Skip to main content

Compliance attestation

SMS compliance

Every WAVE SMS flows through a six-stage compliance gateway. Express opt-in capture. STOP and HELP keywords on every conversation. Cross-platform opt-out. Four-year consent retention.

A2P 10DLC brand: BN4c6027afd29a6ab8a04ffce1794a253e (registered 2026-04-26)

Standards we follow

TCPA (US federal)

Express written consent for marketing. STOP keyword honored within five minutes. Known TCPA litigators auto-blocked via Twilio compliance feature.

CTIA Messaging Principles

Brand identification on every message. HELP and STOP instructions in conversation. Message and data rate disclosure on opt-in surface.

A2P 10DLC

Registered brand and campaign with The Campaign Registry. Sample messages match production. Privacy and Terms URLs verified on every campaign before the 2026-06-30 carrier cutover.

CAN-SPAM, CASL, state laws

Cross-border consent capture. Quiet hours respected per recipient local time (8am to 9pm baseline; stricter where state law applies). Canada CASL express-opt-in path for Canadian recipients.

Six-stage compliance gateway

Every outbound SMS — whether a 2FA code, a security alert, a creator payout notice, or a Talkback reply — passes through SmsComplianceGateway before Twilio. The gateway runs six stages and refuses to send if any fail.

  1. Pre-check. Opt-in record exists for this recipient + scope. STOP history clean. Quiet hours respected. Per-recipient rate limit not exceeded.
  2. Content. Brand prefix attached. HELP and STOP keywords on first message. Body scanned for PII leak per outbound-message-pii-protection rule.
  3. Send. Routed via registered Messaging Service SID (not raw From number). Per-message audit row created before send.
  4. Status. Twilio delivery callback verified via HMAC. State persisted: queued, sent, delivered, failed, undelivered.
  5. Inbound. Replies parsed for STOP, START, HELP. STOP routed to OptOutRegistry within five minutes. HELP replies include brand name and opt-out instructions.
  6. Retention. Consent records held four years from last event. Delivery logs eighteen months. Phone numbers HMAC-hashed in all audit logs.

One STOP. Every WAVE product.

Reply STOP to any WAVE SMS and your phone number is opted out of every WAVE messaging surface — Talkback, security alerts, creator payouts, stream notifications, billing reminders. The opt-out registry has no organization scope. Cross-platform enforcement is the standard, not an upgrade.

Your rights

  • Opt out anytime. Reply STOP to any message. Effective within five minutes, cross-platform.
  • Get help. Reply HELP for sender identification and opt-out instructions.
  • Export your record. File a data subject access request via /privacy and we return the full SMS consent + delivery history within 30 days.
  • Delete your record. Account deletion clears all SMS records cascadingly except where regulation requires retention (consent proofs four years per TCPA).

Questions: [email protected]

Standards: TCPA · CTIA Messaging Principles · A2P 10DLC · CAN-SPAM · CASL · GDPR Art. 7 (consent records) · CCPA · Various state quiet-hour laws (CA, FL, OK, others)

Last reviewed: 2026-04-29