Security & compliance

DPDP Act 2023

Every outbound campaign captures explicit consent before dialling, versioned and stored in our consent registry.
DPDP data-subject requests (access, erasure, portability, consent withdrawal) are fulfilled within 30 days through the in-app inbox.
Voice recordings and transcripts are stored in Mumbai (ap-south-1). Default retention is 90 days; configurable per organisation up to 365 days.
PII (Aadhaar, PAN, card numbers) is auto-redacted in stored recordings via the post-call PII redaction worker before long-term storage.
Our DPO can be reached at dpo@cualify.in for any data-protection question.

TRAI / DLT compliance

Cualify is registered as a Principal Entity (PE) on the DLT registry. We originate every outbound call from the 140-series.
Every campaign template is registered before first dial. Calling windows enforce TRAI's 09:00–21:00 IST default plus your selected state holiday calendar.
Every contact list is scrubbed against the TRAI NCPR feed within 24 hours of any outbound dispatch.
An AI disclosure clip plays in the first 5 seconds of every outbound call, in the same language as the conversation.

Data residency

Postgres runs on Supabase ap-south-1 (Mumbai). Read replicas in ap-south-1.
Recordings, transcripts, and exports live in Cloudflare R2 with the bucket pinned to Asia jurisdiction.
PostHog product analytics is hosted in EU (eu.i.posthog.com) with cookie-less ingestion.
No PII leaves Indian soil without an executed DPA and your written instruction.

SLA & status

Pilot 99.0% · Starter 99.0% · Growth 99.5% · Scale 99.9%.
Status page lives at status.cualify.in (BetterStack-hosted, independent of our primary infra).
Credits are issued automatically against the next month's invoice if we miss our SLA in any 30-day window.

Sub-processors

Bolna AI — voice agent runtime (US/EU regions, India routing for outbound dial).
Sarvam AI — Indic TTS / STT (India).
Exotel — outbound + inbound telephony (India).
Razorpay — payments (India).
AiSensy — WhatsApp BSP (India).
Resend — transactional email (US/EU).
Cloudflare — R2 storage + DNS (Asia jurisdiction bucket).
Supabase — Postgres (ap-south-1, Mumbai).
Sentry, BetterStack, Axiom — observability.
Updates to this list are notified to org owners 30 days before they take effect.

DPDP Act 2023

Every outbound campaign captures explicit consent before dialling, versioned and stored in our consent registry.

DPDP data-subject requests (access, erasure, portability, consent withdrawal) are fulfilled within 30 days through the in-app inbox.

Voice recordings and transcripts are stored in Mumbai (ap-south-1). Default retention is 90 days; configurable per organisation up to 365 days.

PII (Aadhaar, PAN, card numbers) is auto-redacted in stored recordings via the post-call PII redaction worker before long-term storage.

Our DPO can be reached at dpo@cualify.in for any data-protection question.

TRAI / DLT compliance

Cualify is registered as a Principal Entity (PE) on the DLT registry. We originate every outbound call from the 140-series.

Every campaign template is registered before first dial. Calling windows enforce TRAI's 09:00–21:00 IST default plus your selected state holiday calendar.

Every contact list is scrubbed against the TRAI NCPR feed within 24 hours of any outbound dispatch.

An AI disclosure clip plays in the first 5 seconds of every outbound call, in the same language as the conversation.

Data residency

Postgres runs on Supabase ap-south-1 (Mumbai). Read replicas in ap-south-1.

Recordings, transcripts, and exports live in Cloudflare R2 with the bucket pinned to Asia jurisdiction.

PostHog product analytics is hosted in EU (eu.i.posthog.com) with cookie-less ingestion.

No PII leaves Indian soil without an executed DPA and your written instruction.

Sub-processors

Bolna AI — voice agent runtime (US/EU regions, India routing for outbound dial).

Sarvam AI — Indic TTS / STT (India).

Exotel — outbound + inbound telephony (India).

Razorpay — payments (India).

AiSensy — WhatsApp BSP (India).

Resend — transactional email (US/EU).

Cloudflare — R2 storage + DNS (Asia jurisdiction bucket).

Supabase — Postgres (ap-south-1, Mumbai).

Sentry, BetterStack, Axiom — observability.

Updates to this list are notified to org owners 30 days before they take effect.

Compliance is a feature, not a footnote.

DPDP Act 2023

TRAI / DLT compliance

Data residency

SLA & status

Sub-processors

Compliance is a feature, not a footnote.

DPDP Act 2023

TRAI / DLT compliance

Data residency

SLA & status

Sub-processors