What Indian compliance actually means
The phrase 'Indian compliance' gets thrown around as if it were a single rulebook. It is not. For most Indian mid-market businesses outside the regulated sectors, compliance is really three things - data residency in India, an audit trail you can show, and a DPDP-compliant consent and purpose framework. All three are achievable on cloud or on-premise.
- DPDP Act 2023 (horizontal). Covers personal data of Indian residents - consent, purpose limitation, breach notification, and rights of data principals. Does not, in itself, mandate on-premise.
- RBI for banks and NBFCs. Payment data localisation rule (April 2018) and outsourcing guidelines that constrain how cloud providers can host certain workloads.
- SEBI for market intermediaries. Cyber security framework with specific access control, audit log, and incident reporting requirements.
- IRDAI for insurers. Outsourcing rules that add governance overhead on cloud arrangements, including board approval for material outsourcing.
- CERT-In incident reporting. Six-hour breach reporting requirement that affects logging discipline regardless of deployment shape.
- Defence and government contracts. Contract-level data handling clauses that often override sectoral guidance and can mandate on-premise outright.
The choice between deployment shapes is not compliance versus non-compliance. It is operating model and cost.
The three shapes at a glance
| | On-premise | Single-tenant private cloud | Multi-tenant SaaS |
|---|---|---|---|
| Data residency | Absolute, by definition | Indian region, dedicated tenancy | Indian region, shared infrastructure |
| GPU cost | ₹8L - ₹20L hardware capex | Included in subscription | Included in subscription |
| Audit visibility | Full ownership, IT must maintain | Cleaner default logs, customer accessible | Cleaner default logs, customer accessible |
| Latency to source | Lowest network latency | Adds 20 to 80 ms over network | Adds 20 to 80 ms over network |
| Year-1 cost | ₹13L - ₹29L all-in | ₹4.5L - ₹10L | ₹3L - ₹6L |
| Best fit | Defence, BFSI, sensitive healthcare | Procurement-driven, board mandates | Most mid-market trading, manufacturing, real estate |
On-premise reality check
On-premise AI sounds simple in a slide and is operationally demanding in practice. It is achievable - we have customers running KolossusAI fully on-premise - but it should be a deliberate choice driven by a real reason, not a default born of cloud anxiety.
- GPU hardware capable of inference. Typically an A6000-class card or better, currently ₹4 to ₹12 lakh per card depending on configuration.
- Server, redundant power, cooling. Sustained 300 to 400 watts of heat per card. Most office server rooms need a small upgrade to handle it.
- Network isolation your IT team commits to maintain. Patching, firewall rules, and access reviews on a recurring schedule, not a one-time setup.
- Someone who understands the stack. Model updates, security patches, log rotation, and recovery from the inevitable disk failure. For a 50-person business with one IT generalist, this is a real ongoing cost.
- Hardware refresh in year four or five. GPU capabilities and model sizes evolve. Plan capex for a refresh, not just a one-time install.
The reasons that justify it are usually clear. Defence contracts that prohibit external hosting. Banks and NBFCs with workloads that fall under the RBI payment data localisation rule. Hospitals with sensitive patient records governed by sector-specific ethics committees. Family offices and listed company audit committees with explicit board mandates against any data leaving owned infrastructure.
Single-tenant private cloud - the underrated middle ground
Most 'I want on-premise' conversations are actually solved by single-tenant private cloud. Your KolossusAI instance runs in an isolated environment in an Indian region you choose, with dedicated compute and storage that no other customer touches. The data never sits in a multi-tenant database. The compute is not shared. The audit trail is your own.
You get cloud convenience - no hardware to procure, no GPU to maintain, automatic patching, elastic scale - without the multi-tenant concerns that make procurement teams nervous. The cost is roughly 1.4x to 1.8x of multi-tenant managed cloud, well below the 3x to 5x total cost of on-premise once you factor in hardware depreciation and IT headcount. For most Indian mid-market businesses with procurement-side concerns rather than regulator-side mandates, this is the right shape.
Multi-tenant SaaS - where it is genuinely fine
Multi-tenant managed cloud is fine for the large majority of Indian businesses outside the regulated sectors. Trading companies, manufacturers, retail and consumer brands, real estate developers, professional services firms - the data sensitivity is real but the regulatory bar is the DPDP Act and ordinary commercial confidentiality, not a sectoral rule. Multi-tenant on Indian infrastructure with strong tenant isolation, audit logging, and encryption in transit and at rest meets these requirements.
Where multi-tenant gets genuinely uncomfortable is when your data has named individuals' financial records at scale (full ledger of consumer borrowers, full payment history of patients), when the contract with a customer or regulator explicitly forbids it, or when the threat model includes a sophisticated attacker who would specifically target your tenant. For these situations, single-tenant private cloud or on-premise is the right answer.
Latency, residency, and audit visibility
Three operational dimensions decide which shape feels right in practice, and the trade-offs are smaller than most procurement decks make them out to be.
| Dimension | On-premise edge | Cloud edge |
|---|---|---|
| Latency | Lowest network latency to source systems | Faster model inference on better hardware |
| Residency | Absolute, by definition | Indian region with contractual no-egress |
| Audit logging | Full ownership of logs, IT must maintain | Cleaner default logs at infrastructure layer |
| Operational burden | Carried by your IT team | Carried by KolossusAI |
Cost differences over three years
Realistic three-year totals for a typical Indian mid-market deployment with 10 to 30 users on KolossusAI.
Multi-tenant managed cloud runs ₹3 lakh to ₹6 lakh per year all-in. Three-year total ₹9 lakh to ₹18 lakh. No infrastructure capex, no IT headcount, automatic updates included.
Single-tenant private cloud runs ₹4.5 lakh to ₹10 lakh per year. Three-year total ₹13.5 lakh to ₹30 lakh. Slightly higher annual cost, no procurement or operational burden.
On-premise carries hardware capex of ₹8 to ₹20 lakh one-time, plus ₹2 to ₹4 lakh per year in software, plus 0.3 to 0.5 of an IT FTE allocated to running it (₹3 to ₹5 lakh per year fully loaded). Three-year total ₹17 lakh to ₹47 lakh, with the hardware depreciating and likely needing refresh in year four. Justified by regulation, not by cost.
KolossusAI's three deployment shapes
- Managed cloud. Multi-tenant on Indian regions, fastest to deploy (1 to 2 weeks), lowest TCO. Most mid-market trading, manufacturing, and real estate customers run here.
- Single-tenant private cloud. Isolated instance in an Indian region of your choice. 2 to 3 weeks to deploy. Common for consumer financial data, family offices, and procurement-driven enterprise contracts.
- On-premise. Full stack inside your network, including our Nano LLM that does not require external API calls. 4 to 8 weeks to deploy depending on hardware procurement. Common for BFSI, defence suppliers, and healthcare with sensitive records.
See our security page for the full controls list and how it works for the deployment shapes in detail.