ORIFONEAI

Security and Compliance Practices

Last Updated: May 2026

This page describes the current security and compliance practices of MSA Mercantile LLC, doing business as OrifoneAI ("OrifoneAI," "we," "us," or "our"), a company registered in Virginia, United States.

MSA Mercantile LLC d/b/a OrifoneAI does not claim SOC 2, HIPAA, HITECH, or FERPA certification at this time.

Data encryption

Encrypted at rest using AES-256-GCM
Encrypted in transit using TLS 1.2 or higher
No call data is stored or transmitted in unencrypted form.

Data retention

Call recordings are stored for 90 days and then permanently deleted.
Call transcripts are stored for 365 days and then permanently deleted.
Users can request deletion by contacting support@orifone.ai.

Access controls

Role-based access controls (RBAC)
Multi-factor authentication (TOTP) available for platform administrator accounts
Organization-scoped data ensuring tenant isolation between accounts
Audit logging for key platform actions
Regular internal access reviews

TCPA compliance controls

Consent-gated outbound interactions
Built-in Do Not Call (DNC) list enforcement
Consent audit trails maintained per campaign
Calling window enforcement (8:00 AM - 9:00 PM local time)
AI disclosure requirements enforced at the platform level

Customers remain solely responsible for obtaining valid prior express written consent and complying with all applicable telemarketing laws.

Contact

MSA Mercantile LLC (d/b/a OrifoneAI) 8327 Ridge Crossing Lane Springfield, Virginia 22152 United States

Email: support@orifone.ai

TCPA compliance controls

Consent-gated outbound interactions

Built-in Do Not Call (DNC) list enforcement

Consent audit trails maintained per campaign

Calling window enforcement (8:00 AM - 9:00 PM local time)

AI disclosure requirements enforced at the platform level

Customers remain solely responsible for obtaining valid prior express written consent and complying with all applicable telemarketing laws.