ZazaVoice/Docs
PricingDashboard

Compliance

We bake compliance defaults into the product. Here's what they do and what you still need to handle on your side.

Recording disclosure

Voice agents can optionally play a disclosure before the greeting:

"This call may be recorded for quality assurance."

It's off by default. You opt in per agent on the agent's Configure page.

US states where you should turn it on (two-party-consent jurisdictions): CA, FL, IL, MD, MA, MT, NV, NH, PA, WA. Other US states are one-party consent (one party — you — is enough). Outside the US, check local law.

If you turn it on, whatever text you type is read aloud verbatim at the start of every call before the greeting. Leave the text empty → no disclosure plays.

TCPA calling hours

For US recipients, the TCPA restricts marketing calls to 8 AM - 9 PM in the recipient's local time (based on the area code of their number).

Each campaign has a start time and end time field. Calls dispatched outside that window are automatically rescheduled to the next valid hour in the lead's timezone. Defaults are 9 AM - 8 PM as a safe margin.

You're responsible for:

  • Setting accurate hours for your use case.
  • Knowing whether your jurisdiction extends TCPA-style rules to SMS.

SMS opt-out (STOP / START)

The system honors standard SMS opt-out keywords automatically:

  • Inbound STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT → recipient added to opt-out list; auto-reply confirms.
  • Inbound START, UNSTOP, YES → removed from opt-out list; auto-reply confirms.

Once a contact is opted out, no future SMS from any of your numbers will be sent to them, until they opt back in. This is enforced at the send path — you don't need to filter your contact lists.

By default broadcasts append \n\nReply STOP to opt out. to the body. You can turn this off per-broadcast if your message already contains the disclosure, but TCPA requires a functional opt-out on every marketing SMS in the US.

Review opt-outs at Dashboard → Compliance → SMS Opt-outs.

10DLC / A2P SMS registration

US carriers throttle unregistered application-to-person (A2P) SMS traffic heavily — sometimes blocking it entirely. To send US SMS reliably you need:

  • Brand registration — your business identity, with The Campaign Registry (TCR).
  • Campaign registration — the use case (marketing, 2FA, customer care, etc.) you'll send under.

Both are configured at the carrier side (Twilio Trust Hub / TCR portal). The dashboard at Dashboard → Compliance → SMS Compliance shows your current registration status as one of:

StatusMeaning
NOT_REGISTEREDNo brand on file. SMS works but is heavily throttled.
PENDINGSubmitted to TCR; awaiting review (typically 1-3 business days).
APPROVEDRegistered. Full SMS throughput.
FAILEDTCR rejected. Email compliance@zazavoice.com — we'll help triage.

Status is derived from the underlying brand + campaign statuses. We don't auto-register — once you've completed registration in Twilio, email the brand SID + campaign SID + messaging service SID to compliance@zazavoice.com and we'll wire them up.

The system does not gate SMS sending on registration status; Twilio enforces throttling at the carrier layer. The dashboard is informational.

Data processing agreement (DPA)

The DPA template is at https://zazavoice.com/dpa and lists every sub-processor we share data with (carrier, AI, payment, infra). If your organization needs a counter-signed DPA, send a request to compliance@zazavoice.com.

Privacy and data retention

Default retention:

  • Call recordings — 90 days, then auto-deleted.
  • Transcripts — kept for the lifetime of the account.
  • Contact data — kept until you delete it or close your account.
  • Encrypted secrets (e.g. Twilio auth tokens) — AES-256-GCM at rest.

To request a data export or deletion: email compliance@zazavoice.com. GDPR / CCPA subject-access requests are honored within 30 days.

Reviewing calls

Every call is recorded and transcribed. After a call ends, open Dashboard → Calls, pick the call, and you get the full transcript, sentiment, disposition, duration, and cost. Use this to audit how the AI handled conversations and to spot-check compliance.

Vendor names

We deliberately don't expose vendor names (carrier, AI provider, TTS) in customer-facing UI or marketing. If something breaks and you need to understand what's happening at the carrier layer, the user-facing message will say "Telephony provider" or "Payment system" rather than "Twilio" or "Stripe". Vendor names appear in admin tools and developer documentation only.