Transfer Impact Assessment — Twilio’s Onward Data Transfers

Twilio safeguards the personal data our customers entrust us to process when we must transfer that data to a third country — whether for the purposes of support, security, or sub-processing.

Twilio transfers Customer Content (as defined in Twilio’s Privacy Statement and Data Protection Addendum) outside the United States or the European Union as necessary to provide Twilio products and services to you. For example, we have offices around the world, and in some of those offices, our employees may need to access personal data. In a few circumstances, we may have vendors outside the United States, or our vendors may be in the United States but have operations in other countries.

The transfer impact assessments below identify and describe the risks associated with data transfers of Customer Content to third countries, as well as any supplementary measures we have taken — or have required our vendors to take — to safeguard Customer Content. Please see our Data Protection Addendum for any details, such as the nature of the processing or the retention period of the data, that are not specific to onward transfer. In all cases, the categories of data subjects are Twilio customers and their end users. Please see our list of Sub-processors to see where we transfer data to our vendors outside the United States.

Table of Contents

Frequently asked questions

Q: What is a transfer impact assessment?

A: Twilio’s Data Protection Addendum now incorporates the 2021 versions of the Standard Contractual Clauses (SCCs). In response to the heightened requirements created by the Schrems II decision, these new SCCs require a data importer (such as Twilio) to provide specific information about data transfers it undertakes, and requires importers to conduct a transfer impact assessment to evaluate risks involved with the transfer of personal data to countries outside the EEA. The SCCs also require a data importer to take into account any supplemental technical and organizational security measures and additional assessments may be required to mitigate risks before transferring any personal data across borders.

Q: Is Twilio taking supplementary measures in order to protect personal data?

A: If you are performing your own Transfer Impact Assessment and are interested in information about Twilio’s own supplementary measures, please take a look at this support article and at Schedule 2 of our Data Protection Addendum, which sets out our supplementary measures in detail. We are currently in the process of implementing additional supplementary measures such as regionalized storage, and will continue to watch for additional guidance from our Data Protection Authorities and from the EDPB.

Q: Can I continue to transfer data to the US?

A: Yes. In response to Schrems II, the European Data Protection Board (EDPB) has made clear that Binding Corporate Rules and Standard Contractual Clauses remain valid data transfer mechanisms. As the EDPB states in its guidance, however, transfer mechanisms do not operate in a vacuum, and may need to be paired with supplementary measures that enhance protection of personal data.

Q: I don't want my data to leave Europe. Do you have plans to offer local or regional storage in the EU? Do you have an EU datacenter?

A: Currently, Twilio stores all data in the United States. However, we expect to start offering regionalized storage in the EU in the near future. We have provided an overview of our plans, which we keep updated regularly as information changes.

Return to the top

Australia

Purpose for transfer and any further processing: Internal transfer: Twilio has offices in Australia, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
  
Transfer to sub-processor: Twilio uses a sub-processor who stores data in Australia. Please see our list of Sub-processors for specific information.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.
  
Transfer to sub-processor: Data is transferred as directed by the controller.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.
   
Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to Australia, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for internal transfers are available in this support article.
   
Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request. Each Twilio sub-processor has shared their technical and organizational security measures to protect Twilio data and have agreed to retain data for a maximum of 60 days.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
   
Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
   
Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
   
Transfer to sub-processor: Each Twilio sub-processor has agreed to contractual measures that are at least as restrictive as those Twilio has agreed to with our controllers.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.
   
Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.
   
Transfer to sub-processor: Data is transferred externally to our sub-processor.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.
   
Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processor.

Return to the top

Bhutan

Purpose for transfer and any further processing: Internal transfer: Twilio uses a sub-processor whose employees may access personal data in Bhutan. Please see our list of Sub-processors for specific information.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Transfer to sub-processor: Data is transferred as directed by the controller.
Categories of personal data transferred: Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to Bhutan, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request. Each Twilio sub-processor has shared their technical and organizational security measures to protect Twilio data and have agreed to retain data for a maximum of 60 days.
Supplemental Security Measures: Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Organizational Measures: Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Contractual Measures: Transfer to sub-processor: Each Twilio sub-processor has agreed to contractual measures that are at least as restrictive as those Twilio has agreed to with our controllers.
Twilio Policy for Law Enforcement Requests to Client Data: Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request.
Length of processing chain: Transfer to sub-processor: Data is transferred externally to our sub-processor.
Applicable transfer mechanism: Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processor.

Return to the top

Brazil

Purpose for transfer and any further processing: Internal transfer: Twilio has an office in Brazil, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to Brazil, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Return to the top

Colombia

Purpose for transfer and any further processing: Internal transfer Twilio has an office in Colombia, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to Colombia, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Return to the top

Hong Kong

Purpose for transfer and any further processing: Internal transfer: Twilio has an office in Hong Kong, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.
Sensitive data transferred (if applicable): Internal transfer: We do not intentionally transfer any sensitive data to Hong Kong, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Return to the top

India

Purpose for transfer and any further processing: Internal transfer: Twilio has an office in India, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.

