Part 13.4

VPN and Cloud Regulations

"New Compliance Landscape for Digital Services"

VPN service provider obligations, KYC requirements, 5-year data retention, cloud service agreements, data localization, and third-party risk management.

4.1

VPN Provider Obligations under CERT-In 2022

VPN Service Providers - Who is Covered?

Covered Entities:

1. Virtual Private Network (VPN) service providers

2. Virtual Private Server (VPS) providers

3. Cloud Service Providers

4. Data Centre service providers

Note: Enterprise/Corporate VPNs used internally are NOT covered by these provisions (exemption for own use).

CERT-In Directions 2022 - VPN Rules

Mandatory KYC and Data Retention

VPN service providers, cloud service providers, and virtual private server providers shall maintain records of subscribers and customers for a period of 5 years or longer as mandated after any cancellation or withdrawal of subscription. Records include: Validated names, Period of hire, IPs allotted, Email and IP address at registration, Purpose of hiring, Validated address and contact numbers, Ownership pattern.

4.2

KYC Requirements - Detailed Breakdown

Information Required	Individual Users	Business Users
Name	Full legal name (validated)	Company name + Authorized person
Address	Validated residential address	Registered office + Branch address
Contact	Mobile number (verified)	Official contact + Authorized person mobile
Email	Email at time of registration	Official email + Personal email of contact
IP Address	IP at registration time	IP at registration time
IPs Allotted	All IPs assigned during subscription	All IPs assigned to the organization
Purpose	Stated purpose of hiring services	Business use case description
Ownership	Self-declaration	Directors/Partners/Shareholders details
Retention	5 years after cancellation	5 years after cancellation

Validation Methods

For Individuals:

- Aadhaar-based eKYC (recommended)

- Video KYC with ID verification

- In-person verification with documents

For Businesses:

- GST registration verification

- MCA (Company/LLP registration) verification

- Authorized signatory verification via KYC

4.3

Cloud Service Compliance

Cloud Service Provider Obligations

CERT-In Requirements:

1. Maintain customer/subscriber KYC records (5 years)

2. Maintain logs of cloud infrastructure (180 days)

3. Report incidents within 6 hours

4. Designate Point of Contact

5. Enable NTP synchronization (Indian Standard Time)

Additional Considerations:

6. Data localization requirements (sector-specific)

7. Encryption standards

8. Access controls and audit trails

Sector	Data Localization Requirement	Regulator
Payment Data	Must be stored in India (RBI 2018)	RBI
Insurance Data	Critical data in India (IRDAI guidelines)	IRDAI
Telecom Data	Customer data in India (License conditions)	DoT
Government Data	Must be in India (GI Cloud/MeghRaj)	MeitY
Healthcare	Patient records preferably in India	ABDM Guidelines
DPDPA (All)	Blacklist approach - restricted countries only	DPB (Future)

4.4

Cloud Service Agreements - Key Clauses

Essential Clauses for CERT-In Compliance

1. Data Location Clause:

- Specify data storage locations

- Ensure India jurisdiction access for logs

2. Security Standards Clause:

- Encryption at rest and in transit

- Access control mechanisms

- Security certifications (ISO 27001, SOC 2)

3. Incident Response Clause:

- Provider must notify customer within specified time (less than 6 hours)

- Support for CERT-In reporting obligations

- Evidence preservation support

4. Audit Rights Clause:

- Customer right to audit or obtain audit reports

- Third-party audit access

5. Data Retention/Deletion Clause:

- Clear data deletion procedures

- Certificate of deletion

- Compliance with 180-day log retention

Third-Party Risk Management

Due Diligence Checklist:

1. Security certifications and compliance status

2. Data center locations and jurisdiction

3. Sub-contractor/sub-processor policies

4. Incident history and response capabilities

5. Business continuity and disaster recovery

6. Insurance coverage

7. Exit strategy and data portability

4.5

Maharashtra Context - Cloud and VPN Usage

Maharashtra IT Industry Implications

IT/ITES Companies (Pune, Mumbai, Nagpur):

- Using international cloud services? Ensure logs accessible in India

- Client data processing? Check sector-specific localization rules

- Remote workforce using VPN? Enterprise VPN exempt but ensure security

Startups:

- Cost considerations for compliance vs. cloud convenience

- MeitY empaneled cloud providers (GI Cloud) may simplify compliance

E-commerce (Mumbai/Pune):

- Payment data must be in India (RBI mandate)

- Customer data subject to CERT-In + DPDPA obligations

Practical Tip

Cloud Service Selection Criteria

When selecting cloud services: (1) Check if provider has India region/data center; (2) Verify CERT-In compliance capabilities; (3) Review data processing agreements for log access; (4) Confirm incident notification SLAs (less than 6 hours); (5) Ensure audit reports available (SOC 2 Type II, ISO 27001); (6) Consider MeitY empaneled providers for government-related work.

Key Points - Part 13.4

VPN Providers - Must maintain KYC of all subscribers for 5 years after cancellation
Enterprise VPN - Internal/corporate VPNs are exempt from VPN provider rules
KYC Details - Name, address, contact, email, IP at registration, IPs allotted, purpose, ownership
Cloud Providers - Same obligations as VPN providers; plus 180-day log retention
Data Localization - Sector-specific; Payment data mandatory in India (RBI)
DPDPA Approach - Blacklist approach; restricted countries will be notified
Contract Clauses - Data location, security, incident response, audit rights, deletion procedures
Third-Party Risk - Due diligence on security certifications, data locations, incident capabilities
Maharashtra IT - International cloud users ensure India log access; payment data localized
MeitY Cloud - Government/sensitive projects consider MeitY empaneled cloud providers