SEBI’s cloud framework, and where AI runs
SEBI’s Framework for Adoption of Cloud Services tells regulated entities that moving a workload to the cloud doesn’t move the responsibility: the entity still owns its data, still answers for audit and continuity, still has to be able to exit. For an AI decisioning workload, the practical consequence is that the system should run inside the entity’s own governance perimeter — which is exactly the in-VPC posture Vihaya is designed around.
What the framework sets out
The framework establishes that cloud adoption is permitted but bounded: regulated entities must put in place board-level governance, assess and manage risks including vendor concentration, retain ownership and control of their data, and maintain the ability to audit the arrangement and to exit it without disruption to the market function they perform.
Crucially, the framework treats the regulated entity as accountable end to end. Using a cloud or AI vendor does not transfer the regulatory obligation — it adds a third party the entity must govern. That principle is the lens through which any AI decisioning deployment should be evaluated.
Mapping an AI deployment to it
The cleanest way to satisfy ‘the entity owns its data and control’ is to not hand the data to the AI vendor at all. Vihaya is designed to run as a decisioning service inside the regulated entity’s own cloud account, so data ownership, localisation, audit access, and the exit path all remain with the entity. The audit trail Vihaya writes is itself evidence for the governance and oversight the framework expects.
None of this substitutes for the entity’s own assessment. The framework requires the regulated entity to make and document its compliance determination; Vihaya provides a deployment model designed to support it. Vihaya is pre-revenue with no SEBI-regulated deployment to date.
SEBI cloud framework FAQ
What is the SEBI cloud framework?
It is SEBI’s Framework for Adoption of Cloud Services by SEBI Regulated Entities, which sets principles and mandatory baseline requirements for how stock exchanges, depositories, intermediaries, and other regulated entities may use cloud services. It covers governance, risk, data ownership and localisation, security, and exit/business-continuity expectations.
Who does it apply to?
SEBI-regulated entities — including market infrastructure institutions, brokers, mutual funds, and other intermediaries. If such an entity wants to run a workload, including an AI decisioning workload, on cloud infrastructure, the framework’s principles apply.
What are the key obligations for an AI workload?
The regulated entity retains ownership and control of its data, must avoid undue concentration risk, must be able to audit and exit the arrangement, and must keep regulatory access intact. An AI service should therefore run in a way that keeps data and control inside the regulated entity’s own governance perimeter.
How does Vihaya’s model map to it?
Vihaya is designed to deploy inside the regulated entity’s own cloud account, so data ownership, localisation, audit, and exit all sit with the entity rather than a vendor-hosted endpoint. Compliance remains the regulated entity’s determination; Vihaya is pre-revenue and has no SEBI-regulated deployment.
Want to see this in your environment?
30-minute discovery call. We follow up with a draft SOW shortly after.
Talk to us about a pilot