Transfer to sub-processor: Twilio uses a sub-processor whose employees may access personal data in India. Please see our list of Sub-processors for specific information.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.

Transfer to sub-processor: Data is transferred as directed by the controller.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to India, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.

Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request. Each Twilio sub-processor has shared their technical and organizational security measures to protect Twilio data and have agreed to retain data for a maximum of 60 days.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Each Twilio sub-processor has agreed to contractual measures that are at least as restrictive as those Twilio has agreed to with our controllers.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.

Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.

Transfer to sub-processor: Data is transferred externally to our sub-processor.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processor.

Return to the top

Japan

Purpose for transfer and any further processing: Internal transfer: Twilio has an office in Japan, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to Japan, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Return to the top

Philippines

Purpose for transfer and any further processing: Internal transfer: Twilio uses sub-processors whose respective employees in the Philippines may access personal data. Please see our list of Sub-processors for specific information.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Transfer to sub-processor: Data is transferred as directed by the controller.
Categories of personal data transferred: Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to the Philippines, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request. Each Twilio subprocessor has shared their technical and organizational security measures to protect Twilio data and have agreed to retain data for a maximum of 60 days.
Supplemental Security Measures: Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Organizational Measures: Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Contractual Measures: Transfer to sub-processor: Each Twilio sub-processor has agreed to contractual measures that are at least as restrictive as those Twilio has agreed to with our controllers.
Twilio Policy for Law Enforcement Requests to Client Data: Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request.
Length of processing chain: Transfer to sub-processor: Data is transferred externally to our sub-processors.
Applicable transfer mechanism: Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processors.

Return to the top

Singapore

Purpose for transfer and any further processing: Internal transfer: Twilio has an office in Singapore, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to Singapore, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Return to the top

United Kingdom

Purpose for transfer and any further processing: Internal transfer: Twilio has an office in the United Kingdom, and Twilio employees may need to access Customer Content for purposes such as support, anti-fraud, or security.

Transfer to sub-processor: Twilio uses a sub-processor located in the UK. Please see our list of Sub-processors for specific information.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.

Transfer to sub-processor: Data is transferred as directed by the controller.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.

Transfers to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to the United Kingdom, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.

Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request. Each Twilio sub-processor has shared their technical and organizational security measures to protect Twilio data and have agreed to retain data for a maximum of 60 days.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Each Twilio sub-processor has agreed to contractual measures that are at least as restrictive as those Twilio has agreed to with our controllers.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.

Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio, and externally to the sub-processor(s) listed above.

Transfer to sub-processor: Data is transferred externally to our sub-processor.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processor.

Return to the top

United States

Purpose for transfer and any further processing: Internal transfer: Twilio stores all personal data in the United States. Twilio’s headquarters and many Twilio offices are located in the United States, and Twilio employees located in the United States need to access Customer Content for purposes such as support, anti-fraud, or security.

Transfer to sub-processor: Twilio uses several sub-processors who store data in the United States and whose employees may access personal data in the United States. Please see our list of Sub-processors for specific information.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Internal transfer: Data is transferred on a continuous basis.

Transfer to sub-processor:
  • In the case of AWS, Twilio transfers data on a continuous basis for storage and backup purposes.
  • In the case of each other United States-based sub-processor, data is transferred as directed by the controller.
Categories of personal data transferred: Internal transfer: Customer Content, as defined in Twilio’s Privacy Statement and Data Protection Addendum.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country.
Sensitive data transferred (if applicable): We do not intentionally transfer any sensitive data to the United States, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Internal transfer: Twilio’s applied security measures for Internal transfers are available in this support article.

Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request. Each Twilio sub-processor has shared their technical and organizational security measures to protect Twilio data and have agreed to retain data for a maximum of 60 days.
Supplemental Security Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Organizational Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures.
Supplemental Contractual Measures: Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in this support article.

Transfer to sub-processor: Each Twilio sub-processor has agreed to contractual measures that are at least as restrictive as those Twilio has agreed to with our controllers.
Twilio Policy for Law Enforcement Requests to Client Data: Internal transfer: Please see Twilio’s Government Requests page.

Transfer to sub-processor: Each Twilio sub-processor has a law enforcement request policy in place and will notify Twilio, where permitted by law, before disclosing information in response to a request.
Length of processing chain: Internal transfer: Data is transferred internally within Twilio.

Transfer to sub-processor: Data is transferred externally to our sub-processors.
Applicable transfer mechanism: Internal transfer: Binding Corporate Rules.

Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processors.

Return to the top

Have more questions? Submit a request
Powered by Zendesk