TCPA Compliance & Suppression Controls
Visquanta LLC is a platform provider for business-operated SMS workflows; businesses are the caller of record and own consent, policy configuration, and campaign operation.
Last updated: December 17, 2025
How responsibility is split
The business decides when and why a consumer is contacted. Visquanta LLC provides controls that help the business configure, operate, and review those workflows.
Business is responsible for
- Capture and document consent before outreach.
- Maintain opt-in records and consent sources.
- Configure suppression rules for each program.
- Set calling-time policy and contact cadence.
- Configure required SMS disclosure language where applicable.
Visquanta LLC provides
- Pre-send DNC and suppression checks on every outbound SMS and voice attempt, blocked before carrier handoff.
- Real-time inbound opt-out detection across 9 keywords: stop, unsubscribe, cancel, quit, end, opt out, opt-out, remove, delete.
- Cross-channel opt-out propagation: SMS opt-outs suppress voice and voice opt-outs suppress SMS.
- Carrier-aware phone intelligence: landline detection, non-SMS carrier blocking, ported number flagging, and VoIP awareness before spending a message.
- Three-tier suppression engine: global, location-scoped, and transient suppression with auto-expiry on temporary failures.
- Automatic intent classification on every outbound SMS for quiet-hours auditability.
- PII redaction at ingress and egress for SSNs, credit cards, bank accounts, routing numbers, driver licenses, and dates of birth.
- Immutable audit logs for opt-outs, DNC blocks, suppressions, PII redactions, consent captures, and signing events.
- Consent capture infrastructure storing server-side timestamp, IP, user agent, exact disclosure text, and policy URLs per submission.
- Cryptographic webhook signature verification with replay protection on inbound carrier traffic.
- TLS in transit and AES-256 at rest, with signatures encrypted using AES-256-GCM in server-side functions.
- Role-based access control scoped per location, with agency and sub-account boundaries.
Three tiers of suppression
Businesses configure suppression policies for each program. The platform applies those configured controls across supported contact workflows.
Tier 1
Pre-contact suppression
- Per-business DNC store checked on every send via a single RPC.
- Carrier-tier suppression: global 90-day for unreachable or invalid numbers, location-scoped 90-day for configuration failures, and transient 7-day for temporary carrier issues.
- Phone intelligence pre-send validation catches landlines with 180-day suppression, non-SMS carriers with permanent suppression, and invalid formats with 90-day suppression.
- Quiet-hours enforcement defaults to 8am-9pm consumer local time and is IANA timezone-aware per location.
Tier 2
At-contact opt-out
- Inbound SMS is scanned for 9 opt-out keywords before any CRM push.
- On match, the platform writes immediately to the suppression store, tags the message as opt_out_received, and protects the contact from in-flight cadence activity.
- Email opt-outs are distinguished from bounces: self_unsubscribed, hard_bounce, and soft_bounce each carry their own suppression policy, with indefinite retention for explicit opt-outs.
Tier 3
Cross-channel propagation and audit
- SMS opt-out suppresses voice; voice opt-out suppresses SMS.
- Every suppression and opt-out event is written to structured audit logs with actor, action, location, timestamp, and reason code.
- Audit logs are append-only: no record edits, only appends.
Related compliance workflows
TCPA compliance usually sits beside SMS consent, suppression, disclosure, and audit controls. Visquanta LLC keeps these workflows visible for business operators without replacing legal review.
SMS and A2P readiness
Visquanta LLC provides configuration fields and workflow controls that support business-managed SMS programs, including campaign setup inputs, message templates, opt-out handling, and contact-record visibility. Businesses remain responsible for program approvals, message content, and applicable messaging rules.
Consent source visibility
Businesses configure consent sources such as web forms, in-store capture, prior-business-relationship records, or imported CRM fields. The platform surfaces the available consent timestamp and source on each supported contact record.
SMS disclosure controls
SMS workflows may require sender identification, opt-out language, and other disclosures depending on the program. Businesses configure message disclosure language and should consult counsel for state-specific requirements.
Operational review trail
Visquanta LLC provides workflow-level visibility into suppression events, contact attempts, opt-out propagation, and transcript availability so business teams can review how controls were configured and applied.
Consent records stay visible
Every consent record captured by the platform stores the exact disclosure text shown to the consumer, the channels consented to, the Privacy Policy and Terms URLs linked at time of capture, client-side timestamp, authoritative server-side timestamp, IP address from x-forwarded-for, and user agent.
Consent records are stored as immutable JSONB and remain queryable for compliance review. Privacy Policy and Terms URLs are stored once at the business level and propagated to every consent point.
