Compliance & Data Security

Compliance Is Architecture.
Not a Checkbox.

InWork Global designs compliance into every platform we build — from the data model and API layer to the communication workflows and audit logs. By the time we ship, compliance is not a feature. It is the foundation.

⚠ Compliance Disclosure: InWork Global holds SOC2-aligned practices, HIPAA-aware development practices (BAA available), and GDPR-aware architecture. We do not hold formal SOC2 Type II certification, HIPAA certification, or GDPR certification at this time. ISO 27001 practices are aligned with an ongoing formal certification program.

Compliance Framework

Regulatory Coverage

Standard | Full Name | InWork Status
FTC | Federal Trade Commission Act | Compliant by design on all AI and marketing
TCPA | Telephone Consumer Protection Act | Architecture-level compliance on all voice and SMS
10DLC | Application-to-Person SMS Registration | All SMS campaigns registered
CCPA | California Consumer Privacy Act | Data handling practices CCPA-compliant
GDPR | General Data Protection Regulation | GDPR-aware architecture available
PCI-DSS | Payment Card Industry Data Security Standard | Tokenized payment handling (Stripe)
SOC2 | Service Organization Controls Type 2 | SOC2-aligned practices
HIPAA | Health Insurance Portability and Accountability Act | HIPAA-aware development, BAA available
ADF/XML | Automotive Data Format | Native implementation in all automotive platforms
OEM Certified | Automotive OEM Programs | 10+ active certifications
OWASP | Web Application Security | OWASP Top 10 addressed in all development
ISO 27001 | Information Security Management | Practices aligned, ongoing formal program

TCPA & 10DLC

How We Handle TCPA Compliance

TCPA and 10DLC are the highest-risk compliance areas for any business doing SMS or AI voice. Most platforms treat this as a legal checkbox. InWork designs it into the architecture from day one.

Consent First

Prior express written consent documented before the first call or SMS. Consent is captured in the communication system itself, not in a separate form the caller can't verify.

DNC Registry Scrubbing

National DNC Registry query before every outbound voice and SMS batch. Internal opt-out list maintained and honored in real time. State DNC lists honored in all 50 states.

10DLC Registration

All A2P SMS campaigns registered through The Campaign Registry (TCR) before sending the first message. Brand, campaign, use case, and message flow documented and carrier-approved.

Opt-Out in Real Time

STOP, QUIT, CANCEL, UNSUBSCRIBE honored within 60 seconds on SMS. Voice opt-out processed immediately. Internal blacklist propagation within the same session.

Audit Trail Architecture

Every consent, every opt-out, every communication is logged with timestamp, channel, and agent ID. This is the evidence file if there is ever a TCPA dispute.

No Auto-Dialing Without Written Consent

No auto-dialed or pre-recorded calls to mobile numbers without prior express written consent. Wireless number identification on every outbound batch.

Data Security

HIPAA, SOC2 & GDPR Posture

HIPAA-Aware Development

BAA Available

All healthcare platform work is built with HIPAA-aware design principles: minimum necessary data access, PHI handling controls, audit logging, and Business Associate Agreements available for covered entities. We do not hold formal HIPAA certification.

SOC2-Aligned Practices

Practices-Aligned

InWork operates with SOC2-aligned security practices: access controls, encryption in transit and at rest, incident response procedures, and security monitoring. We do not hold a formal SOC2 Type II certification at this time.

GDPR-Aware Architecture

Architecture Available

For EU-facing products, InWork implements GDPR-aware architecture: data minimization, right-to-erasure workflows, consent management, and data processing agreements. We do not hold GDPR certification (no such formal certification exists in the EU framework).

Compliance by design

Build It Right. Ship It Compliant.

Every InWork engagement includes compliance architecture review at no extra cost. TCPA, 10DLC, CCPA, GDPR-aware, PCI-DSS, HIPAA-aware — by design.

Integrity. Urgency. Ownership.

40+ US businesses served · 65+ engineers · Zero long-term lock-in