This post is updated quarterly. Click here to read the latest update.
Transfers of EU personal data to the US and other third countries have long been an area of concern for privacy-conscious EU customers and EU data protection authorities. On July 16, 2020, these concerns came to the fore again when the Court of Justice for the European Union (CJEU) ruled on Schrems II . While Twilio has already taken significant steps to ensure data we process is adequately safeguarded wherever in the world we process it (including, among other things, our Binding Corporate Rules and issuing semi-annual transparency reports), we know that this ruling raises important questions about the impact they may have on your business.
We’re excited to share the following details for how Twilio is taking further action to give customers greater control over personal data transfers, and we’re committed to providing updates on a quarterly basis.
As regions, like Europe, continue to lead in the development of comprehensive privacy and data protection regulation, we continue to anticipate that similar privacy and data protection regulations will soon become more common around the world. The CJEU decisions have only accelerated Twilio’s work. Our teams are actively working on a broad regional strategy that will expand our global infrastructure into EU data centers and update internal processes to further mitigate the concerns raised by the CJEU in relation to cross-border data flows as well as other limitations customers may face in relation to transferring personal data out of the EU.
This will be an iterative process, but there are three core efforts actively underway:
- We’re enabling you to keep user EU personal data in the European Union.
Twilio customers will have control over where their data is physically stored, enabling them to keep EU personal data entirely within the EU region, both at rest and in transit.
- We’re implementing additional security controls, restricting Twilio personnel from accessing EU personal data without appropriate permissions.
Non-EU employees of Twilio will be unable to access EU personal data without explicit permission from an EU entity. This includes implementing controls ensuring that only pseudonymized data is transferred to Twilio systems within the US, while also further expanding our enterprise access control system to enhance oversight and control over access to EU personal data.
- We’re implementing additional legal safeguards for EU customers who contract with Twilio.
Twilio will be updating our contracts to ensure that new EU customers are contracted through our entity in the EU by default. We will also be providing ways for current EU customers to contract through our EU entity upon request.
What we’re delivering in 2021
What we plan to deliver on this year represents a significant stride towards helping address customer concerns associated with cross border transfers of EU personal data; however, we plan to address this process in stages.
First, Twilio is piloting our initial regional offering, beginning with our Voice and Messaging (Chat only) products. In the second half of 2021, we intend to enable these channels within our regional Ireland entity. Following this, we will continue work to incorporate additional Twilio products in 2022.
It's important to note that during 2021, our primary focus for our initial channel offering will be to isolate customers' end user data, such as message details records or call detail records and audio recordings - data for which we act primarily as a processor under GDPR. We will continue to work towards regionalization of other non-end user operational data, such as billing and invoicing, support, regulatory compliance, and business analytics information, in 2022.
We’re dedicated to keeping you informed
Transparency is core to Twilio’s mission of being the world’s most trusted customer communications platform. We are committed to providing additional updates on a quarterly basis as we continue to work aggressively towards the delivery of a broad, regional infrastructure.
Ongoing Updates on Twilio’s Response to ‘Schrems II’
Q2 2021 Update
In February, Twilio published our first edition of this blog post, outlining our response to the 2020 ruling from the Court of Justice for the European Union (CJEU) commonly referred to as ‘Schrems II’ and the subsequent guidelines published by the European Data Protection Board (EDPB) in November 2020. Since that time, product and engineering teams across the Twilio platform have accelerated our work to provide our customers with regionalized products and functionality that help you achieve compliance, and reduce cross-border data transfer risk, around the world. In our first edition, we committed to providing proactive updates on a quarterly basis, and we’re excited to share our first update on the work being done towards this effort.
While we’ve greatly accelerated our regional efforts to ensure that customers can respond proactively, we’ve also taken advantage of what we consider to be a unique opportunity to solve for future regulatory shifts once and for all. As we look into Q3, we’re prepared to begin delivering the value created as a result of this work into customers’ hands.
Q3 2021 Update
Through Q2 and into Q3, our teams worked across key product, infrastructure, billing, and data access control initiatives to prepare for our Australia pilot program launch, which went live in September. This pilot features Twilio’s Programmable Voice, Elastic SIP Trunking, and Voice Client SDK products and expands Twilio’s infrastructure into Australia.
The pilot program is a critical step, paving the way for our team to regionalize Twilio within new geographies, particularly in Europe next quarter, while ensuring that every interaction you have with customers delivers the same level of trust and reliability that you expect from the Twilio platform.
As part of this effort, Twilio is introducing data centers in separate and distinct geographic locations to improve resiliency and further mitigate the risk of a single event impacting Twilio services. Ultimately, this enables you to build and operate your most latency-sensitive applications while meeting local data residency requirements.
