FAQs

General Privacy and Security

How is data secured in transit?

All external data transfers use TLS 1.2 to secure the data in transit.

Is First Orion ISO Compliant?

First Orion is ISO 27001:2013 certified.

What Enterprise data is collected for INFORM? How is it used?

INFORM collects and uses ONLY the data required by First Orion to authenticate the Enterprise, including the phone number(s) of the Enterprise, or call originator, and the 32-Character display that will be delivered during a phone call. The originating number is used at the time of the call as a match key within the INFORM platform. The 32-character display is then delivered via the network to the user’s device.

How do INFORM calls comply with Telco regulations?

An Enterprise using INFORM is responsible for legal compliance with all applicable laws and regulations for the calls they make. An Enterprise must already have a relationship with the consumers they intend to call.

INFORM may not be used for prospecting, lead generation, or other telemarketing activities.

INFORM Branded Text Display

What specifically does my Enterprise get with INFORM?

The INFORM solution includes:

  • Dynamic, custom 32-character Display Name
  • Customized name remains in the device's Call Log after the call
  • Ease of set up and management through First Orion's Customer portal and (optionally) APIs
  • The ability to set Time to Live (TTL)
  • A:B Call Pairing (coming soon)
How will content be vetted for INFORM calls?

First Orion’s INFORM programmatically reviews all content at the time of upload. The First Orion Account Support Team subsequently reviews content to be displayed for the initial INFORM programs for an Enterprise, followed by random sample reviews of content thereafter.

First Orion also has restrictions that all Enterprises making INFORM calls contractually agree to follow regarding their display content. These include prohibitions on the display of certain types of unacceptable content, such as:

  • Targeting children under the age of 18
  • Adult, pornographic, sexually explicit, or obscene references
  • References to medical conditions
  • Gambling, weapons, or violence
  • Discriminatory, hateful, offensive, defamatory, or profane language
  • False, misleading, or deceptive claims
  • and more...

First Orion reserves the right to terminate an INFORM contract.

How does First Orion ensure INFORM calls cannot be spoofed?

By only offering INFORM calls to an authenticated Enterprise, First Orion deters illegal spoofers and scammers. First Orion conducts ongoing monitoring of the following to guarantee an authenticated Enterprise remains legitimate and honors the terms of their INFORM agreement:

  • Periodic and ongoing reverification of the Enterprise’s authentication, both random and for cause
  • Monitoring of Calling Numbers through First Orion’s Scam and Nuisance Likely labeling
  • Review and possible termination of an Enterprise’s INFORM contract upon non-compliance with contract terms and conditions
How is INFORM delivered?

The INFORM Display Name replaces the phone number shown on an incoming call with a dynamic, custom enterprise displayed. For example,

  • Instead of a standard phone number display: +1(555)123-4567
  • INFORM displays a 32 character title, such as an Enterprise's name: Good Bank
What is required from an Enterprise to get INFORM working?

When utilizing our Portal:

  • Add/Assign aNumbers
  • Create program and version
  • Define 32-character Display Name
  • Assign aNumber(s) to program version
  • Test and Approve program(s)

When utilizing our APIs:

  • Push Caller Name to First Orion's Transparency Hub
  • Telemetry transmitted back to CDN

May require Enterprise IT involvement.

ENGAGE Branded Caller Display

What specifically does my Enterprise get with ENGAGE?

The ENGAGE solution includes:

  • Enhanced Caller Information (branded imagery)
  • Customized content for end-users
  • Custom text
  • Protection services for Enterprise and Consumers like TTL and A:B Call Pairing
How will displayed content be vetted for ENGAGE enabled calls?

First Orion’s ENGAGE programmatically reviews all content at the time of upload. The First Orion Account Support Team subsequently reviews content to be displayed for the initial ENGAGE-enabled programs for an Enterprise, followed by random sample reviews of content thereafter.

