# Services — Compliance operations as a service — Attri Edge

## Compliance operations as a service

You don’t need another consultant who hands you a report and disappears. You need someone who runs the operational layer — every week, every month — so your enterprise deals close instead of stalling.

Attri Edge is a single-operator practice focused on one wedge: the India GCC compliance operations layer for US SaaS, fintech, and healthtech companies.

## The three operational pillars

Each pillar represents a structural gap that compliance automation platforms (Vanta, Drata, Sprinto, Secureframe) do not solve. Active Retainer clients get all three; Foundational Retainer clients get evidence-cycle support across all three with optional add-ons.

### Vulnerability remediation workflow

Compliance platforms ingest vulnerability scanner data. They do not own remediation. We do.

The workflow runs every week:

- Scanner data ingestion from Tenable, Qualys, Snyk, AWS Inspector, or whichever scanner you use
- SLA assignment by severity — critical (7 days), high (30 days), medium (90 days)
- Owner-tagged ticket creation in your Jira, Linear, or ticketing system
- Re-scan verification on closure (not “engineer says it’s fixed”)
- Monthly remediation report — audit-defensible, ready for any questionnaire

### Chain-of-custody evidence trails

Auditors in 2026 are increasingly rejecting screenshot evidence because it lacks timestamps, owner attribution, and immutability. We close that gap.

What we deliver:

- Audit of every evidence type for timestamp, owner attribution, immutability
- Replacement of screenshot evidence with logged artifacts
- Automated re-collection cadences (monthly, quarterly, annual)
- Evidence binder with verifiable trails — what was done, by whom, when

### DPDPA + US framework mapping

India’s Digital Personal Data Protection Act, 2023, has no clean overlap with SOC 2, HIPAA, or GDPR. The cross-mapping work is judgment-heavy and platform-untouchable.
Deliverables per client:

- DPDPA principles mapped against SOC 2 Privacy, HIPAA Privacy and Security, GDPR articles
- Data flow diagrams covering US-to-India boundaries
- India statutory checklist (IT Act, labor law, statutory registers)
- Significant Data Fiduciary thresholds assessment
- DPIA templates and walkthroughs

## What we don’t do

Disciplined refusal protects the engagement integrity. We decline work that’s outside our wedge.

- Generic GCC setup, staffing, recruiting, or payroll
- Pure compliance theory or audit work (we refer to auditor partners)
- Penetration testing, red team, or technical security implementation
- Legal advice or named-officer roles (Privacy Officer, HIPAA Officer)
- HR or labor law consulting
- Cross-border tax structuring

If you need any of these, we’ll point you to a specialist partner.

## Transparent pricing. No lock-ins.

Month-to-month, cancel anytime. Zero termination fees.

### Risk & Readiness Review

**$999 one-time**

A 90-minute diagnostic call plus a 48-hour Evidence Index Blueprint identifying your top 10 gaps and a 30/60/90 day priority roadmap.

- 90-minute live diagnostic call
- 48-hour Evidence Index Blueprint (6–8 pages)
- Domain scorecard across 5 compliance areas
- Top 10 gaps with severity and time-to-close
- 30/60/90 day priority roadmap
- One sample template relevant to your biggest gap
- 30-minute readout call to walk through findings

### Foundational Retainer

**Starting at $3,500 / month**

For companies starting their compliance journey. Month-to-month, no lock-ins, zero termination fees.

- Monthly evidence collection cycle
- Up to 2 security questionnaires per month
- Vendor risk register (up to 30 vendors)
- 1 hour/week synchronous time
- Quarterly Business Review
- Access to template library
- 30-day onboarding sprint included

### Active Retainer (most popular)

**Custom**

For companies with active enterprise pipeline, multi-framework needs, or India operations. Typically $7,500–$9,000/month.
- Everything in Foundational
- Full vulnerability remediation workflow
- Chain-of-custody evidence trails
- DPDPA + US framework mapping
- Up to 6 questionnaires per month
- Multi-framework support (SOC 2 + ISO 27001 + HIPAA or DPDPA)
- Quarterly compliance operations sprint
- 3 hours/week synchronous time

### Strategic Lead

**Custom**

For mature operations needing embedded leadership, regulatory exam prep, and board-level reporting.

- Everything in Active
- Program leadership for compliance team
- Board-level reporting
- Regulatory exam prep
- Multi-entity compliance management
- Audit response leadership
- Custom scope and cadence

## Frequently Asked Questions

**How quickly can we start?**

Most retainers begin within 7 days of the diagnostic. Onboarding sprint kicks off Week 1 of Month 1.

**Do you work with companies outside the US?**

Primary focus is US-headquartered companies with India GCCs. Secondary: UK and Australia headquartered. Not currently EU or APAC ex-India.

**What if we already have a vCISO?**

Many of our clients have a US-based vCISO and bring us in for the India operational layer. We collaborate, we don’t replace.

**Can you handle HIPAA with PHI flowing to India?**

Only for clients with existing Business Associate Agreement infrastructure. For greenfield HIPAA + offshore PHI, we refer to specialist partners.

**How does month-to-month actually work?**

You can cancel at the end of any month with no penalty. We bill on the 1st for the upcoming month. If you cancel by the 28th of any month, the next month doesn’t bill.

**Will you sign an NDA?**

Yes, before any substantive technical discussion. Our standard NDA is mutual and one page. We’re also happy to use yours.

## Find out which tier fits your situation

Start with the diagnostic. We'll tell you honestly whether you need a retainer or can handle it internally.
