Case Study

Razorpay

Automating RBI Compliance with Policy as Code in a High-Velocity Fintech Platform

Executive summary

Razorpay was founded in 2014 and over the past decade, the company has grown exponentially, setting new benchmarks in the fintech industry. Today, it supports millions of businesses and has reached more than 300 million end consumers across India. With an annualized Total Payment Volume (TPV) of $180 billion, Razorpay has firmly established itself as the market leader in digital payment processing and launched more than 40 products every year, driving innovation and scaling new heights. Today, the fintech major powers payments for 80 of India’s 100 unicorns.

Operating at this immense magnitude within India’s highly regulated financial ecosystem requires compliance standards of the highest caliber. To satisfy the Reserve Bank of India’s (RBI) strict Payment Aggregator (PA) Master Directions while maintaining developer velocity and 99.99% system availability, Razorpay partnered with Nirmata to adopt an enterprise version of Kyverno—a CNCF graduated policy engine. By implementing a unified “Policy as Code” framework, Razorpay automated complex regulatory guardrails across its vast infrastructure, moving from reactive, point-in-time auditing to real-time, continuous compliance enforcement.

Challenges:
Industry:
Location:
Cloud Type:
Published:
June 18, 2026

Projects used

By the numbers

7,000+

Kubernetes Nodes Secured

100%

Real-Time Compliance Enforcement

40+

Products Launched Annually

Challenge

As an authorized Payment Aggregator, Razorpay operates under the strict oversight of the Reserve Bank of India (RBI). The RBI PA Master Directions mandate absolute operating resilience, which introduces several highly specific, non-negotiable security requirements:

  1. Data Localization: Strict localization and isolated boundary enforcement ensuring all transactional processing systems and logs reside strictly within geographic borders.
  2. Zero-Trust Access & Microsegmentation: Absolute isolation of core transaction-processing clusters, demanding continuous enforcement of least-privilege access and secure segregation of duties.
  3. Continuous Auditability: The regulator no longer accepts static, historical “point-in-time” screenshots or spreadsheet approvals. Systems must prove continuous compliance at any given second.
+--------------------------------------------------------------------------+
|                     THE MANUAL IMPOSSIBILITY PARADOX                     |
|                                                                          |
|  Traditional Audit:                                                      |
|  [Manual Code Review] -> [Spreadsheets] -> [Slow Ticket Approvals]       |
|  (Result: Human errors, deployment bottlenecks, drift risk)              |
|                                                                          |
|  Razorpay Reality:                                                       |
|  [7,000+ Nodes] * [Dozens of Commits/Day] * [Elastic Scaling Events]     |
|  (Result: Mathematically impossible to audit manually without outages)   |
+--------------------------------------------------------------------------+

Historically, validating these requirements fell on manual architectural reviews, complex deployment checklists, and manual engineering approvals. However, as Razorpay scaled to support an average of 7,000+ Kubernetes nodes processing millions of transactions, this manual approach ran into the Manual Impossibility Paradox:

Solution

To overcome these obstacles, Razorpay partnered with Nirmata to integrate Kyverno natively into its Kubernetes architecture. Selecting Kyverno was a strategic decision driven by its design: as a Kubernetes-native policy engine, it manages policies as declarative custom resources (YAML) exactly like application manifests, avoiding the steep learning curve of non-native policy languages.

The core of Razorpay’s solution is a Dual-Front Defense architecture, securing the infrastructure from code commit to container runtime:

1. Proactive Controls

Proactive controls are executed in the IaC and GitOps pipelines. Infrastructure as Code (IaC) templates, and Kubernetes manifests, are vetted pre-deployment with Kyverno policies. Dynamic cloud policies ensure that AWS/cloud boundaries, S3 buckets, and ledger access mechanisms are strictly locked down and compliant with data residency rules before clusters are provisioned.

2. Preventive Controls

Preventive controls block deployment and prevent misconfigurations by securing the internal workloads where transaction computations occur. Kyverno serves as the ultimate gatekeeper at the Kubernetes API Server layer, implementing three key pillars:

       Developer Git Push
              │
              ▼
   [Proactive IaC Scanning]
              │
              ▼ (K8s API Server)
  ┌─────────────────────────────────────────────────────────┐
  │ KYVERNO ADMISSION CONTROLLER                            │
  │                                                         │
  │  Validate: Block root access / wildcard RBAC            │
  │  Mutate: Inject security defaults and compliance labels │
  │  Verify: Cryptographically validate image signatures    │
  │  Generate: Auto-provision isolated NetworkPolicies      │
  └─────────────────────────────────────────────────────────┘
              │
              ▼ (Passed Security Checks)
    [Secured Live Workload] (Active on 7,000+ Elastic Nodes)

3. Detective Controls

Detective controls periodically scan Kubernetes clusters and cloud configurations to detect drift or policy bypass. These continuous checks also ensure that if IaC policies are updated, for example to comply with the latest standards, prior configurations are audited and flagged for updates.

Impact

Transitioning to Policy as Code using Kyverno revolutionized how Razorpay maintains secure, resilient systems without hindering innovation:

Future plans

Looking forward, Razorpay plans to deepen its partnership with Nirmata and expand usage of CNCF projects to scale Policy as Code across next-generation cloud-native architectures: