Security

The Twilio Cloud Communications Platform offers a highly scalable, highly secure API and application development platform designed to ensure the privacy and security of your data. Ensuring the confidentiality, integrity and availability of your systems and data is core to our engineering design principles and business practices.

Data Security

Data in Transit

All data sent to and from Twilio is encrypted to industry standards.

  • SSL: Twilio uses SSL/TLS to encrypt web session traffic to and from Twilio. We also support request validation by signing our strings with HMAC-SHA1.
  • HTTP Digest Authentication: Twilio supports HTTP Basic and Digest Authentication. This allows you to password-protect your TwiML URLs (containing usernames and passwords) on your web server so that only you and Twilio can access them.
  • Signature Validation: Twilio cryptographically signs its outbound HTTP requests to your application with the "X-Twilio-Signature" HTTP header. This signature can be used to validate the authenticity of requests originating from Twilio to your application.
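
The following is an added example, not Twilio's code or helper library, of checking the X-Twilio-Signature header on the receiving side. It assumes the signed string is the full request URL followed by the POST parameters sorted by name and concatenated as name then value, and that the header carries the Base64-encoded HMAC-SHA1 keyed with your AuthToken; the token, URL and parameters are constructed sample values.

```python
import base64
import hashlib
import hmac


def expected_signature(auth_token: str, url: str, params: dict) -> str:
    """Return Base64(HMAC-SHA1(auth_token, url + sorted name/value pairs))."""
    # Assumed signing string: the exact webhook URL as configured, then each
    # POST parameter name immediately followed by its value, sorted by name.
    signed = url + "".join(name + params[name] for name in sorted(params))
    mac = hmac.new(auth_token.encode("utf-8"), signed.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def is_valid_request(auth_token: str, url: str, params: dict, header_value) -> bool:
    """Check a received X-Twilio-Signature value; reject when it is absent."""
    if not header_value:
        return False
    expected = expected_signature(auth_token, url, params)
    # Constant-time comparison so the check does not leak how many leading
    # characters of a forged signature were correct.
    return hmac.compare_digest(expected.encode("ascii"), header_value.encode("utf-8"))


def demo() -> dict:
    # Constructed sample values, not real credentials or traffic.
    token = "constructed-auth-token-0000"
    url = "https://app.example.com/sms/inbound"
    params = {"To": "+15550000002", "From": "+15550000001", "Body": "hello"}
    good = expected_signature(token, url, params)  # what the sender would attach

    tampered = dict(params, Body="send money")
    # Typical false negative: the app sits behind a TLS-terminating proxy and
    # rebuilds the URL as http://, so the signed string no longer matches.
    proxied_url = url.replace("https://", "http://", 1)
    return {
        "genuine": is_valid_request(token, url, params, good),
        "tampered_body": is_valid_request(token, url, tampered, good),
        "scheme_mismatch": is_valid_request(token, proxied_url, params, good),
        "missing_header": is_valid_request(token, url, params, None),
        "wrong_token": is_valid_request("other-token", url, params, good),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Validate against the URL exactly as the sender saw it, and return an HTTP 403 for any request that fails the check.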

Data at Rest

All customer data stored on our servers is encrypted with AES-256.

Datacenter Security

Twilio uses world-class, highly secure data centers that are ISO 27001 certified, Level 1 PCI certified, and undergo annual SOC1 audits. These state-of-the-art data centers utilize advanced electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least-privilege basis.

Customer Data Privacy

Policy

Your privacy is important to us. Twilio only collects the data we need to run our business. For more information on what data is collected and how we use it, please visit our Privacy page: https://www.twilio.com/legal/privacy.

Compliance

PCI DSS

You can build PCI-compliant applications. Twilio is PCI DSS compliant. We use a validated Level 1 PCI DSS Compliant Service Provider for credit card processing.

Customer HIPAA Compliance

Twilio supports a variety of use cases employed by companies engaged in HIPAA covered activities. We provide an open platform to send and receive messages and calls, the contents and compliance of which are solely your company's responsibility. It is important that you consult your own legal counsel to determine if you are subject to HIPAA regulations, and what you need to do to secure your application and data.

Application Security

Making Your App Secure

Twilio offers many resources on our site to assist you in building efficient and secure apps, including QuickStart Guides, HowTo’s, and Helper Libraries. We also recommend checking out our featured blog post: "Best Practices For Securing Your Twilio App" for more information.

Application Security Checklist

  • Keep your AuthToken secure. (It enables access not only to the REST API, but also to request signatures.)
  • Always enable secure authentication.
  • Always enable input validation.
  • Apply all relevant security patches as soon as possible to keep software up to date.

Disaster Recovery

The data centers and environmental systems we use are designed to minimize the impact of disruptions to operations. We utilize real time replication between multiple geographic regions and Availability Zones. In the event of a primary system failure, a backup location will continue the service.

API Uptime, Reliability and Trust

Companies large and small rely on Twilio for their critical communication needs. Please visit our webpage to get more details.