Compliance

TCPA, DNC, 10DLC, STIR/SHAKEN, CNAM, caller registry, and answering machine detection -- how Trunx enforces compliance and maximizes answer rates.

TCPA (Telephone Consumer Protection Act)

Trunx enforces TCPA at the infrastructure level. Calls and SMS are only sent during legal hours in the recipient's timezone. This guardrail runs in middleware and cannot be bypassed by API callers.

Every campaign has a configurable schedule:

{
  "timezone": "America/Los_Angeles",
  "start_hour": "09:00",
  "end_hour": "19:00",
  "days": [1, 2, 3, 4, 5]
}

  • timezone -- IANA timezone of the recipients (e.g., America/New_York)
  • start_hour / end_hour -- allowed calling window in 24-hour format
  • days -- allowed days of the week (1 = Monday, 7 = Sunday)

Calls attempted outside the allowed window are queued and dispatched during the next valid window. One-off API calls (outside of campaigns) are checked against the recipient's timezone and rejected with a 400 if outside legal hours.
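An added example, not Trunx's own middleware: one way to evaluate a schedule in the format above against an instant, in the recipient's IANA timezone, and to find the next valid dispatch time. The function names are hypothetical, and treating end_hour as exclusive is an assumption.

```python
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Schedule in the format shown above (values copied from the page's sample).
SCHEDULE = {"timezone": "America/Los_Angeles", "start_hour": "09:00",
            "end_hour": "19:00", "days": [1, 2, 3, 4, 5]}

def _hhmm(value):
    hour, minute = value.split(":")
    return time(int(hour), int(minute))

def in_window(schedule, when):
    """True if the aware datetime `when` is inside the recipient-local window."""
    if when.tzinfo is None:
        raise ValueError("naive datetime: pass an instant with a timezone")
    local = when.astimezone(ZoneInfo(schedule["timezone"]))
    start, end = _hhmm(schedule["start_hour"]), _hhmm(schedule["end_hour"])
    # isoweekday() is 1 = Monday .. 7 = Sunday, the same numbering as "days".
    # Assumption: end_hour is exclusive (19:00:00 itself is outside the window).
    return local.isoweekday() in schedule["days"] and start <= local.time() < end

def next_dispatch(schedule, when):
    """Earliest instant at or after `when` that is inside the window (UTC)."""
    if in_window(schedule, when):
        return when.astimezone(timezone.utc)
    tz = ZoneInfo(schedule["timezone"])
    local = when.astimezone(tz)
    start = _hhmm(schedule["start_hour"])
    for offset in range(8):  # today plus the next seven days
        day = local.date() + timedelta(days=offset)
        opening = datetime.combine(day, start, tzinfo=tz)
        if day.isoweekday() in schedule["days"] and opening >= local:
            return opening.astimezone(timezone.utc)
    raise ValueError("schedule has no allowed days")

if __name__ == "__main__":
    # Constructed instants: Friday 2024-03-08, 18:30 and 19:30 Pacific time.
    for utc in (datetime(2024, 3, 9, 2, 30, tzinfo=timezone.utc),
                datetime(2024, 3, 9, 3, 30, tzinfo=timezone.utc)):
        print(utc, in_window(SCHEDULE, utc), next_dispatch(SCHEDULE, utc))
```

Both sample instants fall on Saturday in UTC but on Friday for the recipient, and the next window opens after a daylight-saving change, which is why the check converts to the recipient's zone instead of applying a fixed offset.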

TCPA violations carry penalties of $500-$1,500 per call/text. Trunx enforces time windows automatically, but you are responsible for obtaining proper consent before contacting recipients.

DNC / Suppression List

Every outbound message and call passes through a DNC check before reaching any provider. This is enforced in middleware and cannot be bypassed.

How numbers get on the suppression list:

  • API: POST /suppression to add individual numbers or bulk import a list.
  • IVR opt-out: A caller pressing a designated key triggers the suppress action, which adds their number automatically.
  • SMS opt-out: Replies containing STOP, UNSUBSCRIBE, or similar keywords trigger automatic suppression.

Numbers on the suppression list are silently blocked. The API returns a success response but no message is sent and no call is placed. This prevents information leakage about which numbers are suppressed.

Managing the Suppression List

# Add a number
curl -X POST https://api.trunx.io/suppression \
  -H "Authorization: Bearer tk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"phone": "+14155551234", "reason": "customer_request"}'

# Check if a number is suppressed
curl https://api.trunx.io/suppression/+14155551234 \
  -H "Authorization: Bearer tk_live_..."

# Remove a number
curl -X DELETE https://api.trunx.io/suppression/+14155551234 \
  -H "Authorization: Bearer tk_live_..."

10DLC (10-Digit Long Code)

10DLC registration is required for sending SMS at volume using standard 10-digit phone numbers. Without it, carriers will filter your messages and delivery rates will drop significantly.

Trunx provides API endpoints for the full registration workflow:

Register your brand

Submit your business information -- name, EIN, address, and vertical.

curl -X POST https://api.trunx.io/10dlc/brands \
  -H "Authorization: Bearer tk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corp",
    "ein": "12-3456789",
    "address": "123 Main St, San Francisco, CA 94102",
    "vertical": "technology"
  }'

Vet your brand

Submit the brand for third-party verification. This typically takes 1-3 business days.

curl -X POST https://api.trunx.io/10dlc/brands/brand_abc/vet \
  -H "Authorization: Bearer tk_live_..."

Create a messaging campaign

Define the use case for your messages (e.g., appointment reminders, marketing).

curl -X POST https://api.trunx.io/10dlc/campaigns \
  -H "Authorization: Bearer tk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "brand_id": "brand_abc",
    "use_case": "marketing",
    "description": "Promotional offers for opted-in customers",
    "sample_messages": [
      "Hi {name}, 20% off this weekend! Reply STOP to opt out."
    ]
  }'

Assign DIDs to the campaign

Bind your phone numbers to the 10DLC campaign.

curl -X POST https://api.trunx.io/10dlc/campaigns/camp_abc/numbers \
  -H "Authorization: Bearer tk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"numbers": ["+14155559876", "+14155559877"]}'

Wait for carrier approval

Carriers review and approve the campaign. This can take 1-7 business days. Check status via the API or subscribe to the 10dlc.campaign.approved SSE event.

Sending SMS without 10DLC registration at volume will result in carrier filtering and message delivery failures. Register before scaling your SMS operations.

STIR/SHAKEN

STIR/SHAKEN is a cryptographic call authentication framework that combats caller ID spoofing. Carriers assign an attestation level to each outbound call:

| Level | Meaning | Trust |
|---|---|---|
| A-attestation | "This caller owns this number" | Highest |
| B-attestation | "This caller is known but number not verified" | Medium |
| C-attestation | "Gateway call, origin unknown" | Lowest |

Trunx verifies A-attestation on outbound calls via your carrier. If calls are downgraded to B or C attestation, Trunx generates alerts so you can investigate.

Checking Attestation

# Trunk-wide attestation level
curl https://api.trunx.io/reputation/attestation \
  -H "Authorization: Bearer tk_live_..."

# Per-DID attestation check
curl https://api.trunx.io/reputation/attestation/+14155559876 \
  -H "Authorization: Bearer tk_live_..."

A-attestation is the goal for all outbound DIDs. B or C attestation can indicate misconfiguration, carrier issues, or that the number is not properly registered to your trunk. Downgraded attestation correlates with lower answer rates.
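Going one step beyond the page, as an added example that is not Trunx code: in SHAKEN the attestation level travels in the `attest` claim of the PASSporT token carried in the SIP Identity header (RFC 8588). The code below reads that claim from a constructed header to flag downgrades; it does not verify the ES256 signature, and the function names and all sample values are assumptions.

```python
import base64
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment):
    # base64url in a JWS drops padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_attestation(identity_header):
    """Extract the SHAKEN attestation level from a SIP Identity header value.

    The claims are read WITHOUT signature verification, so the result is
    suitable for monitoring only, not for a trust decision.
    """
    token = identity_header.split(";", 1)[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Identity header does not carry a compact JWS")
    header = json.loads(_unb64url(parts[0]))
    claims = json.loads(_unb64url(parts[1]))
    if header.get("ppt") != "shaken":
        raise ValueError("token is not a SHAKEN PASSporT")
    attest = claims.get("attest")
    if attest not in ("A", "B", "C"):
        raise ValueError("missing or unknown attestation level")
    return {"attest": attest, "orig_tn": claims["orig"]["tn"],
            "origid": claims.get("origid"), "downgraded": attest != "A"}

def sample_identity(attest):
    """Build a constructed Identity header; the signature is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": ["14155551234"]},
              "iat": 1700000000, "orig": {"tn": "14155559876"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join([_b64url(json.dumps(header).encode()),
                      _b64url(json.dumps(claims).encode()),
                      _b64url(b"constructed-not-a-real-signature")])
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    for level in ("A", "B", "C"):
        print(read_attestation(sample_identity(level)))
```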

CNAM (Caller Name)

CNAM sets your business name in the national caller ID database. When your DID calls a recipient, their phone displays your company name instead of "Unknown" or "Spam Likely."

Trunx automatically assigns a CNAM profile to every DID at purchase time. The profile is linked to your registered brand -- the same brand used for 10DLC. No manual setup is needed.

If a DID doesn't have a CNAM profile (e.g., it was purchased before this feature), Trunx will assign one the next time the compliance pipeline runs for that number.

CNAM propagation takes up to 48 hours. A newly purchased DID may show as "Unknown" on the first few calls while the CNAM database updates.

Caller Registry

Carrier analytics engines (Hiya, First Orion, TNS) maintain databases of known callers. Numbers not in these databases are more likely to be flagged as spam -- even with A-attestation and CNAM set.

Trunx registers all DIDs with the Free Caller Registry, which feeds data to all three major analytics engines. This runs automatically as part of the DID compliance pipeline.

What gets registered

  • Your business name, address, and website (from your brand record)
  • The phone numbers you own
  • Your call category and expected volume

How it works

  1. DID is purchased or flagged for registration
  2. Trunx submits the registration to FCR with your brand information
  3. FCR distributes the data to Hiya, First Orion, and TNS
  4. Carrier analytics engines update their databases (24-72 hours)

Registration is automatic and does not require any action from you. All DIDs are registered in bulk.

Caller registry presence significantly reduces spam flagging on outbound calls. The effect compounds with CNAM and STIR/SHAKEN -- all three signals together give carriers the most confidence that your calls are legitimate.

Answering Machine Detection

Trunx detects answering machines on outbound campaign calls using real-time speech-to-text. When a call connects, audio is streamed to Deepgram Nova-3 for instant transcription. The system classifies the call as human or machine within 1.4-1.8 seconds.

| Detection | Action |
|---|---|
| Human | Call is connected to your AI voice agent |
| Machine | Trunx waits for the voicemail greeting to end, then plays your voicemail drop audio |

Voicemail drop

When a machine is detected, Trunx keeps listening for the end of the greeting (detected by 1.5 seconds of silence after speech). Once the greeting ends, it plays the campaign's voicemail drop audio file. This ensures the message starts cleanly after the beep.

Voicemail drop audio is configured per campaign. Upload an audio file via the API or dashboard and assign it to the campaign.

AMD runs only on outbound campaign calls. Inbound calls and one-off API-initiated calls are not screened.

DID Selection

Outbound campaign calls use smart DID selection to maximize answer rates and distribute load:

  • Local presence -- Picks a DID with the same area code as the recipient when available
  • Round-robin -- Rotates across available DIDs to prevent any single number from being flagged for high volume
  • Velocity cap -- Limits calls per DID per hour to stay under carrier thresholds
  • Atomic selection -- Concurrent calls never pick the same DID twice

DID selection is automatic. No configuration is needed.

Content Scanning

Outbound SMS content is automatically scanned before delivery. The scanner checks for:

  • Credential / PII leaks -- passwords, SSNs, credit card numbers
  • Known spam patterns -- urgency language, deceptive offers
  • Phishing URLs -- links to known malicious domains
  • Prohibited content -- content that violates carrier acceptable use policies

Flagged messages are held and not delivered. The API returns a 422 response with details about why the message was flagged. You can subscribe to sms.flagged events via SSE or webhooks for monitoring.
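An added example, not Trunx's scanner: a pre-send check for the credential / PII category only, which you can run on message bodies before calling the API so that SSNs and card numbers never leave your system. The patterns and function names are assumptions; Trunx's own rules are not given on this page.

```python
import re

# Candidate patterns (assumed for this example).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    # Ranges that are never issued: area 000, 666, 900-999; group 00; serial 0000.
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def scan_sms(body):
    """Return the sorted PII categories found in an outbound SMS body.

    Only category names are returned, so the sensitive value itself is not
    copied into logs or error responses.
    """
    findings = set()
    for match in SSN_RE.finditer(body):
        if plausible_ssn(*match.groups()):
            findings.add("ssn")
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):  # drops order numbers and other long digit runs
            findings.add("card_number")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test number.
    print(scan_sms("Your card 4111 1111 1111 1111 is on file"))
    print(scan_sms("Order 1234 5678 9012 3456 shipped"))
```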

Compliance Checklist

Before going live with outbound communications, verify each item:

  • 10DLC brand registered and vetted
  • 10DLC campaign created and approved by carriers
  • DIDs assigned to 10DLC campaign
  • STIR/SHAKEN A-attestation verified on all outbound DIDs
  • CNAM caller name set on all outbound DIDs
  • DIDs registered with Free Caller Registry
  • DNC/suppression list imported (internal list + national DNC if applicable)
  • TCPA schedule configured per campaign with correct timezones
  • Voicemail drop audio uploaded for campaigns using AMD
  • Webhook set up for compliance events (sms.flagged, call.blocked, suppression.added)
  • DID health monitoring enabled
  • Reputation monitoring active
