Twilio Identity Verification Security Overview
Last Updated: July 14, 2022
This Twilio Identity Verification Security Overview (“Identity Verification Security Overview”) is incorporated into and made a part of the Twilio Identity Verification Requirements available at https://www.twilio.com/legal/service-country-specific-terms/identity-verification (“Identity Verification Requirements”). Any capitalized terms used in this Identity Verification Security Overview that are not defined will have the meanings provided to them in the Identity Verification Requirements.
1. Purpose. This Identity Verification Security Overview describes the security program, security certifications, and technical and organizational security controls applicable to the Identity Verification Services to protect (a) Identity Verification Data from unauthorized use, access, disclosure, or theft and (b) the Identity Verification Services. As security threats change, Twilio continues to update its security program and strategy to help protect Identity Verification Data and the Identity Verification Services. As such, Twilio reserves the right to update this Identity Verification Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Identity Verification Security Overview. The then-current terms of this Identity Verification Security Overview are available at https://www.twilio.com/legal/service-country-specific-terms/identity-verification/security-overview. This Identity Verification Security Overview does not apply to any (a) Identity Verification Services that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Identity Verification Services offered by Twilio or (b) communications services provided by telecommunications providers or any third-party data sources, including, without limitation, mobile network operators.
2. Security Organization and Program. Twilio maintains a risk-based assessment security program. The framework for Twilio’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Identity Verification Services and confidentiality, integrity, and availability of Identity Verification Data. Twilio’s security program is intended to be appropriate to the nature of the Identity Verification Services and the size and complexity of Twilio’s business operations. Twilio has separate and dedicated Information Security teams that manage Twilio’s security program. There is a team that facilitates and supports independent audits and assessments performed by third parties. Twilio’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with Twilio’s Chief Information Security Officer (CISO) meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Twilio employees for their reference.
3. Confidentiality. Twilio has controls in place to maintain the confidentiality of Identity Verification Data in accordance with the Agreement. All Twilio employees and contract personnel are bound by Twilio’s internal policies regarding maintaining the confidentiality of Identity Verification Data and are contractually obligated to comply with these obligations.
4. People Security
4.1 Employee Background Checks. Twilio performs background checks on all new employees at the time of hire in accordance with applicable local laws. Twilio currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, Twilio may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
4.2 Employee Training. At least once (1) per year, Twilio employees must complete a security and privacy training which covers Twilio’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Twilio’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Twilio has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
5. Third Party Vendor Management
5.1 Vendor Assessment. Twilio may use third party vendors to provide the Services. Twilio carries out a security risk-based assessment of prospective vendors before working with them to validate they meet Twilio’s security requirements. Twilio periodically reviews each vendor in light of Twilio’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. Twilio ensures that Identity Verification Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors or third-party vendors of Twilio.
5.2 Vendor Agreements. Twilio enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Identity Verification Data that these vendors may process.
6. Security Certifications. Twilio holds ISO/IEC 27001 certification for the Identity Verification Services.
7. Data Storage, Data Segregation, and Access Controls
7.1 Data Storage. The Identity Verification Services are hosted on Amazon Web Services (“AWS”) and Google Cloud Platform (“GCP”). Twilio ensures all Identity Verification Data that is stored within AWS and GCP is in compliance with the Identity Verification Security Overview, or in any event, requirements that are no less stringent.
7.2 Data Segregation and Access Controls. For the Identity Verification Services, Identity Verification Data is segregated using logical and/or physical access controls to provide protection from unauthorized access. Documented processes are maintained and adhered to for the backup and recovery of Identity Verification Data in accordance with any disaster recovery requirements. System and application configuration files are monitored to detect unauthorized access and/or changes. An authentication method is based on the sensitivity of Identity Verification Data.
8. Physical Security. AWS and GCP are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Twilio headquarters and office spaces have a physical security program that manages visitors, building entrances, closed circuit televisions, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
9. Security by Design. Twilio follows security by design principles when it designs the Identity Verification Services. Twilio also applies the Twilio Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Identity Verification Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before deploying new Identity Verification Services or code; (b) penetration tests of new Identity Verification Services by independent third parties; and (c) threat models for new Identity Verification Services to detect potential security threats and vulnerabilities.
10. Change Management. Twilio has a formal change management process it follows to administer changes to the production environment for the Identity Verification Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Identity Verification Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Identity Verification Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Identity Verification Services.
11. Encryption. Twilio uses encryption technologies for the transmission of Identity Verification Data outside of controlled networks, when stored, or when transmitting Identity Verification Data over any untrusted network. Such encryption technologies will have a minimum encryption strength equal to or greater than Advance Encryption Standard (AES) 128-bits for symmetric encryption and an asymmetric encryption strength equal to or stronger than Rivest-Shamir-Adleman (RSA) 2048-bits or Elliptical Curve Cryptography (ECC) 256-bits. Twilio maintains a documented policy for the management of the encryption keys, including the expiration of encryption keys at least once every two (2) years.
12. Vulnerability Management. Twilio maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Twilio uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Twilio’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the Twilio cluster over a predefined schedule. For high-risk patches, Twilio will deploy directly to existing nodes through internally developed orchestration tools. System and application configuration files are monitored to detect unauthorized access and/or changes.
13. Penetration Testing. Twilio performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. Twilio has installed and uses Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS) that monitor all traffic transmitted via the Identity Verification Services.
14. Security Incidents. Twilio maintains a documented procedure to be followed in the event of a Security Incident (as defined in the Data Protection Addendum, the current version of which is available at https://www.twilio.com/legal/data-protection-addendum (“DPA”)). Twilio will promptly investigate a Security Incident involving Identity Verification Data upon discovery. To the extent permitted by applicable law, Twilio will notify Customer of a Security Incident involving Identity Verification Data in accordance with the DPA. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.