For customers interested in participating in the Australian pilot, please contact your Twilio account representative for more information on how to get involved.
In addition, we are excited to announce that we’ve operationalized Twilio Ireland as our latest billing and contracting subsidiary. As of August, new European Twilio customers with either a phone number or a billing country in the region are automatically contracted through our Twilio Ireland subsidiary. We are actively working on extending this to existing European customers and will provide updates as we progress. This presents a strong first step in addressing concerns around personal data protection for our customers in Europe.
Timelines for regionalized Twilio products in Europe
In Q4 2021, we will be introducing Twilio Voice, our first publicly regionalized channel within the European region, with data centers in Ireland. In addition, the Conversations API will be available, supporting chat use cases this quarter. This launch will be followed by support for inbound and outbound SMS within the region during the first half of 2022, with additional products like Video, Email, Flex, MMS, and Conversations (SMS and WhatsApp) are expected during the second half of the year. Finally, our team is actively working to ensure that the teams supporting other Twilio entities, like Segment (acquired by Twilio in November 2020), are equally equipped to meet the same stringent standards set by our regional teams. The Twilio Segment team has delivered general availability for regional data ingestion in Q2, and will be releasing the Regional Connections and Protocols (which includes data ingestion and storage) as well as Regional Personas, into general availability in the first half of 2022.
|Q3 2021||Q4 2021||H1 2022||H2 2022|
• Voice Pilot (Australia)
• Twilio Segment Regional Data Ingestion GA (Ireland, Australia, & Singapore)
• Voice (Ireland)
• Conversations - chat only (Ireland)
• Inbound & Outbound SMS (Ireland)
• Video (Ireland)
Access & Contracting: Further regionalizing how you do business with Twilio
In addition to the regionalization of our products and services, our teams are also working in tandem to improve the way that you do business with Twilio around the world. Teams are actively working to build and implement new, robust enterprise-ready access controls. These controls ensure (for example) that sensitive customer data remains regionalized and accessible only by Twilions in-region as necessary. They also ensure this sensitive data remains inaccessible out of region, except when specifically approved. We’re also working to introduce new billing and contracting opportunities that protect your business relationship with Twilio formally under a regionalized European entity, Twilio Ireland, when legally necessary or simply preferred. In Q3, we updated our terms of service and operationalized Twilio Ireland so that new customers are now contracting with this in-region entity. These are just two examples of the many safeguards actively being put into place to ensure our customers have the tools to operate in a fully-compliant manner, anywhere in the world.
Building a future-proof platform, today
The global regulatory landscape is ever-changing, and we’re acutely aware that rulings (like ‘Schrems II’) present important, time-sensitive issues that need to be addressed thoughtfully. As we continue to build a globally regionalized Twilio, our team has committed to a strategy that provides reliable, long-term solutions that deliver on needs today and well into the future--regardless of how regulatory measures, specifically with regards to sensitive customer data, may change for years to come. It’s a promise that Twilio is uniquely capable of delivering on, and we’re excited to bring these updates to you over the coming weeks and months.
This blog post contains forward-looking statements within the meaning of the federal securities laws, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance, product development or marketing position. In some cases, you can identify forward-looking statements because they contain words such as “may,” “can,” “will,” “would,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “forecasts,” “potential” or “continue” or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-looking statements contained in this blog post include, but are not limited to, statements about: the pilot launch of Twilio’s Voice products, regionalizing Twilio in Europe, expansion of Twilio’s infrastructure into Australia, and support for additional products in these regions as we release public betas for regional data ingestion and storage. You should not rely upon forward-looking statements as predictions of future events.
Any unreleased products, features, functionality or roadmaps referenced in this blog post are not currently available and may not be delivered on time or at all, as may be determined in our sole discretion. Any such referenced products, features, functionality or roadmaps do not represent promises to deliver, commitments or obligations of Twilio. Customers who purchase our products should make their purchase decisions based upon features that are currently generally available.
The forward-looking statements contained in this blog post are also subject to additional risks, uncertainties, and factors, including those more fully described in Twilio’s most recent filings with the Securities and Exchange Commission, including its Form 10-Q for the quarter ended March 31, 2021. Further information on potential risks that could affect actual results will be included in the subsequent periodic and current reports and other filings that Twilio makes with the Securities and Exchange Commission from time to time. Moreover, Twilio operates in a very competitive and rapidly changing environment, and new risks and uncertainties may emerge that could have an impact on the forward-looking statements contained in this blog post.
Forward-looking statements represent Twilio’s management’s beliefs and assumptions only as of the date such statements are made. Twilio undertakes no obligation to update any forward-looking statements made in this blog post to reflect events or circumstances after the date of this blog post or to reflect new information or the occurrence of unanticipated events, except as required by law.