Twilio takes its responsibility to safeguard the personal data our customers entrust us to process seriously, regardless of where that personal data originates, or the location of the facilities where we process it. To that end, Twilio has adopted organizational, technical, and contractual safeguards.
As an organization, we have adopted Binding Corporate Rules (BCRs) as our “code of conduct” for our processing of personal data worldwide, and obtained approval of them from EU data protection authorities for use as a safeguard for cross-border transfers in May 2018.
An explicit component of our BCRs, set out in Appendix 10, is our Government Request Policy, which guides how Twilio will respond to requests from law enforcement and government entities. In line with that policy, Twilio has documented our guidelines for requests from law enforcement and government entities. Before sharing personal data with law enforcement or government agencies, we check that the request is valid, limited, specific, particularized, and made under enforceable legal process. In accordance with our Privacy Statement, Twilio will notify our customer when we respond to a request for their information unless we are explicitly prohibited from doing so by law. Further, Twilio has been publishing semi-annual Transparency Reports documenting the requests we have received for our customers' data since 2015. This includes certain National Security Letters we have sought and obtained permission to publish.
We manage information security based on the ISO 27001 framework and, among other certifications, have received an ISO 27018 certification as well as SOC II Type II certifications for our SendGrid, Authy, and Programmable Voice products. We encrypt data both in transit and at rest — we support TLS 1.2 to encrypt network traffic between customer applications and Twilio, and Twilio Customer Data is encrypted at rest utilizing industry standard encryption algorithms. Our backups are encrypted in transit and at rest using strong encryption (volume level, AES - 256) and stored redundantly across multiple availability zones and regions in AWS US. For more information about security measures Twilio takes to protect your data, as well as security features and best practices, see our Security site. In addition, Twilio offers certain product features which customers can adopt to further enhance protection of personal data processed by Twilio. These include Message Redaction and Voice Recording Encryption.
Finally, we provide a Data Protection Addendum, which incorporates our BCRs and the EU Standard Contractual Clauses, as well as a contractual security agreement, to all of our customers as part of our standard agreement with them. Furthermore, we contractually require all vendors that process personal data on our behalf to abide by rigorous privacy and security standards.