Twilio takes its responsibility to safeguard the personal data our customers entrust us to process seriously, regardless of where that personal data originates or the location of the facilities where we process it. This is why we adopted Binding Corporate Rules (“BCRs”) as our “code of conduct” for our processing of personal data worldwide, and obtained approval of them from EU data protection authorities for use as a safeguard for cross-border transfers in May 2018.
An explicit component of our BCRs, set out in Appendix 10, is our Government Request Policy, which guides how Twilio will respond to requests from law enforcement and government entities. In line with that Policy, Twilio has documented our guidelines for requests from law enforcement and government entities. Before sharing personal data with law enforcement or government agencies, we check that the request is valid, limited, specific, particularized, and made under enforceable legal process. In accordance with our Privacy Statement, Twilio will notify our customer when we respond to a request for their information unless we are explicitly prohibited from doing so by law. Further, Twilio has been publishing semi-annual Transparency Reports documenting the requests we have received for our customers' data since 2015. This includes certain National Security Letters we have sought and obtained permission to publish.
We also manage information security based on the ISO 27001 framework and, among other certifications, have received an ISO 27018 certification as well as SOC II Type II certifications for our SendGrid, Authy, and Programmable Voice products. We encrypt data both in transit and at rest — we support TLS 1.2 to encrypt network traffic between customer applications and Twilio, and Twilio Customer Data is encrypted at rest utilizing industry standard encryption algorithms. Our backups are encrypted in transit and at rest using strong encryption (volume level, AES - 256) and stored redundantly across multiple availability zones and regions in AWS US. For more information about security measures Twilio takes to protect your data, as well as security features and best practices, see our Security site. If you are a SendGrid customer, you can sign into your SendGrid account and review our InfoSec portal which provides 25 downloadable information security related documents such as our GDPR FAQ, SOC 2 Type II, and our 2018 Security Assessment Report. We also provide a contractual security agreement that is tied to both our Binding Corporate Rules and our Standard Contractual Clauses.