BIPI

Vendor Risk Now Includes Where Your Data Sleeps and Who Owns the Datacenter

Threat Intelligence

Post-2024 incidents and shifting sanctions regimes have made geopolitical considerations a first-class part of vendor risk assessment. The procurement questions that mattered in 2020 are insufficient now.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 29, 2024 · 7 min read

#geopolitical-risk #vendor-risk #threat-intelligence

A pharmaceutical client called us during the 2024 sanctions expansion to ask about exposure across their SaaS portfolio. They had 340 vendors. Within 48 hours we identified 11 with operations or significant ownership in newly sanctioned jurisdictions, four with data residency that violated the updated rules, and one whose primary engineering team was in a country whose government had just been linked to industrial espionage against the client's sector. None of this had appeared in their previous vendor risk assessments because the assessments asked about SOC 2 and ISO 27001, not geopolitics.

The vendor risk model that most enterprises run was built for a world where the primary concerns were data confidentiality, availability, and contractual liability. That model is incomplete in 2026. The active concerns now also include where the data physically resides, who has legal access to it through the vendor's home jurisdiction, who owns or has invested in the vendor, where the engineers who write and maintain the code are located, and what happens if relations between your jurisdiction and theirs deteriorate.

Five geopolitical risks worth assessing

  1. Data residency mismatch: vendor stores data in a jurisdiction with weaker protections or compelled-disclosure laws than your home jurisdiction.
  2. Sovereign access: vendor is subject to a government with broad access laws (CLOUD Act in the US, equivalents in China, Russia, India, UAE) that may compel disclosure regardless of your contract.
  3. Sanctions exposure: vendor has operations, owners, or significant revenue in sanctioned jurisdictions, creating compliance risk for you.
  4. Hostile state ownership: vendor is owned, partially owned, or significantly invested in by entities aligned with adversary states relative to your operations.
  5. Supply chain provenance: vendor's product includes components, libraries, or code contributions from jurisdictions of concern, even if the vendor itself is local.

Procurement questions that matter now

The 2020-era vendor questionnaire asked about encryption at rest, breach notification timelines, and SOC 2 attestations. Those still matter. The questions to add for the current environment include some that vendors find uncomfortable but should be able to answer.

  • Where is data physically stored, with primary, replica, and backup locations specified separately?
  • Where are your engineering teams located? What percentage of code commits in the last 12 months came from each jurisdiction?
  • Who owns the company (>5% stake), and have any owners changed in the last 24 months?
  • What government access requests have you received in the last 12 months and how were they handled?
  • Does your software include components from suppliers in jurisdictions subject to sanctions or high-risk advisories from your customers' governments?
  • What is your continuity plan if your primary jurisdiction's relations with our jurisdiction deteriorate?

Reasonable vendors answer these. Vendors who refuse or evade are signaling something. Note the response and proceed accordingly.

Tiering and risk acceptance

Not every vendor needs the full geopolitical assessment. The cost would be prohibitive and most vendors do not handle data sensitive enough to justify it. Tier vendors by data sensitivity and operational dependency: a vendor with read-only access to non-sensitive data has a different geopolitical risk profile than your CRM, your code repository, or your identity provider.

Top tier (identity, code, customer data, financial systems, product infrastructure) gets the full assessment. Mid tier gets a shorter version focused on data residency and ownership. Bottom tier gets the standard SOC 2 questionnaire with a single geopolitical screener question.

What incidents in 2024-2025 actually taught us

Three patterns recurred across the geopolitical incidents we worked. First, ownership changes that pre-date the geopolitical event by 12 to 36 months. The investor or acquirer that looked benign in 2022 is the compliance problem in 2025. Continuous ownership monitoring, not point-in-time onboarding checks, is the operational answer.

Second, data flows that diverge from contracts. The vendor's contract specified EU data residency, but operationally, data was being processed by an engineering team in a third country for support tickets, then deleted. Technically compliant, practically a problem. Audit data flows, not just stored locations.

Third, the long tail of nested suppliers. Your SaaS vendor uses three sub-processors, who use seven sub-sub-processors, one of whom is in a jurisdiction you would not have approved. The major SaaS vendors disclose sub-processors; smaller vendors often do not. Push for the full chain on top-tier vendors.
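As an added illustration of the tiering rule above and the nested-supplier pattern, not code from the article or from BIPI: a small Python screener that derives a tier from data sensitivity and operational dependency, applies the assessment depth that tier calls for, and walks the sub-processor chain only for top-tier vendors. The vendor inventory, jurisdiction codes, the ownership-change lookback window and the dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: vendor names, jurisdiction codes and dates are hypothetical.
APPROVED = {"EU", "UK", "US"}        # jurisdictions this org accepts for data at rest
OWNERSHIP_LOOKBACK_DAYS = 36 * 30    # the 12-36 month pre-event window the article describes

@dataclass
class Vendor:
    name: str
    sensitivity: int      # 0 non-sensitive ... 3 identity, code, customer or financial data
    dependency: int       # 0 replaceable in days ... 3 product infrastructure
    locations: dict       # role -> jurisdiction, e.g. {"primary": "EU", "backup": "US"}
    ownership_changed: "date | None" = None
    sub_processors: list = field(default_factory=list)
def tier(v: Vendor) -> str:
    score = max(v.sensitivity, v.dependency)
    return "top" if score == 3 else "mid" if score == 2 else "bottom"
def _findings(v: Vendor, today: date, path: str) -> list:
    # Residency and ownership checks for one vendor; path names the chain it sits in.
    out = [f"{path}: {role} data in {jur}" for role, jur in v.locations.items() if jur not in APPROVED]
    if v.ownership_changed and (today - v.ownership_changed).days <= OWNERSHIP_LOOKBACK_DAYS:
        out.append(f"{path}: ownership changed {v.ownership_changed.isoformat()}")
    return out
def _walk_chain(v: Vendor, today: date, path: str) -> list:
    # Sub-processors handle the same data, so they inherit the top-tier checks, recursively.
    out = []
    for sp in v.sub_processors:
        sp_path = f"{path} -> {sp.name}"
        out += _findings(sp, today, sp_path) + _walk_chain(sp, today, sp_path)
    return out
def screen(v: Vendor, today: date) -> list:
    # Apply the assessment depth the vendor's tier calls for and return findings.
    t = tier(v)
    if t == "bottom":   # single screener question: any storage outside the approved set?
        flagged = any(jur not in APPROVED for jur in v.locations.values())
        return [f"{v.name}: screener flagged non-approved storage"] if flagged else []
    out = _findings(v, today, v.name)          # mid and top: residency and ownership
    if t == "top":                             # top only: walk the full sub-processor chain
        out += _walk_chain(v, today, v.name)
    return out

# Constructed inventory: "ZZ" is a placeholder code for a non-approved jurisdiction.
TODAY = date(2025, 6, 1)
LOG_ARCHIVE = Vendor("log-archive-ltd", 1, 1, {"primary": "ZZ"})
SUPPORT_DESK = Vendor("support-desk-inc", 2, 1, {"primary": "EU"}, sub_processors=[LOG_ARCHIVE])
CRM = Vendor("crm-vendor", 3, 3, {"primary": "EU", "replica": "EU", "backup": "EU"},
             ownership_changed=date(2023, 3, 15), sub_processors=[SUPPORT_DESK])
NEWSLETTER = Vendor("newsletter-tool", 0, 0, {"primary": "ZZ"})
```

Running `screen(CRM, TODAY)` surfaces both the ownership change and the sub-sub-processor in a non-approved jurisdiction, while the same sub-processor goes unflagged when `support-desk-inc` is screened on its own as a mid-tier vendor.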

Building the function

Geopolitical risk assessment lives at the intersection of vendor risk, threat intelligence, and legal/compliance. Most orgs do not have a single owner for this work, which is why it falls through the cracks. Assign someone, ideally in vendor risk with a dotted line into threat intel and legal. Give them a quarterly review of top-tier vendors against current geopolitical conditions. Make sure they have the authority to recommend remediation, including, when warranted, vendor replacement.

Replacement is expensive and slow, which is why this work needs to start now rather than during the next escalation. Build the assessment, build the inventory, identify the high-risk concentrations before they become urgent. The cost of doing this proactively is meaningfully lower than the cost of doing it under pressure.
