Section 01
Compliance Overview
Adoptiv (adoptiv.com) is a Communications Platform as a Service (CPaaS) delivering Telephony, CRM, and AI Assistance to high-velocity sales teams. As a platform that processes millions of calls, SMS messages, and customer records, Adoptiv operates under some of the most rigorous telecommunications and data protection regulations in existence.
We treat compliance not as a legal checkbox but as a product feature. Every framework listed on this page is actively maintained, audited, and embedded directly into our engineering, operational, and AI governance practices. Below are the three primary pillars of the Adoptiv compliance stack:
Telephony Compliance
TCPA 2025, FCC Robocall Rules, CPNI, DNC, STIR/SHAKEN, CNAM, NANPA, 10DLC, BYOV carrier rules.
Data & Privacy
GDPR (EU/UK/Swiss), CCPA/CPRA, US State Laws (CO, CT, VA, TX, NV).
AI Governance
FCC AI-generated call rules (Feb 2024), GDPR Art. 22 automated decision-making, no AI model training on customer data.
📌 Platform Compliance Commitment
Adoptiv provides the compliance infrastructure and controls. Our customers are responsible for ensuring their own use of the Adoptiv platform — including outbound calling campaigns, consent collection, and list management — complies with applicable laws in their jurisdiction. We offer built-in compliance tools to help.Section 02
TCPA — Telephone Consumer Protection Act
The Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, governs the use of automated telephone dialing systems (ATDS), prerecorded messages, and artificial voice calls. It is administered and enforced by the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC).
⚠️ 2025 Rule Change: One-to-One Consent (Effective January 27, 2025)
The FCC enacted a landmark rule change requiring that TCPA prior express written consent (PEWC) be obtained from only one identified seller per consent interaction. Blanket consent across multiple sellers or lead generators is no longer valid. Adoptiv's platform enforces per-contact consent fields and campaign-level consent documentation.⚠️ 2025 Rule Change: Consent Revocation (Effective April 11, 2025)
Consumers may now revoke consent in any reasonable manner using words like "Stop," "Quit," "Cancel," "Opt-Out," "Unsubscribe," or "End." Callers must honor revocations within 10 business days. One confirmation text is permitted within 10 minutes of the request. Adoptiv's DNC sync processes revocations within 24 hours.TCPA Key Requirements
| Requirement | Rule | Adoptiv Control |
|---|---|---|
| Prior Express Written Consent (PEWC) | Required for ATDS/prerecorded calls to wireless numbers | Consent field per contact record; campaign-level consent tracking |
| One-to-One Consent | Each seller must obtain individual consent (Jan 27, 2025) | Single-seller consent enforcement; no list sharing across customers |
| Revocation Handling | Honor within 10 business days (Apr 11, 2025) | Automated DNC sync within 24 hours; STOP keyword processing |
| DNC Registry Scrubbing | Check before each campaign | Real-time DNC scrubbing pre-dial; 30-day refresh cycle |
| Call Abandonment | ≤ 3% abandoned calls; wait ≥ 15 sec / 4 rings | Predictive dialer configurable to FCC thresholds |
| Calling Hours | Only between 8am–9pm recipient's local time | Time-zone enforcement engine; UTC offset mapping per number |
| Prerecorded Messages | Must include opt-out option at start | Auto-prepend opt-out disclosure to all prerecorded campaigns |
| SMS Consent | Written consent required for ATDS-sent texts | SMS opt-in management with keyword STOP/HELP processing |
| Caller ID | Must display accurate calling number | STIR/SHAKEN signed; no spoofed CLI permitted |
TCPA Violation Penalties
Statutory Damages (per violation)$500
Willful / Knowing Violations (per violation)$1,500
Class Action ExposureUncapped (millions possible)
FCC Forfeiture Penalty (carrier violations)Up to $1,000,000 per action
ℹ️ Adoptiv Platform Controls
Adoptiv embeds TCPA controls directly into the dialing workflow: time-zone enforcement, DNC real-time scrubbing, per-contact consent status, campaign-level compliance logs, and automated opt-out processing. Customers remain responsible for obtaining valid PEWC before uploading contact lists.Section 03
Robocall Compliance
A robocall is any call made using an automated telephone dialing system (ATDS) or that delivers a prerecorded or artificial voice message. Under FCC rules, AI-generated voice calls are legally classified as robocalls, regardless of how human-like the voice sounds.
