Data in transit
All API requests and responses use TLS 1.2+. Audio streams between Bolna and telephony providers are encrypted in transit. Webhook payloads are delivered over HTTPS.
Data at rest
| Data type | What is stored | Retention |
|---|---|---|
| Call recordings | Audio file of the conversation | Available in execution record; contact support for retention policy |
| Transcripts | Full conversation text | Stored in execution record |
| Extracted data | Structured fields from post-call extraction | Stored in execution record |
| Agent configuration | Prompts, tool configs, provider keys | Encrypted at rest |
| API keys | Hashed — Bolna cannot recover a plaintext key | N/A |
Data residency
By default, Bolna processes calls on infrastructure in the US (AWS us-east-1). Indian data residency is available for deployments where data must remain in India. When Indian data residency is enabled:
- Call processing runs on servers in `ap-south-1` (Mumbai)
- Recordings and transcripts are stored in India
- LLM inference is routed to India-region endpoints (where available)
Webhook security
Bolna sends webhooks from a fixed source IP: `13.203.39.153`
To verify webhooks are genuinely from Bolna:
- Whitelist `13.203.39.153` on your server or firewall
- Reject webhook requests from any other IP on your webhook endpoint
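The source-IP check above, as an added example (not Bolna's own code) for an endpoint that may sit behind your own reverse proxy, where the TCP peer is the proxy rather than the sender. The `TRUSTED_PROXIES` range and the function names are assumptions made for illustration; only the IP `13.203.39.153` comes from this page.

```python
import ipaddress

BOLNA_WEBHOOK_IP = ipaddress.ip_address("13.203.39.153")  # source IP stated on this page
# Assumption: the network your own reverse proxies / load balancers sit in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _parse(text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) from dual-stack sockets."""
    addr = ipaddress.ip_address(text.strip())
    return getattr(addr, "ipv4_mapped", None) or addr

def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def sender_ip(peer, forwarded_for=None):
    """Return the real sender address, or None if it cannot be determined."""
    try:
        addr = _parse(peer)
        # Only honour X-Forwarded-For when the TCP peer is one of our proxies;
        # a direct client can put any value it likes in that header.
        if not _is_trusted_proxy(addr) or not forwarded_for:
            return addr
        # Walk right to left: the rightmost hops were appended by our proxies,
        # so the first hop that is not a trusted proxy is the real sender.
        for hop in reversed(forwarded_for.split(",")):
            hop_addr = _parse(hop)
            if not _is_trusted_proxy(hop_addr):
                return hop_addr
    except ValueError:
        pass  # malformed address or header: fail closed
    return None

def is_from_bolna(peer, forwarded_for=None):
    """True only when the resolved sender is Bolna's fixed webhook IP."""
    return sender_ip(peer, forwarded_for) == BOLNA_WEBHOOK_IP

if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header value)
    for peer, xff in [("13.203.39.153", None), ("203.0.113.9", "13.203.39.153"),
                      ("10.0.0.5", "13.203.39.153")]:
        print(peer, xff, "->", "accept" if is_from_bolna(peer, xff) else "reject")
```

Call `is_from_bolna` with the socket peer address and the raw `X-Forwarded-For` header before parsing the webhook body, and return an error response when it is false.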
API key security
- API keys are displayed once at creation — copy and store them securely immediately
- If a key is compromised, revoke it from the Bolna dashboard and issue a new one
- Never expose your API key in client-side code or public repositories
- Use environment variables (`BOLNA_API_KEY`) in application code
Provider credential storage
When you configure third-party providers (OpenAI, ElevenLabs, Twilio, etc.) in Bolna, your provider API keys are stored encrypted in Bolna’s infrastructure. They are used at call time to authenticate requests on your behalf. Bolna does not log or expose provider credentials in API responses.
Sub-accounts and access control
Enterprise plans support sub-accounts — isolated Bolna accounts under your organization’s umbrella. Each sub-account has its own agents, phone numbers, wallet balance, and API keys. Use sub-accounts to:
- Isolate different customers or business units
- Apply per-sub-account spending limits
- Restrict which agents and numbers a team can access
Compliance
Bolna supports compliance application for regulated industries. Applications are reviewed on a per-account basis. See Compliance Introduction to understand the application process. For HIPAA, SOC 2, GDPR, or other specific certifications, contact support@bolna.ai.
Responsible AI
Bolna agents are subject to the Calling Guardrails system, which lets you configure:
- Time-of-day restrictions for when calls can be placed
- Do-not-call list integration
- Maximum call duration limits