First Orion also has restrictions that all Enterprises making ENGAGE-enabled calls contractually agree to follow regarding their display content. These include prohibitions on the display of certain types of unacceptable content, such as:

  • Targeting children under the age of 18
  • Adult, pornographic, sexually explicit, or obscene references
  • References to medical conditions
  • Gambling, weapons, or violence
  • Discriminatory, hateful, offensive, defamatory, or profane language
  • False, misleading, or deceptive claims
  • and more...

First Orion reserves the right to terminate an ENGAGE contract.

How does First Orion ensure ENGAGE calls cannot be spoofed?

By only offering ENGAGE-enabled calls to an authenticated Enterprise, First Orion excludes illegal spoofers and scammers.

First Orion conducts the following ongoing activities to guarantee an authenticated Enterprise remains legitimate and honors the terms of their ENGAGE agreement.

  • Periodic and ongoing reverification of the Enterprise’s authentication, both random and for cause
  • Investigation into complaints from users in the ENGAGE community regarding ENGAGE-enabled content
  • Review and possible termination of an Enterprise’s ENGAGE contract upon non-compliance with contract terms and conditions
  • Limiting the amount of time that the content will remain on the phone prior to the Enterprise executing an ENGAGE program will drastically reduce the likelihood that a call could be spoofed
What is the difference between a user's ENGAGE experience on iOS versus Android?

If the app is not open on an iOS device, the end user will receive a Pre-Notification alert of the upcoming call and a Post-Notification alert that the calling window is closed. When the app is not in the foreground iOS needs Push notifications for ENGAGE-enabled calls.

Android does not require any Push notifications.

Which users can receive ENGAGE content?

First Orion has a continually expanding network of ENGAGE users who have authorized their phones to receive branded, rich-media displays when they receive an ENGAGE-enabled call. This is accomplished by installing an ENGAGE SDK that enables the ENGAGE functionality on the user’s phone.

The user must also enable certain user permissions on their phone to permit the ENGAGE display to work. These permissions differ slightly based on the phone’s operating system. The primary required permission is Access to Contacts. ENGAGE requires access to the user’s Contacts in order to store the ENGAGE message content so it can be accessed when the call is received. No information from the user’s Contacts ever leaves their device.

What versions of Android and iOS are required?

iOS

  • 10.x or higher

Android

  • 4.4 or higher
How does First Orion ensure ENGAGE calls cannot be spoofed?

By only offering ENGAGE-enabled calls to an authenticated Enterprise, First Orion excludes illegal spoofers and scammers.

First Orion conducts the following ongoing activities to guarantee an authenticated Enterprise remains legitimate and honors the terms of their ENGAGE agreement.

  • Periodic and ongoing reverification of the Enterprise’s authentication, both random and for cause
  • Investigation into complaints from users in the ENGAGE community regarding ENGAGE-enabled content
  • Review and possible termination of an Enterprise’s ENGAGE contract upon non-compliance with contract terms and conditions
  • Limiting the amount of time that the content will remain on the phone prior to the Enterprise executing an ENGAGE program will drastically reduce the likelihood that a call could be spoofed
What is the difference between a user's ENGAGE experience on iOS versus Android?

If the app is not open on an iOS device, the end user will receive a Pre-Notification alert of the upcoming call and a Post-Notification alert that the calling window is closed. When the app is not in the foreground iOS needs Push notifications for ENGAGE-enabled calls.

Android does not require any Push notifications.

Which users can receive ENGAGE content?

First Orion has a continually expanding network of ENGAGE users who have authorized their phones to receive branded, rich-media displays when they receive an ENGAGE-enabled call. This is accomplished by installing an ENGAGE SDK that enables the ENGAGE functionality on the user’s phone.

The user must also enable certain user permissions on their phone to permit the ENGAGE display to work. These permissions differ slightly based on the phone’s operating system. The primary required permission is Access to Contacts. ENGAGE requires access to the user’s Contacts in order to store the ENGAGE message content so it can be accessed when the call is received. No information from the user’s Contacts ever leaves their device.

Can users opt out of receiving ENGAGE enabled calls?