🚨 FCC Declaratory Ruling: AI Voice = Robocall (February 8, 2024)
The FCC issued a declaratory ruling confirming that any call using artificial intelligence to generate a human voice is considered a "robocall" under TCPA 47 C.F.R. § 64.1200. AI-generated calls to mobile phones or residential lines require prior express written consent. Adoptiv enforces consent verification before any AI Voice Agent call is initiated.✅ Permitted Robocall Types
- Emergency calls — danger to life, safety, or property
- Transactional / informational calls — with prior express consent
- Healthcare reminders — appointment reminders with consent
- Debt collection — to debtor's own number with consent
- Non-profit / political — landline only, some exemptions apply
- Survey / research — landline only, no commercial purpose
❌ Prohibited Without PEWC
- Telemarketing robocalls to wireless numbers
- AI-generated voice calls (FCC 2024 ruling)
- Prerecorded sales messages without opt-out mechanism
- Spam robocalls from spoofed caller IDs
- Calls to DNC-registered numbers without prior EBR or consent
- Unsolicited robotexts using ATDS to wireless
Adoptiv Robocall Safeguards
1
Consent Verification Engine
Every dialer campaign checks per-contact consent status before dialing. Unconsented contacts are automatically flagged and excluded from ATDS campaigns.
2
AI Call Disclosure
All AI Voice Agent calls include an automated disclosure at the start: "This call is being handled by an AI system on behalf of [Company Name]." Complies with pending FCC AI disclosure rules.
3
Opt-Out Automation
Real-time STOP/QUIT/CANCEL keyword processing across voice and SMS. Opt-outs propagate to all active campaigns within 15 minutes and sync to CRM contact record.
4
Abandonment Rate Monitoring
Predictive dialer is configurable to maintain ≤3% abandonment rate per FCC rules. Real-time monitoring with automated throttling when threshold is approached.
5
Audit Trail
Every call — including consent status, call type (human/AI/prerecorded), duration, result, and opt-out events — is logged with tamper-proof timestamps for compliance review.
Section 04
FCC Regulations
The Federal Communications Commission (FCC) is the primary US regulatory body for telecommunications. Adoptiv's telephony stack — including PSTN connectivity, SMS/MMS, VoIP, and AI voice features — is designed and operated in compliance with FCC rules under the Communications Act of 1934 (as amended) and the TCPA.
| FCC Rule / Order | Effective Date | Impact on Adoptiv | Status |
|---|---|---|---|
| One-to-One Consent Rule (CG Docket 21-402) | Jan 27, 2025 | Per-contact, per-seller PEWC enforcement in all ATDS campaigns | ✓ Compliant |
| Consent Revocation Rule (47 CFR § 64.1200) | Apr 11, 2025 | 24-hour DNC sync; any-manner opt-out processing; one confirmation text rule | ✓ Compliant |
| AI-Generated Voice Declaratory Ruling | Feb 8, 2024 | AI Voice Agent calls classified as robocalls; PEWC required; AI disclosure at call start | ✓ Compliant |
| STIR/SHAKEN Caller ID Authentication (47 CFR § 64.6301) | Ongoing | Full STIR/SHAKEN signing on all outbound calls; no spoofed CLI permitted | ✓ Compliant |
| A2P 10DLC SMS Registration (TCR) | Ongoing | All application-to-person SMS campaigns require brand and campaign registration with TCR | ✓ Compliant |
| Truth in Caller ID Act (47 U.S.C. § 227(e)) | Ongoing | Caller ID must accurately identify the calling party; no spoofing | ✓ Compliant |
| FNPRM: AI Consent & Caller ID Enhancement (Oct 2025) | Pending finalization | Proposed AI-specific consent and in-call disclosure rules; Adoptiv AI already exceeds proposed standards | Monitoring |
📋 FCC Enforcement Action History
Violations of FCC telecommunications rules can result in forfeiture penalties up to $1,000,000 per enforcement action (as demonstrated in the 2024 Lingo Telecom STIR/SHAKEN consent decree). Adoptiv's compliance team monitors FCC enforcement actions and updates platform controls within 30 days of any material rule change.Section 05
AES-256 Encryption
Adoptiv uses AES-256 (Advanced Encryption Standard with 256-bit keys) — the same encryption standard used by the US government for top-secret classified data — to protect all customer data at rest and in transit. AES-256 has 2²⁵⁶ possible key combinations, making brute-force attacks computationally infeasible with current and foreseeable technology.
Browser/App
TLS 1.3
→
API Gateway
HTTPS / mTLS
→
Application
SRTP (Voice)
→
Database
AES-256 at rest
→
Backups
AES-256 encrypted
| Layer | Protocol / Standard | Coverage |
|---|---|---|
| Data at Rest | AES-256-GCM | All databases, object storage, backups, recordings, CRM data |
| Data in Transit (Web) | TLS 1.3 (min TLS 1.2) | All browser-to-server, API, and webhook communications |
| Voice / VoIP | SRTP (Secure RTP) + DTLS | All VoIP call media streams (end-to-end encrypted where possible) |
| API Communications | HTTPS with certificate pinning | All REST API and webhook traffic |
| Database Connections | TLS 1.3 in-transit encryption | Application-to-database connections |
| File Uploads / Documents | AES-256 server-side encryption | All uploaded files, CSV imports, attachments |
| Call Recordings | AES-256 at rest + TLS in transit | Recording storage and playback streams |
| Passwords | bcrypt (cost factor ≥ 12) + salt | Never stored in plaintext; one-way hashed |
| Encryption Keys | AWS KMS / HSM-managed | Customer-managed key (CMK) option available on Enterprise plan |
🔑 Key Management
Encryption keys are managed via FIPS 140-2 validated Hardware Security Modules (HSMs). Key rotation is performed every 90 days. Enterprise customers can supply their own Customer Managed Keys (CMK).
🔍 Penetration Testing
Third-party penetration testing is conducted annually and after major infrastructure changes. Results are reviewed by the Security team and remediated within defined SLAs based on CVSS severity score.
Section 06
GDPR — General Data Protection Regulation
The General Data Protection Regulation (GDPR) — EU Regulation 2016/679 governs the processing of personal data of individuals in the European Union, EEA, UK, and Switzerland. Adoptiv acts as both a Data Controller (for account holder data) and a Data Processor (for customer CRM and telephony data).
📋 As Data Controller
For personal data of Adoptiv's direct account holders (name, email, billing). Adoptiv determines the purpose and means of processing. Full GDPR obligations apply.
🔧 As Data Processor
For CRM contacts, call records, and telephony data uploaded by customers. Adoptiv processes only on documented customer instruction. Data Processing Agreement (DPA) available.
GDPR Compliance Matrix
| GDPR Article | Requirement | Adoptiv Implementation |
|---|---|---|
| Art. 5 | Data Processing Principles | Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limits, integrity, accountability — all enforced by policy and system controls |
| Art. 6 | Lawful Basis for Processing | Documented lawful basis per data type: contract, consent, legitimate interest, legal obligation. Basis recorded in processing register. |
| Art. 13 / 14 | Transparency Obligations | Full privacy notice on adoptiv.com/privacy. Data collection disclosed at point of collection. |
| Art. 17 | Right to Erasure | Automated RTBF workflow via privacy portal or email to [email protected] within 30 days. |
| Art. 20 | Data Portability | Data export in JSON/CSV available from account settings. Contact records, call logs, CRM data all included. |
| Art. 22 | Automated Decision-Making | AI features that affect significant decisions require human review. AI governance policy published. Users notified when AI is making recommendations vs. decisions. |
| Art. 25 | Privacy by Design & Default | Data minimisation by design. Strict access controls by default. Privacy impact assessments (DPIA) for new features processing sensitive data. |
| Art. 28 | Data Processing Agreement | DPA available at adoptiv.com/dpa. Executed automatically with Enterprise accounts; available on request for all plans. |
| Art. 32 | Security of Processing | AES-256, TLS 1.3, SRTP, role-based access, audit logs, ISO 27001. See Section 05. |
| Art. 33 | Breach Notification to Authority | Notification to supervisory authority within 72 hours of discovery of qualifying breach. |
| Art. 34 | Breach Notification to Individuals | Affected individuals notified without undue delay when breach poses high risk to rights and freedoms. |
| Art. 37 | Data Protection Officer (DPO) | DPO appointed. Contact: [email protected] |
| Art. 44–49 | International Data Transfers | EU-US Data Privacy Framework (DPF), UK Extension, Swiss-US DPF. SCCs and UK IDTA as fallbacks. Data residency controls available. |
Your GDPR Rights
Right to Access
Request a copy of your personal data
Rectification
Correct inaccurate or incomplete data
Erasure
Right to be forgotten
Restriction
Limit processing of your data
Portability
Export data in machine-readable format
Object
Object to processing based on legitimate interest
No Auto-Decision
Human review of significant AI decisions
Withdraw Consent
Revoke consent at any time
🌍 Transfer Mechanisms
Adoptiv is certified under the EU-US Data Privacy Framework (EU-US DPF), UK Extension to the EU-US DPF, and Swiss-US DPF. For transfers not covered by DPF, Standard Contractual Clauses (SCCs — Commission Implementing Decision 2021/914) and the UK International Data Transfer Agreement (IDTA) are available. Our DPA includes the full module selection for controller-to-processor transfers.Section 07
CCPA / CPRA — California Privacy Rights
The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants California consumers extensive rights over their personal information. Adoptiv fully complies with CCPA/CPRA and provides the required consumer rights infrastructure.
