1. The problem we solve
When SMS is treated as a commodity API, the country loses sovereignty, visibility, and speed in the moments that matter: authentication, public safety, and regulatory oversight.
Data leaves the country. If traffic routes through foreign aggregators, citizen identifiers and one-time passcodes can cross borders — clashing with data-residency expectations and exposing banking, health, and government use cases to foreign jurisdictions.
Fragmented control. Without a unified layer, there is no single sender-ID authority, no consistent DND and fraud story, and no clean CDR path for the regulator — while SIM-boxing, grey routes, and OTP harvesting operate with limited detection surface.
Civil emergency gap. Many countries still lack a practical path to cell-broadcast–class alerting at scale when seconds save lives: floods, earthquakes, and public-safety mass notifications.
Regulated senders in the dark. Banks, ministries, and healthcare providers need a compliant, auditable channel — not ad-hoc content and unregistered sender IDs with no CDR for audit.
Ghasi SMS Gateway is designed to be the in-country system of record for policy, traffic, and evidence: every submission passes a fail-closed compliance gate, every route is MNO-aware, and every significant interaction is auditable, retained, and exportable to the authority that the law names.
2. How the platform does it: one message, one pipeline
Every submission is fail-closed: if the compliance path cannot complete an ALLOW verdict, the message is not released to the operator. The platform does not “skip” the gate under load.
AI content classification and a rules pipeline (keyword, rate, volume, DLR health, composite signals) work together. Pre-approved templates for trusted tenants (e.g. banks) can be fingerprint-verified at send time for OTP-class speed without losing the audit story.
3. Compliance architecture: the verdict pipeline
| Verdict | What happens | Who / what decides |
|---|---|---|
| ALLOW | Routes toward carrier (subject to lane, health, and TPS) | AI + rules, aligned |
| FLAG | Routes with audit annotation; soft risk signal for analytics | AI soft signal + policy |
| HOLD | Enters admin review queue (e.g. ≤ 4h SLA target in baseline) | Rules threshold |
| BLOCK | Dropped; caller notified; never reaches MNO | Rules engine — hard block |
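The fail-closed gate and the verdict table above, as an added example (not the platform's own code). The names `gate`, `classify` and `evaluate_rules`, the disposition labels, and the rule that the stricter of the AI and rules verdicts wins are assumptions.

```python
from enum import IntEnum

class Verdict(IntEnum):
    # Ordered by severity so the stricter verdict wins (assumption, not from the page).
    ALLOW = 0
    FLAG = 1
    HOLD = 2
    BLOCK = 3

# Disposition per verdict, following the table; the label strings are hypothetical.
DISPOSITION = {
    Verdict.ALLOW: "ROUTE",
    Verdict.FLAG: "ROUTE_ANNOTATED",
    Verdict.HOLD: "REVIEW_QUEUE",
    Verdict.BLOCK: "DROP_NOTIFY_CALLER",
}

def _checked(result):
    # Anything other than a real Verdict counts as an incomplete evaluation.
    if not isinstance(result, Verdict):
        raise TypeError("engine returned a non-verdict")
    return result

def gate(message, classify, evaluate_rules, audit):
    """Return the disposition; without a completed verdict the message stays queued."""
    try:
        ai = _checked(classify(message))
        rules = _checked(evaluate_rules(message))
    except Exception as exc:
        # Fail closed: engine down, timeout or malformed result never releases traffic.
        audit.append({"id": message["id"], "disposition": "QUEUED",
                      "error": type(exc).__name__})
        return "QUEUED"
    disposition = DISPOSITION[max(ai, rules)]
    audit.append({"id": message["id"], "ai": ai.name, "rules": rules.name,
                  "disposition": disposition})
    return disposition

def engine_down(message):
    # Constructed stand-in for an unavailable classifier.
    raise TimeoutError("classifier unavailable")
```

Every call writes an audit entry, including the queued case, so an engine outage shows up as evidence and not as missing records.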
Trusted-tenant fast path (OTP at scale)
Banks, ministries, and vetted senders can register signed, pre-approved message templates. At send time, content is fingerprint-matched to the template — compliance can run in shadow / logging mode (evidence without blocking the happy path) so OTP keeps ≤ 3s P99 end-to-end including the compliance path, while the audit trail remains complete.
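One way the send-time fingerprint match could work, as an added example and not the platform's implementation. The record layout, the typed `{slot}` syntax, the HMAC standing in for the template signature, and the tenant name are assumptions.

```python
import hashlib, hmac, json, re

REGISTRY_KEY = b"constructed-demo-key"  # assumption: stands in for an HSM-held signing key

def fingerprint(tenant, text, slots):
    """MAC over the canonical template so an altered registry entry is rejected."""
    canonical = json.dumps({"tenant": tenant, "text": text, "slots": slots}, sort_keys=True)
    return hmac.new(REGISTRY_KEY, canonical.encode(), hashlib.sha256).hexdigest()

def compile_template(text, slots):
    """Literal text is escaped; each {slot} becomes its constrained pattern."""
    parts = re.split(r"\{(\w+)\}", text)  # odd indexes are slot names
    pattern = "".join(
        f"(?:{slots[p]})" if i % 2 else re.escape(p) for i, p in enumerate(parts)
    )
    return re.compile(pattern)

def fast_path_ok(tenant, message, record):
    """True only if the record is authentic, owned by the tenant, and the content fits."""
    expected = fingerprint(record["tenant"], record["text"], record["slots"])
    if not hmac.compare_digest(expected, record["fingerprint"]):
        return False  # registry entry changed after approval
    if record["tenant"] != tenant:
        return False  # template belongs to another sender
    try:
        matcher = compile_template(record["text"], record["slots"])
    except (KeyError, re.error):
        return False  # undefined slot or bad pattern: no fast path
    return matcher.fullmatch(message) is not None

# Constructed sample template: a six-digit OTP is the only variable part.
TEXT = "Your ExampleBank code is {otp}. Do not share it."
SLOTS = {"otp": r"[0-9]{6}"}
RECORD = {"tenant": "examplebank", "text": TEXT, "slots": SLOTS,
          "fingerprint": fingerprint("examplebank", TEXT, SLOTS)}
```

Constraining each slot to a narrow pattern is what keeps a trusted tenant's fast path from carrying arbitrary text such as a link inside an approved template.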
4. Traffic priority lanes: bulk never drowns OTP or emergency
Every message is assigned a lane from content type and tenant policy. Marketing and broadcast cannot crowd out authentication or public-safety traffic.
| Lane | Use case | Target (design baseline) |
|---|---|---|
| P0 — Emergency | Civil emergency / cell-broadcast–class delivery | ≤ 1 s to MNO broadcast infra |
| P1 — OTP | Authentication, 2FA, high-trust one-shot codes | ≤ 3 s P99 end-to-end (incl. compliance) |
| P2 — Transactional | Bank alerts, delivery updates, service notices | ≤ 10 s P99 (illustrative) |
| P3 — Marketing | Promotional, bulk, campaigns | ≤ 60 s (illustrative) |
| P4 — Broadcast | Authorised national or large-audience broadcasts | ≤ 5 min (illustrative) |
Illustrative SLAs: confirm against your architecture baseline and regulator commitments.
Design targets (NFRs — see architecture baseline for binding numbers)
5. What customers, MNOs, and regulators get
Multi-MNO connectivity
Operator-grade SMPP 3.4 connector pools per MNO, per-bind TPS governors, health-aware routing. A fault on one MNO should not take down the whole country’s traffic.
AI + rules engine
Classification plus a rich rule taxonomy: keyword, regex, geo, rate, volume, DLR-abuse, composites. Fail-closed if the engine is unavailable: messages stay queued, never “leak” around the gate.
National sender-ID & registry
Registration, KYC of registrant, verification, suspension, and regulator export. Once mandated, a durable moat foreign SaaS cannot replicate without in-country policy depth.
Campaigns & two-way
Audiences, template library, schedule, throttles, A/B, kill-switch, and conversation sessions — for marketing, service, and government, all under the same policy spine and lanes.
CDR, TAP/RAP, regulator delivery
Mediation, partitioned immutable storage, signed nightly bundles (e.g. TAP 3.12 / RAP), SFTP or API to regulator. Lawful intercept and complaint flows where law requires — separate mTLS, not a marketing tab.
Cell-broadcast bridge & P0
Bridge compatible with 3GPP/ETSI-style emergency paths; P0 pre-empts other traffic. Procurement-grade for civil defence, NDMA, and public health buyers.
Multi-channel future
Designed path: SMS → MMS → RCS → WhatsApp Business → voice OTP → email with the same policy spine — channel-router maturity over time, one compliance story.
Resilience & security posture
Multi-region active-active (where deployed), zero-trust east-west, HSM-backed keys, idempotency everywhere, immutable append-only audit — aligned to enterprise and regulator expectations.
6. Regulator story: CDRs and evidence (example flow)
Regulators do not get screenshots; they get signed, schedulable, auditable artifacts. A representative pipeline:
- DLR from MNO → delivery confirmed via SMPP.
- CDR event generated (e.g. cdr.generated.v1) and mediated to a canonical schema.
- Partitioned, immutable storage (object store) by time partition.
- Daily / nightly roll-up: TAP 3.12 / RAP (or RAP-style) file, signed with a regulator-approved key.
- Automated delivery to regulator SFTP or API; analytics in columnar store for investigation.
- Corrections as adjustment records — never silent overwrites.
- Compliance audit: 13 months hot, 7 years cold
- CDR: long cold retention (e.g. 7 years WORM-class)
- Evaluation traces, webhooks: shorter windows per policy
A single, trusted export path for sender registry, CDR, and LI interfaces reduces dispute cost and makes national policy executable — not aspirational.
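The evidence flow above (append-only CDRs, a signed nightly bundle, corrections as adjustment records), as an added example and not the platform's code. The record fields, the hash chain, and the HMAC standing in for the regulator-approved signing key are assumptions; TAP/RAP encoding is out of scope here.

```python
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # assumption: stands in for the regulator-approved key
GENESIS = "0" * 64

def _digest(prev, record):
    return hashlib.sha256(prev.encode() + json.dumps(record, sort_keys=True).encode()).hexdigest()

def _mac(day, count, head):
    manifest = json.dumps({"day": day, "count": count, "head": head}, sort_keys=True)
    return hmac.new(SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()

def append(log, record):  # append-only: each entry commits to the previous entry's hash
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": _digest(prev, record)})

def adjust(log, cdr_id, field, value, reason):
    """A correction is a new record that references the original, never an overwrite."""
    append(log, {"type": "adjustment", "ref": cdr_id, "field": field,
                 "value": value, "reason": reason})

def sign_bundle(log, day):
    """Nightly manifest: MAC over the day, the entry count and the chain head."""
    head = log[-1]["hash"] if log else GENESIS
    return {"day": day, "count": len(log), "head": head, "sig": _mac(day, len(log), head)}

def verify_bundle(log, bundle):
    """Recompute chain and MAC from the log; an edited or dropped entry fails."""
    prev = GENESIS
    for entry in log:
        if _digest(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return hmac.compare_digest(_mac(bundle["day"], len(log), prev), bundle["sig"])

def effective_view(log):
    """Fold adjustments over originals for analytics; the log itself is untouched."""
    view = {}
    for r in (e["record"] for e in log):
        if r.get("type") == "adjustment":
            view.setdefault(r["ref"], {})[r["field"]] = r["value"]
        else:
            view[r["id"]] = dict(r)
    return view

def demo_log():  # constructed sample: one delivered CDR and one correction
    log = []
    append(log, {"id": "cdr-1", "tenant": "examplebank", "status": "DELIVRD", "parts": 1})
    adjust(log, "cdr-1", "parts", 2, "constructed: concatenated message miscounted")
    return log
```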
7. Product surfaces: who logs in where
All customer-facing and operator surfaces sit behind a gateway (TLS, auth, rate limits, correlation IDs). Regulator entry is a separate trust boundary.
admin.ghasi.io (NOC) · app.ghasi.io (tenant) · developers.ghasi.io (DX) · regulator.ghasi.io (mTLS only) — adjust to your deployment DNS.
8. How this earns: durable revenue and moat
| Stream | Why it lasts |
|---|---|
| Per-message & tiered API | Scales with national adoption; lane-based pricing matches OTP vs. marketing economics. |
| Registry & compliance services | Once mandated, high retention — foreign aggregators cannot replicate in-country policy depth or LI posture. |
| Premium compliance & trusted-tenant | Banks and government pay for evidence and SLAs, not a generic pipe. |
| Government & emergency | Cell-broadcast bridge, P0, multi-year civil contracts — hard to displace without rebuilding physical and legal stack. |
| Campaign & engagement SaaS | Mailchimp/Braze-class capability on the sovereign backbone — no foreign content processing for the core path. |
Strategic moat (in one line): A non-resident operator cannot offer in one stack sovereign compliance AI, national sender authority, integrated regulator CDR, cell-broadcast–class emergency, and a government-only portal — all from in-country. That is not a “feature gap” for Twilio-style APIs; it is a structural gap.
9. Extensibility: channels, countries, and sensors
Multi-country. The control plane (billing, rules, sender-ID, analytics) is designed to be shared; each new country brings regional Kubernetes, MNO connector pools, and local rule packs — not a forked product line.
Multi-channel. Cascading fallback (SMS → MMS → RCS → WhatsApp Business → voice OTP → email) keeps deliverability under network and handset reality while preserving one policy spine.
Public safety & sensor ingest. Alert sources (seismic, hydrology, AQI, grid, weather, epidemic signals, wildfire) can publish into existing priority-lane subjects; the P0 / CBC path is the delivery rail — new sensors add adapters, not a second messaging core.
10. Architecture principles (why buyers trust the design)
| Principle | What it means for you |
|---|---|
| Fail-closed compliance | No code path routes without an ALLOW verdict. |
| Idempotency everywhere | Safe retries at any stage; no duplicate silent sends. |
| Async-first | Event backbone for scale; sync paths only where latency demands. |
| Sovereign AI path | Content classification does not require foreign LLM by design. |
| Immutable audit & CDR | Append-only, long-retention, regulator-grade evidence. |
National infrastructure — not a messaging widget
See executive-brief-2026-04-25.md in the same docs/reports/ folder for the full stakeholder narrative, NFR tables, and architecture maturity index. This HTML is a print-friendly view for MNO, investor, and regulator conversations.