Compliance
Built around the rules, not patched after them.
Abandon-rate pacing, calling windows, and DNC are enforced where the calls are actually placed — in the dialer loop and the hopper query, not in a settings page that hopes you read it. This page documents the mechanism behind each claim so counsel can verify it.
Abandonment — FTC 16 CFR 310.4
A drop is the last resort, and it is always recorded.
The dialer paces predictive originations toward a configurable drop target — default 3.0%, the FTC safe-harbor ceiling. When an answered call finds no agent free, it does not drop on the spot. It HOLDS for the campaign’s drop window (configurable in seconds) and connects the moment any agent frees up inside that window. Only on expiry — no agent within the window — is the call abandoned.
Every abandonment is written as a DROP disposition on its own CDR row, with the hangup cause attached. The abandon rate is therefore computable from the operator’s own call records, not reported back by a vendor: count the DROP rows, divide by answered calls, over whatever interval an auditor asks for.
| Drop target | Configurable per campaign. Default 3.0%. The adaptive ratio paces originations to stay under it. |
| Drop hold-window | An answered call with no free agent holds for the configured seconds and connects if an agent frees up inside it. |
| Abandon event | Only on window expiry. Written as a DROP disposition with hangup cause on its own CDR row. |
| Rate, audited | Computed from the operator's CDR rows — DROP count over answered calls — not a vendor-reported figure. |
Calling hours — TCPA
The window is the lead's, evaluated in the lead's timezone.
Calling windows are evaluated per lead, in that lead’s local timezone — derived from the phone number at import, not assumed from the campaign or the server clock. The default window ships as 9am–9pm local and is configurable.
Enforcement is structural rather than advisory: the hopper simply never loads a lead that is outside its window. There is no separate check an agent can skip and no time-of-day banner to ignore. If the clock says it is 8:47pm where the lead lives, that lead is not in the set of records the dialer can pull, full stop.
Do-Not-Call
DNC is checked at every place a call can start.
Suppression has two layers: a per-lead DNC flag and a tenant-wide DNC list. Both are enforced at every entry point a call can originate from — the predictive hopper query, manual dial, and transfer-add. A number on either list cannot be reached through any of those paths; there is no route around the check.
Honest note on the national list: CalvyxDial does not resell a national DNC subscription. National registry data is the operator’s own subscription, loaded into the tenant DNC list through the same list mechanics — once loaded, it is enforced identically to any internal suppression entry.
| Predictive hopper | DNC filtered in the query that builds the dial set. Suppressed leads never enter the hopper. |
| Manual dial | The same DNC gate runs before a manually entered number is allowed to originate. |
| Transfer-add | Adding a party to a call re-checks DNC before the leg is created. |
| National registry | Operator's own subscription, loaded into the tenant DNC list and then enforced like any other entry. |
The record
The audio and the CDR are one row, on your infrastructure.
Each call produces a full-call bridge recording linked to its CDR. The record carries the agent, the timestamps, the disposition, and the duration; the CDR retains hangup cause, talk and wait seconds, and the transfer target when there is one. The recording and the metadata are not two systems to reconcile — they are the same row.
Recordings are retained on the operator’s own infrastructure: your storage, your retention policy. They do not live in a vendor cloud you cannot audit or export on your own terms.
Identity & access
Isolation is enforced in the database, not by query discipline.
Logins are per-user with bcrypt-hashed credentials and rate-limited at the login endpoint. Administrative surfaces are role-gated: an agent token cannot reach the recordings, reporting, or admin APIs — the authorization check rejects it before any data is read.
Tenant isolation is enforced by PostgreSQL row-level security, in the database itself. A query scoped to the wrong tenant returns zero rows because the engine refuses them, not because the application remembered to add a WHERE clause.
| Credentials | Per-user logins, bcrypt-hashed. Login endpoint is rate-limited. |
| Role gating | Agent tokens cannot reach recordings, reports, or admin APIs — rejected at authorization. |
| Tenant isolation | PostgreSQL row-level security enforced in the database. Wrong-tenant queries return zero rows. |
What we don't do
The honest boundary.
So counsel can plan around it rather than discover it later:
- 01No consent management. Bring your own consent records — we do not store or evaluate them.
- 02No national DNC subscription resale. You load your own registry data into the tenant DNC list.
- 03AMD voicemail-message drop is on the roadmap, not shipped.
Walk your counsel through it live.
We’ll show each mechanism in the running software — the hopper query, a DROP row, the RLS policy refusing the wrong tenant.