Yes! End users can opt out of receiving ENGAGE-enabled calls by:

  • Disabling the ENGAGE feature in an Enterprise's app
  • Deleting the host app(s) utilizing First Orion's ENGAGE SDK.
What is the file size of the ENGAGE SDK?

iOS

  • Less than 2MB, even less if the host app has bitcode enabled

Android

  • Less than 200KB
How does the ENGAGE SDK interact with an Enterprise's app?

The ENGAGE SDK uses very little battery life as it is only active when it receives a push message from the First Orion system or when it is invoked from the host application. It only collects the minimal data needed to deliver the ENGAGE content.

The SDK will not in any way slow any other functions on the device, and does not change the existing user experience within the host's app beyond the enriched calling display.

The only interactions with the Enterprise app include:

  • Response to an ENGAGE phone call
  • Pushtoken renewal
  • Content push and cleanup
How does ENGAGE interact with the native call?

ENGAGE does not interact directly with the call but inserts a native contact that is displayed during the call.

What if a user has my Enterprise app and another application utilizing the ENGAGE SDK?

ENGAGE employs a first-qualified-app-on-device approach, also known as: First on Gets It (FOGI). The app that first enabled ENGAGE on the device, and can display the content, is the one that will be dominant and display the content. This applies to both iOS and Android.

How is encryption leveraged in the app?

The ENGAGE platform utilizes AWS KMS to secure data at rest and the majority of the configs with sensitive data. It utilizes hashing to protect certain data elements, such as bNumbers. First Orion also uses AWS Secrets to protect database credentials and other configuration data.

How is the source code secured?

The ENGAGE platform utilizes docker containers under AWS ECS for most services. Source code is compiled and placed in a docker image under AWS ECR.

How does First Orion adhere to the latest Privacy and Data Protection Standards?

First Orion never retains any phone numbers of the ENGAGE-enabled users. A phone number is only used during initial verification to ensure the submitted phone number matches the ENGAGE-enabled device. Once the verification is complete, the number is hashed and deleted.

The hashed number is used thereafter for matching and delivery of ENGAGE content. First Orion uses encrypted transmission technology to communicate with all Enterprises and ENGAGE-enabled users.

How do ENGAGE enabled calls comply with Telco regulations?

An Enterprise using ENGAGE is responsible for legal compliance with all applicable laws and regulations for the calls they make. ENGAGE calls are treated as an auto-dialer call with the display contact considered to be a pre-recorded message.

Therefore, ENGAGE calls must comply with all Robocall legal requirements under the local laws of each country. At a minimum, an Enterprise must already have a relationship with the consumers they intend to call.

What Enterprise data is collected to make ENGAGE-enabled calls? How is it used?

ENGAGE collects and uses only the data needed to authenticate the Enterprise, deliver the content to the user’s phone, and maintain a record of content delivery. This includes the Enterprise's:

  • Registration information
  • Phone number(s) used to place calls (aNumbers)
  • Client phone number(s) to be called (bNumbers)
  • Content to display when calling
  • Content delivery information
  • Upon receipt, First Orion hashes and then deletes the phone numbers to be called.

What permissions are required to deliver an ENGAGE-enabled call?

iOS

  • Contacts
  • Notifications, when app is not in foreground

Android

  • Contacts
  • Call Log (not required, but highly recommended)
  • Phone State (not required, but highly recommended)
What device data does ENGAGE collect? How is it used?

First Orion requires a unique identifier for the device, either a phone number or algorithmic hash. That unique identifier is used to verify that the device installed with the ENGAGE SDK is reachable and belongs to the user.

There are two methods in which the verification process may be completed: First Orion SDK sends a verification code via text to the device using two-factor authentication (2FA), or the host app may send a trusted algorithmic hash after the host app has performed its own two-factor authentication.

If the First Orion SDK has performed the two-factor authentication, once completed, the phone number is hashed and discarded. If the host app performs the two-factor authentication, First Orion stores the algorithmic hash received from the host app.

In either case, the hashed number is associated with the Token for the device created by Google or Apple. From that point on, the hashed number is used for all activities and functions in the platform. It is important to note the device phone number is not stored within the Engage platform.