Calling people has rules, and they change by state and by hour. We enforce them for you — who not to call, when not to call, and what has to be said — and keep the record that proves it.
2yr
we keep the do-not-call record for
Every call
checked against the rules first
What the platform enforces.
TCPA + quiet hours
Outbound calls honour federal and state quiet-hour rules by default — the dispatcher refuses jobs outside the callee’s local 8am–9pm window. Consent records are stamped on every call so audit trails are one query away.
Numbers are scrubbed against the federal DNC list plus every state list we have a data licence for. Tenants can add their own internal suppression lists via the API or dashboard — suppression is enforced at dispatch-time, not post-hoc.
Two-party consent states get a pre-greeting legal prompt before any audio is captured. One-party states still record the consent event in the call log so downstream disputes have evidence.
Every voice clone requires a signed consent statement from the speaker at enrolment — stored immutably and linked to every call the clone participates in. Revocation takes the voice out of rotation within one dispatch cycle.
EU-origin traffic routes to EU-region infrastructure; subject-access + erasure APIs ship with the platform. A DPA + SCC package is available on request from the legal section of the dashboard.
External penetration testing runs annually against every public surface; findings and remediations are summarised on /security. Disclosures land within the same window we’d want as a customer.
We cannot audit your source lists, your purpose of contact, or the accuracy of the consent you collected upstream. The platform enforces what it can see — you remain the controller of record for the consent provenance, the call purpose, and any regulated content the agent discusses. The AUP spells out what you commit to when you send traffic through Rexa.ai.