India's financial sector is operating in a fundamentally different compliance environment than it was 18 months ago. SEBI's Cybersecurity and Cyber Resilience Framework came into force on January 1, 2025, and the DPDP Act 2023 is now being actively enforced. For SEBI-regulated entities running Salesforce, the obligations now stretch well beyond internal security policy and into every vendor that processes their data.
Yet many compliance teams find their current Salesforce vendor contracts were written for GDPR or US compliance frameworks, not for India's regulatory environment. The gap between "GDPR-ready" and "SEBI CSCRF-ready" is wider than most organisations expect, and the regulated entity is the one carrying the risk.
This white paper explains what SEBI CSCRF and the DPDP Act actually require of technology vendors, and how the Data Fiduciary and Data Processor distinction defines where your accountability sits. It also lays out the India compliance framework Flosum has built specifically for SEBI-regulated entities: a signed India DPA Addendum governed by Indian law, an Annual Risk Assessment with Part A pre-completed by our CISO, AWS Mumbai data residency, and the documentary evidence your SEBI auditor expects to see in your files.
Inside, you will learn:
What SEBI CSCRF and the DPDP Act actually require of your Salesforce vendor
The eight CSCRF requirements that change how you evaluate cloud data partners
The Data Fiduciary and Data Processor distinction every Indian financial entity must understand
A practical vendor compliance checklist, with the answers that constitute a compliant response
Flosum's India compliance framework: the India DPA Addendum, the DPAS, and the AWS Mumbai data residency that backs them up