DPDP Act Compliance Guide for AI Recruitment in India (2026)
Bolti, a voice AI platform for building production-ready conversational phone agents, helps Indian enterprises automate high-volume candidate screening while maintaining strict data privacy standards. With flat pay-as-you-go pricing starting at ₹7/min and a 50-minute free trial, you can deploy secure voice agents that handle candidate calls without risking regulatory penalties.
As Indian enterprises adopt automated hiring workflows, compliance with the Digital Personal Data Protection (DPDP) Act has become a core operational requirement. This guide outlines the steps required to ensure your voice-based AI recruitment processes align with Indian data privacy laws in 2026.
What is DPDP compliance in AI recruitment for Indian enterprises?
DPDP compliance in AI recruitment means obtaining explicit, unambiguous consent from job applicants before processing their personal data, limiting data collection to what is necessary for the role, and ensuring secure processing, storage, and erasure of their information.
Under the DPDP Act, job applicants are classified as "Data Principals," while your company acts as the "Data Fiduciary." Any third-party platform you use to run automated interviews or screen candidates acts as a "Data Processor." As the Data Fiduciary, your team is legally responsible for every piece of candidate data that passes through your AI recruiting tools.
Non-compliance carries severe financial and reputational risks, with penalties for data breaches reaching up to ₹250 crore. To protect your company, your AI recruitment workflows must respect candidate rights, including:
- The Right to Information: Candidates must know exactly what data is being collected and why.
- The Right to Correction and Erasure: Candidates can request that their resume, contact details, and call recordings be updated or permanently deleted.
- The Right to Grievance Redressal: Candidates must have a clear channel to register complaints regarding how their data is handled.
How does the DPDP Act impact automated voice screening?
The DPDP Act impacts automated voice screening by classifying voice recordings, transcripts, and candidate contact details as Personal Data. You must secure this data during live calls, prevent unauthorized third-party access, and store it within compliant jurisdictions.
When your team uses a voice AI agent to conduct initial phone screenings, the conversation touches multiple technology layers. Each layer presents unique compliance risks that you must address:
- In-Flight Call Audio: The live audio streamed between the candidate and the AI agent must be encrypted. If audio is written to unencrypted disks during the call, it represents an immediate vulnerability.
- Third-Party LLM Exposure: Voice AI platforms rely on Large Language Models (LLMs) to understand candidate responses. If raw transcripts containing names, phone numbers, and addresses are sent to global LLM providers, that data may be stored in external logs, violating your DPDP obligations.
- Call Recording and Transcript Storage: Once a screening call ends, the audio recording and text transcript must be stored securely. Unauthorized internal access by employees who do not need to see the data is a compliance failure.
What are the key steps to ensure DPDP compliance for AI recruitment in India?
To ensure compliance, you must provide clear multi-lingual consent notices, mask personally identifiable information (PII) before sending transcripts to LLMs, store all recordings and transcripts in India, and establish automated data deletion policies once the hiring process ends.
Implementing a compliant AI recruitment framework requires a structured approach to data handling. Follow these five steps to secure your pipeline:
- Deliver Multilingual Consent Notices: Before starting any automated screening, your voice agent must state the purpose of the call and obtain verbal consent. Since Bolti supports over 80 languages—including Hindi, Marathi, Tamil, Telugu, Bengali, Gujarati, and English—you can deliver these notices in the candidate's preferred local language.
- Enforce Indian Data Residency: Ensure your voice AI provider stores all database records, audio files, and transcripts within India's borders.
- Implement Runtime PII Masking: Automatically redact sensitive candidate details (such as Aadhaar numbers, PAN, or exact home addresses) from the transcript before sending the text to an LLM.
- Establish Role-Based Access Controls: Limit access to candidate transcripts and recordings. Ensure only authorized hiring managers can review call data.
- Set Up Automated Erasure Workflows: Build automated triggers to delete candidate records and call audio once a position is filled or if a candidate requests data deletion.
Why is local data residency critical for DPDP compliance?
Local data residency is critical because the DPDP Act mandates strict control over where candidate data is stored and processed. Storing sensitive candidate profiles, voice recordings, and transcripts on servers outside of India can expose your organization to regulatory scrutiny and cross-border data transfer violations.
To maintain compliance, your team must know exactly where the bytes representing your candidates' calls live. Bolti solves this by running its managed cloud infrastructure entirely within India.
Here is how Bolti categorizes and stores your recruitment data within India by default:
- Application Data: Candidate contact lists, campaign metadata, and agent configurations are stored in secure PostgreSQL databases hosted in the India (ap-south) region.
- Call Recordings: Compressed audio files of screening interviews live in secure, private object storage on E2E Networks infrastructure in India. They are never publicly readable and can only be accessed via time-limited signed URLs.
- Call Transcripts: The text of what was said during each screening call is stored in secure Indian databases, workspace-scoped to prevent unauthorized cross-department viewing.
- In-Flight Call Audio: Live audio streamed during active screening calls runs entirely in memory on realtime audio service hosts located in India. It is never written to disk outside of your dedicated, secure recording pipeline.
How does Bolti secure candidate PII during live calls?
Bolti secures candidate data by encrypting recordings and transcripts at rest and in transit, isolating active call sessions, and routing all data storage through secure Indian infrastructure with strict role-based access controls.
To mitigate the risk of third-party LLM exposure, Bolti provides built-in PII masking. When a candidate speaks their phone number, email, or address during a screening call, Bolti's runtime detects and redacts these entities before the transcript is sent to external LLM providers. This ensures that global models only process anonymized context, keeping your pipeline fully compliant.
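The masking step described above, as an added example (this is not Bolti's code): a regex pass that redacts e-mail addresses, PANs, Indian mobile numbers and 12-digit Aadhaar-format groups from a transcript before it is forwarded to an LLM, using the Verhoeff checksum that Aadhaar numbers carry to choose the label. The patterns, placeholder labels and sample transcript are assumptions made for the example; names and street addresses need entity recognition and are not covered.

```python
import re

# Verhoeff multiplication (D) and permutation (P) tables, one row per string.
D = ("0123456789 1234067895 2340178956 3401289567 4012395678 "
     "5987604321 6598710432 7659821043 8765932104 9876543210").split()
P = ("0123456789 1576283094 5803796142 8916043527 "
     "9453126870 4286573901 2793806415 7046913258").split()

def verhoeff_ok(digits: str) -> bool:
    """True when the last digit is a valid Verhoeff check digit (Aadhaar uses one)."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c == 0

def _twelve_digits(m: re.Match) -> str:
    # Fail closed: every 12-digit group is masked; the checksum only picks the label.
    return "[AADHAAR]" if verhoeff_ok(re.sub(r"\D", "", m.group())) else "[DIGITS]"

# Order matters: e-mail first (may embed digits), phone before 12-digit groups.
RULES = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"), "[PAN]"),
    (re.compile(r"(?<!\d)(?:\+91[\s-]?|0)?[6-9]\d{4}[\s-]?\d{5}(?!\d)"), "[PHONE]"),
    (re.compile(r"(?<!\d)[2-9]\d{3}[\s-]?\d{4}[\s-]?\d{4}(?!\d)"), _twelve_digits),
]

def mask_transcript(text: str) -> str:
    """Replace structured identifiers with placeholders before the text leaves the pipeline."""
    for pattern, repl in RULES:
        text = pattern.sub(repl, text)
    return text

# Constructed transcript; every identifier below is made up for the example.
SAMPLE = ("My Aadhaar is 2345 6789 0124, PAN ABCPE1234F. Call me on +91 98765 43210 "
          "or mail asha.k@example.com. The job reference is 2345 6789 0123.")

if __name__ == "__main__":
    print(mask_transcript(SAMPLE))
```

Speech-to-text output that spells digits as words ("nine eight seven") will not match these patterns and has to be normalised to numerals before masking.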
Additionally, you can customize your technology stack to use highly compliant enterprise components. For example, you can pair Bolti with local Indian telephony carriers via SIP trunking and choose localized speech-to-text (STT) providers like Fennec or Sarvam that are optimized for Indian accents and regional languages.
Set up your first DPDP-compliant voice screening agent
Deploying a secure, DPDP-compliant voice screening workflow does not require complex infrastructure development. With Bolti, your team can configure localized data residency, PII masking, and multi-lingual consent notices to protect job applicants from day one.
Whether you are launching high-volume recruitment campaigns using our batch calling tools or integrating voice screening directly into your existing Applicant Tracking System (ATS), Bolti provides the security controls your legal team requires.
You can start your free trial to get 50 minutes of free call time and test our compliance features. For larger enterprise recruitment agencies requiring custom DPDP-aligned contracts, dedicated on-premises deployments, or single sign-on (SSO) integration, you can schedule an enterprise consultation with our team.
Frequently Asked Questions
Can we use AI voice agents for automated job interviews under the DPDP Act?
Yes, but you must obtain explicit, unambiguous consent from the candidate before the call begins, provide clear notices detailing what data is collected, and ensure all candidate data is stored and processed securely in compliance with the Act.
Where does Bolti store candidate recordings and transcripts?
By default, Bolti's managed cloud runs on Indian infrastructure (E2E Networks and AWS RDS in the ap-south region). All call recordings, transcripts, and application metadata remain physically within India.
How does Bolti prevent candidate PII from leaking to external LLM providers?
Bolti utilizes runtime PII masking to detect and redact sensitive entities like names, phone numbers, and ID numbers from transcripts before they are sent to third-party LLMs, keeping your data pipeline secure.
What happens if a candidate requests the deletion of their interview data?
Under the DPDP Act's right to erasure, you must delete their data. Bolti supports complete data deletion via its API and dashboard, allowing you to remove call recordings and transcripts permanently.