What Happened
Indian infrastructure giant Larsen & Toubro (L&T) has incorporated Vyoma.AI Ltd, a wholly owned subsidiary designed to establish India's first domestically-built AI data centre infrastructure. This is a significant move in India's push toward data sovereignty and reducing dependence on foreign cloud providers for AI workloads.
Vyoma.AI will focus on building specialised data centres optimised for artificial intelligence and machine learning workloads, with a particular emphasis on serving Indian enterprises that need to keep sensitive data within national borders. The subsidiary comes at a time when Indian businesses are increasingly concerned about data residency requirements under the Digital Personal Data Protection (DPDP) Act, 2023 and regulatory pressure from CERT-In and the RBI.
This isn't just infrastructure news—it's a watershed moment for Indian SMBs navigating the complex intersection of AI adoption, regulatory compliance, and cybersecurity. When I was architecting security for large enterprises, we constantly battled the tension between innovation velocity and data governance. Vyoma.AI addresses exactly that friction point for India.
Why This Matters for Indian Businesses
Let me be direct: this changes everything for Indian SMBs considering cloud migration.
For years, Indian businesses have faced an uncomfortable choice:
- Use global cloud providers (AWS, Azure, GCP) and navigate complex data residency compliance
- Build expensive, in-house infrastructure
- Risk regulatory penalties under DPDP Act and RBI guidelines
The Compliance Advantage
Under the DPDP Act 2023, sensitive personal data must be stored in India. The RBI's guidelines (issued in 2021, reinforced in 2023) require banks and fintech companies to keep customer data within national borders. CERT-In's 6-hour breach notification mandate means you need infrastructure you can audit and control immediately.
With Vyoma.AI:
- Data never leaves Indian territory
- You have a domestic vendor accountable under Indian law
- Compliance audits become simpler (no cross-border data flow complexity)
- You reduce latency for Indian users
The Security Angle
As someone who's reviewed hundreds of Indian SMB security postures, I can tell you: most don't fully understand their cloud provider's security responsibilities. AWS, Azure, and GCP operate under the "Shared Responsibility Model"—they secure the infrastructure, you secure your data and access controls.
With a domestic provider like Vyoma.AI:
- You can request on-site security audits
- CERT-In can conduct investigations without cross-border legal friction
- You have direct accountability to Indian regulators
- Incident response timelines compress dramatically
Technical Breakdown: How AI Data Centre Security Works
Let me walk you through the architecture and threat model of AI-optimized data centres like what Vyoma.AI will operate.
graph TD
A[Data Ingestion Layer] -->|TLS 1.3| B[Network Security]
B -->|Firewall/WAF| C[Kubernetes Cluster]
C -->|RBAC + Pod Security| D[AI Workload Execution]
D -->|Encryption at Rest| E[Storage Layer]
E -->|Audit Logging| F[Compliance & Monitoring]
F -->|SIEM Integration| G[Incident Response]
H[Threat: Data Exfiltration] -.->|Attempts to bypass| B
I[Threat: Privilege Escalation] -.->|Targets| C
J[Threat: Model Poisoning] -.->|Attacks| DKey Security Layers in AI Data Centres
1. Network Segmentation AI workloads handle massive data flows. Vyoma.AI will need microsegmentation—isolating each AI model's network traffic from others. This prevents lateral movement if one tenant's workload is compromised.
# Example: Kubernetes Network Policy (what Vyoma.AI will likely use)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ai-workload-isolation
spec:
podSelector:
matchLabels:
app: ml-model-prod
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: api-gateway
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: data-store
ports:
- protocol: TCP
port: 54322. Encryption in Transit & at Rest AI models are valuable IP. Data flowing through the centre must be encrypted with TLS 1.3 (minimum). Data at rest must use AES-256 encryption with keys managed by an HSM (Hardware Security Module).
# Verify TLS 1.3 is enforced on your cloud connection
openssl s_client -connect your-ai-provider.in:443 -tls1_3
# Output should show: "TLSv1.3" in the protocol line
# If you see TLS 1.2 or lower, escalate to your provider immediately3. GPU/TPU Access Control AI workloads run on specialized hardware (NVIDIA GPUs, TPUs). These must be isolated per tenant with strict RBAC (Role-Based Access Control). A compromised user account shouldn't access another tenant's GPU memory.
