnel access customer environments via named accounts with MFA and just-in-time elevation. Delivery operations run from Bangalore (primary for Indian customers) and Karlstad (primary for European customers). Personnel access is governed by Data Processing Agreements and SCCs where applicable.
Backups and logs inherit the customer's selected region by default. Cross-region replication for disaster recovery is customer-configurable — a common pattern is Mumbai primary with Hyderabad DR for Indian customers.
Security practices
How we protect customer environments end-to-end.
Penetration testing
Annual third-party penetration test against Opsio production systems. Engagement-specific penetration testing available as a managed service through our OSCP-certified team.
Vulnerability management
Continuous CVE monitoring with severity-based SLA for patching. Critical CVEs patched within 48 hours of responsible disclosure.
Identity & access management
SSO-enforced named accounts with mandatory MFA. Customer-environment access is time-bound and logged centrally. Shared credentials are prohibited.
Encryption
Data in transit: TLS 1.2+ enforced. Data at rest: hyperscaler-native encryption (AWS KMS, Azure Key Vault, GCP KMS) with customer-managed keys available on request.
Logging & monitoring
All privileged access is logged, tamper-evident, and retained per customer contractual requirements (180-day retention for CERT-In-covered workloads). SIEM integration available for customers using Opsio MDR services.
Incident response
24/7 security incident response with documented playbooks. CERT-In reporting within 6 hours of Indian-jurisdiction incidents and GDPR breach notification within 72 hours for European personal data.
Responsible disclosure
Security researchers who identify a vulnerability in Opsio-operated systems are encouraged to report it via encrypted email. We commit to acknowledging receipt within one business day and providing a remediation timeline within five business days. We do not pursue legal action against good-faith research that follows these guidelines.
Report to: security@opsio.se
Procurement & compliance contact
For DPA requests, security questionnaires, SLA negotiations, or anything else procurement needs to close a deal: