Compliance
senderZ enforces TCPA and CTIA rules in the router before every message ships — not in customer code, not in hope, not in post-hoc audit. This page documents what runs today, what is on the roadmap, and what remains the customer's responsibility.
TCPA and CTIA obligations
The Telephone Consumer Protection Act governs US commercial messaging. Violation penalties run $500–$1,500 per message. CTIA adds industry best-practices that US carriers enforce through filtering, throttling, and number suspension. senderZ treats both as non-negotiable and enforces them in the router before any message is dispatched.
The router runs four checks on every outbound message: opt-out lookup, quiet-hours check for marketing traffic, daily send-limit check, and per-minute rate-limit check. Any one of these failing fails the message with a typed reason code. Nothing ships that violates the rules — even if the customer's application asked it to.
Opt-out handling (STOP)
When an inbound message arrives with any of the keywords STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT, the router immediately inserts a row into the opt_outs table keyed by tenant_id and phone_number, marked with opted_out_at. A confirmation reply ("You have been unsubscribed and will receive no further messages.") is sent back through the same phone.
From that moment forward, every outbound message for that tenant to that number is blocked at the router layer — before any delivery call. The message status becomes 'blocked', the error reason is 'opted_out', and customer webhooks fire a message.blocked event so downstream systems can record the opt-out.
Opt-in keywords (START, UNSTOP, YES) clear the opt-out record for that phone. A confirmation ("You have been re-subscribed.") is sent. Nothing else is retried automatically — the customer's application must re-send any messages it wants delivered.
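The keyword handling and outbound gate described above, sketched as an added example (not senderZ's code). The in-memory Map standing in for the opt_outs table, the exact-body keyword match, the `error_reason` field name and the "allowed" status are assumptions.

```javascript
// Added example: a Map stands in for the opt_outs table (assumption, not senderZ's store).
const STOP_WORDS = new Set(["STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"]);
const START_WORDS = new Set(["START", "UNSTOP", "YES"]);

const optOuts = new Map(); // `${tenant_id}:${phone_number}` -> opted_out_at (ISO string)
const optOutKey = (tenantId, phone) => `${tenantId}:${phone}`;

// Assumption: the whole trimmed body must equal a keyword, case-insensitively,
// so a sentence that merely contains "stop" is not treated as an opt-out.
function classifyInbound(body) {
  const word = body.trim().toUpperCase();
  if (STOP_WORDS.has(word)) return "opt_out";
  if (START_WORDS.has(word)) return "opt_in";
  return "none";
}

// Records or clears the opt-out and returns the confirmation text to send back.
function handleInbound(tenantId, phone, body, now = new Date()) {
  const kind = classifyInbound(body);
  if (kind === "opt_out") {
    optOuts.set(optOutKey(tenantId, phone), now.toISOString());
    return { kind, reply: "You have been unsubscribed and will receive no further messages." };
  }
  if (kind === "opt_in") {
    optOuts.delete(optOutKey(tenantId, phone));
    return { kind, reply: "You have been re-subscribed." };
  }
  return { kind, reply: null };
}

// Gate run before any delivery call; the record is scoped to tenant + phone.
function checkOutbound(tenantId, phone) {
  if (optOuts.has(optOutKey(tenantId, phone))) {
    return { status: "blocked", error_reason: "opted_out", event: "message.blocked" };
  }
  return { status: "allowed" }; // hypothetical status for a message that may proceed
}
```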
Quiet hours
Marketing messages (those with template type 'marketing' or API payload message_type: 'marketing') must respect quiet hours. The default window is 8:00 PM to 8:00 AM in the recipient's local time. OTP and alert messages are exempt: a two-factor code arriving at 3 AM is expected behavior, while a marketing offer at 3 AM is a TCPA violation.
The recipient's timezone is inferred from the US area code of the phone number, with Eastern as the default for unknown or non-US codes. Customers can override per-contact using the contact's timezone field. If a marketing message arrives during quiet hours, the router requeues it for 8:00 AM local time via Cloudflare Queues' delayed-delivery feature. The message is not dropped and not rejected — it is held.
Custom quiet-hours windows per tenant are on the roadmap, planned for Q4 2026. Today the window is platform-wide at 20:00–08:00 local.
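The quiet-hours decision and the delay handed to delayed delivery, as an added example (not senderZ's code). The three-entry area-code map is a constructed sample, and the function names and return shape are hypothetical.

```javascript
// Added example. AREA_CODE_TZ is a small constructed sample, not senderZ's table.
const AREA_CODE_TZ = { "212": "America/New_York", "312": "America/Chicago", "415": "America/Los_Angeles" };
const DEFAULT_TZ = "America/New_York"; // Eastern for unknown or non-US codes
const QUIET_START = 20; // 20:00 local
const QUIET_END = 8;    // 08:00 local

// A per-contact timezone wins; otherwise infer from the area code of a +1 number.
function resolveTimezone(phone, contactTimezone) {
  if (contactTimezone) return contactTimezone;
  const m = /^\+1(\d{3})\d{7}$/.exec(phone);
  return (m && AREA_CODE_TZ[m[1]]) || DEFAULT_TZ;
}

// Wall-clock hour, minute and second in an IANA zone at the instant `now`.
function localTime(now, timeZone) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone, hourCycle: "h23", hour: "2-digit", minute: "2-digit", second: "2-digit",
  }).formatToParts(now);
  const get = (type) => Number(parts.find((p) => p.type === type).value);
  return { h: get("hour"), m: get("minute"), s: get("second") };
}

// Returns { action: "send" } or { action: "requeue", delaySeconds } (hypothetical shape).
function quietHoursDecision(messageType, phone, contactTimezone, now = new Date()) {
  if (messageType !== "marketing") return { action: "send" }; // OTP and alerts are exempt
  const { h, m, s } = localTime(now, resolveTimezone(phone, contactTimezone));
  if (h >= QUIET_END && h < QUIET_START) return { action: "send" };
  const elapsed = h * 3600 + m * 60 + s; // seconds since local midnight
  const untilEight = QUIET_END * 3600 - elapsed;
  // Evening side of the window: wait out the rest of today, then until 08:00.
  const delaySeconds = h >= QUIET_START ? untilEight + 86400 : untilEight;
  return { action: "requeue", delaySeconds };
}
```

The delay is computed from wall-clock time, so on a daylight-saving transition night it can be off by an hour; running the same check again when the held message is redelivered covers that case.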
Consent logging
The consent_log D1 table stores every consent a customer records, with columns for tenant_id, phone_number, consent_type ('express_written' | 'express' | 'implied'), consent_source ('web_form' | 'sms_keyword' | 'api' | 'import' | 'in_person'), consented_at timestamp, optional ip_address (when collected at a web signup), and created_at.
Customers can log consent through POST /v1/compliance/consent or through the portal's contact-add UI. Records are exportable as CSV from the portal at any time for regulatory or legal purposes. TCPA audits typically require customers to produce the consent record for any phone number they have messaged — this log is how we help them do that.
senderZ stores the log but does not validate the customer's opt-in process. It is the customer's responsibility to obtain consent before adding a number to their contact list. senderZ's job is to preserve and retrieve the evidence.
Daily send limits and throughput
CTIA P2P guidelines cap per-number messaging to prevent carrier filtering. senderZ enforces 1,000 outbound messages per phone per day and 15 messages per minute per phone, independently of plan limits. When a phone hits its daily ceiling, the router falls back to another phone in the pool automatically.
Per-number limits live in D1 (phones.messages_today counter) and KV (per-minute window). The counter resets at UTC midnight. New-contact warming caps layer on top — see the Limits page for the full behavior.
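Per-phone limits with pool fallback, as an added example (not senderZ's code). Plain objects stand in for the D1 counter and the KV window; the fixed per-UTC-minute window, the fallback on the per-minute limit as well as the daily one, and the reason strings are assumptions.

```javascript
// Added example: in-memory stand-ins for phones.messages_today (D1) and the
// per-minute window (KV). Names and reason strings are hypothetical.
const DAILY_LIMIT = 1000;
const PER_MINUTE_LIMIT = 15;

function makePhone(id) {
  return { id, messagesToday: 0, day: null, minuteBucket: null, minuteCount: 0 };
}

// Roll counters forward: the daily counter resets at UTC midnight,
// the minute counter at each new UTC minute (fixed window, an assumption).
function rollWindows(phone, now) {
  const iso = now.toISOString();
  const day = iso.slice(0, 10);    // e.g. "2025-01-15"
  const minute = iso.slice(0, 16); // e.g. "2025-01-15T08:00"
  if (phone.day !== day) { phone.day = day; phone.messagesToday = 0; }
  if (phone.minuteBucket !== minute) { phone.minuteBucket = minute; phone.minuteCount = 0; }
}

// Walk the pool in order and reserve a slot on the first phone under both limits.
function reserveSend(pool, now = new Date()) {
  let sawRateLimited = false;
  for (const phone of pool) {
    rollWindows(phone, now);
    if (phone.messagesToday >= DAILY_LIMIT) continue; // daily ceiling: fall back
    if (phone.minuteCount >= PER_MINUTE_LIMIT) { sawRateLimited = true; continue; }
    phone.messagesToday += 1;
    phone.minuteCount += 1;
    return { ok: true, phoneId: phone.id };
  }
  // Nothing available: report whether waiting a minute could help.
  return { ok: false, reason: sawRateLimited ? "rate_limited" : "daily_limit" };
}
```

In a real deployment the check and the increment have to be one atomic operation on the shared store, otherwise concurrent sends can both pass the check and exceed the cap.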
10DLC and carrier registration
Since February 2025, US SMS originating on 10-digit long codes for Application-to-Person traffic requires carrier registration under the 10DLC framework. iMessage traffic is unaffected because it routes through Apple, not the carrier network.
senderZ's current SMS path uses dedicated devices as personal lines (Person-to-Person by the carrier's classification), which technically does not require 10DLC registration. At sufficient volume, carriers may reclassify the traffic as A2P and begin filtering — the risk scales with outbound volume per number.
For tenants sending more than 500 SMS per day, we advise registering your brand and use case with your intended carriers. The operator dashboard tracks high-volume unregistered tenants and flags them for follow-up. Managed 10DLC registration by senderZ is on the roadmap as part of the Agency OS package, planned for Q1 2027.
What senderZ does NOT do
- senderZ does not guarantee CAN-SPAM compliance for email. senderZ has no email channel.
- senderZ does not validate the customer's opt-in process. Customers are responsible for obtaining consent before adding numbers to their lists. senderZ stores and retrieves the consent record they provide.
- senderZ does not provide legal advice. Customers with specific TCPA, CCPA, or state-level questions should consult their own counsel.
- senderZ does not register 10DLC on behalf of customers today. See the section above.
- senderZ does not enforce international compliance regimes (OFCOM, ePrivacy, CASL) in code. International messaging customers must confirm their own compliance.
HIPAA posture
senderZ is not HIPAA-compliant out of the box. We do not sign Business Associate Agreements on the shared API Cloud or Workspace products. Message content is stored in D1 with the same retention and access posture as any other tenant — it is not treated as Protected Health Information by default.
Healthcare customers with PHI in message bodies have two paths. Short-term: avoid placing identifiable health information in message bodies (send a link to a HIPAA-compliant portal instead). Long-term: talk to us about Self-Hosted senderZ under a custom agreement where your infrastructure and data residency give you the controls you need.
Frequently asked questions
What happens to a message already queued when the recipient sends STOP?
Inbound STOP lands in the router before the message body is delivered. The router inserts an opt_outs row for that tenant + phone number, then re-checks every queued outbound send against the opt-out list immediately. Messages still in-flight at the delivery adapter can complete delivery — there is no reliable cancellation path once a message is in the device's send queue — but nothing new ships after the STOP is processed.
How long are consent records retained?
Consent log rows are retained indefinitely for the life of the tenant. Records survive tenant deletion for 90 days as a safeguard, after which they are purged. Customers can export the full consent log as CSV from the portal at any time for their own records.
Does senderZ support international SMS and compliance regimes outside the US?
senderZ currently routes through US-based devices with US carriers. International delivery is possible but not supported — iMessage works globally through Apple, SMS to non-US numbers incurs international SMS charges on the carrier side, and non-US regulatory regimes (UK OFCOM, EU ePrivacy, Canadian CASL) are not actively enforced in code. Teams with international compliance needs should contact us before scaling.
Why does CTIA care about a 1:1 inbound-to-outbound ratio?
Carrier spam-filtering algorithms flag numbers that only send and never receive as likely automation. Keeping inbound traffic flowing alongside outbound signals a real two-way conversation. senderZ tracks this ratio per phone and surfaces it in the operator dashboard; customers approaching a 10:1 send-to-receive ratio get warned via email.
How accurate is the area-code timezone inference for quiet hours?
US area codes are mapped to a primary timezone — e.g., 212 → Eastern. This is right for the majority of numbers but wrong for anyone who moved and kept their number. Customers can override per-contact timezone via the API (recipient.timezone field). Unknown or international area codes default to Eastern.
Is senderZ HIPAA-compliant for healthcare messaging?
Not by default. senderZ does not sign Business Associate Agreements on the shared API Cloud product, and message content is stored in D1 with the same retention as any other tenant. Healthcare customers with PHI in message bodies should talk to us about Self-Hosted deployment under a custom agreement.
Does CAN-SPAM apply to SMS messages?
CAN-SPAM is an email law and does not govern SMS. SMS is governed by TCPA and CTIA best practices. senderZ does not enforce CAN-SPAM unsubscribe headers on outbound SMS because they are not applicable.
Need something formal?
We share our DPA, SOC 2 status, security questionnaire responses, and other formal materials under NDA. Email us or request access below.