Data Privacy FAQs

Why is Twilio a Controller of Customer Account Data? 

Customer Account Data includes:

  • The names or contact information of individuals that you authorized to set up and access your account and manage billing; and 

  • Personal data that Twilio may need to administer your account or your use of Twilio’s products and services, including verification of the identity of your end users for Know-Your-Customer (KYC) or other identity verification purposes.

Twilio’s use of Customer Account Data is fundamental to establishing and managing its direct business relationship with its customers. Twilio needs this data to create and manage its customer accounts, handle billing, verify its customers’ identities for KYC compliance and fraud prevention, fulfill legal recordkeeping obligations, and make decisions about account access and authorization. 

These are core business functions where Twilio actively and independently determines why and how Customer Account Data is collected and used - key criteria for being a controller. Twilio cannot outsource these controller responsibilities because Twilio is directly establishing and managing the business relationship with its customers. Additionally, much of Twilio’s processing of Customer Account Data is tied to Twilio’s own legal obligations (e.g., KYC compliance requirements) - areas where Twilio must act as a controller since it is directly responsible for compliance.

Why is Twilio a Controller of Customer Content?

Customer Content includes:

  • Personal data in communications content exchanged as a result of using Twilio’s product and services, such as text message bodies, voice, sound, video media, images, email bodies, subject lines, and recipients and, where applicable, in any data (1) that you submit to Twilio’s products and services from its designated software applications or its other products and services or (2) generated for your use as part of Twilio’s products and services; and 

  • Personal data stored on your behalf, such as (1) communications content, transcripts, recordings, or communications logs, within Twilio’s products and services or (2) marketing campaign data that you have uploaded to Twilio’s products and services.

Twilio only processes Customer Content as a controller where needed for specific legitimate business purposes outlined in Section 3 (Processing of Customer Personal Data as a Controller) of the Data Protection Addendum (DPA).

As an example, Twilio may need to use Customer Content in order to combat spam, fraud and other illegal activity. Fraud detection and management is fundamental to Twilio being able to protect its customers and business. Twilio’s Fraud Operations team is constantly evolving how it combats fraud in response to the tactics of bad actors and determines why and how any personal data in Customer Content may be used for that purpose. 

Twilio also has various contractual obligations to the telecommunications (e.g., carriers) and other communications service providers it uses. For example, these telecommunications providers require Twilio to notify them when there has been fraud or Twilio’s products and services have been used for illegal purposes. Twilio is responsible for determining when and how these notifications are required and is therefore in control of Customer Content for those purposes and acts as a controller under applicable data protection laws and regulations. 

Why is Twilio a Controller of Communications Usage Data (formerly referred to as Customer Usage Data)? 

Communications Usage Data includes electronic communications metadata processed by Twilio for the purpose of transmitting, distributing, or exchanging Customer Content through communications networks including: 

  • Phone numbers;

  • Any personal data used to trace and identify the source and destination of a communication, including data on the location of the device generated in the context of providing Twilio’s products and services, and the date, time, duration, and the type of communication; and

  • Activity logs used to identify the source of Twilio product or service requests, to optimize and maintain performance of Twilio’s products and services, and to investigate and prevent system abuse.

Twilio is a communications service provider that operates a cloud communications platform, offering businesses access to telecommunications or other communications networks for voice calls, SMS/MMS messaging, email, and other communication services through its application programming interfaces (APIs). By maintaining direct relationships with telecommunications providers worldwide and providing the necessary communications infrastructure, Twilio enables its customers to integrate communications features like automated calls, messaging, and authentication into their software applications without having to establish their own relationships with telecommunications providers or build their own complex communications infrastructure.

While some software-as-a-service (SaaS) providers operate solely as data processors, Twilio's position is distinct due to its dual role as both a software provider and an electronic communications service provider. This distinction carries significant regulatory and operational implications that necessitate Twilio’s controller status for Communications Usage Data. As such, Twilio is a controller of any personal data required for the provision of the communications services that Twilio provides. 

Additionally, Twilio processes Communications Usage Data in order to deliver communications (e.g., text messages and voice calls) through different types of communication channels and for the following purposes: 

  • Accurately billing customers for their use of the communications services; 

  • Maintaining the performance of the services;

  • Routing messages; 

  • Maintaining the security and operation of Twilio’s systems; 

  • Making telecommunications provider interconnection payments and paying taxes; 

  • Investigating, detecting, and preventing spam, fraud, and abuse; and 

  • Complying with applicable laws and regulations, such as country-specific phone number regulations.

In using Communications Usage Data in this way, Twilio acts as a controller because it determines how and why Communications Usage Data needs to be processed for these purposes. Twilio also determines how long Communications Usage Data needs to be retained for these purposes and, once it is no longer needed, Twilio either removes the Communications Usage Data from Twilio systems or anonymizes, de-identifies, or aggregates it such that it no longer identifies its customers, its customers’ end users, or any other individual. 

This controller position follows the guidance from the European Data Protection Board (EDPB):

“Providing an electronic communications service such as an electronic mail service involves processing of personal data. The provider of such services will normally be considered a controller in respect of the processing of personal data that is necessary for the operation of the service as such (e.g., traffic and billing data).” 

Twilio can only process Communications Usage Data for purposes unrelated to the operation of its communications services with the authorization its customers provide in the Data Protection Addendum (DPA), which is part of the contractual agreement with Twilio, or any service-specific terms customers agree to or otherwise accept, and in accordance with applicable data protection laws and regulations. 

Why are telecommunications providers not treated as sub-processors by Twilio and included in Twilio’s sub-processor list?

Twilio’s telecommunications providers are not considered to be Twilio's processors (or Twilio's customers' sub-processors) under the GDPR because telecommunications providers transmitting Customer Content are not considered to be processing the personal data contained in the communication. 

There are a number of reasons behind this position:

  • Customer Content merely transits a telecommunications provider’s network or service without significant processing being involved, as laws protecting the confidentiality of communications prohibit telecommunications providers from gaining access;

  • “Disclosure by transmission” is called out in the GDPR definition of “processing,” whereas transmission without disclosure is not, so that no “processing” is involved where there is transmission alone; and

  • Any other position would be impossible to implement given the complexity of the telecommunications value chain, with many parties involved in the origination, transit, and termination of Customer Content.

As a result, telecommunications providers act as mere conduits for the transmission of the Customer Content, as they: 

  • do not initiate the transmission; 

  • do not select the receiver of the transmission;

  • do not select or modify the information contained in the transmission; and 

  • do not store the data, except transient storage for the sole purpose of carrying out the transmission. 

Please note that this position is industry standard and reflects guidance from supervisory authorities and case law.

*****

Please note that telecommunications providers used by Twilio are not processors of Twilio or sub-processors of Twilio’s customers. Additional information about this position can be found here.