Purpose-built for Indian BFSI. Everything you need to prepare, execute, evidence, and report on regulatory obligations — SEBI · RBI · DPDP · CERT-In · ISO 27001.
Invite-only platform · Enterprise access via structured business engagement
Tenant provisioning by CreativeCyber
DPDP Rules notified · May 2027 deadline · ₹250Cr penalties
A practitioner walkthrough of all 11 tools — from SEBI CSCRF and DPDP gap assessment to PASTA threat modeling and AI security evaluation.
Core Assessment Modules
Purpose-built for each regulatory context — not configured from a generic framework. Evidence, maker-checker, and audit-ready reporting are native.
Annual assessment with evidence-based maturity scoring across all 6 CSCRF domains. Generates CEO Declaration and Board Report PDFs directly from assessment data.
Structured gap assessment against DPDP Act 2023 obligations with penalty exposure estimation by violation type, maker-checker review, and compliance reporting.
Evaluate AI and ML systems across 8 governance domains with weighted scoring, evidence upload, and multi-format reporting for regulators and boards.
Business-centric threat modeling from business objectives through attack simulation to risk treatment and board-ready reporting. No consultant required.
Complete Toolkit
Every tool produces a regulator-ready output. No tool requires a consultant to operate.
Regulatory Coverage
All modules are built around actual Indian regulatory obligations — not global templates mapped to India as an afterthought.
Mandatory annual assessment for all SEBI-regulated entities. 30 controls across 6 domains. CEO Declaration required.
Mandatory · Annual
May 2027 enforcement. Penalties up to ₹250Cr per violation. Consent, purpose limitation, breach notification, data rights.
Enforced May 2027
Cybersecurity framework for banks and NBFCs. IT examination, cyber fraud prevention, incident reporting, DPSC controls.
Continuously in force
6-hour incident reporting. Log retention mandates. Vulnerability disclosure for all India-operating organisations.
Continuously in force
Annex A control mapping alongside Indian regulatory requirements for cross-framework compliance coverage.
Widely required
RBI and SEBI expectations on responsible AI in regulated entities — explainability, fairness, data security, model governance.
Emerging obligation
Who It's For
If you own compliance, risk, assurance, or resilience for a regulated Indian enterprise — this workbench is designed for your operational reality.
Architecture & Trust
Compliance software must itself meet security expectations. Built with the same rigour it helps organisations demonstrate.
Row-level security at database layer. Tenant ID enforced in every JWT and query.
Super admin, tenant admin, maker, viewer. Fine-grained permission matrix per role.
Every action logged with actor, tenant, IP, timestamp. Cannot be modified by anyone.
Every evidence file hashed on upload. Tamper-evident provenance for all documents.
TLS via Let's Encrypt. CSP, HSTS, X-Frame-Options, Referrer-Policy enforced at edge.
15-min access tokens in memory. HttpOnly refresh cookies. Argon2 password hashing.
Per-tenant storage paths. No cross-tenant access pattern architecturally possible.
10 req/min per IP per auth action. Protects login, reset, and all API surfaces.
Common Questions
Key questions about SEBI CSCRF compliance, DPDP Act 2023, and platform access.
Invite-only access
The Practitioner Toolkit is not self-service. Enterprise access is provisioned by CreativeCyber through a structured engagement process.
SEBI CSCRF (Cyber Security and Cyber Resilience Framework) is a mandatory annual compliance framework for all SEBI-regulated entities — stock brokers, mutual fund AMCs, depositories, and other market intermediaries. It requires assessment across 6 domains and 30 controls with maturity scoring from 1 to 5, and formal CEO Declaration submission to SEBI each year.
Maximum penalties reach ₹250 crore per violation for Significant Data Fiduciaries. Failure to notify a breach: up to ₹200 crore. Failure to fulfil Data Fiduciary obligations: up to ₹150 crore. Enforcement deadline is May 2027. Every BFSI entity processing personal data of Indian residents must comply.
Maker-checker is a dual-control workflow where assessment responses are completed by one person (Maker) and independently reviewed and approved by a second person (Checker). Each control can be approved, rejected, or flagged for changes — creating a documented governance trail that regulators expect to see when reviewing the assessment process, not just its outputs.
Every evidence file is hashed with SHA-256 at upload. The hash, timestamp, and uploader identity are stored alongside the file — linked to the specific control it supports. An auditor can verify mathematically that evidence presented is identical to what existed at assessment time. Evidence is never permanently deleted; soft delete preserves the metadata and hash in the audit record.
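The hash-at-upload and later verification described above can be sketched as follows. This is an added example, not the platform's own code; the class names, field names, and the sample control ID and uploader are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class EvidenceRecord:
    control_id: str        # control the evidence supports
    uploader: str          # identity of the uploading user
    sha256: str            # hex digest computed once, at upload
    uploaded_at: str       # UTC timestamp, ISO 8601
    deleted: bool = False  # soft-delete flag; the record is never removed


class EvidenceRegister:
    """Hypothetical in-memory register; production use needs an append-only store."""

    def __init__(self):
        self._records = {}  # evidence_id -> EvidenceRecord
        self._blobs = {}    # evidence_id -> file bytes

    def upload(self, evidence_id, control_id, uploader, data: bytes):
        # Refuse re-registration so an existing hash can never be replaced.
        if evidence_id in self._records:
            raise ValueError("evidence id already registered")
        rec = EvidenceRecord(control_id, uploader,
                             hashlib.sha256(data).hexdigest(),
                             datetime.now(timezone.utc).isoformat())
        self._records[evidence_id] = rec
        self._blobs[evidence_id] = data
        return rec

    def soft_delete(self, evidence_id):
        # Only flag the record: bytes, hash, timestamp and uploader all remain.
        self._records[evidence_id].deleted = True

    def verify(self, evidence_id, presented: bytes) -> bool:
        # True only if the presented bytes match what was hashed at upload.
        expected = self._records[evidence_id].sha256
        actual = hashlib.sha256(presented).hexdigest()
        return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    reg = EvidenceRegister()
    doc = b"Firewall rule review, Q1 (constructed sample)"
    reg.upload("ev-1", "CTRL-01", "maker@example.test", doc)
    print(reg.verify("ev-1", doc))         # unmodified copy
    print(reg.verify("ev-1", doc + b" "))  # altered copy
```

Verification depends only on the stored digest, so an auditor can check a presented file even after the evidence has been soft-deleted.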
The Practitioner Toolkit is invite-only. Access is provisioned through a structured enterprise engagement — not self-service. Submit an enquiry at creativecyber.in/business-enquiry or write to info@creativecyber.in. CreativeCyber conducts a qualification and provisioning discussion before onboarding.
Practitioner Intelligence
Deep dive into evidence deficiencies across 30 controls and 6 domains. Anatomy of the CEO Declaration dilemma and a 16-week evidence architecture playbook.
Penalty schedule breakdown, 11 key obligations for Data Fiduciaries, sector-specific implications, and a 15-month compliance roadmap.
8 AI security domains every CISO must address, risk-tiered governance model, and regulatory mapping for DPDP, SEBI, and RBI AI requirements.
Pick a CSCRF domain, tick what evidence you already hold. See your readiness percentage and exact gaps — the same diagnostic the Practitioner Toolkit uses for all 68 controls.
Practitioner Toolkit automates this across all 68 controls · evidence upload · maker/checker workflow · SEBI audit reports
The Practitioner Toolkit is provisioned through a structured enterprise engagement. Submit an enquiry and the CreativeCyber team will conduct an initial qualification discussion.