4. Model & Data Poisoning Prevention This is the new frontier. Attackers can inject malicious data into training sets, corrupting AI models. Vyoma.AI will need:
- Data validation pipelines
- Model integrity verification
- Anomaly detection on training inputs
- Audit trails for all model updates
5. Compliance Logging & Audit Under DPDP Act, you must log:
- Who accessed what data, when, and why
- All encryption key rotations
- All user privilege changes
- All data export requests
# Example: Query audit logs for unauthorized access attempts
# (This is what Vyoma.AI's security team will monitor 24/7)
grep "UNAUTHORIZED_ACCESS" /var/log/audit/compliance.log | wc -l
# For CERT-In compliance, these logs must be retained for 180 days minimum
find /var/log/audit -name "*.log" -mtime +180 -deleteKnow your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanHow to Protect Your Business When Choosing an AI Data Centre
If you're considering migrating AI workloads to Vyoma.AI or any domestic provider, here's your security checklist:
| Security Requirement | What to Verify | Difficulty |
|---|---|---|
| Data Residency | All data stored within India; no replication to foreign regions | Easy |
| Encryption | AES-256 at rest, TLS 1.3 in transit | Easy |
| Access Control | RBAC enforced; no shared credentials between tenants | Medium |
| Audit Logging | 180+ day retention; SIEM integration available | Medium |
| Incident Response | 24/7 SOC; CERT-In notification within 6 hours | Hard |
| Compliance Certification | ISO 27001, SOC 2 Type II, DSPM capability | Hard |
| Penetration Testing | Annual VAPT by independent firm; results shared with you | Hard |
| Disaster Recovery | RTO < 4 hours; RPO < 1 hour; tested quarterly | Hard |
Quick Fix: Audit Your Current Cloud Setup
Before moving to Vyoma.AI, understand your current risk:
# Step 1: List all cloud storage buckets and their encryption status
aws s3api list-buckets --query 'Buckets[].Name' --output text | \
while read bucket; do
encryption=$(aws s3api get-bucket-encryption --bucket $bucket 2>/dev/null)
if [ -z "$encryption" ]; then
echo "⚠️ RISK: $bucket has NO encryption"
else
echo "✓ $bucket is encrypted"
fi
done
# Step 2: Check if data leaves India
aws s3api get-bucket-location --bucket your-bucket --query 'LocationConstraint'
# Should return: ap-south-1 (Mumbai) or ap-south-2 (Hyderabad)
# If it returns us-east-1 or eu-west-1, your data is outside India
# Step 3: Verify access logging is enabled
aws s3api get-bucket-logging --bucket your-bucket
# Should show LoggingEnabled with a target bucketHow Bachao.AI Detects These Risks
This is exactly why I built Bachao.AI—to make enterprise-grade security accessible to Indian SMBs making these infrastructure decisions.
- VAPT Scan (Rs 4,999) — Assess your current cloud configuration for data residency violations, encryption gaps, and access control weaknesses before migration. Identifies which workloads are safe to move to domestic infrastructure.
- DPDP Compliance Assessment (Free → Rs 2,999) — Verify that Vyoma.AI's service terms meet DPDP requirements. We check data processing agreements, breach notification clauses, and audit rights.
- Cloud Security Audit (Rs 7,999) — Deep dive into your AWS/GCP/Azure setup. We identify data leaving India, unencrypted storage, and overprivileged accounts that need remediation before switching providers.
- API Security Scan (Rs 3,999) — If your AI workloads expose APIs (common for ML model serving), we test for injection attacks, authentication bypasses, and model extraction attempts.
- Dark Web Monitoring (Rs 1,999/month) — Monitor if your company data or employee credentials appear in breach databases. Critical when migrating to new infrastructure.
- Incident Response (24/7 on-call) — If something goes wrong during migration, our team handles CERT-In notification, forensics, and recovery.
What's Next for Indian SMBs?
Vyoma.AI's launch signals a major shift: India is building its own AI infrastructure stack. This is good news for compliance, latency, and long-term data sovereignty.
But it also means:
- Your security responsibilities don't disappear—they shift
- You still need to audit your data flows, encryption, and access controls
- CERT-In and DPDP compliance requirements remain unchanged
- Incident response timelines are now faster (which is good, but requires preparation)
If you're considering Vyoma.AI, now is the time to:
- Audit your current security posture
- Understand your DPDP compliance gaps
- Plan your data migration strategy
- Set up monitoring and incident response before you move
Originally reported by Inc42
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.