Ensuring DPDP Compliance in AI Voice-Based Recruitment
Hiring teams across India handling candidate resumes and voice recordings must comply with the Digital Personal Data Protection (DPDP) Act. When automating your hiring funnel with voice AI, protecting candidate data is no longer just a technical preference—it is a legal requirement.
Bolti is a voice AI platform for building production-ready conversational phone agents that helps you automate top-of-funnel screening while keeping data secure. With pay-as-you-go pricing at just ₹7/min and a free trial that includes 50 minutes, you can deploy compliant voice agents without upfront overhead. Here is how you can ensure absolute DPDP compliance in your voice recruitment workflows.
What is DPDP compliance in voice recruitment?
DPDP compliance in voice recruitment means obtaining explicit candidate consent, protecting personally identifiable information (PII) during automated phone screens, and securing stored call recordings and transcripts. Because voice screening involves processing highly sensitive personal data—such as names, phone numbers, email addresses, and employment histories—recruiters must ensure this data is not leaked, mishandled, or sent to unauthorized third-party processors.
Under India's DPDP regulations, candidate data must be:
- Processed only for the specific purpose of job evaluation.
- Protected against unauthorized access or accidental leaks.
- Deleted or anonymized once the hiring process is complete or consent is withdrawn.
- Kept secure during transit, storage, and processing across various AI sub-processors (such as Speech-to-Text and Large Language Model providers).
How does voice AI process candidate data?
To build a compliant hiring pipeline, you must first understand how data flows through an AI voice agent. When you run an automated phone screen, the candidate's personal details move through four distinct stages:
- Data Ingestion: You upload CVs or candidate details to create a screening profile. Bolti's HR screening module parses the CV into structured bullet points (refined pointers) containing names, emails, and past job details.
- The Active Call (Real-time Pipeline): The agent calls the candidate. The caller's audio goes to a Speech-to-Text (STT) provider (like Deepgram or Fennec for Indian accents), which transcribes the audio. This transcript is sent to a Large Language Model (LLM) to formulate a response, which is then converted back to voice by a Text-to-Speech (TTS) provider.
- Data Storage: After the call, the recording and the complete written transcript are stored for your hiring team to review.
- Operational Logs: System logs capture metadata about the call for debugging and performance monitoring.
Without strict controls, candidate PII can easily leak to third-party LLM providers or sit unencrypted in vulnerable databases.
Key steps to secure candidate PII during AI phone screens
To maintain a strong compliance posture, your technical and HR operations teams should implement the following security measures:
1. Mask PII before it reaches third-party LLMs
When an LLM processes your call transcripts to decide what the agent should say next, sending unredacted candidate names, phone numbers, or addresses poses a compliance risk. You should configure your voice platform to mask or redact PII in real time before the text payload leaves your secure environment. This prevents external LLM providers from retaining or training on your candidates' private data.
2. Restrict access to call recordings and transcripts
Call recordings should never be publicly accessible. Ensure your voice platform stores audio in private, encrypted object storage (like AWS S3) where files are only accessible via time-limited, signed URLs generated after strict permission checks. Transcripts should be scoped strictly to the specific workspace where the hiring team operates, requiring a minimum user role (such as "Viewer") to access.
3. Implement role-based access control (RBAC) for your team
Not everyone in your organization needs access to candidate phone numbers or full audio recordings. Use workspace settings to invite team members with specific roles. For example, on Bolti, you can assign roles like Member or Admin, or restrict external contractors and clients to specific workspaces so they cannot view candidate data from other roles or departments.
4. Encrypt data at rest and in transit
Ensure that all candidate data—including raw resume text, parsed CVs, call transcripts, and audio recordings—is encrypted at rest using industry-standard encryption (such as AES-256). All API requests, dashboard interactions, and real-time audio streams must use TLS encryption in transit to prevent interception.
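To illustrate step 1, here is a minimal redaction layer that sits between the STT output and the LLM call. It is an added example, not Bolti's code: the `TranscriptMasker` class, the regular expressions and the sample candidate are all constructed for illustration, and names are taken from the parsed CV profile because they cannot be matched by pattern.

```python
import re

# Constructed patterns: e-mail addresses and Indian mobile numbers (+91 or 0 prefix optional).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?91[\s-]?|0)?[6-9]\d{4}[\s-]?\d{5}(?!\d)")


class TranscriptMasker:
    """Swap PII for stable placeholders; the mapping stays inside this process."""

    def __init__(self, known_names):
        # Names cannot be matched by pattern, so take them from the parsed CV profile.
        # Longest first, so a full name is masked before a bare first name.
        self._names = sorted({n for n in known_names if n}, key=len, reverse=True)
        self._forward = {}  # (kind, normalised value) -> placeholder
        self._reverse = {}  # placeholder -> value as first seen

    def _token(self, kind, value):
        # Normalise so "+91 98765 43210" and "9876543210" share one placeholder.
        norm = re.sub(r"\D", "", value)[-10:] if kind == "PHONE" else value.lower()
        key = (kind, norm)
        if key not in self._forward:
            count = sum(1 for k in self._forward if k[0] == kind) + 1
            self._forward[key] = f"[{kind}_{count}]"
            self._reverse[self._forward[key]] = value
        return self._forward[key]

    def mask(self, text):
        """Redact one transcript turn before it is sent to the external LLM."""
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group()), text)
        text = PHONE_RE.sub(lambda m: self._token("PHONE", m.group()), text)
        for name in self._names:
            pattern = re.compile(rf"\b{re.escape(name)}\b", re.IGNORECASE)
            text = pattern.sub(lambda m: self._token("NAME", m.group()), text)
        return text

    def unmask(self, text):
        """Restore originals in the LLM reply before it goes to text-to-speech."""
        for placeholder, value in self._reverse.items():
            text = text.replace(placeholder, value)
        return text


if __name__ == "__main__":
    masker = TranscriptMasker(["Priya Sharma"])  # constructed candidate profile
    turn = "This is Priya Sharma, mail priya.sharma@example.com or call +91 98765 43210."
    print(masker.mask(turn))
```

Pattern matching only catches the identifiers it was written for, so addresses and employer names spoken mid-call still need a separate control, such as an entity-recognition pass or a contractual restriction on the provider.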
How Bolti helps you build DPDP-compliant voice screening
Bolti is built from the ground up to support high-security enterprise environments, making it easy to align your hiring workflows with DPDP, GDPR, and other data protection frameworks.
- Isolated Call Environments: Active call sessions are completely isolated per call room, and real-time call audio is never written to disk outside of your dedicated, private recording bucket.
- Workspace-Scoped Transcripts: Your candidate data, resume pointers, and call logs are securely scoped. If you work with external recruitment agencies, you can restrict them to a specific workspace so they cannot access your internal hiring data.
- Audited Access: Database access by operational staff is logged, audited, and restricted. Application logs are automatically scrubbed of sensitive credentials and API keys.
- Flexible Provider Choices: You can select your own compliance-friendly STT, LLM, and TTS providers. For instance, you can choose Azure for its enterprise-grade compliance or Fennec for specialized Indian language processing (Hindi, Tamil, Telugu, etc.) while maintaining complete control over where your data is processed.
If your organization requires custom data processing agreements (DPAs), on-premises deployment, or runtime PII redaction, you can contact our enterprise team to set up a customized, DPDP-aligned contract.
Set up your first compliant voice screening agent
Spin up your first HR-screening voice agent in under 10 minutes and automate your hiring funnel securely. You can sign up for a free account to get 50 free calling minutes, or explore our transparent ₹7/minute pay-as-you-go pricing to scale your recruitment operations without any upfront commitments.
Frequently Asked Questions
Does Bolti store candidate resumes and call recordings securely?
Yes. All call recordings on Bolti are stored in private object storage, accessible only via time-limited signed URLs after a permission check. All candidate data, parsed resumes, and call transcripts are encrypted at rest and scoped strictly to your secure workspace.
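The pattern of a time-limited signed URL issued only after a permission check can be sketched as follows. This is an added example, not Bolti's implementation: it uses a generic HMAC scheme in place of a storage provider's presigned URLs, and the role ordering, signing key, host name and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed ordering; the page names Viewer, Member and Admin but not their hierarchy.
ROLE_RANK = {"Viewer": 1, "Member": 2, "Admin": 3}
SIGNING_KEY = b"constructed-demo-key"  # placeholder; load from a secret manager


def _sign(path, expires):
    # Bind the signature to both the object path and the expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_recording_url(user, recording, ttl=300, now=None):
    """Return a short-lived URL only if the user has a role in the recording's workspace."""
    role = user["roles"].get(recording["workspace"])
    if ROLE_RANK.get(role, 0) < ROLE_RANK["Viewer"]:
        raise PermissionError("no access to this workspace")
    expires = int(now if now is not None else time.time()) + ttl
    path = f"/recordings/{recording['workspace']}/{recording['id']}.wav"
    query = urlencode({"expires": expires, "sig": _sign(path, expires)})
    return f"https://media.example.invalid{path}?{query}"


def verify_recording_url(url, now=None):
    """Storage-side check: the signature must match and the link must not be expired."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(sig.encode(), _sign(parsed.path, expires).encode()):
        return False
    return int(now if now is not None else time.time()) <= expires
```

A role in another workspace, even Admin, yields no URL, and editing the path or expiry of an issued link invalidates its signature.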
Can I prevent candidate PII from being sent to third-party LLMs?
Yes. Bolti supports enterprise-grade PII masking and redaction at runtime. This ensures that sensitive candidate details, such as names and contact numbers, are scrubbed before the transcript payload is sent to third-party LLM providers.
How does Bolti handle user access control for recruitment teams?
Bolti provides robust workspace-scoped access control. You can invite team members as Admins or Members, and restrict external recruiters or hiring managers to specific workspaces so they only see the candidate data and call transcripts relevant to their roles.
Does Bolti support Indian languages for recruitment?
Yes. Bolti supports over 80 languages, including Hindi, Marathi, Tamil, Telugu, Bengali, Gujarati, and English. You can configure specialized, low-latency STT providers like Fennec to accurately process Indian accents and regional languages.