What Twilio is Doing to Protect Your Data

October 30, 2017
Written by
Tom Tobin

What Twilio is doing to protect your data
  • Five major product requirements for GDPR-Compliance.
  • What Twilio is doing about GDPR.
  • New data protection features.

You may have already seen Twilio’s blog post series from our Lead Privacy Counsel about the GDPR. These posts cover the legal side of this new regulation, and include such details as “What is the GDPR?” and whether you, Twilio, both, or neither a “controller or processor.” However, you may still be wondering, what exactly is Twilio doing for you? How do you know that you can trust Twilio with your data? Or, if you just aren’t sure what you should be doing yourself, what kinds of things is Twilio doing?

I’m a product manager at Twilio and our product teams are working hard to make sure your use of Twilio will support you becoming GDPR compliant in 2018. There a bunch of work to make us GDPR compliant, but we want to be sure our customers are, too.

GDPR and Twilio Products

Twilio manages the conversations between you and your customers and employees. When we looked at GDPR, we deduced five major product requirements that apply as we manage these communications:

  1. Access control: Only people and machines who need to use the data should see it.
  2. Account and record deletion: If you ever decide to leave Twilio, all your data should be removed from all of Twilio. We’d love to have you back, but if you come back, your data, of course, will really have been deleted.
  3. Security: Even inside Twilio’s services, personal data should be properly secured, such as through encryption, when moving between machines or stored on a disk.
  4. Store and process: Data minimization throughout Twilio’s systems. Each service within the Twilio system that holds personal data must have a reason for holding personal data (for example, for billing or routing, or because we’re holding on your behalf for your use in tax calculations or for your record-keeping purposes). Each service must also delete that personal data when that reason no longer exists.
  5. Audit and Log: Access to your data or the policies on it should be logged.

There are other sections of the GDPR that are relevant to Twilio, of course, like notification of a breach and appointment of a data protection officer, but those aren’t specifically product changes.


What Twilio is Doing About GDPR

Whether we’re processing messages to doctors or bank password resets, Twilio manages some very sensitive information. So, we understand that it is imperative that we provide a secure and trusted place for a business to put their customer conversations. Here are some of the things we’re doing to respond to GDPR requirements relevant to Twilio’s products and services.

  1. For access control, we’re ensuring that we restrict access to data to only those who need to see it. For instance, the part of Twilio that handles billing for a text message doesn’t need to access the body of the message, just know how to bill it. This kind of separation means that even if somebody gets access to call records or tax systems, they can’t know what was said.
  2. For account and record deletion, we’re working to align with the GDPR requirements to make sure that if you leave Twilio and close your account, or remove a specific record, your data will go away, throughout Twilio’s systems, except where other laws (like taxation, SOX audits or requests for legal hold) say we have to keep it. If you leave or ask us to delete a record, we’ll work to track down data across warehouses, logs, and other storage to ensure every identifiable part of the data is deleted. So when you want something gone, we’re working to make sure it’s really gone.
  3. For security, we’re making sure data gets encrypted any time it could be read or intercepted by a third party.
  4. For store and process, we’re auditing and streamlining all of our data processing systems to ensure that personal data processing is limited to what helps us to deliver our products and services to you. This way the personal data is actually providing utility, not just creating liability.
  5. For audit and logging, we’re tracking all data as it’s moving, being changed, or being queried, and we’re recording that access. So, if your account gets compromised, we can better tell you what somebody saw. And if you need to notify people of a breach, we can tell you what was exposed.

We’re doing all of these things across all Twilio features—from Messaging and Voice to Notify and TaskRouter. So whatever Twilio product you use, you can rest assured that we’re working hard to keep your data safe.

New Data Protection Features

There are also three new features, Phone Number Redaction, Message Body redaction, and Call Recording Encryption, that can help you with your GDPR-compliance. These three recent features allow you to remove personally identifiable information (PII), or encrypt it so that no one can see it but you.

You can request access to Message Body Redaction for SMS, and the Phone number Redaction, new features in Programmable Messaging. These products allow you to ask us to truncate a phone number and remove the message body for all of your messages or any subset of messages you want. This means Twilio will not keep the body of your messages in any sort of long-term storage. This might make it hard to debug problems with message delivery or prove billing because the message body can’t be examined. But it does allow you to restrict the locations where sensitive data might be stored. And, if you don’t have consent to store data, you could request access to Message Body Redaction to avoid having Twilio ever store it (outside of the storage needed as we transmit it).

With Call Recording Encryption, a new feature for Programmable Voice that provides additional security for recordings on our platform, we will encrypt the recordings as soon as the call is done. When Call Recording Encryption is enabled, access to recordings will be limited to only the holder of the corresponding private key—you! So no one will be able to listen to the audio, unless they have the private key. If you’re using recordings for training or support, then you can make sure only the team that has the keys can access the recordings.


Twilio is already working hard to complete these efforts so you can assure your stakeholders that you are GDPR-compliant while continuing conversations about data protection with your customers, employees, or partners.