Updated: 27 Apr 2026
The SOC 2 Type II report arrives. The certification is clean. The product's security controls, access policies, and data handling practices have been assessed and found compliant. The CTO forwards it to the enterprise sales team. Three deals stalled on the security review move forward.
Two weeks later, the annual internal access review finds something the SOC 2 auditor was not looking for.
The data engineer who joined when the company had eight people still has admin rights to the production database. The contractor who built the data pipeline last year has read access to the full customer table. The customer success manager can export every customer record without a second factor on her login.
The product is compliant. The people who access it are not the product.
SOC 2 Type II certification covers the controls around customer data. It does not, by default, cover whether the people with administrative access to production systems authenticate with a second factor. The audit looks at what the policy says. It does not always look at what the access log shows.
Under the DPDPA 2023, Vertical SaaS companies processing personal data of Indian customers are data fiduciaries responsible for reasonable security safeguards across all systems handling that data, including internal employee and contractor access to production environments. The enterprise client's SOC 2 requirement and India's DPDPA obligation arrive at the same access surface from different directions.
Indian Vertical SaaS companies face a compliance pressure specific to their position: enterprise clients in regulated industries demanding SOC 2 certification, running simultaneously with DPDPA obligations for Indian customer data and, for VC-backed companies, investor security diligence that typically precedes the next funding round.
Cisco Duo, Cisco's identity security platform, enforces MFA across production database access, cloud infrastructure consoles, internal admin tools, and contractor remote access from a single platform. Named individual accounts. Access scoped to what each role requires. Time-limited credentials for contractors.
In Proactive's Cisco Duo deployments across Vertical SaaS companies in Bengaluru, Pune, and Hyderabad, the credential audit consistently finds internal access rights that scaled with headcount but were never formally reviewed: broad production access, shared accounts, and contractor credentials that outlasted the engagement. The SOC 2 auditor did not find these. The DPDPA investigation will.
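The findings described above (an early hire's unreviewed production admin rights, a contractor credential that outlived the engagement, a production export without a second factor, a shared console account) are the kind of thing a scripted access review over an account inventory and an access log can surface between annual audits. The following is an added illustration, not Proactive's or Cisco Duo's code; the account fields, the list of production systems, the review interval and all sample records and log lines are constructed assumptions.

```python
"""Access review over a constructed account inventory and access log.

Added illustration only; not code from Proactive or Cisco Duo. Field names,
production-system list, review interval and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy: sessions on these systems need a second factor, a named owner
# and a formal review at least once a year.
PRODUCTION_SYSTEMS = {"prod-db", "cloud-console", "admin-tool"}
REVIEW_INTERVAL_DAYS = 365


@dataclass
class Account:
    name: str
    kind: str                              # "employee", "contractor" or "shared"
    systems: frozenset                     # systems this account can reach
    privilege: str                         # "admin" or "read"
    mfa_enrolled: bool
    engagement_end: Optional[date] = None  # contractors only
    last_reviewed: Optional[date] = None   # None: granted, never reviewed


def production_scope(acct: Account) -> bool:
    """True if the account can reach any production system."""
    return bool(acct.systems & PRODUCTION_SYSTEMS)


def review_accounts(accounts, today: date):
    """Policy-side review: returns (account, finding) pairs for production-scoped accounts."""
    findings = []
    for a in accounts:
        if not production_scope(a):
            continue  # staging-only access is out of scope for this review
        if a.kind == "shared":
            findings.append((a.name, "shared account on production system"))
        if not a.mfa_enrolled:
            findings.append((a.name, "production access without a second factor"))
        if a.kind == "contractor" and a.engagement_end and a.engagement_end < today:
            findings.append((a.name, "contractor credential outlived engagement"))
        if a.last_reviewed is None or (today - a.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((a.name, "production access never reviewed or review overdue"))
    return findings


def parse_log_line(line: str) -> dict:
    """Parse a constructed 'TIMESTAMP key=value ...' access log line into a dict."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def audit_access_log(lines, accounts):
    """Log-side check: what the access log shows, independent of what the policy says."""
    known = {a.name: a for a in accounts}
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("system") not in PRODUCTION_SYSTEMS:
            continue
        user = rec.get("user")
        if rec.get("mfa") != "true":
            findings.append((user, rec["ts"], "production session without second factor"))
        acct = known.get(user)
        if acct is None:
            findings.append((user, rec["ts"], "session from account missing in inventory"))
        elif (acct.kind == "contractor" and acct.engagement_end
              and date.fromisoformat(rec["ts"][:10]) > acct.engagement_end):
            findings.append((user, rec["ts"], "contractor session after engagement end"))
    return findings


# Constructed sample inventory and log, mirroring the findings in the text.
TODAY = date(2026, 4, 27)
SAMPLE_ACCOUNTS = [
    Account("de-arjun", "employee", frozenset({"prod-db"}), "admin", True),          # early hire, never reviewed
    Account("ctr-pipeline", "contractor", frozenset({"prod-db"}), "read", True,
            engagement_end=date(2025, 6, 30), last_reviewed=date(2025, 1, 15)),      # engagement over
    Account("csm-priya", "employee", frozenset({"admin-tool"}), "read", False,
            last_reviewed=date(2026, 1, 10)),                                        # no second factor
    Account("ops-shared", "shared", frozenset({"cloud-console"}), "admin", True,
            last_reviewed=date(2026, 2, 1)),                                         # shared console login
    Account("dev-meera", "employee", frozenset({"staging"}), "admin", False),        # non-production
]
SAMPLE_LOG = [
    "2026-04-20T10:15:00Z user=csm-priya system=admin-tool action=export mfa=false",
    "2026-04-21T08:02:11Z user=ctr-pipeline system=prod-db action=select mfa=true",
    "2026-04-21T09:30:45Z user=de-arjun system=prod-db action=alter mfa=true",
    "2026-04-22T12:00:00Z user=dev-meera system=staging action=deploy mfa=false",
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"[inventory] {name}: {finding}")
    for user, ts, finding in audit_access_log(SAMPLE_LOG, SAMPLE_ACCOUNTS):
        print(f"[log] {ts} {user}: {finding}")
```

The two functions are deliberately separate: `review_accounts` checks the inventory against the policy, which is roughly what an auditor reads, while `audit_access_log` checks what actually happened, which is where the unreviewed admin and the expired contractor show up even when the inventory looks tidy. Running both, and diffing their output, is the practical version of "the audit looks at what the policy says, not what the access log shows".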
Proactive is a Cisco Preferred Security Partner deploying Cisco Duo for Indian Vertical SaaS companies: DPDPA compliance, SOC 2 MFA requirements, and internal access security across Bengaluru, Pune, and Hyderabad.
The product is compliant.
The access should be too.
Talk to a Proactive Cisco Duo specialist. Write to [email protected].
We'll get back to you shortly.