Compliance. How we keep your outreach inside the lines.
Compliance is not optional in voice, outbound, and AI-driven communication. This page is how we operate, audit, and document it on your behalf.
Operator + controller roles
You are the data controller. You decide who to contact, why, and on what legal basis. You retain ultimate compliance responsibility under TCPA, CAN-SPAM, GDPR, CCPA, and any vertical-specific regulation that applies.
We are the operator. We build the guardrails, run the scrubs, capture the consents, enforce the opt-outs, and log everything. If your campaign requirements conflict with safe operating standards, we flag it before we ship.
TCPA + telephony
For voice products (Title Voice, AgentSixx, outbound calls service) and any SMS sequence, we enforce the following before any dial or send:
- Federal DNC scrub against the National Do Not Call Registry
- State DNC scrub where stricter rules apply
- Express written consent captured + timestamped at submission
- Quiet hours enforced in caller-local time (8am-9pm)
- STOP / HELP keyword handling, auto-suppression on opt-out
- Brand identification disclosure at start of every contact where required
- Frequency cap per lead, enforced across channels
- Audit log per touch, retrievable on demand
- Carrier compliance: 10DLC + A2P registration for SMS
Email + CAN-SPAM
Outreach services run on dedicated, warmed sending domains separated from your primary inbox. We never send cold outreach from a domain you want to protect.
Every email includes a working unsubscribe link, a physical mailing address, and a clear sender identity. Unsubscribes are honored within 10 business days as required by CAN-SPAM, and within 24 hours in practice.
We do not source lists from data brokers without verifying lawful basis. Lists you provide are your responsibility; we scrub for deliverability but not for consent.
Data security posture
Encryption: TLS 1.2+ in transit, AES-256 at rest. Database connections are TLS-pinned where supported.
Access: role-based, scoped per engagement, logged. Production access requires hardware MFA. We rotate access on engineer rotations and offboardings.
Backups: daily snapshots, 30-day retention, restorable within 24 hours.
SOC 2: working toward Type II. Not certified yet — we will not claim otherwise.
AI model usage
We use OpenAI, Anthropic, Vapi, Retell, ElevenLabs, and select open-source models depending on the workload. Each provider has its own data handling terms; we configure all of them for the strictest mode available.
- OpenAI + Anthropic: zero-retention mode enabled where available, opted out of training entirely
- Voice providers: call audio retained per TCPA window only, never used for model training
- No fine-tuning on your data without explicit written consent from you
- No model outputs published or claimed as ours when they were generated for you
Audit + records
Every contact, dial, send, and reply is timestamped and logged. Logs are retained for the longer of 4 years (TCPA window) or your contract term plus 12 months.
You can request audit exports at any time: every touch on every lead, every disclosure, every opt-out, every disposition. Exports are delivered within 7 business days, faster for active compliance reviews.
Incidents + reporting
If we discover a data incident, a regulatory escalation, or a compliance breach affecting your engagement, you hear from us within 24 hours of confirmation. We do not sit on bad news.
For incidents that involve personal data of EU/UK or California residents, we follow the notification windows required by GDPR (72 hours) and CCPA respectively.
Contact
For audit requests, compliance reviews, regulator notifications, or incident reports, email below. Compliance-marked emails are routed to a founder, not a generic inbox.
