Data in transit

All API requests and responses use TLS 1.2+. Audio streams between Bolna and telephony providers are encrypted in transit. Webhook payloads are delivered over HTTPS.

Data at rest

| Data type | What is stored | Retention |
| --- | --- | --- |
| Call recordings | Audio file of the conversation | Available in execution record; contact support for retention policy |
| Transcripts | Full conversation text | Stored in execution record |
| Extracted data | Structured fields from post-call extraction | Stored in execution record |
| Agent configuration | Prompts, tool configs, provider keys | Encrypted at rest |
| API keys | Hashed — Bolna cannot recover a plaintext key | N/A |

Data residency

By default, Bolna processes calls on infrastructure in the US (AWS us-east-1). Indian data residency is available for deployments where data must remain in India. When Indian data residency is enabled:
  • Call processing runs on servers in ap-south-1 (Mumbai)
  • Recordings and transcripts are stored in India
  • LLM inference is routed to India-region endpoints (where available)
See Indian Server Configuration for setup. For enterprise customers requiring other regions or on-premise deployment, see Enterprise Plans and On-Premise Deployments.

Webhook security

Bolna sends webhooks from a fixed source IP: 13.203.39.153. To verify that webhooks are genuinely from Bolna:
  1. Whitelist 13.203.39.153 on your server or firewall
  2. Reject webhook requests from any other IP on your webhook endpoint
There is no HMAC signature on webhook payloads in the current version. Source IP verification is the primary trust mechanism.
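
One way to enforce the source IP check in application code, as an added example that is not Bolna's own code. It goes beyond the two steps above by handling a receiver behind a reverse proxy, where X-Forwarded-For is honoured only if the TCP peer is one of your own proxies. The `TRUSTED_PROXIES` range, the handler class and the port are assumptions.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

BOLNA_WEBHOOK_IP = ipaddress.ip_address("13.203.39.153")  # fixed source IP stated above
# Assumption: address range of your own reverse proxies, if any (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _parse(text):
    ip = ipaddress.ip_address(text.strip())
    return getattr(ip, "ipv4_mapped", None) or ip  # normalise ::ffff:a.b.c.d peers

def _is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def effective_client_ip(peer, x_forwarded_for=None):
    """Return the address that connected to your edge, or None if it cannot be trusted."""
    ip = _parse(peer)
    if not _is_trusted_proxy(ip) or not x_forwarded_for:
        return ip  # direct connection: headers are sender-controlled, so ignore them
    # Walk right to left: the rightmost hop not appended by your proxies is the client.
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            ip = _parse(hop)
        except ValueError:
            return None  # malformed header: fail closed
        if not _is_trusted_proxy(ip):
            return ip
    return None  # chain holds only proxies

def is_from_bolna(peer, x_forwarded_for=None):
    return effective_client_ip(peer, x_forwarded_for) == BOLNA_WEBHOOK_IP

class WebhookHandler(BaseHTTPRequestHandler):  # hypothetical receiver
    def do_POST(self):
        xff = self.headers.get("X-Forwarded-For")
        if not is_from_bolna(self.client_address[0], xff):
            self.send_response(403)  # reject before reading the body
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # hand the payload to your own processing here
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```

Keep the firewall rule from step 1 as well; the application check is a second layer for cases where the endpoint is reachable through a proxy or load balancer.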

API key security

  • API keys are displayed once at creation — copy and store them securely immediately
  • If a key is compromised, revoke it from the Bolna dashboard and issue a new one
  • Never expose your API key in client-side code or public repositories
  • Use environment variables (BOLNA_API_KEY) in application code

Provider credential storage

When you configure third-party providers (OpenAI, ElevenLabs, Twilio, etc.) in Bolna, your provider API keys are stored encrypted in Bolna’s infrastructure. They are used at call time to authenticate requests on your behalf. Bolna does not log or expose provider credentials in API responses.

Sub-accounts and access control

Enterprise plans support sub-accounts — isolated Bolna accounts under your organization’s umbrella. Each sub-account has its own agents, phone numbers, wallet balance, and API keys. Use sub-accounts to:
  • Isolate different customers or business units
  • Apply per-sub-account spending limits
  • Restrict which agents and numbers a team can access
See Sub-Accounts and Organization Management.

Compliance

Bolna supports compliance applications for regulated industries. Applications are reviewed on a per-account basis. See Compliance Introduction to understand the application process. For HIPAA, SOC 2, GDPR, or other specific certifications, contact support@bolna.ai.

Responsible AI

Bolna agents are subject to the Calling Guardrails system, which lets you configure:
  • Time-of-day restrictions for when calls can be placed
  • Do-not-call list integration
  • Maximum call duration limits
These controls help ensure Bolna is used responsibly and in compliance with telemarketing regulations.