The Challenge: Three Deadlines, One Team
By early 2024, CredVault Finance had grown fast — a Series B NBFC disbursing personal loans across 14 Indian cities, processing over 2 million borrower applications in two years. But their security and compliance posture hadn't kept pace.
The problem wasn't a single gap. It was three converging pressures that arrived within the same 30-day window:
- SEBI CSCRF audit in 5 months. SEBI's Cyber Security and Cyber Resilience Framework applies to registered intermediaries including NBFCs above a certain AUM threshold. CredVault had crossed that threshold — and their first SEBI audit was scheduled for September 2024.
- International VC requiring SOC 2 before the next tranche. A Singapore-based growth fund had committed a ₹48Cr tranche but had a hard gate: SOC 2 Type II report before funds release. Without it, the round was in jeopardy.
- 2M+ borrower records with unresolved DPDP exposure. India's Digital Personal Data Protection Act had been notified. With 2 million borrower records — including sensitive loan application data, income documents, and Aadhaar-linked KYC — CredVault's data practices were exposed to significant penalty risk if rules were finalized before they were ready.
Their internal security team was one person: a capable IT manager who had built strong network controls but had never led a compliance programme. The engineering team was heads-down on a new product line. No one had bandwidth to lead three parallel compliance tracks.
"We could have hired a compliance team and started from zero — or we could get someone who had done this dozens of times before, who understood both Indian regulatory frameworks and international standards simultaneously. That's what made NxgSecure the obvious choice."
The Solution: Parallel Tracks, Shared Controls
Most compliance engagements treat SOC 2, SEBI CSCRF, and DPDP as entirely separate programmes — which means duplicated effort, different tools, and three times the disruption to the engineering team. NxgSecure took a different approach: map the control overlaps first, build once, satisfy multiple frameworks.
Before writing a single policy, NxgSecure audited all 180+ controls across SOC 2 TSC, SEBI CSCRF, and DPDP simultaneously — identifying 68 controls that could be shared across frameworks. This became the foundation of the single-source compliance programme.
The 5-month SEBI deadline was the hardest constraint. NxgSecure prioritised the 15 critical SEBI controls — incident response, VAPT (vulnerability assessment and penetration testing), access management, business continuity — and ran a parallel gap assessment + remediation sprint to hit the September audit date.
SOC 2 Type II requires a minimum 6-month evidence observation period. NxgSecure locked in the scope, implemented controls, and started the observation window on Day 45 — giving the team 9 months total to hit Type II, two months ahead of the VC's preferred timeline.
NxgSecure mapped all 2M+ borrower records against DPDP's data principal rights framework — consent capture, purpose limitation, retention schedules, and DSR (Data Subject Request) workflows. Completed 14 months before DPDP enforcement deadlines.
How it worked in practice
The engagement began with a two-week discovery sprint. NxgSecure's team — a dedicated compliance lead plus a security engineer — embedded with CredVault's IT manager and ran structured interviews with heads of engineering, product, and finance.
Rather than producing a lengthy gap report that sat in someone's inbox, the team delivered a live control matrix: every control, every framework, its current state (implemented / partial / missing), the owner, and the deadline. This became the single source of truth for all three tracks for the next nine months.
Engineering was involved minimally — exactly as promised. Most controls were implemented at the infrastructure and process layer, not in product code. Where engineering changes were needed (audit logging, session management, encryption key rotation), NxgSecure wrote the requirements in engineering-ready format and shadowed the implementation sprint.
"The control matrix they built in week two is still how we run compliance today. Every audit, every new vendor review — it all flows from that document."
VP Engineering, CredVault Finance
Multiple compliance deadlines converging? We've been here before.
NxgSecure has run parallel SOC 2 + SEBI / DPDP / ISO engagements for 12+ Indian fintechs. We know exactly where the control overlaps are — and how to get there without derailing your engineering team.
9-Month Engagement Timeline
- Structured interviews, infrastructure audit, policy inventory. Delivered 180+ control gap analysis across SOC 2, SEBI CSCRF, and DPDP. Identified 68 shared controls.
- 42 policies written and approved: information security, access control, incident response, change management, business continuity, DPDP privacy notice, retention schedule. Vendor risk assessment for 28 sub-processors.
- MFA enforced org-wide, encryption at rest enabled on all databases, centralised SIEM deployed, vulnerability management programme launched. SOC 2 evidence collection window starts.
- Incident response plan tested via tabletop exercise. VAPT conducted by empanelled CERT-In auditor. DR/BCP tested. Internal audit report prepared per SEBI format. Mock audit held with NxgSecure acting as SEBI examiner.
- CredVault's first SEBI CSCRF audit completed with zero critical findings and two minor observations (both corrected within 30 days). NxgSecure team present throughout the audit as technical support.
- 2M+ borrower records fully mapped. Consent management workflows live on all new loan applications. DSR handling process deployed. SOC 2 internal readiness review conducted — 4 control gaps identified and closed before external auditor engagement.
- External SOC 2 audit completed. Type II report issued with clean opinion. Report shared with VC and three enterprise clients. ₹48Cr tranche released within 30 days of report issuance.
Results: Three Frameworks, Zero Penalties, ₹48Cr Unlocked
Beyond the certifications
The compliance deliverables were table stakes — the real impact was commercial. The SOC 2 report immediately unblocked three enterprise deals that had been stalled in procurement review. One of those clients, a large public-sector bank, had a 12-month procurement cycle that reset every time a vendor couldn't produce a security report. The SOC 2 Type II report ended that cycle permanently.
The SEBI CSCRF audit result had an unexpected second-order effect: CredVault's board risk committee used it as evidence of mature governance during their Series C preparation. Two board members cited it specifically in their investor update as a competitive differentiator in a sector where most NBFCs are still in early compliance stages.
On the DPDP side, the 14-month runway the data mapping programme created meant CredVault wasn't in crisis mode when enforcement rules began circulating. Their consent management system was live, tested, and documented — while competitors were still conducting internal assessments.
CredVault is now the most compliance-certified NBFC in their revenue tier. Their sales team uses the SOC 2 and SEBI certifications as first-call differentiators when speaking to enterprise clients and institutional partners. What started as a crisis became a strategic moat.
Ongoing Partnership
The engagement didn't end at certification. NxgSecure continues as CredVault's managed compliance partner — running annual SOC 2 surveillance, quarterly SEBI compliance reviews, and 24×7 security operations monitoring across their loan servicing infrastructure.
When a zero-day vulnerability in one of their cloud providers was disclosed in Q1 2025, NxgSecure's SOC team had CredVault patched and evidence documented within 4 hours — before the incident even reached their board's radar.