Completions

Done-for-you offer · Fractional CMO with AI Swarm · walk-in-phone-attribution 4-skill bundle · walk-in-phone-attribution agent

Multi-vendor call-tracking + POS-receipt offline-attribution pairing for multi-unit franchise and multi-location service brand operators — Ingest + Canonicalize + Match + Emit 4-skill bundle on the walk-in-phone-attribution agent, under a 5-anchor compliance overlay anchored on state recording-consent + TCPA/10DLC + PCI DSS/FACTA + HIPAA + Song-Beverly/CCPA cross-context

You operate 50-1,500 locations where calls arrive across multiple call-tracking vendors at different banners, transactions land in multiple POS systems, some banners touch PHI under HIPAA, some calls take payments triggering PCI DSS 4.0, calls span all-party-consent recording jurisdictions (California Penal Code 632, Illinois 720 ILCS 5/14, Pennsylvania 18 Pa.C.S. 5704, Washington RCW 9.73 Privacy Act, Maryland, Massachusetts, Connecticut, Florida, Montana, Nevada, New Hampshire), POS receipts must satisfy FACTA truncation 15 USC 1681c(g) and California Song-Beverly Credit Card Act Civil Code 1747.08 plus the Pineda v Williams-Sonoma 2011 ZIP-as-PII ruling, and the join of call data plus POS data plus ad-attribution triggers CCPA Section 1798.140(ae) cross-context-behavioral-advertising opt-out plus state-comprehensive-privacy patchwork. The call-tracking, POS, conversation-intelligence, CDP, identity-resolution, attribution, tokenization, and DTMF-masking vendors below ship strong primitives. The orchestration above them — per-state recording-consent enforcement before Ingest, PCI scope reduction via DTMF masking and payment tokenization, FACTA receipt truncation enforcement, HIPAA BAA chain enforcement when healthcare-vertical banners are in scope, CCPA cross-context-behavioral-advertising opt-out propagation across the call-POS-attribution join, Match cascade against operator-counsel-set confidence thresholds, audit trail — is operator-side architecture.
The compliance gate is anchored on five real anchors: state two-party-consent recording (11 all-party states + Federal Wiretap 18 USC 2511); TCPA 47 USC 227 + 10DLC + STIR/SHAKEN + FCC RND + DNC for callback; PCI DSS 4.0 (mandatory March 31, 2025) Requirements 3 + 4 + 10 + DTMF masking via Semafone/Eckoh/PCI Pal/Sycurio + FACTA 15 USC 1681c(g) receipt truncation; HIPAA 45 CFR Parts 160 + 164 + HITECH + BAA + Washington My Health My Data Act effective April 2024; California Song-Beverly Credit Card Act Civil Code 1747.08 + Pineda v Williams-Sonoma + state similar + CCPA Section 1798.140(ae) cross-context-behavioral-advertising opt-out + state-comprehensive-privacy patchwork. You keep the call-tracking and POS relationships, the BAA chain, the recording-consent policy, the PCI attestation library, the FACTA truncation register, the Song-Beverly compliance evidence, the CCPA cross-context opt-out records, the WORM audit trail, and the policy-as-code policies. You keep the ability to in-house at any time.

Published September 24, 2026

The real ecosystem this sits above

Call tracking + telephony

Call tracking: CallRail, CallTrackingMetrics, Invoca, DialogTech, Marchex, Convirza, WhatConverts, PhoneWagon, Ringba, Phonexa, CallSource, Retreaver, 800response. Telephony: Twilio, Bandwidth, Plivo, Inteliquent, Telnyx, Vonage, RingCentral, Five9, Genesys, Talkdesk, 8x8, NICE inContact, Cisco Webex Calling. Each ships strong number provisioning + DNI + recording + routing primitives. Per-state recording-consent enforcement above them is operator-side architecture.

POS systems

Square, Toast, Clover, Shopify POS, Lightspeed, Revel, TouchBistro, NCR Aloha, Oracle MICROS. Each ships strong transaction + receipt + inventory + payment primitives. FACTA receipt truncation enforcement + Song-Beverly per-jurisdiction restriction enforcement above them is operator-side architecture.

Conversation intelligence

Gong, Chorus.ai, CallMiner, Verint, Observe.AI, Level AI, Cresta, Salesloft. Each ships strong sentiment + topic + intent + agent-coaching primitives. BAA chain enforcement when healthcare-vertical PHI is in scope above them is operator-side architecture.

CDP + identity resolution + attribution

CDP: Segment, mParticle, Rudderstack, Tealium, Hightouch, Census, ActionIQ. Identity: LiveRamp, ID5, Acxiom, Throtle, InfoSum. Attribution: Northbeam, Hyros, AppsFlyer, Adjust, Branch, Kochava, Singular. Each ships strong join + identity + attribution primitives. CCPA cross-context-behavioral-advertising opt-out propagation across the call-POS-attribution join above them is operator-side architecture.

Tokenization + DTMF masking + policy-as-code + WORM

Tokenization: Skyflow, Very Good Security, Basis Theory, TokenEx, Truework. DTMF masking: Semafone, Eckoh, PCI Pal, Sycurio, Compliance Point. Policy-as-code: OPA Rego, AWS Cedar, Casbin, Cerbos, Oso. WORM: AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel. Each ships strong primitives. The 5-anchor compliance gate that maps state recording-consent + TCPA/10DLC + PCI DSS/FACTA + HIPAA + Song-Beverly/CCPA cross-context onto an operator-counsel-approved policy bundle is operator-side architecture.

Frequently asked

What does multi-vendor call-tracking + POS-receipt offline-attribution pairing actually deliver, and how does the 4-skill bundle decompose?

An orchestration layer that sits above the operator call-tracking + POS + conversation-intelligence + CDP + identity-resolution + attribution + payment-tokenization + DTMF-masking + policy-as-code + WORM-storage stack and joins inbound-call signals with in-store POS transactions to produce per-location offline-attribution evidence. The skill is a four-skill bundle on the walk-in-phone-attribution agent. Skill 1 — Ingest: pull call records from the operator-chosen call-tracking vendors (CallRail, CallTrackingMetrics, Invoca, DialogTech, Marchex, Convirza, WhatConverts, PhoneWagon, Ringba, Phonexa, CallSource, Retreaver, 800response — operator chooses) and from telephony platforms (Twilio, Bandwidth, Plivo, Inteliquent, Telnyx, Vonage, RingCentral, Five9, Genesys, Talkdesk, 8x8, NICE inContact, Cisco Webex Calling — operator chooses) via per-vendor API, webhook, or SFTP fallback. Pull POS transactions from the operator-chosen POS systems (Square, Toast, Clover, Shopify POS, Lightspeed, Revel, TouchBistro, NCR Aloha, Oracle MICROS — operator chooses). Pull conversation-intelligence transcripts when an operator runs Gong + Chorus.ai + CallMiner + Verint + Observe.AI + Level AI + Cresta + Salesloft. Skill 2 — Canonicalize: normalize per-vendor schemas to an operator-counsel-approved canonical call record (per-call timestamp, duration, caller-ID with appropriate privacy redaction, dialed-number, DNI swap-pool assignment if dynamic-number-insertion is used, destination-routing, IVR-tree-path, queue-wait, answered-status, recording-URL when recording lawful, transcription when transcription lawful, sentiment + topic + intent when conversation intelligence available, disposition, agent-ID, session-ID, geocoordinate when lawfully captured) and a canonical POS receipt record (per-transaction timestamp, location-ID, transaction-ID, FACTA-truncated payment token, line items, tender type, register-ID, employee-ID, loyalty-ID when present). 
Canonicalize never copies raw PAN or CVV2 — payment data tokenizes through the operator tokenization vendor (Skyflow, Very Good Security, Basis Theory, TokenEx, Truework — operator chooses) at ingest. Skill 3 — Match: pair calls to transactions through a probabilistic match cascade. Layer 1 — exact match on operator-controlled identifiers (loyalty-ID, customer-account-ID, scheduled-appointment-ID linking a pre-booked call to an in-store visit, phone number when consented). Layer 2 — time-window match (a call within an operator-counsel-set lookback window prior to a transaction at the same location). Layer 3 — operator-counsel-approved soft identifiers (mobile device fingerprint, WiFi probe, BLE beacon, geocoordinate when operator has consented capture). Each match emits a confidence score and rule-citation evidence trail. Matches below the operator-counsel-set human-review threshold route to an operator review queue. Skill 4 — Emit: write canonical paired records to the operator CDP (Segment, mParticle, Rudderstack, Tealium, Hightouch, Census, ActionIQ — operator chooses), the operator identity-resolution vendor (LiveRamp, ID5, Acxiom, Throtle, InfoSum — operator chooses), the operator attribution platform (Northbeam, Hyros, AppsFlyer, Adjust, Branch, Kochava, Singular — operator chooses), and the operator data warehouse. Each emission honors the operator-counsel-approved per-jurisdiction CCPA cross-context-behavioral-advertising opt-out + GDPR Article 6 lawful basis + Article 9 special-category restriction + state-comprehensive-privacy patchwork. The call-tracking, POS, conversation-intelligence, CDP, identity-resolution, attribution, tokenization, DTMF-masking vendors below ship strong primitives. 
The orchestration above them — recording-consent enforcement before each Ingest, PCI scope reduction via DTMF masking, FACTA receipt truncation enforcement, HIPAA BAA enforcement when PHI is in scope, cross-jurisdiction recording-consent and cross-context-behavioral-advertising opt-out, audit trail — is operator-side architecture.
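A sketch of the Skill 3 Match cascade and the Skill 4 opt-out check described above. This is an added example, not Completions or operator code. The lookback window, confidence values, review threshold, field names, destination names, and the choice to withhold opted-out pairs from the attribution platform are all assumptions made for illustration; Layer 3 soft identifiers are left out.

```python
from datetime import datetime, timedelta

# CONSTRUCTED values: the page leaves the window and thresholds to operator counsel.
LOOKBACK = timedelta(hours=48)
REVIEW_THRESHOLD = 0.60
L1_CONFIDENCE = 0.95       # exact identifier match
L2_BASE_CONFIDENCE = 0.70  # time-window match, divided by number of candidates


def _evidence(call, txn, rule_id, confidence, candidates):
    """Paired record with the rule citation that produced it."""
    return {
        "call_id": call["call_id"],
        "transaction_id": txn["transaction_id"],
        "rule_id": rule_id,
        "confidence": confidence,
        "candidates_in_window": candidates,
        # Opt-out on either side of the join follows the paired record.
        "cross_context_opt_out": bool(call.get("cross_context_opt_out")
                                      or txn.get("cross_context_opt_out")),
    }


def match_call(call, transactions):
    """Layer 1 exact loyalty-ID match, then Layer 2 same-location time window."""
    loyalty = call.get("loyalty_id")
    if loyalty:
        for txn in transactions:
            if txn.get("loyalty_id") == loyalty:
                return _evidence(call, txn, "L1-exact-loyalty-id", L1_CONFIDENCE, 1)

    call_ts = datetime.fromisoformat(call["timestamp"])
    window = []
    for txn in transactions:
        delta = datetime.fromisoformat(txn["timestamp"]) - call_ts
        if txn["location_id"] == call["location_id"] and timedelta(0) <= delta <= LOOKBACK:
            window.append(txn)
    if not window:
        return None
    # Several transactions in the window make the pairing ambiguous, so the
    # score drops with the candidate count (assumed scoring rule).
    first = min(window, key=lambda t: t["timestamp"])
    score = round(L2_BASE_CONFIDENCE / len(window), 2)
    return _evidence(call, first, "L2-time-window", score, len(window))


def route(match):
    """Decide where a match goes: review queue, or the allowed emit destinations."""
    if match is None:
        return {"queue": "unmatched", "destinations": []}
    if match["confidence"] < REVIEW_THRESHOLD:
        return {"queue": "human_review", "destinations": []}
    destinations = ["warehouse"]
    if not match["cross_context_opt_out"]:
        destinations.append("attribution")  # advertising use only without opt-out
    return {"queue": "emit", "destinations": destinations}
```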

Where does single-vendor call tracking stop compounding for multi-location operators wanting offline-attribution evidence?

Single-vendor call tracking is solved. CallRail ships strong number provisioning + DNI + recording + analytics. Invoca ships strong AI-powered conversation analytics. CallTrackingMetrics ships strong attribution tracking. Marchex + Convirza + WhatConverts each ship strong primitives. Square, Toast, Clover ship strong POS. Gong + Chorus.ai ship strong conversation intelligence. The compound case the walk-in-phone-attribution agent has to handle is the one where a 50-1,500 location multi-unit operator runs:

(a) different call-tracking vendors at different banners or stages (one banner on CallRail, another on Invoca, a third on Twilio direct because of legacy contact-center integration),

(b) different POS systems at different banners (Square at acquired Banner A, Toast at Banner B, Clover at Banner C, NCR Aloha at the QSR portfolio),

(c) calls that span jurisdictions with different recording-consent regimes (Pennsylvania 18 Pa.C.S. 5704 + Illinois 720 ILCS 5/14 + California Penal Code 632 + Washington RCW 9.73 + Maryland + Massachusetts + Connecticut + Florida + Montana + Nevada + New Hampshire — 11 all-party-consent states plus state Wiretap Acts that vary further on whether the announcement satisfies consent),

(d) some banners in healthcare-adjacent verticals where the call may touch PHI (dental, medical, chiropractic, physical therapy, optometry, behavioral health, veterinary), bringing HIPAA + HITECH + state health-data laws (Washington My Health My Data Act effective April 2024 + state patchwork) into scope,

(e) payments taken on the call (subscription confirmations, deposit-on-booking), bringing PCI DSS 4.0 into scope with severe consequences for recording CVV2 (PCI DSS Requirement 3.2.2 prohibits CVV2 storage post-authorization) or recording PAN without compensating controls,

(f) POS receipts that under California Song-Beverly Credit Card Act Civil Code 1747.08 cannot include certain personal information collected during card transactions (Pineda v Williams-Sonoma 2011 confirmed ZIP is PII under Song-Beverly), while FACTA 15 USC 1681c(g) caps PAN display on receipts to the last 5 digits and prohibits showing the expiration date,

(g) cross-context-behavioral-advertising opt-out under CCPA Section 1798.140(ae) and the state-comprehensive-privacy patchwork, which applies when call data joins to POS data joins to ad-attribution because the join produces a profile used for advertising.

Without an orchestration layer above the call-tracking + POS + conversation-intelligence + CDP + identity-resolution + attribution vendors, recording-consent regimes get applied inconsistently across vendors (some vendors play a beep, some play a full disclosure, some require operator configuration that drifts), PCI scope balloons across vendors (any vendor that touches payment data becomes a PCI-scope assessment), HIPAA BAA coverage breaks (when call-tracking and conversation-intelligence vendors handle PHI without BAA), cross-context-behavioral-advertising opt-out enforcement splinters, and the audit trail of "what call, recorded under which jurisdictional consent regime, joined to which POS transaction with what FACTA truncation, emitted to which attribution platform with what CCPA opt-out status" fragments across consoles. The orchestration above the vendors is what holds the cross-vendor + cross-jurisdiction + cross-vertical invariants.

How does Skill 1 Ingest enforce per-state recording-consent before pulling call recordings?

The Ingest skill checks per-call jurisdictional reach before reading or persisting any recording.

Step 1 — establish jurisdiction. The orchestration determines (a) the inbound caller jurisdiction by area code and lookup (recognizing that area code is a weak signal — number portability and VoIP make geolocation noisy, so the operator-counsel-approved policy may treat any call originating from or terminating in an all-party-consent state as triggering all-party-consent obligations), and (b) the destination operator location.

Step 2 — apply per-state two-party/all-party consent law. 11 all-party-consent states require all parties to consent to recording: California (Penal Code 632 + 632.5 + 632.6), Connecticut (Conn Gen Stat 52-570d), Delaware (Title 11 1335 + 11 2402), Florida (Statute 934.03), Illinois (720 ILCS 5/14-2 — Illinois eavesdropping statute requires consent of all parties for in-person communications + Illinois Telephone Solicitation Act + 720 ILCS 5/14 after 2014 amendments), Maryland (Md Code Cts Jud Proc 10-402), Massachusetts (M.G.L. ch 272 99), Montana (45-8-213), Nevada (NRS 200.620), New Hampshire (NH RSA 570-A:2), Pennsylvania (18 Pa.C.S. 5704), Washington (RCW 9.73 — Washington Privacy Act). Federal Wiretap Act (18 USC 2511) sets a federal one-party-consent baseline that states can exceed. Some states (Connecticut, Hawaii) have different rules for in-person vs telephonic.

Step 3 — verify disclosure mechanism. Per-state law varies on whether a recorded beep tone alone satisfies consent (Federal one-party regime accepts implied consent through continued conversation after disclosure; some all-party states require explicit verbal consent, others accept the beep + recorded notice). Per-vendor configuration must implement the operator-counsel-approved disclosure mechanism for each jurisdictional bracket — the orchestration verifies the per-vendor configuration matches the operator-counsel-approved per-state policy before Ingest reads recordings.

Step 4 — refuse to ingest non-compliant recordings. When a per-vendor configuration does not match operator-counsel-approved policy for the call jurisdiction (the operator forgot to enable consent disclosure in CallRail for the Pennsylvania number pool, for example), Ingest refuses to read the recording and emits an exception to the operator queue. The exception preserves the call metadata (timestamp, duration, caller-ID) without the recording so the operator can investigate.

Step 5 — write the per-call jurisdictional-consent attestation to the WORM audit trail with rule_id + policy_version + per-state statute citation + vendor-config-version evidence. Operator counsel maintains the per-state policy + per-vendor configuration mapping; the orchestration enforces it.

Step 6 — broader call retention: state Wiretap Acts include recording-retention obligations that vary; some operator-counsel policies destroy recordings after the operator-counsel-set retention period; the WORM audit trail of the consent attestation and metadata persists past recording destruction so the operator can demonstrate compliance years later in discovery.
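Steps 1 to 5 above as a fail-closed gate, shown as an added example rather than Completions or vendor code. The disclosure labels, the policy contents, the pool names, and the config versions are constructed; which mechanism a state requires is operator counsel's decision, and treating an unknown caller state as the strictest rule in the policy is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Disclosure mechanisms, weakest to strongest (labels constructed for this example).
DISCLOSURE_RANK = {"none": 0, "beep": 1, "recorded_notice": 2, "verbal_consent": 3}

# CONSTRUCTED sample policy. The real state -> mechanism mapping is maintained by
# operator counsel; these values show the shape of the data, not legal conclusions.
POLICY = {
    "policy_version": "sample-2026-09",
    "default": {"rule_id": "REC-FED", "statute": "18 USC 2511", "min_disclosure": "beep"},
    "states": {
        "CA": {"rule_id": "REC-CA", "statute": "California Penal Code 632",
               "min_disclosure": "recorded_notice"},
        "PA": {"rule_id": "REC-PA", "statute": "18 Pa.C.S. 5704",
               "min_disclosure": "verbal_consent"},
        "WA": {"rule_id": "REC-WA", "statute": "RCW 9.73",
               "min_disclosure": "recorded_notice"},
    },
}

# CONSTRUCTED per-vendor, per-number-pool disclosure configuration snapshot.
VENDOR_CONFIGS = {
    ("callrail", "pa-pool"): {"disclosure": "beep", "config_version": "cfg-17"},
    ("invoca", "tx-pool"): {"disclosure": "recorded_notice", "config_version": "cfg-4"},
}


@dataclass
class Call:
    call_id: str
    vendor: str
    number_pool: str
    caller_state: Optional[str]  # None when area-code lookup is inconclusive
    location_state: str
    timestamp: str
    duration_s: int
    caller_id: str
    recording_url: str


def strictest_rule(call, policy):
    """Steps 1-2: either endpoint in a listed state pulls in that state's rule."""
    candidates = [policy["default"]]
    for state in (call.caller_state, call.location_state):
        if state is None:
            candidates.extend(policy["states"].values())  # unknown origin: assume strictest
        elif state in policy["states"]:
            candidates.append(policy["states"][state])
    return max(candidates, key=lambda r: DISCLOSURE_RANK[r["min_disclosure"]])


def gate_ingest(call, policy, vendor_configs, audit_log):
    """Steps 3-5: compare vendor config to policy, refuse on mismatch, attest."""
    rule = strictest_rule(call, policy)
    cfg = vendor_configs.get((call.vendor, call.number_pool))
    configured = cfg["disclosure"] if cfg else "none"  # missing config fails closed
    allowed = (DISCLOSURE_RANK.get(configured, 0)
               >= DISCLOSURE_RANK[rule["min_disclosure"]])
    audit_log.append({  # stand-in for the WORM audit trail write
        "call_id": call.call_id,
        "rule_id": rule["rule_id"],
        "policy_version": policy["policy_version"],
        "statute": rule["statute"],
        "vendor_config_version": cfg["config_version"] if cfg else None,
        "decision": "ingest" if allowed else "refuse",
    })
    if allowed:
        return {"ingest": True, "recording_url": call.recording_url, "exception": None}
    # Exception keeps metadata only; the recording reference is never copied.
    exception = {"call_id": call.call_id, "timestamp": call.timestamp,
                 "duration_s": call.duration_s, "caller_id": call.caller_id,
                 "reason": f"{configured} < {rule['min_disclosure']} ({rule['rule_id']})"}
    return {"ingest": False, "recording_url": None, "exception": exception}
```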

How does Skill 2 Canonicalize handle PCI scope when calls take payment information and POS receipts under FACTA?

Canonicalize never copies raw PAN, CVV2, full magnetic stripe, or PIN. The orchestration enforces PCI scope reduction through three mechanisms. Mechanism 1 — DTMF masking on inbound calls. When the call requires the caller to enter payment information by phone, the orchestration routes the call through an operator-chosen DTMF-masking vendor (Semafone, Eckoh, PCI Pal, Sycurio, Compliance Point — operator chooses) that intercepts DTMF tones before they reach the call recording or the call-center agent. The agent sees the payment processed but never hears or records the PAN. PCI DSS 4.0 Requirement 3.2.2 prohibits CVV2 storage post-authorization; the orchestration verifies the DTMF-masking vendor configuration ensures CVV2 never persists in any recording, transcript, or downstream system. Mechanism 2 — payment tokenization at ingest. When call-tracking, conversation-intelligence, or POS systems would otherwise propagate payment data, the orchestration routes payment data through the operator tokenization vendor (Skyflow, Very Good Security, Basis Theory, TokenEx, Truework — operator chooses) at the ingest boundary. Downstream Canonicalize records carry only opaque tokens that the tokenization vendor can map back to PAN under operator-controlled detokenization policy. Mechanism 3 — POS receipt FACTA truncation enforcement. FACTA 15 USC 1681c(g) caps electronically printed receipts at last 5 digits of PAN and prohibits expiration date display; the orchestration verifies POS configuration at each operator location enforces FACTA truncation. When a POS vendor configuration drifts (a vendor update changes default receipt format), the orchestration surfaces the drift to the operator. 
Mechanism 4 — California Song-Beverly Credit Card Act (Civil Code 1747.08) prohibits requesting or recording personal-identification-information (name, address, telephone number) during card transactions in California; Pineda v Williams-Sonoma (2011) established that ZIP code is PII under Song-Beverly. Massachusetts (Chapter 93 Section 105) and a handful of other states have similar laws. The orchestration enforces the Song-Beverly + state-equivalent restrictions at POS configuration time. The audit trail records per-transaction PCI compliance attestation + per-receipt FACTA truncation attestation + per-call DTMF-masking attestation + per-jurisdiction Song-Beverly compliance attestation with policy-version evidence. Failed compliance attestations refuse to emit downstream; exceptions route to the operator queue for investigation.
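A pre-emit guard for the Canonicalize rules above: it scans a canonical record for raw PANs that slipped past tokenization and checks printed receipt text against the FACTA limits the page states (at most the last 5 PAN digits, no expiration date). It is an added example, not Completions or vendor code; the record layout, field names, and finding labels are assumptions, and the card number is the widely used 4111... test value.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card-number-shaped token on a receipt: digits and mask characters.
CARD_TOKEN = re.compile(r"(?<![\w*#])[\dXx*#](?:[ -]?[\dXx*#]){11,18}(?![\w*#])")
EXPIRY = re.compile(r"\bexp\w*\.?(?:\s+date)?\s*:?\s*(?:0[1-9]|1[0-2])\s*/\s*\d{2,4}",
                    re.IGNORECASE)
MASK_CHARS = set("Xx*#")


def luhn_valid(digits):
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iter_strings(obj, path=""):
    """Yield (field_path, text) for every scalar in a nested record."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_strings(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, (list, tuple)):
        for i, value in enumerate(obj):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(obj, (str, int)):
        yield path, str(obj)


def find_raw_pans(record):
    """Report field path and last 4 digits only; the PAN itself is never echoed.
    Long numeric IDs can pass Luhn by chance, so findings go to review."""
    findings = []
    for path, text in iter_strings(record):
        for m in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                findings.append({"field": path, "last4": digits[-4:]})
    return findings


def facta_violations(receipt_text):
    """Check printed receipt text against the truncation rule described above."""
    out = []
    if EXPIRY.search(receipt_text):
        out.append("expiration_date_printed")
    for m in CARD_TOKEN.finditer(receipt_text):
        token = m.group()
        digits = re.sub(r"\D", "", token)
        masked = any(c in MASK_CHARS for c in token)
        if masked and len(digits) > 5:
            out.append("more_than_5_pan_digits")
        elif not masked and luhn_valid(digits):
            out.append("full_pan_printed")
    return out


def canonicalize_guard(record):
    """Refuse to emit when any check fails; findings feed the operator queue."""
    findings = [{"check": "raw_pan", **f} for f in find_raw_pans(record)]
    receipt_text = record.get("receipt", {}).get("printed_text", "")
    findings += [{"check": "facta", "violation": v}
                 for v in facta_violations(receipt_text)]
    return {"emit": not findings, "findings": findings}


# CONSTRUCTED sample records.
SAMPLE_CLEAN = {
    "call": {"call_id": "c-1001", "transcript": "I'd like to confirm my booking."},
    "receipt": {"payment_token": "tok_sample_01",
                "printed_text": "VISA ************1111\nTOTAL 42.10\nTXN A-1001"},
}
SAMPLE_LEAKY = {
    "call": {"call_id": "c-1002",
             "transcript": "my card is 4111 1111 1111 1111 thanks"},
    "receipt": {"payment_token": "tok_sample_02",
                "printed_text": "VISA ************1111\nTOTAL 18.00"},
}
```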

What compliance does the orchestration enforce, and how does it map to state recording-consent + TCPA/10DLC + PCI DSS/FACTA + HIPAA + Song-Beverly/CCPA cross-context?

Five anchors. Anchor 1 — State two-party-consent recording laws + Federal Wiretap Act. 11 all-party-consent states (California Penal Code 632 + 632.5 + 632.6, Connecticut Conn Gen Stat 52-570d, Delaware Title 11 1335 + 11 2402, Florida Statute 934.03, Illinois 720 ILCS 5/14-2, Maryland Md Code Cts Jud Proc 10-402, Massachusetts M.G.L. ch 272 99, Montana 45-8-213, Nevada NRS 200.620, New Hampshire NH RSA 570-A:2, Pennsylvania 18 Pa.C.S. 5704, Washington RCW 9.73 Privacy Act — counts vary by source and case law interpretation) and federal Wiretap Act (18 USC 2511) set the recording-consent floor. Per-state Wiretap Acts add state-specific enforcement + state-specific exemptions. Per-state Telephone Consumer Protection Acts (Florida Telephone Solicitation Act 2021 + Oklahoma + Washington CEMA + Maryland) overlay on TCPA-style consent for solicitation. Anchor 2 — TCPA (47 USC 227) + 47 CFR 64.1200 + 10DLC + The Campaign Registry + STIR/SHAKEN attestation + FCC Reassigned Numbers Database + ROBOCALL Mitigation Database + Federal DNC + per-state DNC when call-tracking integrations trigger outbound callback (a missed call that triggers an SMS, a follow-up call, a callback queue). Anchor 3 — PCI DSS 4.0 (in effect since March 2024 for early adopters, mandatory from March 31, 2025) Requirements 3 (PAN protection + CVV2 prohibition post-authorization), 4 (transmission encryption), 9 (physical access to cardholder data), 10 (audit logs of access to cardholder data), 12 (information security policy). DTMF masking via Semafone, Eckoh, PCI Pal, Sycurio, Compliance Point reduces PCI scope by preventing payment data from entering the recording or agent system. Payment tokenization via Skyflow, Very Good Security, Basis Theory, TokenEx, Truework moves payment data out of downstream systems. FACTA 15 USC 1681c(g) receipt truncation (last 5 digits PAN + no expiration date) on POS receipts. 
Anchor 4 — HIPAA (45 CFR Parts 160 and 164) when operator is a HIPAA-covered entity or business associate and the call touches PHI. Common in healthcare-vertical service brands (dental, medical, chiropractic, physical therapy, optometry, behavioral health, veterinary in some states). HITECH Act adds breach-notification + business-associate-liability extensions. HIPAA requires Business Associate Agreement (BAA) with call-tracking vendor + conversation-intelligence vendor + any vendor that touches PHI on recordings or transcripts. 45 CFR 164.312 technical safeguards (access control, audit controls, integrity, person-or-entity authentication, transmission security). Washington My Health My Data Act (effective April 2024) broadens health-data protection to non-HIPAA-covered operators handling consumer health information with state-AG enforcement + private right of action. State health-information patchwork. Anchor 5 — POS receipt + transaction data privacy + cross-context-behavioral-advertising. California Song-Beverly Credit Card Act (Civil Code 1747.08) prohibiting collection of personal-identification-information during credit card transactions in California; Pineda v Williams-Sonoma (Cal. 2011) ruling ZIP is PII under Song-Beverly. Massachusetts Chapter 93 Section 105 + similar state-by-state. CCPA Section 1798.140(ae) cross-context-behavioral-advertising opt-out + Section 1798.121 sensitive PI opt-out triggered when joining call-data + POS-data + ad-attribution because the joined record is used for behavioral advertising. State-comprehensive-privacy patchwork: Texas DPSA + Virginia CDPA + Connecticut CTDPA + Colorado CPA + Utah CPA + Oregon + Tennessee + Montana + Indiana + Iowa + Florida + Delaware + Maryland Online Data Privacy Act + Washington MHMDA with state-specific opt-out and notice requirements. 
GDPR Articles 6 (lawful basis), 9 (special-category data when health-information call), 13/14 (information at collection), 30 (records of processing) when EU residents are recorded. Broader gate also enforced: GLBA Safeguards Rule + FCRA + ADA Title III + WCAG 2.2 AA for call-center accessibility + per-vertical regulator rules (FDA OPDP for pharma call recording, DEA for controlled substance prescriber calls, state licensing-board for licensed-professional call recording, FINRA when financial-services-adjacent) via policy-as-code (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso). WORM audit trail (AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel) with per-statute retention (state Wiretap variable + TCPA 4yr + PCI DSS 1yr minimum audit + FACTA 5yr + HIPAA 6yr + Washington MHMDA 6yr + CCPA 3yr + GDPR 6yr + state-AG variable + FTC 7yr) per operator counsel policy.

What does the engagement look like across Tier 1 → Tier 2 → Tier 3, and what does the Tier 3 reporting cycle commit to?

Tier 1 AI Readiness Assessment (2-3 weeks, diagnostic): audits the operator current call-tracking + POS posture against the 4-skill bundle + 5-anchor compliance overlay + per-vendor consent-disclosure configuration state; deliverable is a gap-pack report identifying which call-tracking vendors run with non-compliant consent disclosure for which jurisdictional reach, which call recordings touch payment data without DTMF masking, which POS receipts violate FACTA truncation or Song-Beverly, which healthcare-vertical banners lack BAA with call-tracking and conversation-intelligence vendors, which call-POS joins propagate without CCPA cross-context-behavioral-advertising opt-out, which canonicalization paths leak raw PAN or CVV2 into downstream systems, and a recommended remediation sequence for Tier 2. Tier 2 AI Swarm Setup Sprint (4-8 weeks): builds the 4-skill bundle on the walk-in-phone-attribution agent, wires call-tracking + POS + conversation-intelligence + CDP + identity-resolution + attribution vendors (operator-chosen subset), wires DTMF masking + payment tokenization, configures per-state recording-consent disclosure across vendors, configures FACTA receipt truncation enforcement, configures HIPAA BAA chain for healthcare-vertical banners, configures CCPA cross-context-behavioral-advertising opt-out propagation, wires policy-as-code + WORM-storage, runs 30-day shadow + canary period before flipping to enforce-mode. Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded): continues operating with daily Ingest + Canonicalize + Match + Emit + weekly per-vendor consent-disclosure-configuration audit + monthly PCI scope review + monthly HIPAA BAA chain review + quarterly per-state recording-consent statute review (case law evolves) + quarterly compliance evidence packages. 
Tier 3 reporting is a 6-workstream pre-engagement-baseline reporting cycle (per-location call ingestion-completeness + per-location POS ingestion-completeness + per-call recording-consent compliance trend + per-call PCI compliance trend + per-call-POS match-confidence trend + WORM audit-trail completeness) measured against the operator’s pre-engagement baseline. Each workstream surfaces trend direction and the gap to operator-defined targets. Reporting carries explicit caveats: call-tracking + POS + conversation-intelligence + CDP + identity-resolution + attribution + tokenization + DTMF-masking vendor SLA + per-state recording-consent case-law evolution + Federal Wiretap Act interpretive guidance + TCPA + state mini-TCPA amendments + PCI DSS 4.0 implementing guidance + FACTA amendments + HIPAA OCR enforcement + Washington MHMDA implementing guidance + state-comprehensive-privacy implementing rules + CCPA cross-context-behavioral-advertising regulations + Song-Beverly case-law evolution + per-vertical regulator (FDA OPDP + DEA + FINRA + state licensing-board) amendments sit outside Completions control. Attorney-client privilege preservation across operator-counsel-approved per-state recording-consent policy + per-vendor consent-disclosure-configuration register + BAA chain + Song-Beverly compliance evidence + CCPA cross-context-behavioral-advertising opt-out records + PCI compliance attestation library + FACTA truncation attestation library + HIPAA technical safeguards records is maintained per operator counsel policy.

Who owns the call-tracking and POS relationships, the BAA chain, the recording-consent policy, the PCI attestation library, and the audit trail?

Operator owns every artifact. The call-tracking subscriptions (CallRail, CallTrackingMetrics, Invoca, DialogTech, Marchex, Convirza, WhatConverts, PhoneWagon, Ringba, Phonexa, CallSource, Retreaver, 800response — operator chooses) run under operator billing on operator-controlled accounts. The telephony subscriptions (Twilio, Bandwidth, Plivo, Inteliquent, Telnyx, Vonage, RingCentral, Five9, Genesys, Talkdesk, 8x8, NICE inContact, Cisco Webex Calling — operator chooses) run under operator billing. The POS subscriptions (Square, Toast, Clover, Shopify POS, Lightspeed, Revel, TouchBistro, NCR Aloha, Oracle MICROS — operator chooses) run under operator billing. The conversation-intelligence subscriptions (Gong, Chorus.ai, CallMiner, Verint, Observe.AI, Level AI, Cresta, Salesloft — operator chooses) run under operator billing. The CDP + identity-resolution + attribution subscriptions (Segment, mParticle, Rudderstack, Tealium, Hightouch, Census, ActionIQ; LiveRamp, ID5, Acxiom, Throtle, InfoSum; Northbeam, Hyros, AppsFlyer, Adjust, Branch, Kochava, Singular — operator chooses) run under operator billing. The tokenization vendor (Skyflow, Very Good Security, Basis Theory, TokenEx, Truework — operator chooses) runs under operator account. The DTMF-masking vendor (Semafone, Eckoh, PCI Pal, Sycurio, Compliance Point — operator chooses) runs under operator account. The operator-counsel-approved per-state recording-consent policy + per-vendor consent-disclosure-configuration register + Business Associate Agreement chain for healthcare-vertical banners + Song-Beverly + state-equivalent compliance register + CCPA cross-context-behavioral-advertising opt-out records + PCI compliance attestation library + FACTA truncation attestation library + HIPAA technical safeguards records all live in operator counsel repo. The Ingest + Canonicalize + Match + Emit skill code lives in operator code repo. 
The operator-counsel-approved per-jurisdiction match thresholds for Skill 3 Match live in operator code repo. The WORM audit trail lives on operator-controlled cloud storage (AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel) with per-statute retention enforcement. The policy-as-code policies (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso) live in operator code repo, counsel-aligned. The state Wiretap + TCPA + PCI DSS + FACTA + HIPAA + Washington MHMDA + Song-Beverly + CCPA + GDPR + state-comprehensive-privacy + per-vertical regulator compliance evidence records are operator-counsel-maintained. Completions owns the orchestration knowledge — how to design the per-state recording-consent policy against the operator vendor mix, how to wire DTMF masking and payment tokenization to reduce PCI scope, how to wire BAA chain for healthcare-vertical banners, how to enforce Song-Beverly + state-equivalent at POS configuration time, how to propagate CCPA cross-context-behavioral-advertising opt-out across call-POS-attribution joins, how to design the Match cascade for per-location reality (drive-up vs walk-in vs scheduled appointment vs delivery), how to coordinate with sibling lost-call-recovery + auto-text-SMS-followup + master-record-sync skills — and that knowledge transfers under the Tier 3 transition path (30-60 days at engagement end with full hand-off of the recording-consent policy maintenance playbook, the per-vendor consent-disclosure-configuration register maintenance runbook, the BAA chain maintenance runbook, the Song-Beverly compliance playbook, the CCPA cross-context opt-out propagation playbook, the PCI scope reduction playbook, the FACTA enforcement playbook, the Match cascade tuning playbook, and the compliance evidence-package generation playbook). Completions credentials revoke on engagement-end.

Engage Completions

Start with the AI Readiness Assessment (Tier 1, 2-3 weeks): audit of operator current call-tracking + POS posture against the 4-skill bundle + 5-anchor compliance overlay + per-vendor consent-disclosure-configuration state. Hand off to Tier 2 AI Swarm Setup Sprint (4-8 weeks): build the 4-skill bundle on the walk-in-phone-attribution agent, wire call-tracking + POS + conversation-intelligence + CDP + identity-resolution + attribution + tokenization + DTMF-masking + policy-as-code + WORM-storage, configure per-state recording-consent + FACTA + HIPAA BAA chain + Song-Beverly + CCPA cross-context opt-out, run 30-day shadow + canary before flipping to enforce-mode. Continue under Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded).