Compliance you don't have to build.
TCPA, the FCC 1:1 consent rule, DNC, call-hour windows, and state AI disclosure laws — enforced at the API boundary, not left to your integration. Frozen flows. Tamper-evident audit chain. One place to answer a legal review.
Six controls your competitors leave to the customer.
consent_type enum at the API boundary
Every outbound call must attach an enumerated consent flavor. The API rejects missing or unknown values with 422 before the call leaves our network. Aligned with the FCC 2024 1:1 consent rule.
8 am–9 pm server-side call-hour enforcement
Windows are evaluated in the callee's local timezone, derived from the destination number — not yours. Out-of-window calls are blocked server-side with an audited event.
Tamper-evident audit chain
Every compliance-relevant action hashes forward into the next row. Any rewrite breaks the chain; OpenPhn produces a signed verification report on audit or subpoena request.
Frozen-publish flow artifacts
Published flows are immutable. Every call references a pinned flow_version_id you can produce under subpoena — the opposite of auto-tuning agents.
Pre-dial DNC scrubbing
Each dispatch is checked against your internal DNC list and the FTC federal registry (synced daily) before we place the call. Mid-call opt-outs write back automatically.
Per-field confidence + ambiguity flags
Every structured outcome returns a confidence score and flags the fields where the model was uncertain. Tells your auditor where human-review gates belong.
Which rules does OpenPhn cover?
| REGULATION | WHAT IT REQUIRES | HOW OPENPHN HANDLES IT | STATUS |
|---|---|---|---|
| TCPA §227 | 8 am–9 pm local calling window, consent before dial, reasonable rate caps. | Timezone-aware server-side block, per-number rate caps, required consent_type on every dispatch. | Enforced |
| FCC 2024 1:1 Consent Rule (effective 2026-01-27) | One-seller-at-a-time prior express written consent. | consent_type enum + per-campaign attribution recorded against each call. | Enforced |
| Federal DNC Registry | Scrub against the FTC national DNC list before dial. | Tenant-managed DNC list enforced pre-dial. Customers must scrub their lists against the Federal DNC Registry independently (your carrier may handle this; see your carrier's compliance docs). | Available |
| State AI disclosure (CA AB 2013, IL 815 ILCS 530) | Identify as an AI caller at the start of a call where state law applies. | Template-supported (customer-configured): flow templates include an AI-disclosure node the customer enables when targeting affected states. The platform does not detect callee state or force the disclosure — that is the customer's responsibility. | Available |
| Colorado AI Act (effective Feb 2026) | Risk-management documentation and consumer notices for high-risk AI decisioning. | Tamper-evident audit chain + disclosure templates; customer produces the risk-mgmt summary. | Available |
| HIPAA | Signed BAA, PHI handling controls. | BAA on the Scale tier; separate PHI-aware retention policy. | Available |
| GDPR / CCPA / CPRA | Data subject rights, DPA, regional data residency. | DPA at /legal/dpa; EU regional processing available on Scale. | Available |
How each control works.
consent_type enum at the API boundary
Every call dispatch must include a consent_type. Unknown or missing values return 422 Unprocessable Entity before the call is queued. Valid values:
- prior_express_written — signed TCPA-compliant written consent on file.
- prior_express — oral or checkbox consent where state law allows.
- existing_business_relationship — EBR carve-out with attribution.
- transactional — transactional / informational (no marketing content).
- emergency — bona-fide emergency; bypasses call-hour enforcement with an audited event.
The enum is enforced at the request boundary, not at call-time — invalid requests never get a chance to bill or dial.
Call-hour enforcement internals
We derive the destination timezone from the E.164 number via the NANP area-code table (with a portability override when present). The 8 am–9 pm window is then evaluated against the callee's local clock, not yours.
Out-of-window calls with consent_type ≠ emergency are rejected at dispatch. An emergency bypass writes a dedicated audit-chain event with the operator identity and reason — useful under regulator inquiry.
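The two controls above (boundary validation of consent_type, then the call-hour window evaluated on the callee's clock, with the emergency bypass writing an audit event) can be shown together as a single dispatch gate. This is an added illustration, not OpenPhn's code: the area-code table is a constructed stand-in with fixed UTC offsets (a real one maps to IANA zones and honours the portability override), the 403 status for blocked calls is an assumption (the page only specifies 422 for bad consent_type), and the event dictionaries are a placeholder for rows the audit chain would record.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone, time

# Consent flavours exactly as listed on the page; anything else is a 422.
CONSENT_TYPES = frozenset({
    "prior_express_written", "prior_express",
    "existing_business_relationship", "transactional", "emergency",
})

# Constructed stand-in for the NANP area-code table (area code -> UTC offset in
# hours). Production code would map to IANA zone names so DST is handled, and
# would consult the number-portability override before this table.
AREA_CODE_UTC_OFFSET = {"212": -5, "312": -6, "303": -7, "415": -8, "808": -10}

WINDOW_OPEN = time(8, 0)    # 8 am callee-local
WINDOW_CLOSE = time(21, 0)  # 9 pm callee-local


@dataclass
class Decision:
    status: int                 # HTTP status the API boundary would return
    reason: str
    audit_events: list = field(default_factory=list)


def callee_local_time(e164: str, now_utc: datetime) -> datetime:
    """Derive the callee's local clock from the destination number, never the caller's."""
    if not (e164.startswith("+1") and len(e164) == 12 and e164[1:].isdigit()):
        raise ValueError("constructed example handles NANP (+1) numbers only")
    area = e164[2:5]
    if area not in AREA_CODE_UTC_OFFSET:
        raise ValueError(f"no timezone mapping for area code {area}")
    return now_utc.astimezone(timezone(timedelta(hours=AREA_CODE_UTC_OFFSET[area])))


def gate_dispatch(req: dict, now_utc: datetime, operator: str = "api") -> Decision:
    # 1. Request-boundary validation: reject before anything is queued or billed.
    consent = req.get("consent_type")
    if consent not in CONSENT_TYPES:
        return Decision(422, f"unknown or missing consent_type: {consent!r}")

    # 2. Call-hour window, evaluated against the callee's local clock.
    local = callee_local_time(req["to"], now_utc)
    if WINDOW_OPEN <= local.time() <= WINDOW_CLOSE:
        return Decision(202, "dispatch queued")

    # 3. Out of window: only the emergency flavour may proceed, and it leaves a
    #    dedicated event carrying the operator identity and stated reason.
    if consent == "emergency":
        event = {"type": "call_hour_bypass", "to": req["to"], "operator": operator,
                 "reason": req.get("emergency_reason", "unspecified"),
                 "callee_local": local.isoformat()}
        return Decision(202, "emergency bypass of call-hour window", [event])

    event = {"type": "call_hour_block", "to": req["to"], "callee_local": local.isoformat()}
    return Decision(403, f"outside 8am-9pm callee-local window ({local.strftime('%H:%M')})", [event])
```

The same UTC instant is allowed for a New York number and blocked for a Hawaii number, which is the whole point of deriving the zone from the destination rather than the tenant's account settings.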
Tamper-evident audit chain
Each compliance-relevant event (call dispatched, DNC hit, consent attached, flow published, admin action) writes a row whose hash is H(prev_hash ‖ row_payload). Any rewrite — by us or by anyone who reached our database — breaks the chain at that row.
OpenPhn operators run the verification internally and against external snapshots on a schedule. In an audit, subpoena, or incident-response scenario we produce a signed verification report covering your tenant's rows for the requested window. Email security@openphn.com to request one.
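A minimal forward-hashing chain with the H(prev_hash ‖ row_payload) construction described above, plus a verifier that reports the first row at which the links no longer hold. This is an added example, not OpenPhn's implementation: the genesis sentinel, the JSON canonicalisation and the HMAC used to sign the verification report are all constructed choices for illustration.

```python
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # constructed sentinel: prev_hash of the first row


def canonical(payload: dict) -> bytes:
    # Deterministic serialisation so re-hashing a stored row reproduces its digest.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash: str, payload: dict) -> str:
    # H(prev_hash || row_payload). prev_hash is a fixed 32-byte digest, so the
    # concatenation is unambiguous without a separator.
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(payload))
    return h.hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.rows: List[dict] = []

    def append(self, payload: dict) -> dict:
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        row = {"seq": len(self.rows), "prev_hash": prev,
               "payload": payload, "hash": row_hash(prev, payload)}
        self.rows.append(row)
        return row


def verify(rows: List[dict]) -> Optional[int]:
    """Return the seq of the first row that no longer links, or None if the chain is intact."""
    prev = GENESIS
    for i, row in enumerate(rows):
        if (row["seq"] != i or row["prev_hash"] != prev
                or row_hash(prev, row["payload"]) != row["hash"]):
            return i
        prev = row["hash"]
    return None


def verification_report(rows: List[dict], tenant: str, signing_key: bytes) -> dict:
    """Signed statement of chain state for a tenant (HMAC stands in for the real signature)."""
    broken_at = verify(rows)
    body = {"tenant": tenant, "rows": len(rows),
            "head": rows[-1]["hash"] if rows else GENESIS,
            "intact": broken_at is None, "broken_at": broken_at}
    signature = hmac.new(signing_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}
```

Two failure modes are worth distinguishing. Editing a row's payload breaks that row immediately. Editing the payload and recomputing that row's hash moves the break to the next row, whose stored prev_hash no longer matches. Someone with write access to the whole table could recompute every later hash as well, which is why the verification is also run against externally held snapshots of the head hash rather than only against the live database.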
Frozen-publish flow artifacts
Publishing a flow writes an immutable flow_version_id. Every call logs the exact flow_version_id it ran against, so “what script did we run on that call?” has a single, unforgeable answer.
This is a deliberate inverse of auto-tuning approaches — see the compare pages for the tradeoff.
Pre-dial DNC scrubbing
For every dispatch we check, in order:
- Your organization's internal DNC list (propagation latency < 1 second).
- The FTC federal DNC registry (synced daily from the official download).
- Per-number rate caps.
Any match blocks dispatch and records an auditable event. Mid-call opt-outs captured by the agent write back to the customer DNC list automatically on call completion.
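The ordered pre-dial checks and the opt-out write-back, as an added example rather than OpenPhn's scrubber. The lists, the rate cap of three dispatches per number per day and the event records are constructed for illustration; a production scrubber would read a daily snapshot of the FTC registry and append its events to the audit chain instead of an in-memory list.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class DncScrubber:
    internal_dnc: Set[str]          # tenant-managed list (sub-second propagation)
    federal_dnc: FrozenSet[str]     # daily snapshot of the FTC registry (constructed here)
    rate_cap: int = 3               # constructed cap: dispatches per number per window
    rate_window_s: float = 86400.0
    events: List[dict] = field(default_factory=list)
    _recent: Dict[str, deque] = field(default_factory=dict)

    def check(self, e164: str, now: float) -> Tuple[bool, Optional[str]]:
        """Run the checks in the documented order; the first hit blocks and records an event."""
        checks = (
            ("internal_dnc", lambda: e164 in self.internal_dnc),
            ("federal_dnc", lambda: e164 in self.federal_dnc),
            ("rate_cap", lambda: self._over_cap(e164, now)),
        )
        for name, hit in checks:
            if hit():
                self.events.append({"type": "dispatch_blocked", "check": name,
                                    "to": e164, "at": now})
                return False, name
        # Allowed: count this dispatch towards the per-number cap.
        self._recent.setdefault(e164, deque()).append(now)
        return True, None

    def _over_cap(self, e164: str, now: float) -> bool:
        q = self._recent.get(e164)
        if not q:
            return False
        while q and now - q[0] > self.rate_window_s:   # drop dispatches outside the window
            q.popleft()
        return len(q) >= self.rate_cap

    def record_opt_out(self, e164: str, call_id: str, now: float) -> None:
        """Mid-call opt-out captured by the agent: written back on call completion."""
        self.internal_dnc.add(e164)
        self.events.append({"type": "opt_out_writeback", "to": e164,
                            "call": call_id, "at": now})
```

Because the internal list is consulted first, a number that opted out mid-call is blocked on the very next dispatch attempt, before the federal lookup or the rate counter is touched.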
Per-field confidence + ambiguity flags
Every structured outcome returns a confidence score in [0, 1] per field, plus an ambiguity_flags[] array identifying fields the model was uncertain about. Webhooks include both.
This matters for compliance because it tells an auditor exactly where your downstream pipeline should gate on human review rather than blindly trusting the extraction.
Data retention + sub-processors
Retention, encryption, and the full sub-processor list live on the /security page — we don't duplicate the tables here. The compliance-relevant highlights:
- Transcripts retained 90 days by default; configurable to 7 days on Scale.
- Recordings are opt-in and stored in isolated per-object-encrypted buckets.
- No training on customer call data. See /security#training.
Requesting a DPA, BAA, or SOC 2 report
Tier and gating:
- DPA: public at /legal/dpa.
- BAA: available on the Scale tier; email security@openphn.com.
- SOC 2 Type II report: on the roadmap. We'll publish a target date when the program kicks off — we'd rather not commit to a deadline we haven't resourced.
State regulation coverage: the matrix above lists the states whose AI-caller disclosure laws are enforced end-to-end by OpenPhn. Customers retain responsibility for state-by-state campaign review, including recording-consent and CCPA/CPRA opt-out routing into their own systems.
What we enforce — and what you still own.
We enforce:
- 8 am–9 pm call-hour window evaluated in the callee's local timezone
- Tenant-managed DNC list enforced pre-dial (customers scrub against the Federal DNC Registry independently; carrier may handle this)
- Required consent_type on every dispatch, validated at the API boundary
- Per-number rate caps
- Tamper-evident audit chain over every compliance-relevant event
- AI-disclosure node available in flow templates (template-supported; customer configures the flow for affected states)
You still own:
- Obtaining valid prior express (written, where required) consent
- Keeping your internal DNC list current (automated via webhook)
- State-mandated recording-consent disclosures in your script
- Configuring the AI-disclosure flow node where state law (CA AB 2013, IL 815 ILCS 530, etc.) applies
- CCPA / CPRA opt-out routing into your back-office systems
- Legal review of campaign copy and calling lists
- Overall TCPA program recordkeeping beyond OpenPhn's scope
Questions from your legal team? security@openphn.com