Compliance
An overview of orderer.io's compliance certifications, regulatory posture, and how we help our customers stay compliant.
Last updated: March 2, 2026
orderer.io is built for regulated industries. We provide the infrastructure, tooling, and documentation you need to operate confidently — and we accept responsibility for our share of the compliance stack. This page covers what we do and what you're responsible for.
Compliance Overview
| Framework / Regulation | Status | Notes |
|---|---|---|
| SOC 2 Type II | Controls Implemented | SOC 2 security controls are implemented and operational. Formal third-party certification audit not yet completed. |
| TCPA (Telephone Consumer Protection Act) | Compliant | Platform enforces opt-in/opt-out mechanics, DNC scrubbing, quiet hours. Operators responsible for own consent programs. |
| CCPA / CPRA (California) | Compliant | Data subject rights honored. No data sale. Privacy Policy revised March 2026. |
| GDPR (EU/UK) | Substantially Compliant | SCCs in place for data transfers. DPA available on request for EU Operators. |
| HIPAA | BAA Available | Healthcare Operators must execute a BAA before processing PHI. Contact legal@orderer.io. |
| 10DLC / TCR Registration | Compliant | All SMS campaigns registered with The Campaign Registry via Telnyx. |
| PCI DSS | Delegated to Stripe | We do not store card data. All payment processing via Stripe (PCI Level 1 certified). |
| FCC Regulations | Compliant | Voice services operated under Telnyx's FCC-regulated infrastructure. |
| State Call Recording Laws | Configurable | Configurable in-call disclosure language for all-party consent states. Operators must configure appropriately. |
TCPA Compliance
The Telephone Consumer Protection Act (TCPA) regulates telemarketing, auto-dialed calls, pre-recorded messages, and SMS messages sent to consumers. Non-compliance can result in statutory damages of $500–$1,500 per violation.
What We Do
- Provide configurable consent capture and logging for verbal and written opt-in
- Automatically log voice consent with timestamp and call reference
- Send mandatory STOP/HELP responses for all SMS programs
- Enforce quiet hours (no SMS between 9 PM and 8 AM in the recipient's local time)
- Support National DNC list scrubbing integration
- Maintain TCR campaign registration for all 10DLC SMS traffic
- Process opt-out requests immediately and honor them platform-wide
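The opt-out and quiet-hours rules in the list above, as an added example that is not orderer.io's own code: a send gate that classifies inbound STOP/HELP replies, records opt-outs in one platform-wide registry, and defers any send that would land between 9 PM and 8 AM at the recipient's local time. The keyword lists beyond STOP and HELP, the function names, the `OptOutRegistry` class and the sample numbers and times are assumptions made for the example.

```python
"""TCPA send gate: opt-out enforcement and quiet-hour deferral (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional, Set

# Quiet window from the page: no SMS between 9 PM and 8 AM in the recipient's local time.
QUIET_START_HOUR = 21
QUIET_END_HOUR = 8

# Assumption: the page names only STOP and HELP; these are the wider handset keywords
# carriers conventionally honour, so an opt-out spelled "UNSUBSCRIBE" is not missed.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
HELP_KEYWORDS = {"HELP", "INFO"}


def classify_inbound(body: str) -> Optional[str]:
    """Return "stop", "help", or None. Only a message that *is* the keyword counts;
    "please stop calling me" is a reply for a human, not an automated opt-out."""
    token = body.strip().upper().rstrip(".!?")
    if token in STOP_KEYWORDS:
        return "stop"
    if token in HELP_KEYWORDS:
        return "help"
    return None


def in_quiet_hours(when: datetime, recipient_tz: tzinfo) -> bool:
    """True if `when` falls in 21:00-07:59 recipient local time. The window crosses
    midnight, so it cannot be written as a single start <= hour < end comparison."""
    if when.tzinfo is None:
        raise ValueError("send time must be timezone-aware")
    hour = when.astimezone(recipient_tz).hour
    return hour >= QUIET_START_HOUR or hour < QUIET_END_HOUR


def next_send_time(when: datetime, recipient_tz: tzinfo) -> datetime:
    """Earliest instant at or after `when` that is outside quiet hours, in UTC."""
    if not in_quiet_hours(when, recipient_tz):
        return when.astimezone(timezone.utc)
    local = when.astimezone(recipient_tz)
    # 8 AM is computed as a wall-clock time in the recipient's zone, so a DST change
    # between now and then does not shift the target.
    target = local.replace(hour=QUIET_END_HOUR, minute=0, second=0, microsecond=0)
    if local.hour >= QUIET_START_HOUR:  # evening: the next 8 AM is tomorrow
        target += timedelta(days=1)
    return target.astimezone(timezone.utc)


@dataclass
class SendDecision:
    allowed: bool
    reason: str
    deliver_at: Optional[datetime] = None  # set when the send is deferred


class OptOutRegistry:
    """Single opt-out store; the page says opt-outs are honoured across all programs,
    so there is one set per recipient number, not one per campaign."""

    def __init__(self) -> None:
        self._opted_out: Set[str] = set()

    def record_inbound(self, from_number: str, body: str) -> Optional[str]:
        kind = classify_inbound(body)
        if kind == "stop":
            self._opted_out.add(from_number)
        return kind

    def is_opted_out(self, number: str) -> bool:
        return number in self._opted_out


def gate_outbound(registry: OptOutRegistry, to_number: str, recipient_tz: tzinfo,
                  now: datetime) -> SendDecision:
    """Decide whether an SMS may go out now. Opt-out is checked first: a STOP must
    block the send outright, never merely defer it to the next morning."""
    if registry.is_opted_out(to_number):
        return SendDecision(False, "recipient opted out")
    if in_quiet_hours(now, recipient_tz):
        return SendDecision(False, "quiet hours", deliver_at=next_send_time(now, recipient_tz))
    return SendDecision(True, "ok")


if __name__ == "__main__":
    from zoneinfo import ZoneInfo
    reg = OptOutRegistry()
    la = ZoneInfo("America/Los_Angeles")
    # Constructed sample: 04:30 UTC on 2026-03-02 is 20:30 the previous evening in LA
    t = datetime(2026, 3, 2, 4, 30, tzinfo=timezone.utc)
    print(gate_outbound(reg, "+15551234567", la, t))
    reg.record_inbound("+15551234567", "Stop")
    print(gate_outbound(reg, "+15551234567", la, t))
```

The boundary cases worth testing are 20:59 versus 21:00 and 07:59 versus 08:00 local, and a send attempted just after midnight, whose deferral target is 8 AM the same day rather than the next.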
What Operators Must Do
- Obtain proper prior express consent before sending messages
- Maintain consent records for at least 4 years
- Use the disclosure script provided when capturing verbal consent
- Not send marketing messages to numbers on the DNC registry
- Configure call recording disclosure language for their jurisdiction
Call Recording & Wiretapping Laws
Call recording laws vary significantly by state. In "two-party consent" (or "all-party consent") states, all parties to a call must be notified of and consent to recording.
Two-Party Consent States (as of 2026)
- California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Washington
What orderer.io Provides
- Configurable in-call recording disclosure language (e.g., "This call may be recorded for quality and training purposes")
- Option to play the disclosure before the call is connected to the AI agent
- A library of compliant disclosure templates for major states
- Ability to enable/disable recording on a per-number basis
Operators are responsible for selecting and enabling the appropriate disclosure for their jurisdiction. We strongly recommend consulting legal counsel for specific guidance.
SMS / 10DLC Compliance
The mobile carrier ecosystem requires all A2P (Application-to-Person) SMS traffic sent over 10-digit long code (10DLC) numbers to be registered with The Campaign Registry (TCR). This affects virtually all business SMS programs in the United States.
How Registration Works with orderer.io
- During onboarding, you provide business information (legal name, business address, website)
- orderer.io submits your brand registration to TCR via Telnyx
- You describe your messaging use case (appointment reminders, order confirmations, etc.) — this is your "campaign"
- TCR reviews and approves your campaign (typically 1–5 business days)
- Your 10DLC number is linked to your approved campaign
- Messages can then flow with carrier-level trust
Unregistered 10DLC traffic is heavily filtered by carriers (AT&T, T-Mobile, Verizon). Registration is required before sending any business SMS. orderer.io will not send SMS for your account until registration is approved.
HIPAA & Healthcare
If you operate a healthcare practice (medical, dental, mental health, chiropractic, etc.) and use orderer.io to handle patient calls, Protected Health Information (PHI) may be transmitted or stored through our platform. In that case:
- You are a HIPAA Covered Entity
- orderer.io becomes your Business Associate
- A Business Associate Agreement (BAA) is legally required before you use the Service
To request a BAA, email legal@orderer.io. We will execute a BAA and enable HIPAA-ready configuration for your account, which includes:
- Encryption at rest and in transit for all PHI
- Access controls and audit logging
- Breach notification procedures
- Data use limitations to the minimum necessary
Data Security
Infrastructure Security
- All data encrypted in transit (TLS 1.2+)
- All data encrypted at rest (AES-256)
- Database hosted on Supabase (PostgreSQL) with row-level security policies
- API hosted on Railway with private networking
- No direct database access from the internet; all access goes through authenticated APIs
Application Security
- JWT authentication with short-lived access tokens and refresh token rotation
- Role-based access control (RBAC) — staff, manager, owner, admin roles
- Multi-factor authentication (MFA) available for all accounts
- Webhook signature validation for all inbound Telnyx events
- Rate limiting on all API endpoints
- Input validation and SQL injection prevention
- OWASP Top 10 addressed in development practices
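The webhook signature check in the list above, as an added example that is not orderer.io's code: Telnyx signs each webhook over the timestamp and the raw request body and sends the signature and timestamp in headers, and the receiver must verify the signature over the bytes exactly as received, bind the timestamp into what is verified, and reject events outside a freshness window so a captured webhook cannot be replayed. To run with the standard library, this example uses an HMAC-SHA256 shared secret in place of Telnyx's Ed25519 public-key verification; the header names, the five-minute tolerance, the secret and the sample event body are assumptions. Swapping in Ed25519 changes only how `expected` is computed and compared.

```python
"""Timestamp-bound webhook verification with a replay window (added example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

TOLERANCE_SECONDS = 300  # assumed freshness window: reject events older than 5 minutes

# Assumed header names, mirroring the timestamp + signature pair a signed webhook carries.
SIG_HEADER = "x-webhook-signature"
TS_HEADER = "x-webhook-timestamp"


def _signed_payload(timestamp: str, raw_body: bytes) -> bytes:
    # The timestamp is part of what is signed, so a forger cannot move it
    # into the freshness window without breaking the signature.
    return timestamp.encode("ascii") + b"|" + raw_body


def sign_webhook(secret: bytes, raw_body: bytes, timestamp: int) -> Dict[str, str]:
    """Sender side (what the webhook producer does); used here to build sample traffic."""
    mac = hmac.new(secret, _signed_payload(str(timestamp), raw_body), hashlib.sha256).hexdigest()
    return {TS_HEADER: str(timestamp), SIG_HEADER: mac}


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def verify_webhook(secret: bytes, raw_body: bytes, headers: Mapping[str, str],
                   now: Optional[float] = None) -> VerifyResult:
    """Receiver side. `raw_body` must be the bytes as read from the socket: parsing the
    JSON and re-serialising it would change whitespace and key order and break the MAC."""
    now = time.time() if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    ts = lowered.get(TS_HEADER)
    sig = lowered.get(SIG_HEADER)
    if ts is None or sig is None:
        return VerifyResult(False, "missing signature headers")
    try:
        ts_int = int(ts)
    except ValueError:
        return VerifyResult(False, "malformed timestamp")
    expected = hmac.new(secret, _signed_payload(ts, raw_body), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a byte-by-byte early exit
    # cannot leak how much of a guessed signature was correct.
    if not hmac.compare_digest(expected, sig):
        return VerifyResult(False, "bad signature")
    if abs(now - ts_int) > TOLERANCE_SECONDS:
        return VerifyResult(False, "timestamp outside tolerance window")
    return VerifyResult(True, "ok")


if __name__ == "__main__":
    import json
    secret = b"constructed-shared-secret"
    # Constructed sample event, shaped like an inbound-message webhook
    body = b'{"data":{"event_type":"message.received","payload":{"text":"STOP"}}}'
    hdrs = sign_webhook(secret, body, int(time.time()))
    print(verify_webhook(secret, body, hdrs))
    # Re-serialised JSON is not the same bytes, and fails as it should
    reserialised = json.dumps(json.loads(body), indent=2).encode()
    print(verify_webhook(secret, reserialised, hdrs))
```

A failed verification should be answered with a 4xx and the raw body discarded before any handler sees it; logging the offending signature is fine, logging the body is not, since an unverified body is attacker-controlled input.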
Operational Security
- Least-privilege access for all employees
- Background checks for employees with data access
- Security training for all engineering staff
- Incident response plan documented and tested
- Error tracking via Sentry with PII scrubbing
PCI DSS (Payments)
orderer.io does not store, process, or transmit payment card data directly. All payment processing is handled by Stripe, which is a PCI DSS Level 1 Service Provider — the highest level of PCI compliance. Our payment integration uses Stripe's hosted payment elements, meaning card data never touches our servers.
GDPR & International Privacy
While orderer.io is a US company, we recognize that Operators and callers may be subject to GDPR or other international privacy regulations. For EU/UK Operators:
- Data Processing Agreement (DPA) available on request
- Standard Contractual Clauses (SCCs) included in DPA for data transfers to the US
- Data subject rights requests honored within 30 days
- Data retention periods configurable per your requirements
Contact legal@orderer.io to request a DPA.
Vulnerability Disclosure
We operate a responsible disclosure policy. If you discover a security vulnerability in our platform, please report it confidentially to security@orderer.io before any public disclosure. We will:
- Acknowledge your report within 2 business days
- Keep you informed of our remediation progress
- Credit your contribution publicly (if desired) after the issue is resolved
We ask that you do not access, modify, or delete data that is not yours.
Certifications & Audits
We are pursuing formal security certifications. Current status:
- SOC 2 Type II controls: implemented and operational; formal certification audit not yet completed
- Penetration testing: conducted periodically by a third-party firm
- Bug bounty program: planned for a future date
Customers requiring a current security report may request our available documentation at legal@orderer.io.
Contact
For compliance questions, BAA requests, DPA requests, or security concerns:
- Legal & Compliance: legal@orderer.io
- Security: security@orderer.io
- SMS Issues: sms@orderer.io