Skip to main content
Running a phone system means inheriting a stack of legal and regulatory obligations — emergency services, recording disclosure, healthcare privacy, payment data, and runaway billing risk. Hiveku Communications has built-in controls for each, and surfaces them in /dashboard/communications/ under the Compliance tab.

E911 — required by law

The RAY BAUM Act (US) and similar laws elsewhere require that any phone capable of dialing emergency services have a verified physical address so first responders know where to go. Hiveku enforces this at provisioning time.
You must register an E911 address for every DID before activating an extension on it. Hiveku will not provision the line without one. This is non-negotiable — both for legal reasons and for the safety of anyone dialing 911 from your line.
1

Add an address

From the Compliance tab, E911 Addresses > New address. Enter the street address, city, state, postal code.
2

Wait for verification

Hiveku validates the address with the carrier’s MSAG (Master Street Address Guide). Most addresses verify in seconds; ambiguous ones may need manual review.
3

Assign to a DID

On the Numbers tab, set the E911 address for each DID. Multiple DIDs can share the same address.
4

Update on physical move

If you move office or a remote employee changes location, update the E911 address. The address tells first responders where to go.
For mobile softphones used by remote employees, the registered E911 address is wherever they typically work. If they travel, dialing 911 from the softphone routes to their registered address — they should use a real cell phone for emergencies while traveling.

Call recording

Recording is configurable per DID, per ring group, per queue, and per extension. Decide what to record and when, and keep tight control over who can listen.
Default is off. Turn on globally, per direction (inbound only / outbound only / both), or per route.

Recording retention

Set how long recordings are kept before automatic deletion.
RetentionUse case
0 daysDon’t record (or delete immediately) — for HIPAA-strict workflows
7-30 daysQuality assurance review window only
90 daysDefault for most businesses
1-7 yearsRegulated industries with retention obligations
Custom per routeDifferent policies for different DIDs
Some industries (healthcare, financial services) have minimum retention requirements; others (HIPAA-covered entities) have maximum restrictions on how long recorded health discussions can persist. Consult counsel for your specific obligations — Hiveku gives you the tools, but the policy is yours.

HIPAA controls

For healthcare-covered entities, Hiveku offers:
  • Encrypted-at-rest recordings — Standard for all accounts
  • Restricted access — Per-user permissions on listening and downloading recordings
  • Audit log — Every listen, download, and config change is logged
  • Custom retention — Down to 0 days, with hard delete after the retention window
  • Business Associate Agreement (BAA) — Available on Business plans and above; required for HIPAA workflows
Contact sales to enable BAA terms on your account.

PCI-DSS

If your agents take credit card numbers over the phone, you must avoid storing the card data in recordings. Use pause and resume: 
Agent: "Let me pause the recording so I can take your card. Pausing now."
[Caller reads the card. Agent enters into payment system.]
Agent: "Resuming. Thanks for your patience."
The pause-resume keypresses or button clicks are logged so you can prove compliance. Or, route card-capture to an automated DTMF entry that the agent can’t hear — see your payment processor’s docs for “agent-assisted DTMF” patterns.

Toll-fraud guard

Toll fraud is what happens when an attacker gets credentials to your phone system and uses it to dial expensive premium numbers — a single incident can cost five figures. Hiveku’s toll-fraud guard protects you with:

Daily spend cap

Configurable per account. When hit, outbound calls are blocked until you raise the cap or wait until the next day.

Concurrent call cap

Maximum simultaneous outbound calls. Defaults to 2x your normal peak. Anomaly trips suspension.

Country whitelist

By default, outbound is allowed to your account’s primary country only. Add more as needed. Premium-rate numbers always require explicit allowlisting.

Anomaly detection

Velocity, destination, and time-of-day patterns. Outliers trigger a soft-suspend — your team gets an alert and can quickly approve or block.

Audit log

Every change to compliance-sensitive settings is logged with user, timestamp, before/after values, and IP address.
EventLogged
Recording listened toUser, recording ID, timestamp
Recording downloadedUser, recording ID, timestamp
Recording deletedUser, recording ID, reason, timestamp
Retention policy changedUser, old policy, new policy
E911 address updatedUser, DID, old address, new address
Toll-fraud cap changedUser, old cap, new cap
User permission changedGranter, grantee, scope
Logs are exportable as CSV for SOC 2 and similar audits.

Opt-out for SMS

By law (TCPA in the US), SMS recipients must be able to opt out at any time. Hiveku enforces this automatically:
  • Inbound STOP, UNSUBSCRIBE, QUIT, CANCEL, END, or OPTOUT (case-insensitive) triggers an opt-out
  • All future SMS to that recipient from any of your numbers is blocked
  • The recipient can text START or UNSTOP to re-opt-in
  • Confirmation messages on opt-out and opt-in are sent automatically
You don’t need to implement this — it’s at the platform level.

Caller ID and STIR/SHAKEN

To reduce spoofing and “Spam Likely” labeling:
  • Hiveku enforces caller ID rewrite — extensions can only outbound from numbers actually owned by your account
  • STIR/SHAKEN attestation is signed automatically for all US outbound
  • For high-volume outbound, register your business with the FCC’s Robocall Mitigation Database (free) for full attestation

Troubleshooting

The address may not be in the carrier’s MSAG database, especially for new constructions or rural addresses. Submit a manual verification request from the address detail page; Hiveku ops will work with the carrier.
Check that recording is enabled on the route the call took (DID → ring group → extension — recording flag at any layer can disable). Storage quota is also worth checking on legacy plans.
Open the alert in the dashboard, review the flagged calls. If legitimate, raise the cap and unsuspend. If fraudulent, change extension passwords immediately and review recent SIP registrations in the audit log.

Next steps

Buy a number

Includes E911 verification step.

Communications overview

Full feature index.