Compliance

Last updated: March 2026

1. Compliance Overview

Momo Pulse is a cloud communications platform that processes voice calls, SMS, WhatsApp messages, and AI-assisted interactions on behalf of our customers (Tenants). Given the nature of this data and the industries we serve, we maintain rigorous compliance standards to protect customer data, meet regulatory obligations, and build lasting trust with the organizations that rely on us.

This page outlines the regulatory frameworks, security practices, and operational controls that govern how Momo Pulse handles data, infrastructure, and customer communications. Our compliance posture is not a point-in-time achievement — it is an ongoing discipline embedded into our engineering practices, organizational processes, and product design decisions.

2. Regulatory Framework

Momo Pulse operates in compliance with the following regulatory and legal frameworks:

Tanzania Communications Regulatory Authority (TCRA)

As a provider of communications services operating within Tanzania, Momo Pulse adheres to the regulations and guidelines established by the Tanzania Communications Regulatory Authority (TCRA). This includes compliance with:

  • Electronic and Postal Communications Act (EPOCA): Governs the licensing, operation, and regulation of electronic communications in Tanzania. We comply with all provisions related to content transmission, network operations, and communications data handling.
  • TCRA Consumer Protection Regulations: We follow mandated practices for fair treatment of end users, transparent billing, and accessible dispute resolution mechanisms.
  • Numbering & Addressing Regulations: Our handling of phone numbers, sender IDs, and short codes complies with TCRA's numbering plan and allocation policies.
  • Quality of Service Regulations: We monitor and report on service quality metrics in accordance with TCRA benchmarks for voice, messaging, and data services.

Personal Data Protection Act (PDPA) — Tanzania

The PDPA establishes the legal framework for the protection of personal data in Tanzania. Momo Pulse complies with its provisions, including:

  • Lawful and transparent data processing with clear purpose limitation.
  • Collection of only the minimum personal data necessary for the specified purpose (data minimization).
  • Secure storage and processing with defined retention periods.
  • Providing data subjects with access, correction, and deletion rights.
  • Notification to the relevant authority and affected individuals in the event of a personal data breach.

International Data Protection Standards

While Momo Pulse is headquartered in Tanzania, we recognize that our customers may operate across borders. We align our practices with internationally recognized data protection principles, including:

  • General Data Protection Regulation (GDPR): For customers or end users located in the European Economic Area, we apply GDPR-aligned safeguards including data processing agreements, lawful basis documentation, and cross-border transfer protections.
  • African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention): We support the principles of this convention as part of our commitment to pan-African data governance standards.

Anti-Money Laundering (AML) & Financial Compliance

Our wallet-based billing system and mobile money payment integrations are designed to comply with:

  • Anti-Money Laundering Act of Tanzania: We implement transaction monitoring, customer verification, and suspicious activity reporting where applicable.
  • Bank of Tanzania (BOT) Mobile Money Regulations: Our integration with mobile money providers (M-Pesa, Tigo Pesa, Airtel Money, HaloPesa, T-Pesa, Ezypesa) follows BOT guidelines for electronic payment processing.
  • Payment Card Industry Data Security Standard (PCI DSS): Credit and debit card payment processing is handled entirely by PCI DSS-compliant payment gateway partners. Momo Pulse never stores full card numbers, CVVs, or magnetic stripe data.

3. Data Protection & Privacy

Protecting the personal data of our customers and their end users is fundamental to our platform. Our data protection practices are described in detail in our Privacy Policy. Key principles include:

Data Processing Roles

  • Data Controller: For account registration data, billing information, and website visitor data, Momo Pulse acts as the data controller — we determine the purpose and means of processing.
  • Data Processor: For communications data (call records, messages, recordings) processed on behalf of Tenants, Momo Pulse acts as a data processor — we process data only according to the Tenant's instructions and our service agreement.

Data Processing Agreements

Enterprise and regulated-industry customers may request a formal Data Processing Agreement (DPA) that documents the terms under which Momo Pulse processes personal data on their behalf. DPAs cover:

  • Categories of data subjects and personal data processed.
  • Purpose and duration of processing.
  • Technical and organizational security measures.
  • Sub-processor management and notification requirements.
  • Data breach notification obligations and timelines.
  • Data return and deletion upon contract termination.

Data Subject Rights

We support and facilitate the following data subject rights in accordance with applicable law:

  • Right of Access: Individuals can request a copy of the personal data we hold about them.
  • Right to Rectification: Individuals can request correction of inaccurate or incomplete data.
  • Right to Erasure: Individuals can request deletion of their personal data, subject to legal retention obligations.
  • Right to Restrict Processing: Individuals can request that we limit how we process their data in certain circumstances.
  • Right to Data Portability: Where technically feasible, individuals can request their data in a structured, machine-readable format.
  • Right to Object: Individuals can object to data processing based on legitimate interests or direct marketing.

Requests can be submitted via our Data Deletion Request form or by emailing legal@momopulse.com.

4. Communications Compliance

As a platform that facilitates voice calls, SMS campaigns, and WhatsApp messaging, we take communications compliance seriously:

SMS & Messaging Compliance

  • Sender ID Registration: All sender IDs used through our platform must be properly registered and approved through applicable regulatory channels before use.
  • Opt-Out & Blacklist Management: Our SMS platform includes built-in blacklist controls, allowing recipients to opt out of future messages. Tenants are responsible for maintaining lawful consent for their messaging campaigns.
  • Content Restrictions: We enforce content policies that prohibit spam, phishing, fraudulent, or illegal content from being transmitted through our platform. Violations may result in immediate account suspension.
  • Campaign Governance: SMS campaigns include pause, resume, and cancel controls, enabling Tenants to respond quickly if compliance issues are identified during a send.

Voice & Call Compliance

  • Call Recording Disclosure: Where call recording is enabled, Tenants are responsible for providing appropriate disclosure and obtaining consent from call participants in accordance with local laws. Momo Pulse provides the recording infrastructure; compliance with recording consent laws is the Tenant's obligation.
  • Call Data Retention: Call detail records (CDRs) and recordings are retained according to configurable retention policies. Tenants can configure retention periods appropriate to their regulatory requirements.
  • Number Management: Phone number procurement, assignment, and porting follow TCRA guidelines and carrier policies.

WhatsApp Cloud API Compliance

  • Meta Business Verification: Tenants using the WhatsApp Cloud API integration must complete Meta's business verification process and comply with WhatsApp's Commerce Policy and Business Messaging Policy.
  • Template Message Approval: Marketing and utility template messages are subject to Meta's approval process before they can be sent. Momo Pulse surfaces template status within the platform.
  • Webhook Signature Verification: All inbound WhatsApp webhooks are verified using cryptographic signature validation to prevent spoofing and unauthorized data injection.
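As an added illustration of the check described in the last bullet (example code, not Momo Pulse's own implementation): Meta signs each Cloud API webhook delivery with HMAC-SHA256 over the raw request body using the app secret and sends it as sha256=<hex> in the X-Hub-Signature-256 header. The app secret and webhook body below are constructed placeholders; the example also shows why the check must run over the raw bytes rather than a re-serialized JSON object.

```python
import hashlib
import hmac
import json
import string
from typing import Dict, Optional

# Placeholder secret for this example only; a real app secret comes from the Meta app settings.
APP_SECRET = b"example-app-secret-placeholder"

# Constructed sample body, as the raw bytes a webhook POST would carry.
SAMPLE_BODY = b'{"object":"whatsapp_business_account","entry":[]}'


def compute_signature(app_secret: bytes, raw_body: bytes) -> str:
    """Return the header value Meta would send: 'sha256=' + hex(HMAC-SHA256(app_secret, raw body))."""
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(app_secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Return True only if the X-Hub-Signature-256 header matches the raw body.

    A missing, malformed or mismatching header is rejected so that a spoofed
    or tampered payload never reaches the message-processing code.
    """
    if not signature_header:
        return False
    scheme, sep, received_hex = signature_header.partition("=")
    if sep != "=" or scheme.lower() != "sha256":
        return False
    received_hex = received_hex.strip().lower()
    # A SHA-256 hex digest is exactly 64 hex characters; reject anything else before comparing.
    if len(received_hex) != 64 or any(c not in string.hexdigits for c in received_hex):
        return False
    expected_hex = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected_hex, received_hex)


def demo() -> Dict[str, bool]:
    """Run the verifier against the constructed sample and a few failure modes."""
    good_sig = compute_signature(APP_SECRET, SAMPLE_BODY)
    # Re-serializing parsed JSON changes whitespace, so the bytes no longer match the signature.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    return {
        "valid_raw_body": verify_webhook(APP_SECRET, SAMPLE_BODY, good_sig),
        "tampered_body": verify_webhook(APP_SECRET, SAMPLE_BODY + b" ", good_sig),
        "missing_header": verify_webhook(APP_SECRET, SAMPLE_BODY, None),
        "wrong_scheme": verify_webhook(APP_SECRET, SAMPLE_BODY, "sha1=" + good_sig[7:]),
        "wrong_secret": verify_webhook(b"some-other-secret", SAMPLE_BODY, good_sig),
        "reserialized_json": verify_webhook(APP_SECRET, reserialized, good_sig),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted; the re-serialized JSON case shows why a framework that parses the body before the verifier sees it must still hand the verifier the original bytes.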

5. Infrastructure & Security

Our platform infrastructure is designed with security at every layer:

Hosting & Network Security

  • Cloud Infrastructure: Momo Pulse is hosted on enterprise-grade cloud infrastructure with built-in physical security, environmental controls, and redundancy.
  • Network Segmentation: Our production, staging, and development environments are isolated using separate network segments and access controls. Database servers are not publicly accessible.
  • DDoS Protection: We employ distributed denial-of-service mitigation at the network edge to protect against volumetric and application-layer attacks.
  • Web Application Firewall (WAF): All HTTP traffic passes through a WAF that filters and blocks malicious requests, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 attack vectors.
  • TLS Encryption: All data in transit between clients and our servers is encrypted using TLS 1.2 or higher. We enforce HSTS headers to prevent protocol downgrade attacks.

Application Security

  • Secure Development Lifecycle: Our engineering team follows secure coding practices, including code reviews, static analysis, and dependency vulnerability scanning as part of our CI/CD pipeline.
  • Dependency Management: We monitor third-party dependencies for known vulnerabilities and apply patches promptly. Critical vulnerabilities are addressed within 24 hours of disclosure.
  • Input Validation: All user inputs are validated and sanitized on both client and server sides. Database queries use parameterized statements to prevent injection attacks.
  • CSRF Protection: All state-changing requests require a valid CSRF token to prevent cross-site request forgery attacks.
  • Rate Limiting: API endpoints and authentication flows are protected by rate limiting to prevent brute-force attacks and abuse.

6. Access Control & Authentication

  • Role-Based Access Control (RBAC): Access to platform features and data is governed by role-based permissions. Tenants can assign different roles to their team members, controlling who can view, modify, or administer specific resources.
  • Multi-Tenant Isolation: Each Tenant's data is logically isolated at the database level. API requests, dashboard views, and webhook payloads are scoped to the authenticated Tenant. Cross-tenant data access is architecturally prevented.
  • Password Security: Passwords are hashed using industry-standard algorithms (bcrypt) with unique salts. We enforce minimum password complexity requirements and support password reset workflows.
  • Session Management: User sessions have configurable timeouts. Sessions are invalidated on password change and can be revoked by administrators. Concurrent session limits may be enforced.
  • Internal Access Controls: Employee access to production systems follows the principle of least privilege. Access is reviewed regularly and revoked upon role change or departure. Administrative actions on production data are logged.

7. Data Handling & Encryption

Encryption at Rest

All data stored in our databases and file storage systems is encrypted at rest using AES-256 encryption. This includes:

  • Tenant account and configuration data.
  • Call detail records and messaging metadata.
  • Call recordings and media files.
  • Wallet transaction records and billing data.
  • AI agent configurations and tool definitions.
  • IVR flow definitions and voice assets.

Encryption in Transit

All data transmitted between Momo Pulse and its users, third-party services, and internal systems is encrypted using TLS 1.2 or higher. This includes:

  • Browser-to-server communication (dashboard, API calls).
  • Server-to-server communication between microservices.
  • Webhook payloads sent to and received from external services.
  • Payment gateway communication.
  • Real-time call signaling and media (SRTP for voice).

Data Retention & Deletion

  • Communications data is retained according to Tenant-configurable retention policies and applicable regulatory minimums.
  • Deleted data is removed from active systems promptly and from backups within the backup rotation cycle (typically 30 days).
  • Tenants can request full data export and deletion upon account termination in accordance with our Privacy Policy.

8. Audit Logging & Monitoring

We maintain comprehensive audit trails and monitoring systems to ensure accountability and support incident investigation:

  • Activity Logging: All significant user and system actions are recorded, including login events, configuration changes, API calls, and administrative actions. Logs include timestamps, user identity, IP address, and action details.
  • Immutable Audit Trails: Critical audit logs are stored in append-only systems and cannot be modified or deleted by platform operators. These logs are retained for a minimum of 12 months.
  • Real-Time Monitoring: Our infrastructure is monitored 24/7 for availability, performance anomalies, and security events. Automated alerts are triggered for threshold breaches and suspicious activity patterns.
  • Webhook & Delivery Logs: All inbound and outbound webhook events are logged with payloads, timestamps, response codes, and retry history. These logs are available to Tenants through the platform dashboard.
  • Security Information & Event Management (SIEM): Security-relevant events from application logs, network devices, and infrastructure components are aggregated and correlated for threat detection and incident response.

9. Incident Response

Momo Pulse maintains a formal incident response plan that defines procedures for detecting, containing, investigating, and recovering from security incidents:

Incident Classification

Severity | Description | Initial Response
Critical (P1) | Confirmed data breach, platform-wide outage, or active exploitation | Within 30 minutes
High (P2) | Partial service degradation, suspected unauthorized access, or data integrity concern | Within 1 hour
Medium (P3) | Isolated system errors, minor service impact, or policy violation | Within 4 hours
Low (P4) | Informational findings, potential vulnerabilities, or minor anomalies | Within 24 hours

Breach Notification

In the event of a personal data breach, Momo Pulse will:

  • Notify the relevant data protection authority within 72 hours of becoming aware of the breach, as required by applicable law.
  • Notify affected Tenants without undue delay, providing details of the breach, data involved, containment measures taken, and recommended actions.
  • Document the incident thoroughly, including root cause analysis and preventive measures implemented.

10. Vendor & Third-Party Management

We carefully evaluate and monitor all third-party vendors and service providers that process data on our behalf:

  • Due Diligence: Before engaging a new vendor, we assess their security posture, compliance certifications, data handling practices, and incident response capabilities.
  • Contractual Safeguards: All data-processing vendors are bound by contractual obligations that include confidentiality clauses, data protection requirements, breach notification obligations, and audit rights.
  • Ongoing Monitoring: We conduct periodic reviews of vendor compliance and security practices. Vendors that fail to meet our standards are placed on remediation plans or replaced.
  • Sub-Processor Transparency: We maintain a list of sub-processors and notify Tenants of material changes to our sub-processor list in advance, giving them the opportunity to raise objections.

Key Infrastructure Partners

Our platform relies on vetted infrastructure and service partners including cloud hosting providers, telephony carriers, SMS gateways, payment processors, and AI model providers. Each partner is selected based on their compliance posture, operational reliability, and alignment with our security requirements.

11. Business Continuity & Disaster Recovery

  • Redundant Infrastructure: Our platform is deployed across redundant infrastructure with automatic failover to minimize single points of failure.
  • Database Backups: Automated database backups are performed daily with point-in-time recovery capability. Backups are encrypted and stored in geographically separated locations.
  • Recovery Time Objective (RTO): Our target RTO for critical services is 4 hours. Non-critical services have an RTO of 24 hours.
  • Recovery Point Objective (RPO): Our target RPO is 1 hour, meaning no more than 1 hour of data loss in a worst-case disaster scenario.
  • Disaster Recovery Testing: We conduct regular disaster recovery drills to validate our recovery procedures, measure actual recovery times, and identify areas for improvement.
  • Change Management: All changes to production systems follow a formal change management process with peer review, staging validation, and rollback procedures.

12. Employee Security Practices

  • Security Training: All employees complete security awareness training upon hiring and receive regular refresher training. Engineering staff receive additional training on secure coding practices and threat modeling.
  • Background Checks: Employees with access to customer data or production systems undergo appropriate background verification.
  • Confidentiality Agreements: All employees and contractors sign confidentiality and non-disclosure agreements that cover customer data and proprietary information.
  • Device Security: Employee devices accessing company systems must meet minimum security requirements including disk encryption, screen lock, and current operating system patches.
  • Offboarding: When an employee departs, all system access is revoked within 24 hours. Physical assets are collected, and access credentials are rotated where applicable.

13. Continuous Compliance

Compliance is not a one-time event. We maintain and improve our compliance posture through:

  • Regular Internal Audits: We perform periodic internal audits of our security controls, access policies, and data handling procedures.
  • Vulnerability Management: Regular vulnerability scans and penetration tests are conducted to identify and remediate security weaknesses. Critical findings are remediated within defined SLAs.
  • Policy Review Cycle: All compliance and security policies are reviewed at least annually and updated to reflect changes in regulations, technology, and business operations.
  • Regulatory Monitoring: We actively monitor regulatory developments in Tanzania and internationally to ensure our practices remain current with evolving legal requirements.
  • Stakeholder Feedback: We welcome feedback from customers, regulators, and security researchers to help us improve our compliance and security practices.

14. Contact Us

For compliance-related inquiries, data processing agreement requests, audit information, or to report a security concern, please contact us:

Need a Data Processing Agreement or compliance documentation?

Enterprise and regulated-industry customers can request formal compliance documentation, including Data Processing Agreements, security questionnaire responses, and audit reports.
