Security & Compliance
This agreement is between eConsent LLC and the client with regard to access and use of econsent.org and related services. Contact us with questions.
Last Updated: April 1, 2026
Our Commitment
eConsent is a TCPA compliance platform that processes sensitive consent data on behalf of our customers. Security is foundational to our product — not an afterthought. This page describes the technical and organizational measures we implement to protect your data.
Infrastructure
Cloud Hosting
eConsent runs on Amazon Web Services (AWS) in the US-West-2 (Oregon) region. Our infrastructure leverages:
- AWS Fargate (ECS) — Serverless container orchestration for our API services. No persistent servers to patch or maintain. Containers are ephemeral and rebuilt on every deployment.
- Amazon S3 — Long-term certificate storage with Object Lock in COMPLIANCE mode. Once a certificate is archived, it cannot be modified or deleted for the duration of the retention period (up to 7 years).
- Amazon EFS — Encrypted file storage for active session recordings with automatic replication.
- Amazon CloudFront — Content delivery network with TLS termination for our client-side recording script and WASM processing module.
- Amazon RDS / PostgreSQL — Managed relational database for session and certificate data with automated backups and encryption at rest.
Isolation
Each customer’s data is logically isolated at the database level using company-scoped partitioning. Customer data is never commingled in shared tables without partition boundaries. API authentication enforces tenant isolation on every request.
Encryption
In Transit
All data transmitted between clients, our APIs, and our infrastructure is encrypted using TLS 1.2 or higher. This includes:
- Browser to API communication
- Internal service-to-service communication
- Database connections
- Redis connections
- Webhook delivery to customer endpoints
At Rest
- Certificate archives: Stored in S3 with server-side encryption (AES-256)
- Access tokens: Encrypted using AES-256-GCM with per-token random initialization vectors before storage
- Database: PostgreSQL and MongoDB instances use encrypted storage volumes
- Session recordings: Stored on encrypted EFS volumes
Integrity Verification
Every consent certificate includes a SHA-256 cryptographic hash of its canonical payload. This hash provides tamper detection — any modification to the certificate data after issuance will produce a different hash, making tampering evident.
Outbound webhook payloads are signed with HMAC-SHA256 using a per-endpoint secret key, allowing recipients to verify that payloads originate from eConsent and have not been altered in transit.
Authentication and Access Control
Customer Access
- Session-based authentication with secure, HTTP-only cookies
- Password hashing using industry-standard algorithms
- Role-based access control (RBAC) with configurable permissions per user
- Organization-level isolation — users can only access data within their own organization
Internal Access
- Access to production systems is restricted to authorized personnel
- Infrastructure management uses AWS IAM with least-privilege policies
- No customer data is stored on employee workstations
Session Recording Privacy
eConsent’s session recording technology captures consumer interactions with web forms for consent verification purposes. We implement the following privacy controls:
- Password fields are automatically masked in all recordings
- Custom field masking allows customers to designate any form input as sensitive — masked fields appear as asterisks in replays and are never stored in plaintext
- Selective field capture — by default, only core PII fields necessary for TCPA verification are captured. Additional fields require explicit whitelisting by the customer.
- Minimal browser storage — the recording script stores only session identifiers and timestamps in cookies and localStorage on the Customer’s domain. No PII is persisted on the consumer’s device. See our Cookie Policy for details.
Data Retention
| Data Type | Default Retention | Maximum |
|---|---|---|
| Session recordings (active) | Per customer plan | Configurable |
| Certificate archives (S3 Object Lock) | Up to 7 years | 7 years (COMPLIANCE mode) |
| Session metadata | Per customer plan | Configurable |
| API and access logs | 90 days | 90 days |
| Account data | Duration of account | Until deletion requested |
Customers may configure retention periods through their dashboard. When data expires, it is permanently deleted and cannot be recovered.
Incident Response
Breach Notification
In the event of a data breach affecting customer data, eConsent will:
- Notify affected customers within 72 hours of confirmed discovery
- Provide details of the nature and scope of the breach
- Describe the measures taken to contain and remediate the incident
- Cooperate with customers’ own notification obligations under applicable law
Our breach notification procedures are detailed in our Data Processing Agreement.
Monitoring and Availability
Uptime Monitoring
eConsent monitors all critical services continuously with automated health checks:
- API availability (30-second intervals)
- Database connectivity
- Redis connectivity
- CDN availability
- Recording pipeline health
- Certificate generation pipeline health
- Webhook delivery queue health
Our public status page is available at status.econsent.org.
Logging
All API requests are logged with timestamps, request metadata, and response codes. Logs are retained for 90 days. Logs do not contain consumer PII or form field values.
Compliance
TCPA
eConsent is purpose-built for Telephone Consumer Protection Act compliance. Our platform documents the consent interaction — what was displayed, what the consumer did, and when it happened — providing businesses with defensible records for TCPA litigation.
CCPA / CPRA
eConsent supports California Consumer Privacy Act compliance for our customers. We do not sell consumer personal information. We support data deletion and access requests as described in our Privacy Policy.
GDPR
For customers processing data of EU residents, eConsent offers a Data Processing Agreement that addresses GDPR requirements including data subject rights, processing instructions, subprocessor management, and cross-border transfer mechanisms.
SOC 2
SOC 2 Type II certification is on our roadmap. Our current security controls are designed to align with SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). If you require a detailed security questionnaire or vendor assessment, contact us at security@econsent.org.
Responsible Disclosure
If you discover a security vulnerability, please email security@econsent.org. Do not disclose vulnerabilities publicly before we have had an opportunity to investigate and remediate.
Questions
For security-related inquiries, vendor security assessments, or to request our security questionnaire, contact:
Email: security@econsent.org
