Built for brokerages that demand compliance
Gift of Gab handles calls, texts, and AI automations for real estate teams. That means TCPA, CASL, 10DLC, and PIPEDA aren't optional -- they're foundational to how we operate.
Documentation
Security and compliance resources
Security
Encryption standards, infrastructure hardening, access controls, authentication architecture, monitoring, and incident response procedures.
View Security Details
Privacy Policy
How we collect, use, store, and protect personal information. Your rights under PIPEDA, provincial privacy statutes, and international law.
Read Privacy Policy
Terms of Service
Service agreement, acceptable use, billing terms, data ownership, intellectual property rights, and SLA commitments.
Read Terms of Service
Compliance Center
PIPEDA, CASL, TCPA, RECO, and 10DLC compliance documentation. DPA templates, BAA agreements, and subprocessor registry.
View Compliance Docs
US Compliance
TCPA compliance -- automated calling and texting
The Telephone Consumer Protection Act governs automated calls and texts to cell phones. For real estate agents using Gift of Gab to reach leads, this is non-negotiable. Here is exactly how we comply.
Prior Express Written Consent
- No automated text or call is sent without verified prior express written consent (PEWC) on file
- Consent records include: timestamp, source, exact disclosure language, and the phone number consented
- Consent is tied to specific communication types (calls vs. texts) and specific campaigns -- no blanket consent
- Consent records are immutable and retained for the federally recommended minimum of 5 years
Opt-Out and Do-Not-Call Management
- Every SMS includes a STOP keyword that immediately halts all automated messaging to that number
- Opt-outs are processed within seconds and synced to your CRM in real time -- no delayed batch processing
- Internal Do-Not-Call list maintained per organization, checked before every outbound communication
- National DNC registry scrubbing available for outbound calling campaigns
Calling Time and Rate Controls
- Automated calls and texts restricted to 8:00 AM - 9:00 PM in the recipient's local time zone
- Time zone detection based on area code and verified address data from your CRM
- Rate limiting prevents excessive contact attempts to any single number within a rolling window
- All outbound communications are logged with timestamps for audit and dispute resolution
Caller ID and Disclosure
- All outbound calls transmit accurate caller ID identifying your brokerage or team
- STIR/SHAKEN attestation on all voice calls to prevent spam/scam labeling by carriers
- Automated messages clearly identify the sender and include opt-out instructions in every message
- Call recordings include disclosure notification where required by state or provincial law
Canadian Compliance
CASL compliance -- Canada's Anti-Spam Legislation
CASL regulates all commercial electronic messages (CEMs) sent to or from Canada. Penalties reach $10M per violation for organizations. Gift of Gab enforces CASL requirements at the platform level so individual agents cannot accidentally violate the law.
Express vs. Implied Consent
- Platform distinguishes between express consent (opt-in confirmed) and implied consent (existing business relationship)
- Implied consent automatically expires after 24 months from last transaction or 6 months from inquiry, per CASL requirements
- Agents are prompted to obtain express consent before implied consent expires
- Consent type, source, and timestamp are recorded for every contact
Required Message Elements
- Every CEM includes sender identification: agent name, brokerage name, and physical mailing address
- Functional unsubscribe mechanism in every message using cryptographic one-click tokens (no login required)
- Unsubscribe requests processed within 10 business days (platform processes within seconds)
- Unsubscribe mechanism remains functional for a minimum of 60 days after the message is sent
Platform-Level Enforcement
- Gift of Gab blocks CEMs to contacts without valid consent at the API level -- agents cannot override this
- Consent audit trail exportable for CRTC investigations or internal compliance reviews
- Brokerage admins can view consent status for every contact across all agents in their organization
- Annual CASL compliance review included for Enterprise plan customers
Carrier Compliance
10DLC and A2P messaging registration
US carriers now require businesses sending SMS from local 10-digit numbers to register through The Campaign Registry (TCR). Unregistered traffic is throttled or blocked. Gift of Gab handles this for you.
Brand Registration
- Gift of Gab Tech Inc. is registered as a verified brand with The Campaign Registry (TCR)
- Each brokerage is registered as a sub-brand with their own EIN/BN validation
- Brand vetting score maintained above carrier thresholds for maximum throughput
- Registration status visible in your admin dashboard at all times
Campaign Registration
- Campaigns registered under approved use cases: real estate lead follow-up, appointment reminders, transaction updates
- Message sample templates pre-approved by carriers to prevent filtering
- Throughput limits managed automatically based on your trust score (up to 75 SMS/second for verified brands)
- Carrier feedback loops monitored -- spam complaints investigated and resolved within 24 hours
Message Content Controls
- All SMS templates reviewed for carrier-prohibited content before activation
- URL shorteners use branded domains to avoid spam filter triggers
- Opt-out language included in every initial message and periodically in ongoing threads
- MMS content validated for size and format compliance across all major carriers
Delivery and Compliance Monitoring
- Real-time delivery receipts tracked for every message with failure reason codes
- Carrier filtering events automatically flagged and investigated
- Monthly compliance reports available for brokerage compliance officers
- Proactive re-registration when carriers update 10DLC requirements
Consent Management
Consent is tracked, enforced, and auditable
Every automated communication Gift of Gab sends on your behalf requires valid consent. This is not a setting you can disable. It is how the platform works.
Consent Capture
When a lead enters your system (web form, manual entry, CRM import), the platform records the consent source, timestamp, IP address, and the exact disclosure language presented. No consent record, no automated messages.
Consent Storage
Consent records are stored in an append-only audit table. They cannot be modified or deleted by agents or admins. Retention minimum: 5 years for TCPA, indefinite for active contacts under CASL.
Consent Enforcement
Every outbound call, text, and email passes through a consent validation gate before delivery. The gate checks: consent exists, consent has not expired (CASL implied), consent covers the communication type, and contact has not opted out.
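A sketch of the four gate checks listed above, added here as an illustration and not Gift of Gab's own code. The record layout, the reason strings, and the conservative choice to treat the anniversary date itself as expired are assumptions; the 24-month and 6-month windows are the ones stated in the CASL section of this page.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# CASL implied-consent windows stated on this page, in months.
IMPLIED_WINDOW = {"transaction": 24, "inquiry": 6}

@dataclass(frozen=True)
class Consent:                       # hypothetical record layout
    kind: str                        # "express" or "implied"
    channels: frozenset              # e.g. frozenset({"sms", "call"})
    basis: Optional[str] = None      # implied only: "transaction" or "inquiry"
    basis_date: Optional[date] = None

def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of short months."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def gate(consent: Optional[Consent], channel: str, opted_out: bool, today: date):
    """Return (allowed, reason). Fails closed: any missing fact blocks the send."""
    if opted_out:                    # an opt-out overrides any consent on file
        return False, "opted_out"
    if consent is None:
        return False, "no_consent"
    if channel not in consent.channels:
        return False, "channel_not_covered"
    if consent.kind == "implied":
        months = IMPLIED_WINDOW.get(consent.basis)
        if months is None or consent.basis_date is None:
            return False, "implied_basis_unknown"
        # Assumption: the expiry date itself already counts as expired.
        if today >= add_months(consent.basis_date, months):
            return False, "implied_expired"
    elif consent.kind != "express":
        return False, "unknown_consent_kind"
    return True, "ok"
```

Returning a reason code with each denial gives the audit log something specific to record for every blocked send.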
Consent Expiry Alerts
Agents receive automated warnings 30 days before implied consent expires under CASL. The platform suggests re-engagement workflows to obtain express consent before the window closes.
Consent Export and Audit
Full consent history is exportable as CSV or PDF for regulatory investigations, brokerage audits, or CRTC/FCC inquiries. Export includes every field required to demonstrate compliance.
Data Residency
Your data stays in Canada
Gift of Gab Tech Inc. is a Canadian company. All primary data storage and processing occurs on Microsoft Azure Canada Central (Toronto region). This matters for PIPEDA compliance and for brokerages with data sovereignty requirements.
Primary Region
Azure Canada Central
Toronto, Ontario
Database
Azure PostgreSQL
Canada Central, zone-redundant
Application Hosting
Azure Container Apps
Canada Central, auto-scaling
Secrets Management
Azure Key Vault
Canada Central, HSM-backed
Cross-border data note
Some subprocessors (Stripe, Twilio routing, Follow Up Boss) process data in the United States. This is disclosed in our subprocessor list below and covered by contractual data protection agreements. AI processing uses Azure OpenAI Service deployed in Canada Central -- your CRM data does not leave Canada for AI processing.
Data Handling
Encryption, isolation, and access controls
Every piece of data that flows through Gift of Gab is encrypted at every stage and isolated per organization. No other customer can see your data. No Gift of Gab employee can access your data without documented justification and audit trail.
Encrypted Everywhere
- AES-256 encryption at rest in Azure PostgreSQL (Canada Central)
- TLS 1.3 for all data in transit -- no fallback to older protocols
- Azure Key Vault (HSM-backed) for all secrets and encryption keys
- Passwords hashed with bcrypt (cost factor 12), never stored in plain text
- API keys and tokens encrypted at rest, never logged or exposed in error messages
Tenant Isolation
- Multi-tenant architecture with strict database-level isolation by OrgId
- Row-level security policies prevent cross-tenant data access
- Zone-redundant high availability with automatic failover
- 35-day point-in-time backup retention with second-level granularity
- Backups encrypted and stored in the same Canadian region
Access Controls
- Role-based access controls (RBAC): Owner, Admin, Team Lead, Agent
- JWT authentication with httpOnly secure cookies and short-lived tokens
- All administrative actions logged with user ID, timestamp, and IP address
- Full audit trail of every AI-generated action and recommendation
- Quarterly access reviews for all Gift of Gab engineering staff
CRM Integration
How we handle your Follow Up Boss data
When you connect your Follow Up Boss account, here is exactly what happens with your data at every stage.
Authorized Access Only
Gift of Gab accesses your FUB data only through your authorized API key. We never store your FUB password. You can revoke access instantly by removing the API key from your settings. Revocation stops all sync immediately.
Encrypted Sync and Isolated Storage
Contact records, notes, and interaction history are synced to your isolated tenant within our Azure PostgreSQL database in Canada Central. Encrypted at rest with AES-256. Strict OrgId-level isolation means no other customer can access your data, even in a shared database.
AI Processing Stays in Canada
Your CRM data is processed by Azure OpenAI Service deployed in Canada Central to generate call summaries, insights, and briefings. Your data is never used to train AI models. Processing happens within the same Canadian region as your database.
Webhook Verification
All FUB webhooks are verified with HMAC signature validation before processing. Spoofed events are rejected and logged. Every legitimate incoming webhook is audited with timestamp, payload hash, and processing result.
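The verify-then-audit flow described above, as an added example rather than Gift of Gab's or Follow Up Boss's code. HMAC-SHA256 with a hex-encoded signature, the function names, and the result strings are assumptions; the provider's documentation defines the real header, digest, and encoding.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def handle_webhook(secret: bytes, raw_body: bytes, signature_hex: str):
    """Verify an HMAC-signed webhook; return (event_or_None, audit_record)."""
    # MAC the exact bytes received. Re-serialising parsed JSON changes
    # whitespace and key order, so it would not reproduce the sender's MAC.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    supplied = signature_hex.strip().lower()
    # Constant-time comparison, done on bytes so odd input cannot raise.
    verified = hmac.compare_digest(expected.encode(), supplied.encode("utf-8"))

    event, result = None, "rejected_bad_signature"
    if verified:
        try:
            event = json.loads(raw_body)   # parse only after verification
            result = "accepted"
        except ValueError:
            result = "rejected_malformed_json"

    # Audit fields named on this page: timestamp, payload hash, result.
    audit = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "payload_sha256": hashlib.sha256(raw_body).hexdigest(),
        "result": result,
    }
    return event, audit

def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side, included only to build constructed test input."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
```

The audit record stores a hash of the payload rather than the payload itself, so rejected events can be correlated later without retaining unverified data.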
Data Deletion
When you disconnect FUB or cancel your account, synced data is retained for 30 days for reactivation, then permanently deleted from all systems including backups. You can request immediate deletion at any time by contacting support or your account manager.
Privacy Compliance
PIPEDA, RECO, and international privacy standards
Gift of Gab Tech Inc. is a Canadian company subject to PIPEDA. We also align with GDPR requirements for international clients and comply with real estate regulatory body standards including RECO.
PIPEDA (Canada)
- Full compliance with the Personal Information Protection and Electronic Documents Act
- Clear, documented purpose for all data collection, communicated to individuals before collection occurs
- Consent-based data handling with right to withdraw consent at any time, effective immediately
- Designated Privacy Officer reachable at privacy@giftofgab.ai
- Right to access, correct, and delete your personal information within 30 days of request
- Complaints can be escalated to the Office of the Privacy Commissioner of Canada (OPC)
Real Estate Regulatory Alignment
- RECO (Real Estate Council of Ontario) compliance for Ontario brokerages, including record retention requirements
- GDPR-aligned data handling practices for brokerages serving international clients
- Data processing agreements (DPA) available for download -- pre-signed by Gift of Gab, ready for your legal team
- Cross-border data transfers protected by standard contractual clauses (SCCs) where applicable
- Breach notification within 72 hours to affected organizations and within regulatory timelines to the OPC
- 30-day data export window upon account cancellation in machine-readable format (JSON or CSV)
Incident Response
What happens if something goes wrong
We operate under the assumption that incidents will happen. What matters is detection speed, containment, and transparent communication. Here are our commitments.
Detection
Automated monitoring with Sentry and Azure alerts. Anomalous access patterns, failed auth spikes, and data exfiltration attempts trigger immediate alerts.
Containment
Incident response team initiates containment. Affected systems isolated. Access tokens rotated. Preliminary impact assessment begins.
Customer Notification
Affected organizations notified via email and in-app banner within 24 hours of confirmed breach. Notification includes: what happened, what data was affected, and what we are doing about it.
Regulatory Notification
OPC (Canada) and relevant state attorneys general (US) notified within 72 hours as required by PIPEDA and applicable state breach notification laws.
99.9% Uptime SLA
Your business depends on Gift of Gab being available when your clients call. Our infrastructure is built for reliability with zone-redundant deployments, auto-scaling, and automated failover. Enterprise plans include contractual uptime SLAs with service credits.
Zone-Redundant
Database and application replicated across Azure availability zones. Survives datacenter failures.
Auto-Scaling
Azure Container Apps scale with demand. During peak call volumes, capacity increases automatically.
35-Day Recovery
Point-in-time restore to any second within the last 35 days. Tested quarterly.
Subprocessor Registry
Every third party that touches your data
This is the complete list of subprocessors that may process data on behalf of Gift of Gab customers. Each maintains documented security certifications and is bound by data processing agreements.
| Subprocessor | Purpose |
|---|---|
| Microsoft Azure | Cloud infrastructure, compute, storage, and database hosting |
| Twilio | Voice calls, SMS/MMS delivery, 10DLC registration, A2P messaging |
| Stripe | Payment processing and subscription billing |
| Follow Up Boss | CRM integration and contact synchronization |
| OpenAI / Azure OpenAI | AI language processing for call summaries and insights |
| Sentry | Application error monitoring and diagnostics |
| Google | Gmail integration and OAuth authentication |
Last updated: April 2026. Customers are notified 30 days before any new subprocessor is added.
Enterprise Resources
Documents your compliance team needs
We know what enterprise procurement looks like. These resources are available now -- no NDA required for standard documents.
Data Processing Agreement (DPA)
Pre-signed by Gift of Gab. Covers PIPEDA, GDPR, and provincial privacy statutes. Ready for your legal team to countersign.
Request DPA
Security Questionnaire
Pre-completed SIG Lite, CAIQ, and VSAQ. Custom questionnaires completed within 5 business days.
Request Questionnaire
Vendor Risk Assessment
Comprehensive vendor risk documentation including insurance certificates, business continuity plans, and disaster recovery procedures.
Request Assessment
BAA (Business Associate Agreement)
Available for brokerages handling health-adjacent data or operating under HIPAA-adjacent state regulations.
Request BAA
Trusted by brokerages who take compliance seriously
14-day free trial. Enterprise-grade compliance from day one. No credit card required.
Need a DPA, security questionnaire, or vendor risk assessment? Email security@giftofgab.ai