Skip to content
Regulation · RBI IT Outsourcing

RBI’s IT outsourcing framework — and how Vihaya fits

The Reserve Bank of India’s Master Direction on Outsourcing of IT Services, paired with the Cloud Outsourcing direction, defines how Indian banks and NBFCs may engage external technology providers. The framework is strict on data localisation, audit rights, and exit-management — and Vihaya’s deployment model satisfies the structural requirements by construction.

Designed in-VPC
Built to deploy inside the bank’s cloud account
Right-to-audit
Clause in the pilot SOW template
Exit plan
Snapshot + migration support designed in

Pre-revenue caveat

Vihaya is pre-revenue. No bank has deployed Vihaya yet. Every line below describes the design intent and the template artefacts in the pilot SOW — not delivered customer outcomes. Final compliance posture is the bank’s determination, not Vihaya’s certification.

How Vihaya is designed to map to the framework

RBI requirementVihaya design posture
Data localisationDesigned to deploy in the bank’s VPC (AWS Mumbai / GCP Mumbai / Azure South India). Vihaya does not store customer data in its own environment.
Right to auditClause in the pilot SOW template; audit trail designed to be accessible via the customer’s existing tooling
Exit managementPlan included at pilot kickoff; data and IP transition documented in the template
BCP / DRRunbook with RPO/RTO targets designed for handoff delivery
Sub-contractingSub-contracting would be limited to the foundation-model provider the bank has cleared (Azure OpenAI India, Vertex Mumbai, Anthropic, or OpenAI Enterprise). No enterprise contracts are in place yet.
Material risk eventsIncident-event hooks designed to surface material-risk events to the bank’s reporting workflow

RBI IT outsourcing FAQ

Which RBI direction applies to AI outsourcing?

The ‘Master Direction on Outsourcing of Information Technology Services’ issued in April 2023 (updated periodically) is the primary instrument. It applies to all scheduled commercial banks, NBFCs, urban cooperative banks, and large credit information companies.

Does this require data localisation?

Effectively yes for personal and customer data. The direction requires sensitive data to remain within India and the customer to retain the ability to retrieve and migrate data on exit. Vihaya is designed to deploy inside the bank’s own VPC (AWS Mumbai, GCP Mumbai, Azure South India) so that no data leaves the bank — no bank has deployed Vihaya yet.

What about cloud outsourcing specifically?

RBI’s 2023 Master Direction on Outsourcing of IT Services covers cloud arrangements alongside other IT outsourcing. Vihaya is designed to be deployment-model-agnostic — it would run on whichever CSP the bank has cleared, with the bank as the cloud-account owner.

What’s in the exit-management plan?

Standard contents: data extraction format, timeline for migration, IP-handover provisions, transition support. Vihaya’s pilot SOW template includes an exit-management plan. Practically: customer data would sit in their own database in their own VPC — exit is one snapshot away.

Next step

Want to see this in your environment?

30-minute discovery call. We follow up with a draft SOW shortly after.

Talk to us about a pilot