Security you can verify.

Cryptographic integrity

Every consent certificate is signed with HMAC-SHA256 using a server-held secret. The signature covers the certificate payload, session metadata, and disclosure content. Any downstream modification — to a single byte — invalidates the signature, and verification is publicly exposed so any party can confirm a certificate's authenticity without needing to trust us.

Records are additionally tamper-hashed with SHA-256 at the storage layer, and voice audio is committed to S3 with Object Lock in COMPLIANCE mode — immutable for seven years, even to us.

Tenancy isolation

PostgreSQL LIST partitioning separates every customer's data into a dedicated partition keyed on company_id. Every query path additionally scopes by api_key_id, making cross-tenant data access a structural impossibility rather than an application-layer check.

SQL is executed exclusively through parameterized queries (Knex on the Node tier, sqlx on the Rust tier). String concatenation into queries is not part of the codebase.

Infrastructure hardening

Services run on AWS Fargate in us-west-2, distributed across 2–4 availability zones depending on service. Secrets are resolved at container start from AWS SSM Parameter Store — credentials are never committed to source control or baked into container images. Deployments use an ECS circuit breaker with automatic rollback, so a failed rollout reverts rather than leaving the cluster in a broken state.

Uptime Kuma performs synthetic health checks against each service. Structured JSON logs stream to CloudWatch with a request ID propagated across every service hop for distributed tracing.

Access controls

API keys are hashed with SHA-256 on creation; the raw key is shown once to the user and never persisted. New API keys enter a gated approval workflow — keys in a pending state cannot be used for production traffic until explicitly approved.

Dashboard access uses role-based permissions with session cookies that are HTTP-only and SameSite=Lax. Rate limiting is applied per-IP and per-company via a Redis sliding window, and Cloudflare Turnstile blocks automated registration attempts. CSRF protection uses a double-submit cookie pattern on dashboard mutations.

The TCPA requires prior express written consent before placing automated calls or sending SMS. Our Voice and SMS compliance chains capture the consent event, the disclosure language, the channel, and the identified seller, and produce a signed certificate that documents the required elements.

The FCC's February 2024 declaratory ruling classified AI-generated voices as "artificial" under the TCPA, requiring consent. Our Voice classifier flags AI-generated audio and records that determination on the certificate so you can prove your consent framework accounted for it.

The FCC's August 2024 NPRM addresses revocation of consent: any reasonable method must be honored and must propagate across channels. Our revocation pipeline accepts inbound revocations via portal, API, and CSV, and updates downstream consent state in real time with an auditable trail.

CTIA's Messaging Principles and Best Practices define what carriers expect from senders. Our SMS pre-send compliance checks evaluate opt-in provenance, required disclosures (HELP, STOP), and prohibited-content categories prior to handoff to a messaging aggregator.

Certificates generated by eConsent capture the fields required to substantiate opt-in for 10DLC campaign registration, including the channel of origin, disclosure text, consumer identifier, and timestamp.

The FTC TSR imposes additional consent and disclosure requirements on telemarketers. Our certificate schema records seller identity, goods or services offered, and the written consent language the consumer saw — the artifacts an FTC inquiry typically asks for.