📋 CCPA/CPRA Rights We Honor
- Right to Know — categories, sources, purposes, and specific data
- Right to Delete — request deletion within 45 days
- Right to Correct — update inaccurate personal information
- Right to Opt-Out — of sale/sharing of personal information
- Right to Limit Use — of sensitive personal information
- Right to Non-Discrimination — no service degradation for exercising rights
- Right to Appeal — appeal a denial of a privacy request
🔍 US State Privacy Laws Covered
- California — CCPA/CPRA (enforced by California Privacy Protection Agency)
- Colorado — Colorado Privacy Act (CPA) — effective July 1, 2023
- Connecticut — CTDPA — effective July 1, 2023
- Virginia — VCDPA — effective January 1, 2023
- Texas — TDPSA — effective July 1, 2024
- Nevada — Nevada Privacy Act SB 220
- GPC Signal — Global Privacy Control honored on adoptiv.com
ℹ️ Response Timeline
We respond to CCPA/CPRA verifiable consumer requests within 45 calendar days. Complex requests may be extended by an additional 45 days with notice. We verify identity before processing deletion or access requests. Submit requests to: [email protected] or via our Privacy Center at adoptiv.com/privacy-center.Section 08
AI Compliance & Governance
Adoptiv's AI features — Voice Agents, Sales Agents, Predictive Analytics, Transcription, Sentiment Analysis, Email Parsing, and Lead Recovery — operate under a strict AI governance framework informed by GDPR Article 22, FCC AI rulings, and industry best practices from Twilio, Pipedrive, and HubSpot.
AI Feature Compliance Map
| AI Feature | Data Used | Regulatory Framework | Human Review Required |
|---|---|---|---|
| AI Voice Agents | Contact record, call script, CRM data | TCPA PEWC + FCC AI-voice ruling (Feb 2024) + GDPR Art. 22 | Escalation path mandatory |
| Call Transcription | Call audio, metadata | State call recording laws; GDPR Art. 6; CCPA; consent logged | Admin review available |
| Sentiment Analysis | Transcribed text | GDPR Art. 22 (not sole decision basis); CCPA sensitive data rules | Insight only; no autonomous action |
| Predictive Dialer | Contact history, call outcomes | TCPA abandonment rules; FCC 3% threshold; DNC status check | Threshold alerts; human admin override |
| AI Sales Agents | Deal data, contact history | GDPR Art. 22; CCPA; no automated binding decisions | Human approval for deals > threshold |
| Email Parsing / AI | Email content with consent | GDPR Art. 6(1)(b); CAN-SPAM; CASL | Admin review for flagged items |
| Lead Recovery AI | Deal history, payment records | GDPR legitimate interest; CCPA; TCPA for recontact | Contact list requires human approval |
Four AI Governance Principles
1. Transparency
All AI interactions are clearly labeled. AI Voice Agent calls include mandatory disclosure. AI-generated CRM suggestions are visually marked. Super Admin audit logs capture all AI activity.
2. No Training on Your Data
Customer data — contacts, call recordings, CRM records — is never used to train Adoptiv's AI models or shared with third-party AI providers for training purposes. No exceptions.
3. Human Control
Every significant AI-driven action requires human approval or provides a clear override mechanism. GDPR Art. 22 compliance ensures no fully-automated binding decisions.
4. Privacy-by-Design
AI features are built with data minimisation at their core. AI models see only the minimum data required for the specific function, with no cross-customer data blending.
Section 09
CPNI — Customer Proprietary Network Information
Customer Proprietary Network Information (CPNI) is information that telecommunications providers acquire about their customers by virtue of providing the service. Under 47 U.S.C. § 222, Adoptiv is required to protect and restrict the use of CPNI.
