Building a voice product in Kenya involves three regulatory layers: Communications Authority of Kenya (CAK) licensing, the Data Protection Act 2019 (DPA) governing call recording consent and data residency, and lawful intercept obligations on licensed operators. This post explains what each layer requires, what Sautikit handles as the licensed operator, and what responsibilities remain with you as the application developer.
Kenya's voice services operate under three regulatory authorities:
Communications Authority of Kenya (CAK): the sector regulator under the Kenya Information and Communications Act (Cap. 411A). CAK issues licences for telecommunications services and approves equipment for use on public networks (type-approval). CAK also manages number allocation from the National Numbering Plan.
Office of the Data Protection Commissioner (ODPC): established under the Data Protection Act 2019 (No. 24 of 2019). The ODPC registers data controllers, investigates complaints, and enforces the DPA. Call recording and caller data processing fall under ODPC jurisdiction.
National Intelligence Service / Director of Public Prosecutions: lawful intercept requests flow through these bodies under the National Security Council Act and the Kenya Information and Communications (Lawful Interception of Communications) Regulations 2016.
Understanding which body governs which obligation prevents the common mistake of treating "regulatory compliance" as a single checkbox.
Kenya Information and Communications (Licensing) Regulations 2010 require that equipment operating on Kenyan public telecommunications networks be type-approved by CAK or a CAK-recognised body. Type-approval is a technical certification confirming that equipment does not interfere with network operation, meets safety standards, and follows the national numbering plan.
For VoIP services, the relevant licence classes are the Network Facilities Provider (NFP) licence for infrastructure and the Application Service Provider (ASP) licence for services running on top of that infrastructure. Sautikit operates under both licence classes, which cover the SIP infrastructure, media gateways, and interconnect arrangements with Safaricom, Airtel, and Telkom.
What this means for you as a Sautikit API customer: you do not need individual type-approval or a telecommunications licence to build a voice application on Sautikit. Your application calls Sautikit's API; the licensed equipment and interconnect are Sautikit's responsibility. This is analogous to building a web application on a licensed cloud provider: you use the provider's licensed infrastructure without holding an infrastructure licence yourself.
However, if you are building a standalone SIP trunk provider, a standalone VoIP PABX selling directly to enterprises, or a service that bypasses licensed operators for international termination, those activities require separate CAK licensing. Using Sautikit's API for application-layer features (IVR, voice OTP, conference calling, notification calls) does not.
The Kenya Data Protection Act 2019, Section 25 ("Conditions for lawful processing of personal data"), requires that personal data be processed with the knowledge and consent of the data subject. Voice recordings are personal data: they contain biometric voice prints and conversation content.
Recording a call without informing both parties is unlawful under Section 25 read alongside Section 72 (criminal liability for unlawful processing). Consent must be:
- Freely given
- Specific to the purpose
- Informed (the person must understand what is being recorded)
- Unambiguous
For a programmable voice system, the compliant approach is a pre-recording notice at call start, before any recording begins. The following Say + GetDigits pattern implements this:
```json
{
  "actions": [
    {
      "say": {
        "text": "This call may be recorded for quality assurance and training purposes. Press 1 to continue, or press 2 to continue without recording.",
        "language": "en-KE"
      }
    },
    {
      "getDigits": {
        "numDigits": 1,
        "timeout": 10000,
        "finishOnKey": "",
        "action": "https://your-server.example.com/recording-consent"
      }
    }
  ]
}
```
Your /recording-consent handler receives the caller's digit choice and returns the appropriate next action.
Store the consent decision, along with the call ID, timestamp, and the caller's E.164 number, in your database. If a DPA complaint is ever filed, you need an auditable record of when consent was given and for what purpose.
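The following is an added example of what that handler and its consent ledger can look like; it is not Sautikit's own code. It assumes (these details are not on the page) that the callback POST body carries JSON fields `callId`, `from` (caller E.164) and `digits` (the key pressed, or an empty string on timeout), and it uses the placeholder next-action name `record`, which you should replace with the action name your Sautikit workspace actually supports. The security-relevant point is that the decision fails closed: only an explicit 1 starts recording, and every outcome, including refusals and timeouts, is logged with the audit fields listed above.

```python
"""Recording-consent handler for the Say + GetDigits flow above.

Added example, not Sautikit's code. Assumed (not on the page): the callback
JSON fields "callId", "from", "digits", and the next-action name "record".
"""
import sqlite3
from datetime import datetime, timezone

RECORDING_PURPOSE = "quality assurance and training"
LANG = "en-KE"


def open_consent_db(path=":memory:"):
    """Append-only consent ledger: one row per decision, never overwritten,
    so a DPA complaint can be answered from the record rather than memory."""
    db = sqlite3.connect(path)
    db.execute(
        """CREATE TABLE IF NOT EXISTS recording_consent (
               id          INTEGER PRIMARY KEY AUTOINCREMENT,
               call_id     TEXT NOT NULL,
               caller_e164 TEXT NOT NULL,
               digit       TEXT NOT NULL,
               consented   INTEGER NOT NULL,
               purpose     TEXT NOT NULL,
               decided_at  TEXT NOT NULL)"""
    )
    return db


def handle_recording_consent(db, payload, now=None):
    """Log the caller's choice and return the next action set.

    Fail closed: only an explicit "1" counts as consent. "2", any other key,
    or no key at all (timeout) all mean the call continues unrecorded.
    """
    now = now or datetime.now(timezone.utc)
    call_id = payload["callId"]
    caller = payload["from"]
    digit = payload.get("digits") or ""      # "" on timeout
    consented = digit == "1"
    db.execute(
        "INSERT INTO recording_consent "
        "(call_id, caller_e164, digit, consented, purpose, decided_at) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (call_id, caller, digit, int(consented), RECORDING_PURPOSE, now.isoformat()),
    )
    db.commit()
    if consented:
        # "record" is a placeholder action name; recording starts only here,
        # after the notice has been played and the caller has pressed 1.
        return {"actions": [
            {"record": {"purpose": RECORDING_PURPOSE}},
            {"say": {"text": "Thank you. Connecting you now.", "language": LANG}},
        ]}
    return {"actions": [
        {"say": {"text": "Connecting you now. This call is not being recorded.",
                 "language": LANG}},
    ]}


def consent_record(db, call_id):
    """Return the most recent logged decision for a call, or None."""
    row = db.execute(
        "SELECT caller_e164, digit, consented, purpose, decided_at "
        "FROM recording_consent WHERE call_id = ? ORDER BY id DESC LIMIT 1",
        (call_id,),
    ).fetchone()
    if row is None:
        return None
    return dict(zip(("caller_e164", "digit", "consented", "purpose", "decided_at"), row))


if __name__ == "__main__":
    # Constructed sample callbacks, not captured traffic.
    db = open_consent_db()
    print(handle_recording_consent(db, {"callId": "c1", "from": "+254700000000", "digits": "1"}))
    print(handle_recording_consent(db, {"callId": "c2", "from": "+254700000001"}))  # timeout
    print(consent_record(db, "c2"))
```

In a real deployment `open_consent_db` points at persistent storage and the handler is wired to whatever web framework serves your callback URL; the decision logic and the ledger schema are the parts that matter for the audit trail.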
The DPA 2019 does not specify a fixed maximum retention period for call recordings. Instead, it requires that personal data not be retained "for longer than is necessary for the purpose for which it was collected" (Section 25(d)).
In practice, this means:
- Customer service recordings (quality assurance): industry practice in Kenya is 90 days. This aligns with the consumer complaint window under the Consumer Protection Act.
- Legal/dispute evidence recordings: retain for as long as the dispute resolution period, typically up to 3 years for commercial disputes under the Limitation of Actions Act.
- Regulated sector recordings (banking, insurance): CBK and IRA may specify longer retention periods, up to 7 years for transaction records. Check sector-specific guidelines if you are in fintech or insurance.
Sautikit provides recording lifecycle management: set a retention window on your workspace, and recordings are automatically deleted after that window. The recording.deleted webhook event fires when a recording is pruned.
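Because the retention window is configured once per workspace while the retention periods above differ by purpose, it is worth keeping your own ledger that records why each recording exists and reconciles it against the recording.deleted events. The following is an added example, not Sautikit's code; it assumes a webhook body with `recordingId` and `deletedAt` (ISO 8601) fields, which the page does not specify, and encodes the day counts given above, which you must confirm against your own sector's rules. It flags two failure modes: recordings past their window with no deletion confirmed, and recordings deleted before their window ended (evidence at risk).

```python
"""Retention ledger for call recordings (added example, not Sautikit code).

Assumed, not from the page: the recording.deleted webhook carries
"recordingId" and "deletedAt"; the day counts mirror the guidance above.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = {
    "quality_assurance": 90,            # industry practice, consumer complaint window
    "dispute_evidence": 3 * 365,        # Limitation of Actions Act, commercial disputes
    "regulated_transaction": 7 * 365,   # CBK/IRA transaction records
}


class RetentionLedger:
    def __init__(self):
        self._recordings = {}   # recording_id -> ledger entry

    def register(self, recording_id, call_id, purpose, created_at):
        """Record a new recording with its purpose and computed expiry."""
        if purpose not in RETENTION_DAYS:
            raise ValueError(f"unknown retention purpose: {purpose}")
        self._recordings[recording_id] = {
            "call_id": call_id,
            "purpose": purpose,
            "created_at": created_at,
            "expires_at": created_at + timedelta(days=RETENTION_DAYS[purpose]),
            "deleted_at": None,
        }

    def on_recording_deleted(self, event):
        """Handle a recording.deleted webhook: stamp the deletion time so the
        audit trail shows when the recording left storage. Returns False for
        an id we never registered, which should be logged and investigated."""
        entry = self._recordings.get(event["recordingId"])
        if entry is None:
            return False
        entry["deleted_at"] = datetime.fromisoformat(event["deletedAt"])
        return True

    def overdue(self, now):
        """Recordings past their window with no deletion confirmed: either the
        workspace window is longer than the purpose allows, or an event was missed."""
        return sorted(rid for rid, e in self._recordings.items()
                      if e["deleted_at"] is None and e["expires_at"] <= now)

    def early_deletions(self):
        """Recordings pruned before their window ended: the workspace window is
        shorter than this purpose requires and evidence has been lost."""
        return sorted(rid for rid, e in self._recordings.items()
                      if e["deleted_at"] is not None and e["deleted_at"] < e["expires_at"])


if __name__ == "__main__":
    # Constructed sample data, not real recordings or webhook traffic.
    ledger = RetentionLedger()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger.register("rec-qa", "call-1", "quality_assurance", t0)
    ledger.register("rec-dispute", "call-2", "dispute_evidence", t0)
    for rid in ("rec-qa", "rec-dispute"):
        ledger.on_recording_deleted({"recordingId": rid, "deletedAt": "2024-04-01T00:00:00+00:00"})
    print("early deletions:", ledger.early_deletions())   # the dispute recording
    print("overdue:", ledger.overdue(datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

Run `overdue` on a schedule and `early_deletions` after every batch of webhook events; a non-empty result from either is the signal that the workspace retention window and your declared purposes have drifted apart.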
The Kenya Data Protection (General) Regulations 2021, Regulation 16, states that personal data shall not be transferred outside Kenya "unless the country to which the data is to be transferred ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data, or the transfer is subject to appropriate safeguards."
For call recordings, which contain voice biometrics, this means recordings processed under the DPA must remain in Kenya or be transferred under appropriate safeguards (a data processing agreement with standard contractual clauses).
Sautikit stores call recordings in object storage located in the Nairobi region. Recordings are not replicated to foreign cloud regions by default. The recordings.sautikit.com domain resolves to Nairobi-hosted infrastructure.
If your privacy policy states that personal data is processed "by Sautikit (Kenya) Limited as a data processor, with storage in Nairobi, Kenya", you satisfy Regulation 16 without needing cross-border transfer safeguards.
Your privacy policy should include a data processing agreement clause covering:
- Data Processor: Sautikit (Kenya) Limited
- Processing Activity: Voice call recording and storage
- Data Location: Nairobi, Kenya
- Retention Period: [Your configured retention window]
- Data Subject Rights: Accessible via [your contact]
The Kenya Information and Communications (Lawful Interception of Communications) Regulations 2016 require licensed telecommunications operators to maintain technical capabilities for lawful interception: the ability to provide call content and metadata to authorised security agencies under a court order.
Lawful intercept obligations attach to licensed telecommunications operators, specifically NFP and ASP licensees. Sautikit, as the licensed operator, maintains lawful intercept capabilities as required by the 2016 Regulations. This obligation is not passed to API customers.
What this means for you: if law enforcement or a court order seeks communications records related to a call made through Sautikit, that request goes to Sautikit (as the licensed operator), not to your application. You may receive a secondary request for your application-layer data (user records, transaction logs), but that is governed by the Evidence Act and criminal procedure law, not the 2016 Regulations.
As an API developer, your lawful intercept exposure is limited to your own data, not the network-layer call content, which is Sautikit's responsibility.
- Add a pre-recording consent notice to all call flows that record audio
- Store consent decisions (caller E.164, call ID, timestamp, digit pressed) in your database
- Configure a recording retention policy in your Sautikit workspace settings
- Add Sautikit as a data processor in your privacy policy with the data processing agreement clause above
- If in a CBK/IRA-regulated sector, confirm your sector's retention requirement and align your Sautikit retention window accordingly
- Test the consent flow in your staging environment with real dial-in calls before production launch
- Register as a data controller with the ODPC if your organisation processes personal data beyond purely personal/household use
If your compliance flows need to reach customers over SMS, WhatsApp, or USSD in addition to voice (for example, sending a consent confirmation or a data-subject-access acknowledgement in writing), Helloduty adds those channels and a human-agent desk on top of the same operating model.