TCPA Compliance Without the Headache

TCPA Compliance Without the Headache

The Telephone Consumer Protection Act is the reason outbound calling platforms exist in a constant state of anxiety. One violation can cost $500-$1,500 per call. At campaign scale, that math gets terrifying fast.

Most teams handle TCPA by building compliance logic into their application code. Time window checks, DNC lookups, consent tracking — all scattered across services, all easy to accidentally bypass.

Trunx takes a different approach: compliance is infrastructure, not application code.

The Guardrails Layer

Every outbound action in Trunx — every call, every SMS — passes through a guardrails layer before reaching any provider. This layer sits between your API request and the actual phone call. It cannot be bypassed by API callers, skipped by configuration, or disabled by accident.

The guardrails enforce four things:

1. Time Window Enforcement

Outbound calls and SMS are only sent during legal hours in the recipient's timezone. The schedule is configurable per campaign:

• Timezone — Derived from the recipient's area code
• Start/end hours — e.g., 9 AM to 8 PM local time
• Allowed days — Weekdays only, weekends included, custom

If a call is attempted outside the window, it's not rejected — it's queued for the next valid window. Your campaign keeps running, and the prospect gets called at a legal time.

2. DNC / Suppression Lists

Every outbound number is checked against your suppression list before the call is placed. Numbers can be added to the list through:

• API — POST /v1/suppression with the number
• IVR opt-out — A "press 2 to be removed" node in your IVR tree
• Bulk import — Upload a CSV of numbers to suppress
• Inbound keyword — Text "STOP" to an SMS number

Suppression is enforced at the infrastructure level. A number on the list will never receive an outbound call or SMS through Trunx, regardless of which API endpoint or campaign tries to reach it.

3. Rate Limiting

Per-API-key rate limiting prevents accidental volume spikes. If your code has a bug that fires 10,000 calls in a loop, the rate limiter catches it before your SIP trunk and budget take the hit.

Rate limits use atomic Lua scripts in Redis — no race conditions, no gaps. When exceeded, the API returns 429 Too Many Requests with a Retry-After header.

4. Content Scanning

Outbound SMS content is scanned for:

• Credential leaks (API keys, passwords)
• PII patterns (SSNs, credit card numbers)
• Known spam patterns
• Phishing URLs

Flagged messages are held for review rather than sent. This protects both your recipients and your sender reputation.

Why Infrastructure-Level Matters

When compliance is application code, it has failure modes:

• A new developer bypasses the check because they don't know it exists
• A refactor moves the DNC check after the call is placed
• A race condition lets a call through during a suppression list update
• A timezone bug sends calls at 6 AM local time

When compliance is infrastructure, these failure modes disappear. The guardrails layer doesn't care about your application logic. Every request passes through it, every time, with no exceptions.

Campaign-Level Configuration

While the guardrails enforce minimums automatically, campaigns can be configured with stricter rules:

Schedule: Mon-Fri, 10 AM - 6 PM ET
Max calls per second: 5
Max retries: 2
Retry delay: 4 hours

The campaign engine respects both the guardrails (hard limits) and the campaign config (soft limits). The result is always the more conservative of the two.

Getting Started

TCPA compliance is enforced automatically on every Trunx account. There's nothing to enable or configure for the base protections.

For campaign-specific scheduling and advanced suppression management, see the Campaigns guide and Compliance API reference.