What Constitutes CPNI
- Number of calls made/received
- Call duration and frequency
- Call destinations (numbers dialed)
- Location of calling/called device
- Type and configuration of telephony service
- Service subscription details
What Is NOT CPNI
- Customer's name and billing address
- Telephone number of subscriber
- Payment information
- Content of calls or voicemails
- Account username and password
⚖️ CPNI Usage & Your Rights
Adoptiv uses CPNI only to provide and improve the services you have subscribed to. We do not share CPNI with third parties for marketing without your explicit consent. You may opt out of CPNI use for marketing at any time by emailing [email protected] with the subject "CPNI Opt-Out." Opt-out requests are processed within 24 hours. If Adoptiv experiences a CPNI breach, law enforcement is notified within the required timeframe, and customers are notified at least 7 days thereafter (or as law enforcement permits).Section 11
Do-Not-Call (DNC) Registry
The National Do-Not-Call Registry (administered by the FTC under 16 CFR Part 310 — Telemarketing Sales Rule) prohibits telemarketing calls to registered numbers. Adoptiv provides automated DNC scrubbing integrated directly into the dialing workflow.
🔄 DNC Controls in Adoptiv
- National DNC Registry scrubbing pre-campaign
- Company-specific internal DNC list management
- State DNC list scrubbing (where applicable)
- Real-time opt-out addition to DNC list
- 30-day DNC list refresh cycle
- Campaign-level DNC override audit trail
⚠️ DNC Violation Penalties (FTC)
Per Violation (FTC)Up to $51,744
Per Violation (FCC / TCPA)Up to $1,500
Section 12
STIR/SHAKEN — Caller ID Authentication
STIR (Secure Telephony Identity Revisited) / SHAKEN (Signature-based Handling of Asserted Information using toKENs) is the FCC-mandated caller ID authentication framework implemented under 47 CFR § 64.6301. It cryptographically signs outbound calls to verify that the caller ID is accurate and the calling party is authorized to use that number.
🔐 Attestation Level A
Full attestation: Adoptiv has verified the calling party's identity and their right to use the phone number. Applied to all direct inward dial (DID) numbers assigned to Adoptiv customers.
📋 FCC Requirement
All voice service providers must implement STIR/SHAKEN for calls over IP networks. Failure to comply can result in calls being flagged as "Spam Likely" or blocked by terminating carriers.
🚫 No Spoofing
Adoptiv's platform technically prevents caller ID spoofing on customer accounts. Customers cannot configure outbound caller IDs to numbers they do not own or control.
Section 13
Data Residency & International Transfers
Adoptiv offers data residency controls to help customers meet jurisdiction-specific data localization requirements, including GDPR requirements for EU data to remain within the EEA.
| Region | Data Center | Transfer Mechanism | Availability |
|---|---|---|---|
| United States | US-East, US-West | Primary region — no transfer mechanism required | All Plans |
| European Union | EU-West (Frankfurt/Dublin) | GDPR-compliant; data stays within EEA | Pro + Enterprise |
| United Kingdom | EU-West + UK-South | UK GDPR + IDTA for EEA transfers | Enterprise |
| Canada | CA-Central | PIPEDA compliance; within Canada | Enterprise |
| Australia | AP-Southeast | Australian Privacy Principles (APP) | Enterprise |
Section 14
Security Incident Response
Adoptiv maintains a formal Security Incident Response Plan (SIRP) aligned to NIST SP 800-61 and our GDPR, and CCPA notification obligations.
1
Detection & Triage (0–2 hours)
24/7 automated alerting via SIEM. Security team triages severity using CVSS scoring. P1 incidents escalate to CISO immediately.
2
Containment (2–8 hours)
Affected systems isolated. Access credentials rotated. Forensic investigation begins. Incident documented in secure ticketing system.
3
Customer Notification (within 72 hours)
Affected customers notified via email with incident description, data categories involved, and mitigation steps. GDPR supervisory authority notified within 72 hours for qualifying EU breaches.
4
Remediation & Recovery
Root cause analysis completed. Patches deployed. System restored from clean backups where necessary. Post-incident review within 14 days.
5
Post-Incident Report
Full incident report provided to affected Enterprise customers within 30 days including timeline, root cause, data impact assessment, and remediation steps taken.
Section 15
Compliance Contacts
Our compliance team is available to assist with privacy requests, compliance questions, and legal inquiries. All compliance communications are handled by dedicated personnel — not automated systems.
📍 Registered Addresses
US Entity: Adoptiv Inc., [Address], Delaware, USA | EU Representative: Adoptiv EU Ltd., [EU Address], Ireland | UK Representative: [UK Representative Name], [UK Address]