Trust & Compliance Center

Updated on 20/04/2026

01Compliance Overview

About Adoptiv. "Adoptiv" is a Communications Platform as a Service (CPaaS) product operated by Adoptiv Inc, a Delaware corporation with registered office at [US operating address — TBD], Delaware, USA (EIN [EIN — TBD]), a wholly-owned subsidiary of Prishal Technolabs Private Limited (Patna, Bihar, India). All licenses, registrations, certifications, and customer contracts are held in the name of Adoptiv Inc.

Adoptiv is not a lead-generation service, is not a list broker or data reseller, is not a marketing agency, and is not a licensed telecommunications carrier of record in any jurisdiction except where expressly registered with the relevant regulator. Customers are the senders and controllers of the communications and data they originate through the Adoptiv Platform; Adoptiv Inc acts as a service provider / data processor on the Customer's documented instructions.

Adoptiv (adoptiv.com) is a Communications Platform as a Service (CPaaS) delivering programmable Telephony, CRM, and AI Assistance to businesses and developers. As a platform that processes high volumes of calls, SMS messages, and customer records, Adoptiv operates under rigorous telecommunications and data protection regulations.

We treat compliance as a product feature. Every framework listed on this page is actively maintained, audited, and embedded into engineering, operations, and AI governance. Below are the three primary pillars of the Adoptiv compliance stack.

Pillar	Coverage
Telephony compliance	TCPA 2025, FCC robocall rules, CPNI, DNC, STIR/SHAKEN, CNAM, NANPA, 10DLC, BYOV carrier integration rules. Adoptiv is not a carrier of record except where expressly registered.
Data & privacy	GDPR (EU/UK/Swiss), CCPA/CPRA, US state privacy laws (CO, CT, VA, UT, TX, OR, MT, NJ, DE, IA, TN, IN, MN, MD), DPDPA 2023 (India), LGPD (Brazil), PIPEDA + Quebec Law 25 + CASL (Canada).
AI governance	EU AI Act (Reg. 2024/1689), FCC AI-generated call rules (Feb 2024), Colorado AI Act (SB 24-205, Feb 2026), California AB 2905, GDPR Art. 22, MeitY AI Advisory (India, Mar 2024), and a strict prohibition on training models on customer data.

Platform compliance commitment. Adoptiv provides compliance infrastructure and controls. Customers remain responsible for lawful use of the platform — including application traffic, consent collection at the point of lead capture, and recipient data hygiene — in their jurisdictions. Built-in tools are provided to help you meet those obligations.

02Coverage Roadmap

Adoptiv operates globally. The table below shows current live coverage, near-term expansion, and jurisdictions that are explicitly out of scope.

Tier 1 — Launch (live now)

Jurisdiction	Privacy	Telecom	AI
United States	CCPA / CPRA + state laws (CO, CT, VA, UT, TX, OR, MT, NJ, DE, IA, TN, IN, MN, MD)	FCC / TCPA / STIR-SHAKEN / 10DLC (TCR)	FCC AI voice (Feb 2024) + CA AB 2905 + CO SB 24-205 + UT SB 149
India (mother-company jurisdiction)	DPDPA 2023 + IT Act / SPDI Rules / IT Rules 2021	TRAI TCCCPR 2018 (DLT) + DoT — only if Indian carrier used	MeitY AI Advisory (Mar 2024)

Tier 2 — Near-term international (planned, contracted via Adoptiv Inc)

Jurisdiction	Privacy	Telecom	AI
EU-27	GDPR + ePrivacy Directive	EECC + national regulators	EU AI Act (Reg. 2024/1689) — staged 2025–2027
United Kingdom	UK GDPR + PECR + DPA 2018	Ofcom CLI rules	UK AI principles (voluntary)
Canada	PIPEDA + Quebec Law 25 + CASL	CRTC + STIR-SHAKEN	Bill C-27 AIDA (pending)
Australia	Privacy Act 1988 + APPs + Spam Act 2003	ACMA	Voluntary AI Safety Standard

Tier 3 — Roadmap

Brazil (LGPD / ANATEL) · Mexico (LFPDPPP / IFT) · UAE (PDPL / TDRA) · KSA (PDPL / CITC) · Singapore (PDPA / IMDA) · Japan (APPI / MIC) · South Korea (PIPA) · South Africa (POPIA)

Out of scope

China · Russia · Iran · North Korea · Any jurisdiction on UN / India / US consolidated sanctions lists

03TCPA — Telephone Consumer Protection Act

The Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, governs automated telephone dialing systems (ATDS), prerecorded messages, and artificial voice calls. It is administered by the FCC and enforced together with the FTC.

Adoptiv is a consent-record custodian — not a lead generator

Adoptiv does not generate, purchase, aggregate, broker, or sell leads or contact lists. We do not operate lead-generation funnels and we do not share contact data across Customer accounts. Our platform provides structured fields that allow each Customer to record and retain its own consent evidence for each contact, including:

Prior Express Written Consent (PEWC) text shown to the recipient
Timestamp of consent
Source URL / campaign / form from which consent was captured
IP address of the consenting individual
Identity of the single seller to whom consent was given (FCC one-to-one consent rule, effective 27 January 2025)
Consent revocation events (STOP / QUIT / CANCEL / OPT-OUT / UNSUBSCRIBE / END) and the channel through which revocation was received

Consent is collected by the Customer at the point of lead capture on the Customer's own website, landing page, or form — not by Adoptiv. The Customer represents and warrants that all consent records uploaded to Adoptiv were lawfully obtained. Adoptiv's role is limited to storing and surfacing those records to the Customer's dialing, messaging, and AI workflows so that they can be enforced in real time.

Contact lists, consent records, call audio, transcripts, and CRM records are logically isolated per tenant. Adoptiv does not pool, share, sell, or otherwise commingle one Customer's data with another's, and does not use Customer Data to train generalized AI models.

2025 rule change: one-to-one consent (effective January 27, 2025)

The FCC requires that TCPA prior express written consent (PEWC) name only one identified seller per consent interaction. Blanket consent across multiple sellers or lead generators is not valid. Adoptiv's consent fields record per-contact, per-seller consent as captured by the Customer.

2025 rule change: consent revocation (effective April 11, 2025)

Consumers may revoke consent in any reasonable manner — including words such as "Stop," "Quit," "Cancel," "Opt-Out," "Unsubscribe," or "End." Callers must honor revocations within ten business days. One confirmation text is permitted within ten minutes of the request. Adoptiv's DNC sync targets processing revocations within 24 hours.

TCPA key requirements

Requirement	Rule	Adoptiv control
Prior express written consent (PEWC)	Required for ATDS/prerecorded calls to wireless numbers	Consent-record fields populated by the Customer; campaign-level consent tracking
One-to-one consent	Each seller must obtain individual consent (Jan 27, 2025)	Single-seller consent field enforced at dial time; no cross-customer list sharing
Revocation handling	Honor within 10 business days (Apr 11, 2025)	Automated DNC sync within 24 hours; STOP keyword processing
DNC registry scrubbing	Check before each campaign	Real-time DNC scrubbing configurable pre-dial; 30-day refresh
Call abandonment	≤ 3% abandoned; wait ≥ 15 sec / 4 rings	Predictive dialer configurable to FCC thresholds
Calling hours	8am–9pm recipient local time	Time-zone enforcement; UTC offset mapping per number
Prerecorded messages	Opt-out at start	Auto-prepend opt-out disclosure to prerecorded campaigns
SMS consent	Written consent for ATDS-sent texts	SMS opt-in management with STOP/HELP processing
Caller ID	Accurate calling number	STIR/SHAKEN signing; no spoofed CLI

TCPA violation penalties

Category	Exposure
Statutory damages (per violation)	$500
Willful / knowing (per violation)	$1,500
Class action exposure	Uncapped
FCC forfeiture (carrier violations)	Up to $1,000,000 per action

Platform controls. TCPA controls are embedded as platform features the Customer configures into its dialing workflow: time-zone enforcement, real-time DNC scrubbing, per-contact consent status enforcement, campaign compliance logs, and automated opt-out processing. Customers remain responsible for obtaining valid PEWC before uploading consent records.

04Robocall Compliance

A robocall is any call made using an ATDS or that delivers a prerecorded or artificial voice message. Under FCC rules, AI-generated voice calls are classified as robocalls regardless of how human-like the voice sounds.

FCC declaratory ruling: AI voice = robocall (February 8, 2024)

The FCC confirmed that calls using AI to generate a human voice are robocalls under TCPA 47 C.F.R. § 64.1200. AI-generated calls to mobile or residential lines require PEWC. Adoptiv enforces the consent record stored by the Customer before AI Voice Agent calls are initiated.

Permitted types (examples)	Prohibited without PEWC
Transactional / informational calls with prior express consent Healthcare reminders with consent Debt collection to debtor's number with consent Non-profit / political (landline, exemptions may apply) Survey / research (landline, non-commercial)	Telemarketing robocalls to wireless numbers AI-generated voice calls (FCC 2024 ruling) Prerecorded sales messages without opt-out Spam from spoofed caller IDs Calls to DNC numbers without EBR or consent Unsolicited robotexts via ATDS to wireless

Robocall safeguards provided by the platform

#	Control
1	Consent verification engine — Adoptiv's dialer enforces the per-contact consent records stored by the Customer, and will refuse to dial contacts whose consent is absent, expired, or revoked.
2	AI call disclosure — AI Voice Agent calls include disclosure that the call is handled by an AI system on behalf of the Customer.
3	Opt-out automation — STOP/QUIT/CANCEL processing across voice and SMS; propagation within 15 minutes; CRM sync.
4	Abandonment monitoring — predictive dialer configurable to ≤3% abandonment with throttling as thresholds approach.
5	Audit trail — consent status, call type (human/AI/prerecorded), duration, result, and opt-out events logged with timestamps.

05Telecom Regulators (US & International)

Adoptiv's programmable communications APIs integrate with licensed upstream carriers. The Adoptiv Platform is not itself a carrier of record in any jurisdiction except where expressly registered with the relevant regulator. Customers using BYOV (see Section 13) retain their own carrier relationships.

United States — FCC

FCC rule / order	Effective date	Impact	Status
One-to-one consent (CG Docket 21-402)	Jan 27, 2025	Per-contact, per-seller PEWC in ATDS campaigns	Compliant
Consent revocation (47 CFR § 64.1200)	Apr 11, 2025	24-hour DNC sync; any-manner opt-out; one confirmation text	Compliant
AI-generated voice declaratory ruling	Feb 8, 2024	AI Voice Agent calls treated as robocalls; PEWC; disclosure at start	Compliant
STIR/SHAKEN (47 CFR § 64.6301)	Ongoing	Signing on outbound calls; no spoofed CLI	Compliant
A2P 10DLC SMS registration (TCR)	Ongoing	Brand and campaign registration for A2P SMS	Compliant
Truth in Caller ID Act (47 U.S.C. § 227(e))	Ongoing	Accurate caller ID; no spoofing	Compliant
FNPRM: AI consent & caller ID (Oct 2025)	Pending	Monitoring proposed AI-specific consent and disclosure rules	Monitoring

International telecom regulators

Jurisdiction	Regulator / regime
United Kingdom	Ofcom (CLI rules, PECR marketing calls)
European Union	EECC + national regulators (ARCEP, BNetzA, AGCOM, CNMC, etc.)
Canada	CRTC (STIR/SHAKEN, CASL, Voice CLI)
Australia	ACMA (Spam Act 2003, Do Not Call Register Act 2006)
India	TRAI TCCCPR 2018 (DLT) + DoT Unified License conditions — applicable only where an Indian carrier is used
Brazil	ANATEL
Mexico	IFT
Singapore	IMDA + PDPC DNC
UAE	TDRA
Saudi Arabia	CITC
Japan	MIC

FCC enforcement. Forfeiture penalties can reach up to $1,000,000 per action (e.g., 2024 STIR/SHAKEN consent decrees). Adoptiv monitors enforcement and targets control updates within 30 days of material rule changes.

06AES-256 Encryption

Adoptiv uses AES-256 (Advanced Encryption Standard, 256-bit keys) for customer data at rest and TLS 1.3-class protections in transit — the same class of standards used to protect highly sensitive data worldwide.

Hop	Protection
Browser / app	TLS 1.3
API gateway	HTTPS / mTLS
Application	SRTP (voice) where applicable
Database	AES-256 at rest
Backups	AES-256 encrypted

Layer	Protocol / standard	Coverage
Data at rest	AES-256-GCM	Databases, object storage, backups, recordings, CRM data
Data in transit (web)	TLS 1.3 (min TLS 1.2)	Browser, API, webhooks
Voice / VoIP	SRTP + DTLS	VoIP media streams
API communications	HTTPS (pinning where configured)	REST and webhooks
Database connections	TLS in transit	Application to database
File uploads	Server-side AES-256	Imports, attachments, documents
Call recordings	AES-256 at rest + TLS in transit	Storage and playback
Passwords	bcrypt + salt	Never stored in plaintext
Encryption keys	KMS / HSM-managed	Customer-managed keys (CMK) on Enterprise

Topic	Practice
Key management	Keys managed via FIPS 140-2 validated HSMs; rotation every 90 days; CMK option for Enterprise.
Penetration testing	Third-party testing annually and after major infrastructure changes; findings tracked to SLA by severity.

07GDPR — General Data Protection Regulation

The GDPR (EU 2016/679) governs personal data of individuals in the EU, EEA, UK, and Switzerland. Adoptiv Inc acts as a Data Controller for account-holder data and as a Data Processor for customer CRM and telephony data processed on your instructions.

Role	Description
As data controller	For Adoptiv account holders (name, email, billing): Adoptiv Inc determines purpose and means; full GDPR obligations apply.
As data processor	For CRM contacts, call records, and telephony data uploaded by customers: processing only on documented instructions; DPA available.

GDPR compliance matrix

Article	Requirement	Adoptiv implementation
Art. 5	Principles	Lawfulness, fairness, transparency, minimisation, accuracy, storage limits, integrity, accountability.
Art. 6	Lawful basis	Documented lawful basis per data type; recorded in processing register.
Art. 13 / 14	Transparency	Privacy notice at /privacy; disclosures at collection points.
Art. 17	Erasure	RTBF workflow via privacy portal or [email protected] within 30 days.
Art. 20	Portability	JSON/CSV export from account settings including CRM and call logs.
Art. 22	Automated decisions	Human review for significant AI-affected decisions; governance policy; clear UX when AI recommends vs decides.
Art. 25	PbD / default	Minimisation, strict RBAC defaults, DPIAs for sensitive new processing.
Art. 28	Processor terms	DPA at /gdpr (Enterprise auto-execution; available on request for other plans).
Art. 32	Security	AES-256, TLS 1.3, SRTP, RBAC, audit logs (see Section 06).
Art. 33	Authority notification	Supervisory authority notification within 72 hours where required.
Art. 34	Individual notification	Affected individuals notified without undue delay when high risk.
Art. 37	DPO	DPO appointed — [email protected].
Art. 44–49	Transfers	Standard Contractual Clauses (SCCs) are the default transfer mechanism; UK IDTA and Swiss SCCs apply for UK and Swiss transfers; EU-US DPF self-certification is pursued for Adoptiv Inc and supplements (but does not replace) SCCs pending certification.

Your GDPR rights

Right to access — copy of your personal data
Rectification — correct inaccurate data
Erasure — right to be forgotten
Restriction — limit processing
Portability — machine-readable export
Object — object to legitimate-interest processing
No solely automated significant decisions — human review pathways
Withdraw consent — at any time

08AI Compliance & Governance

Adoptiv AI — Voice Agents, Sales Agents, predictive analytics, transcription, sentiment, email parsing, and lead recovery — operates under a governance framework aligned with the EU AI Act, GDPR Article 22, FCC AI voice rulings, US state AI statutes, and current MeitY guidance.

AI feature	Data used	Regulatory framework	Human review
AI Voice Agents	Contact, script, CRM	EU AI Act Art. 50 + TCPA PEWC + FCC AI voice + GDPR Art. 22	Escalation path mandatory
Call transcription	Audio, metadata	State recording laws; GDPR Art. 6; CCPA	Admin review available
Sentiment analysis	Transcript text	GDPR Art. 22; CCPA sensitive rules	Insight only; no autonomous action
Predictive dialer	History, outcomes	TCPA abandonment; DNC	Threshold alerts; admin override
AI sales agents	Deals, contacts	GDPR Art. 22; CCPA; Colorado AI Act	Human approval above thresholds
Email parsing / AI	Email content (with consent)	GDPR Art. 6(1)(b); CAN-SPAM; CASL	Admin review for flagged items
Lead recovery AI	Deals, payments	Legitimate interest; CCPA; TCPA for recontact	Lists require human approval

Four AI governance principles

Principle	Commitment
Transparency	AI interactions labeled; voice disclosure; CRM suggestions marked; Super Admin audit logs. Synthetic voice labelled per EU AI Act Art. 50(4) and MeitY guidance.
No training on your data	Customer CRM and recordings are not used to train Adoptiv or third-party foundation models.
Human control	Significant AI-driven actions require approval or clear override; no solely automated binding decisions.
Privacy-by-design	Minimised inputs; no cross-tenant blending; residency and encryption applied uniformly.

AI statutes monitored

EU AI Act (Regulation (EU) 2024/1689) — limited-risk transparency for AI Voice Agents; synthetic-voice labelling; prohibited practices under Article 5; staged 2025–2027.
Colorado AI Act (SB 24-205) — effective 1 February 2026; deployer impact assessments and consumer disclosures for consequential decisions.
California AB 2905 — AI disclosure on voice calls when asked.
Utah SB 149 — consumer-facing AI disclosure requirements in regulated industries.
NYC Local Law 144 — automated employment decision tools bias audits (not offered for HR use cases on the Adoptiv Platform).
MeitY AI Advisory (India, March 2024) — synthetic-media labelling and originator traceability.

09CPNI — Customer Proprietary Network Information

CPNI is information a carrier obtains about a customer by virtue of providing telecommunications service. Under 47 U.S.C. § 222, Adoptiv protects and restricts use of CPNI.

What constitutes CPNI	What is not CPNI
Volume of calls made/received Call duration and frequency Call destinations Location of calling/called device Service configuration Subscription details	Customer name and billing address Subscriber telephone number Payment information Content of calls or voicemails Account username and password

CPNI usage & your rights. Adoptiv uses CPNI to provide and improve subscribed services. CPNI is not shared with third parties for marketing without explicit consent. Opt out of marketing use of CPNI by emailing [email protected] with subject "CPNI Opt-Out" — processed within 24 hours. CPNI breaches follow regulatory timelines and customer notification where permitted.

10Do-Not-Call (DNC) Registry

The National Do-Not-Call Registry (FTC / TSR) restricts telemarketing calls to registered numbers. Adoptiv provides DNC scrubbing as a platform control that Customers configure into their dialing workflows. The Customer remains the caller of record and retains TCPA responsibility for list hygiene.

DNC controls provided by the platform	Violation exposure (reference)
National DNC scrubbing pre-campaign Company internal DNC lists State DNC lists where applicable Real-time opt-out to DNC 30-day refresh cycle Campaign-level override audit trail	FTC: up to $51,744 per violation (as periodically adjusted for inflation) FCC / TCPA: up to $1,500 per willful violation

11STIR/SHAKEN — Caller ID Authentication

STIR/SHAKEN (47 CFR § 64.6301) cryptographically signs outbound calls so terminating carriers can verify caller ID accuracy and originating authorization.

Topic	Detail
Attestation level A	Full attestation where Adoptiv has verified the calling party and their right to use the number — for DIDs assigned to customers.
FCC requirement	Voice providers must implement STIR/SHAKEN on IP networks; non-compliance risks “Spam Likely” labeling or blocking.
No spoofing	Platform controls prevent configuring outbound CLI to numbers the customer does not own or control.

12Data Residency & International Transfers

Data residency options help meet localization requirements, including GDPR expectations for EU data remaining in the EEA where required, and DPDPA 2023 expectations for Indian Data Principals.

Region	Data center	Transfer mechanism	Plans
United States	US-East, US-West	Primary region	All plans
European Union	EU-West (Frankfurt / Dublin)	EEA processing; SCCs for transfers to third countries	Pro + Enterprise
United Kingdom	UK-South	UK GDPR + IDTA for transfers	Enterprise
Canada	CA-Central	PIPEDA-aligned; Quebec Law 25 considerations	Enterprise
Australia	AP-Southeast	Australian Privacy Principles	Enterprise
India	AP-South (Mumbai)	DPDPA 2023 aligned	Enterprise (on request)

13Security Incident Response

Adoptiv maintains a Security Incident Response Plan (SIRP) aligned to NIST SP 800-61, GDPR/CCPA notification duties, and the Indian CERT-In Directive of 28 April 2022.

Phase	Activities
1. Detection & triage (0–2h)	SIEM alerting 24/7; CVSS-based triage; P1 escalations to security leadership.
2. Containment (2–8h)	Isolation, credential rotation, forensic start, secure ticketing.
3. Customer & authority notification	GDPR Art. 33 (72 hours); Indian CERT-In Directive (6 hours, where applicable); US state breach-notification statutes as triggered.
4. Remediation & recovery	RCA, patching, restore from clean backups when needed.
5. Post-incident report	Enterprise customers may receive a full report within 30 days including timeline, impact, and remediation.

14Compliance Contacts

Compliance communications are handled by dedicated personnel — not automated systems — for privacy requests, regulatory questions, and legal inquiries.

Role	Email	Notes
Data Protection Officer	[email protected]	GDPR, CCPA, DPDPA, privacy rights
General privacy	[email protected]	Policy questions and data requests
Compliance team	[email protected]	TCPA, FCC, regulatory inquiries
Security team	[email protected]	Vulnerability disclosure, SIRP
Legal / law enforcement	[email protected]	Subpoenas, court orders, legal process
CPNI opt-out	[email protected]	Restrict CPNI marketing use
DPA requests	[email protected]	Data Processing Agreements (GDPR / UK / Swiss / DPDPA)

Grievance Officer (India)

Published under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, maintained by Prishal Technolabs Private Limited for Indian Data Principals and users.

Name: Brajesh Sharma
Designation: Grievance Officer
Email: [email protected]
Postal address: 1st Floor, Magadhi, Atal Path, Mahesh Nagar, Patna, Bihar, India 800024
Acknowledgement SLA: 24 hours
Resolution SLA: 15 calendar days
Escalation: [email protected]