Trade-In Tool Consent Capture
"By submitting, I agree to be contacted by [dealership] about this trade-in via phone calls, SMS/text, and email, including via automated means. Message & data rates may apply. Consent is not a condition of purchase. Reply STOP to opt out of texts."
This language is TCPA and CAN-SPAM aligned: express written consent for automated calls and texts, the "not a condition of purchase" carve-out, and STOP acknowledgement.
PII redaction at the SMS boundary
All inbound and outbound SMS pass through a single redaction chokepoint before storage or downstream forwarding.
| Data Type | Detection | Replacement |
|---|---|---|
| US Social Security Numbers | 9-digit pattern | [REDACTED_SSN] |
| Credit/debit cards | 13-19 digits, Luhn-validated | [REDACTED_CARD] |
| Bank account numbers | Digits adjacent to banking keywords | [REDACTED_BANK_ACCOUNT] |
| Routing numbers | 9-digit ABA pattern with context | [REDACTED_ROUTING] |
| Driver licenses | Alphanumeric values near DL keywords | [REDACTED_DL] |
| Dates of birth | Dates near DOB keywords | [REDACTED_DOB] |
Conversation context preserved
URLs, vehicle VINs, prices, names, and addresses are preserved so legitimate dealership conversations are not impacted.
Raw values never logged
When redaction fires, the audit log captures type and count only. Raw values are never written to logs, never stored, and never forwarded to third parties.
Production validated
Validated with 81 unit tests and a 247,000-message dry-run before production rollout.
Recording disclosure controls
Per-number controls for recording on/off, transcription on/off, and consent mode.
Verbal consent mode: disclosure spoken at the start of the call.
Auto-beep mode: audible tone with IVR-delivered disclosure for jurisdictions requiring two-party consent.
Recording URL, recording duration, and transcription confidence captured per call.
Status badge surfaces current configuration to the operator, such as Recording active, Verbal consent, Transcription on.
State-specific disclosure language remains the business's responsibility in consultation with counsel; the platform provides controls and audit trail.
Dedicated append-only audit stores
Messaging audit log
Every opt-out, DNC block, auto-suppression, and PII redaction event with structured detail.
MPI consent records
JSONB consent record per trade-in submission, including IP, user agent, and exact disclosure text.
VQSign signer records
OTP events, ESIGN disclosure acceptance, signature IP, geolocation, user agent, SHA-256 document integrity hash, and revision history.
Message archive
Nightly archive of messages older than 90 days, with intent and delivery metadata preserved.
Email send registry
Per-send status, bounce type, suppression policy, and reason.
All change-management activity is tracked through a dated, append-only changelog discipline with 250+ documented production changes, giving auditors a reconstruction path for any feature or control.
VQSign identity verification
Documents requiring electronic signature go through VQSign, built to ESIGN Act and UETA standards.
Email OTP verification: 6-digit code, 10-minute expiry, and 5-attempt rate limit.
ESIGN Act disclosure: signer must explicitly accept before any signature is captured.
Cryptographically secure access tokens: 64-character hex generated via crypto.getRandomValues with 30-day expiry.
Document integrity: SHA-256 hash verified on document load and again before signing; signing is blocked on mismatch.
Signature encryption: AES-256-GCM in a server-side Edge Function, with the key never exposed to the client.
Per-signer audit trail: IP address, geolocation, user agent, and timestamps for sent, viewed, signed, and declined events.
Carrier compliance controls
- All sending numbers registered under A2P 10DLC with brand and campaign vetting.
- Carrier-aware routing: line type and carrier name retrieved on every new number, cached for 90 days, and used to route or suppress.
- Auto-suppression on permanent failure: permanent carrier errors automatically suppress the number with the appropriate TTL.
- Webhook signature verification: every carrier callback is cryptographically verified with a timestamp window for replay protection.
Platform security posture
- Encryption in transit: TLS on all customer, Visquanta, and partner traffic.
- Encryption at rest: platform-managed database encryption, with AES-256-GCM for signatures.
- Credential management: environment-scoped credentials, never committed to source, with service-role keys kept server-side only.
- Access control: role-based and location-scoped, with a documented Access Control Policy.
- Documented policies available on request: SMS PII Handling Policy, Security Controls Inventory, Access Control Policy, and Incident Response Plan.
Visquanta does not currently represent itself as SOC 2 certified. Enterprise customers and auditors can request supporting control documentation through the compliance contact below.
Opt-out & escalation contact
If a consumer believes an opt-out request was not honored by a business-operated workflow, the consumer can escalate the request by email or through the contact form. Visquanta LLC can route the request for review against the relevant business configuration and suppression record.
Last updated December 17, 2025.