HonkIOHonkIO
Canadian Compliance

Compliance built in, not bolted on

HonkIO enforces Canadian telecommunications law at the API level. You cannot accidentally send a non-compliant message.

CASL — Canada's Anti-Spam Legislation

S.C. 2010, c. 23 · In force since July 1, 2014

CASL requires that every commercial electronic message (CEM) sent to a Canadian recipient must have the recipient's express or implied consent. Violations can result in administrative monetary penalties up to $10 million per violation for organizations. HonkIO enforces CASL requirements programmatically.

Express Consent

  • Recorded with timestamp, source IP, and description
  • Stored immutably in audit log
  • Never expires unless revoked by the recipient
  • Required for cold outreach / new contacts

Implied Consent

  • Applies to existing business relationships
  • Auto-expires after 2 years (CASL §10(9))
  • Expiry date tracked and enforced by API
  • Ineligible for telemarketing messages
STOP / UNSTOP keyword handling: When a recipient replies with STOP, STOPALL, UNSUBSCRIBE, QUIT, END, or CANCEL, HonkIO automatically opts them out within seconds — not the 10 business days allowed by law. START and UNSTOP keywords re-instate consent. Your webhook is notified of all opt-out events.
Pre-send gate: The API will reject any message attempt to an opted-out number with HTTP 451 Unavailable For Legal Reasons. There is no way to override this from the API. Audit log entries are created for every blocked send attempt.

CRTC Do Not Call List (DNCL)

Telecommunications Act · CRTC Rules on Unsolicited Telecommunications

The National DNCL prohibits telemarketing contacts (including SMS) to registered numbers. HonkIO queries the DNCL before sending any message tagged as telemarketing. Results are cached for 24 hours.

EBR

Existing Business Relationship

Customer made a purchase or inquiry within 18 months

CHARITY

Registered Charity

CRA-registered charitable organizations

POLITICAL

Political Party / Candidate

Federal/provincial political communications

Set the dncl_exempt flag and dncl_exempt_reason on your message send request. The exemption reason is stored with the message for audit purposes.

PIPEDA / Privacy Act

Personal Information Protection and Electronic Documents Act · S.C. 2000, c. 5

Canadian Data Residency

  • All data stored in AWS ca-central-1 (Montréal)
  • Message content never transits non-Canadian infrastructure
  • PostgreSQL, Redis, and logs — all in Canada
  • Canada-only carrier messaging profile

Data Minimization & Retention

  • Message body purged after 90 days by default
  • Configurable retention period per account
  • Audit logs retained separately (immutable)
  • Right-to-erasure API endpoint included

Quebec Law 25 — Loi 25

An Act respecting the protection of personal information in the private sector · In full force since September 2023

Quebec Law 25 (Bill 64) imposes GDPR-like obligations on organizations handling personal information of Quebec residents. HonkIO's architecture supports these requirements.

  • Privacy impact assessment (PIA) documented for data flows
  • Right to access personal information via API
  • Right to erasure endpoint wipes all PII for a number
  • Data portability: export all consent and message records
  • Privacy officer contact in all error communications
  • Incident notification procedures in place
🇨🇦

100% Canadian infrastructure

All HonkIO infrastructure runs in AWS ca-central-1 (Montréal). Your message content, phone numbers, consent records, and audit logs never leave Canada. This is enforced at the network level, not just in policy.