When an Indian bank customer calls a voice AI system, their voice — a biometric — is transmitted across a network, processed by an AI model, and stored as a recording and transcript. Where all of that happens matters enormously. For BFSI companies in India, it matters legally, regulatorily, and practically.
The answer, under Indian law, is unambiguous: it must all happen in India.
The Legal Framework
DPDP Act 2023
India's Digital Personal Data Protection Act establishes that personal data of Indian residents must be processed in accordance with Indian law — and gives the Central Government authority to restrict cross-border data transfers. Voice recordings and biometric voice data are explicitly personal data under DPDP.
Practically, sending Indian customer voice data to servers in the US or EU for processing creates a cross-border data transfer that requires:
- Either a government-notified adequacy determination for the destination country (none exist yet)
- Or standard contractual clauses approved by the Data Protection Board
- Or explicit customer consent for the specific cross-border transfer — separate from general processing consent
For a voice AI making thousands of calls per day, obtaining specific cross-border transfer consent on each call is operationally impossible. The practical requirement is data residency in India.
RBI Guidelines for Financial Data
The Reserve Bank of India's 2018 circular on storage of payment system data explicitly requires that payment-related data be stored only within India. For NBFC and bank voice AI deployments where calls involve payment data — EMI amounts, account balances, transaction details — this RBI requirement sits on top of DPDP and applies independently.
IRDAI Guidelines for Insurance
The Insurance Regulatory and Development Authority of India has similar data localisation requirements for insurance-related data. Insurers and insurance distributors using voice AI to discuss policy details must ensure that conversation data stays in India.
The compliance stack: For a typical BFSI voice AI deployment, three independent regulatory requirements — DPDP, RBI, and IRDAI (for insurance) — all point to the same requirement: India-only data processing and storage.
The Technical Reality of "India Servers"
A voice AI call involves multiple data processing steps, each of which must happen in India:
- Telephony ingestion: The phone call audio is received by a server
- STT processing: Audio is transcribed to text
- LLM inference: Text is processed to generate a response
- TTS synthesis: Response text is converted to audio
- Recording storage: Call audio is stored
- Transcript storage: Text transcript is stored
- Analytics processing: Sentiment, outcome classification are computed
For data residency to be genuine, all seven steps must occur on India-based infrastructure. A platform that hosts its telephony in India but routes LLM inference through US servers has not achieved data residency — step 3 creates a cross-border transfer.
This is the hidden compliance gap in many "India-available" global platforms: they accept calls in India but send the audio or transcript to their primary compute region (US, EU) for AI processing.
Global Platforms and the Residency Gap
Major global voice AI platforms — Retell AI, Vapi, Bland, ElevenLabs — are built on US-based infrastructure. Their LLM inference happens on US cloud providers (AWS us-east, Azure East US). Their recording storage is US-based by default.
Plugging one of these platforms into an Indian BFSI deployment creates a structural compliance violation: every call processes Indian customer biometric data on US servers without the legal basis required under DPDP.
This isn't a theoretical risk. DPDP enforcement is expected to begin in earnest in 2025, and BFSI companies — given the sensitivity of their data and their existing regulatory scrutiny — are expected to be priority enforcement targets.
The Latency Dividend
Beyond compliance, India-hosted infrastructure provides a material performance advantage. Round-trip latency from an Indian mobile network to a US server and back adds 80–200ms per query — on top of AI processing time. For a voice AI targeting sub-500ms total response time, that round trip consumes 20–40% of the entire latency budget just in network transit.
India-hosted infrastructure eliminates this. STT, LLM, and TTS all happen in the same Indian data centre — round-trip network overhead is under 5ms. The result is noticeably more natural conversation cadence.
"Our CTO asked a simple question before we signed: 'Where does the voice data go?' The answer from every global platform was 'US.' The answer from Agni was 'It never leaves India.' That ended the evaluation." — CTO, BFSI Fintech (Mumbai)
Agni's Infrastructure
Agni processes all data on ISO 27001-certified Indian data centres:
- Telephony ingestion: Mumbai (primary), Delhi (secondary)
- AI compute (STT, LLM, TTS): Mumbai region
- Recording and transcript storage: Mumbai region, encrypted at rest
- Analytics and reporting: India-only
No call audio, transcript, or customer data transits outside Indian jurisdiction at any point in the processing pipeline. This is verifiable through Agni's data processing agreement (DPA), which specifies India-only processing as a contractual guarantee.
What Data Residency Compliance Requires from You
To claim DPDP data residency compliance, your deployment needs:
- An AI platform with documented India-only processing (contractually guaranteed)
- A signed Data Processing Agreement specifying India residency
- Audit logs showing data never left India (Agni provides these)
- Incident response procedures for any breach (Agni's DPA includes breach notification SLAs)
Ready to get started?
Get Agni's Data Processing Agreement and infrastructure documentation for your compliance team. Contact us at info@ravan.ai or start at app.ravan.ai.
