Security & Compliance
This agreement is between eConsent LLC and the client with regard to access and use of econsent.org and related services. Contact us with questions.
Last Updated: April 6, 2026
Our Commitment
eConsent is a TCPA compliance platform that processes sensitive consent data on behalf of our customers. Security is foundational to our product — not an afterthought. This page describes the technical and organizational measures we implement to protect your data.
Infrastructure
Cloud Hosting
eConsent runs on Amazon Web Services (AWS) in the US-West-2 (Oregon) region. Our infrastructure leverages:
- AWS Fargate (ECS) — Serverless container orchestration for our API services. No persistent servers to patch or maintain. Containers are ephemeral and rebuilt on every deployment.
- Amazon S3 (Three-Tier Storage) — Long-term certificate and recording storage using a three-tier architecture: (1) S3 Standard for recently archived data with frequent access, (2) S3 with Object Lock in COMPLIANCE mode for immutable backup that cannot be modified or deleted for the duration of the retention period (up to 7 years), and (3) S3 Glacier for cost-efficient long-term archival with preserved Object Lock protections. Transition between tiers is automated based on access patterns and retention policy.
- Amazon EFS — Encrypted file storage for active session recordings, MP4 video conversions, and temporary processing files with automatic replication.
- Amazon CloudFront — Content delivery network with TLS termination for our client-side recording script and WASM processing module.
- Amazon RDS / PostgreSQL — Managed relational database for session and certificate data with automated backups and encryption at rest.
Isolation
Each customer’s data is logically isolated at the database level using company-scoped partitioning. Customer data is never commingled in shared tables without partition boundaries. API authentication enforces tenant isolation on every request.
Encryption
In Transit
All data transmitted between clients, our APIs, and our infrastructure is encrypted using TLS 1.2 or higher. This includes:
- Browser to API communication
- Internal service-to-service communication
- Database connections
- Redis connections
- Webhook delivery to customer endpoints
At Rest
- Certificate archives: Stored in S3 with server-side encryption (AES-256)
- Access tokens: Encrypted using AES-256-GCM with per-token random initialization vectors before storage
- Database: PostgreSQL and MongoDB instances use encrypted storage volumes
- Session recordings: Stored on encrypted EFS volumes
Integrity Verification
Every consent certificate includes a SHA-256 cryptographic attestation hash that binds together all evidence components — the session recording, extracted consent language, form data, and technical metadata — into a single tamper-evident record. These attestation hashes are not digital signatures; they are one-way cryptographic hashes used to verify that no component of the certificate has been altered after issuance. Any modification to any component of the certificate data will produce a different hash, making tampering evident.
Attestation hashes are computed at the time of certificate creation and stored alongside the certificate in immutable archival storage. Verification APIs allow Customers to recompute and compare hashes at any time.
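The following is an added illustration, not eConsent's own code or certificate format: it shows how a single SHA-256 value can bind several evidence components so that a change to any one of them is detected on recomputation. The component names, their order, the length-prefixed framing and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import struct

# Hypothetical component order; the page names the components but not an encoding.
COMPONENTS = ("recording_sha256", "consent_language", "form_data", "metadata")

def _encode(value) -> bytes:
    """Canonical bytes: UTF-8 for strings, sorted-key compact JSON for dicts."""
    if isinstance(value, str):
        return value.encode("utf-8")
    return json.dumps(value, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def attestation_hash(cert: dict) -> str:
    """SHA-256 over labelled, length-prefixed components.

    The length prefixes make component boundaries part of the hashed input,
    so bytes cannot be moved from one component to its neighbour unnoticed.
    """
    h = hashlib.sha256()
    for name in COMPONENTS:
        label, data = name.encode("ascii"), _encode(cert[name])
        h.update(struct.pack(">I", len(label)) + label)
        h.update(struct.pack(">Q", len(data)) + data)
    return h.hexdigest()

def naive_hash(cert: dict) -> str:
    """Plain concatenation, included only to show the boundary ambiguity."""
    return hashlib.sha256(b"".join(_encode(cert[n]) for n in COMPONENTS)).hexdigest()

def verify(cert: dict, stored_hex: str) -> bool:
    """Recompute the hash and compare it with the value stored at issuance."""
    return hmac.compare_digest(attestation_hash(cert), stored_hex)

# Constructed sample certificate (not real data).
SAMPLE = {
    "recording_sha256": hashlib.sha256(b"constructed recording bytes").hexdigest(),
    "consent_language": "I agree to receive calls",
    "form_data": {"phone": "555-0100", "name": "Test User"},
    "metadata": {"ts": "2026-04-06T12:00:00Z", "template_version": "tv-1"},
}

if __name__ == "__main__":
    stored = attestation_hash(SAMPLE)
    print(verify(SAMPLE, stored), verify(dict(SAMPLE, consent_language="altered"), stored))
```

Because the hash is unkeyed, the stored value is only as trustworthy as the storage that holds it, which is why the page pairs it with immutable archival storage.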
Outbound webhook payloads are signed with HMAC-SHA256 using a per-endpoint secret key, allowing recipients to verify that payloads originate from eConsent and have not been altered in transit.
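A recipient-side check for the HMAC-SHA256 webhook signature described above, given as an added example rather than eConsent's documented integration code. It assumes the signature arrives as a hex string computed over the raw request body; the endpoint ids, secrets and event payload are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed per-endpoint secrets; ids and values are placeholders.
ENDPOINT_SECRETS = {
    "ep_example_1": b"constructed-secret-1",
    "ep_example_2": b"constructed-secret-2",
}

def sign(raw_body: bytes, secret: bytes) -> str:
    """Sender side, included so the example can run offline."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_and_parse(endpoint_id: str, raw_body: bytes, signature_hex):
    """Return the parsed payload only if the signature is valid, else None.

    The MAC is checked over the exact bytes received, before any JSON
    parsing, and compared in constant time.
    """
    secret = ENDPOINT_SECRETS.get(endpoint_id)
    if secret is None or not isinstance(signature_hex, str):
        return None
    try:
        received = bytes.fromhex(signature_hex.strip())
    except ValueError:
        return None  # malformed signature value
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, received):
        return None
    return json.loads(raw_body)

# Constructed sample delivery (event name and id are made up).
SAMPLE_BODY = b'{"event":"certificate.created","id":"c_1"}'

if __name__ == "__main__":
    sig = sign(SAMPLE_BODY, ENDPOINT_SECRETS["ep_example_1"])
    print(verify_and_parse("ep_example_1", SAMPLE_BODY, sig))
    # Re-serialising the JSON changes the bytes, so verification fails.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(verify_and_parse("ep_example_1", reserialised, sig))
```

Frameworks that hand the handler an already-parsed body need to be configured to expose the raw bytes, since the signature covers those bytes and not the parsed object.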
Authentication and Access Control
Customer Access
- Session-based authentication with secure, HTTP-only cookies
- Password hashing using industry-standard algorithms
- Role-based access control (RBAC) with configurable permissions per user
- Organization-level isolation — users can only access data within their own organization
Internal Access
- Access to production systems is restricted to authorized personnel
- Infrastructure management uses AWS IAM with least-privilege policies
- No customer data is stored on employee workstations
Session Recording Privacy
eConsent’s session recording technology captures consumer interactions with web forms for consent verification purposes. We implement the following privacy controls:
- Password fields are automatically masked in all recordings
- Custom field masking allows customers to designate any form input as sensitive — masked fields appear as asterisks in replays and are never stored in plaintext
- Selective field capture — by default, only core PII fields necessary for TCPA verification are captured. Additional fields require explicit whitelisting by the customer.
- Minimal browser storage — the recording script stores only session identifiers and timestamps in cookies and localStorage on the Customer’s domain. No PII is persisted on the consumer’s device. See our Cookie Policy for details.
Data Retention
| Data Type | Storage Tier | Default Retention | Maximum |
|---|---|---|---|
| Session recordings (active) | Amazon EFS | Per customer plan | Configurable |
| MP4 video conversions | Amazon EFS / S3 | Per customer plan | Same as source recording |
| Certificate archives (S3 Object Lock) | S3 COMPLIANCE mode | Up to 7 years | 7 years |
| Long-term archives (Glacier) | S3 Glacier | Per lifecycle policy | 7 years |
| Session metadata | Amazon RDS | Per customer plan | Configurable |
| API and access logs | CloudWatch / S3 | 90 days | 90 days |
| Account data | Amazon RDS | Duration of account | Until deletion requested |
| Legal hold records | All applicable tiers | Until hold released | Indefinite |
Customers may configure retention periods through their dashboard. When data expires and no legal hold is in effect, it is permanently deleted from all storage tiers and cannot be recovered.
Video Conversion
Session recordings may be converted to MP4 video format for long-term archival and portability. The conversion process:
- Runs entirely within our AWS infrastructure (Fargate containers)
- Uses open-source tools: Playwright (Microsoft, headless browser for replay rendering) and FFmpeg (video encoding)
- No recording data is transmitted to external services during conversion
- The resulting MP4 file is stored in the same storage tier and subject to the same retention policies as the source recording
- A SHA-256 hash of the MP4 file is computed and stored alongside the video for integrity verification
Consent Template Integrity
eConsent supports a consent template registry that allows Customers to register and version consent language templates. Template integrity is protected by:
- Immutable versioning — Each template version is assigned a unique identifier at creation time. Template versions cannot be modified after creation; changes require a new version.
- Certificate linkage — Each consent certificate references the specific template version that was displayed to the consumer, providing an auditable chain from certificate to consent language.
- Hash verification — Template content is included in the SHA-256 attestation hash computation for each certificate, ensuring that any alteration to the referenced template would be detectable.
TCPA Consent Revocation
eConsent provides mechanisms to support consumer consent revocation (opt-out) in compliance with TCPA requirements:
- Revocation recording — When a Customer processes a consent revocation, eConsent timestamps and logs the revocation event against the original consent certificate.
- Audit trail — The original certificate and session recording are preserved alongside the revocation record, maintaining a complete audit trail of both the consent grant and its subsequent withdrawal.
- Self-service lookup — Consumers may verify whether a consent record exists for their information using a SHA-256 hash-based lookup that does not expose underlying PII.
- Customer responsibility — The Customer is solely responsible for honoring opt-out requests within the FCC’s 10-business-day requirement. eConsent provides tooling to assist but does not independently process consumer opt-out requests.
Incident Response
Breach Notification
In the event of a data breach affecting customer data, eConsent will:
- Notify affected customers within 72 hours of confirmed discovery
- Provide details of the nature and scope of the breach
- Describe the measures taken to contain and remediate the incident
- Cooperate with customers’ own notification obligations under applicable law
Our breach notification procedures are detailed in our Data Processing Agreement.
Monitoring and Availability
Uptime Monitoring
eConsent monitors all critical services continuously with automated health checks:
- API availability (30-second intervals)
- Database connectivity
- Redis connectivity
- CDN availability
- Recording pipeline health
- Certificate generation pipeline health
- Webhook delivery queue health
Our public status page is available at status.econsent.org.
Logging
All API requests are logged with timestamps, request metadata, and response codes. Logs are retained for 90 days. Logs do not contain consumer PII or form field values.
Compliance
TCPA
eConsent is purpose-built for Telephone Consumer Protection Act compliance. Our platform documents the consent interaction — what was displayed, what the consumer did, and when it happened — providing businesses with defensible records for TCPA litigation.
CCPA / CPRA
eConsent supports California Consumer Privacy Act compliance for our customers. We do not sell consumer personal information. We support data deletion and access requests as described in our Privacy Policy.
GDPR
For customers processing data of EU residents, eConsent offers a Data Processing Agreement that addresses GDPR requirements including data subject rights, processing instructions, subprocessor management, and cross-border transfer mechanisms.
SOC 2
SOC 2 Type II certification is on our roadmap. Our current security controls are designed to align with SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). If you require a detailed security questionnaire or vendor assessment, contact us at security@econsent.org.
Responsible Disclosure
If you discover a security vulnerability, please email security@econsent.org. Do not disclose vulnerabilities publicly before we have had an opportunity to investigate and remediate.
Questions
For security-related inquiries, vendor security assessments, or to request our security questionnaire, contact:
Email: security@econsent.org