Twilio Expands Regionalization and Schrems II Efforts

July 18, 2022
Written by
Twilio
Twilion

schrems-ii-update-header.png

This post is updated regularly and from Q2’22 onward is being provided in a consolidated format to summarize past progress. Click here to read the latest update.

Transfers of EU personal data to the US and other third countries have long been an area of concern for privacy-conscious EU customers and EU data protection regulators. On July 16, 2020, these concerns came to the fore following the Court of Justice for the European Union ruling on the Schrems II case. While Twilio has already taken significant steps to ensure data we process is adequately safeguarded wherever in the world we process it (including through our Binding Corporate Rules, Government Data Request Procedure and semi-annual transparency reports), we know that this ruling raises important questions and challenges for your business.

Twilio’s objective is to offer regionalized products and services that give customers control over where their data is ingested, processed, and stored, and the ability to keep personal data entirely within a specific region, at rest and in transit. We’re excited to share details of this initiative to give customers greater control over personal data transfers and mitigate the impact of the Schrems II ruling.

Twilio’s regionalization strategy

Our teams are working on the expansion of our global infrastructure into data centers in the EU and other regions around the world. It is a significant undertaking for us to align our platforms, products, services, and internal processes to achieve this objective. Our regionalization strategy is made up of three key components:

  1. Enabling you to keep EU user personal data in the European Union.
    The development of Twilio products and services that host data in the EU and allow customers to avoid transfers of personal data to the US or other non-EU countries.
  2. Implementing additional controls to restrict access to EU personal data.
    Non-EU employees of Twilio will be unable to access EU personal data for products we have regionalized in the European Economic Area (EEA) without explicit permission from an EU entity and under limited circumstances only. This includes controls to ensure only pseudonymized or anonymized data is transferred to Twilio systems located outside the EEA and an expansion of our enterprise access control system to enhance oversight and control over access to EU personal data.
  3. Implementing additional legal safeguards for EU customers who contract with Twilio.
    We have updated our contracts to ensure that new EU customers are contracted through our entity in the EU by default. We’re working toward providing avenues for current EU customers to also contract through our EU entity upon request.

What we’ve delivered so far

Regional Voice in Ireland

In 2021, we launched a data center in Ireland, and Twilio Voice, our first publicly regionalized channel within the European region, became generally available (GA). This enables existing EU customers to migrate their Voice use cases to the data center in Ireland and establish data residency within the region*. In addition, new customers may select Ireland as their region of choice for Voice-related use cases. There’s no additional cost to use the new data center in Ireland. To learn more about getting started with Regional Voice in Ireland, head over to our developer docs.

Proximity to an in-region data center also provides the additional benefits of reduced latency and enhanced application performance for highly interactive, real-time interactions, such as voice dialing, muting, and sending chat messages.

Regional Voice in Australia

Throughout the first half of 2022, our teams worked towards the launch of our third Twilio Region, Australia, as well as general availability of Regional Voice*, making it the first Twilio product enabled across all available Twilio Regions. Android SDKs are also GA with full regional support from Ireland and Australia.

Twilio Segment in the EU

Lastly, Twilio Segment is now GA in the EU, offering a localized product for Connections, Protocols, and Personas. Twilio Segment makes it easy to collect, unify, and activate your customer data in any system where you need it while giving you the tools and controls to help enable compliance with EU data regulations. To learn more about Twilio Segment in the EU, click here to read the launch blog.

* Voice traffic, which includes data relating to the transmission of telephone calls utilizing Twilio’s platform, such as call recordings, transcripts, time of day, call duration and minutes of use, is ingested, stored and processed in Ireland. Exceptions will occur as necessary to investigate issues of fraud and abuse. At this time, all other data relating to your account and use of our Services will continue to be processed in the United States to allow Twilio to continue to provide and improve our Services to you. We will continue to work towards greater data regionalization for Voice, and other offerings, in the months ahead.


Latest updates on regionalization progress

Our primary focus in 2022 has been isolating customers' end-user data (such as call detail records and audio recordings)—data for which we act primarily as a processor under the General Data Protection Regulation (GDPR).

As we look into the future, our teams are focused on regionalizing Serverless Functions and Assets, Studio, Inbound and Outbound SMS, and Flex. We will continue the work required to regionalize additional Twilio products and services, and other non-end-user operational data, such as billing, support, regulatory compliance, and business analytics information. We will also progress the work required to release data privacy controls that ensure end-user operational data can be safely transferred outside of the EEA in an anonymized or pseudonymized form.

We remain committed to delivering our regionalization strategy and providing you with regular updates on our progress in the quarters to come.

Privacy protection & contracting: Further regionalizing how you do business with Twilio

In addition to the regionalization of our products and services, we are working to improve the way that you do business with Twilio around the world. Our Privacy Engineering team is working to ensure data protection through state-of-the-art methods recognized by the European Data Protection Board (EDPB) and German Society for Data Protection and Data Security (GDD). These controls ensure, for example, that sensitive customer data remains regionalized and accessible only by Twilions in-region as necessary and otherwise inaccessible out-of-region, except when specifically approved.

We’ve also operationalized Twilio Ireland as our latest billing and contracting subsidiary. As of August 2021, new European Twilio customers with either a phone number or a billing country in the region are automatically contracted through our Twilio Ireland subsidiary. We’re working on extending this to existing European customers.

Building a future-proof platform today

The global regulatory landscape is ever-changing, and we’re acutely aware that rulings (like Schrems II) present important, time-sensitive issues that need to be addressed. As we continue to build a globally regionalized Twilio, our team has committed to a strategy that will provide reliable, long-term solutions that deliver on needs today and well into the future—regardless of how regulatory measures, specifically regarding sensitive customer data, may change for years to come. We're excited to bring these updates to you as we make progress.


Forward-looking statements

This blog post contains forward-looking statements within the meaning of the federal securities laws, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance, product development or marketing position. In some cases, you can identify forward-looking statements because they contain words such as “may,” “can,” “will,” “would,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “forecasts,” “potential” or “continue” or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-looking statements contained in this blog post include, but are not limited to, statements about: regionalizing Twilio products including Serverless Functions and Assets, Studio, Inbound and Outbound SMS, and Flex. You should not rely upon forward-looking statements as predictions of future events.

Any unreleased products, features, functionality or roadmaps referenced in this blog post are not currently available and may not be delivered on time or at all, as may be determined in our sole discretion. Any such referenced products, features, functionality or roadmaps do not represent promises to deliver, commitments or obligations of Twilio. Customers who purchase our products should make their purchase decisions based upon features that are currently generally available.

The forward-looking statements contained in this blog post are also subject to additional risks, uncertainties, and factors, including those more fully described in Twilio’s most recent filings with the Securities and Exchange Commission, including its Form 10-Q for the quarter ended June 30, 2022. Further information on potential risks that could affect actual results will be included in the subsequent periodic and current reports and other filings that Twilio makes with the Securities and Exchange Commission from time to time. Moreover, Twilio operates in a very competitive and rapidly changing environment, and new risks and uncertainties may emerge that could have an impact on the forward-looking statements contained in this blog post.

Forward-looking statements represent Twilio’s management’s beliefs and assumptions only as of the date such statements are made. Twilio undertakes no obligation to update any forward-looking statements made in this blog post to reflect events or circumstances after the date of this blog post or to reflect new information or the occurrence of unanticipated events, except as required by law.