Twilio CCPA Notice
Effective November 21, 2019
So, you’ve read the Twilio Privacy Statement and the SendGrid Privacy Statement, but you’re looking for something a little more specifically tailored to California. In particular, you’re looking for a written agreement that addresses Twilio’s responsibilities as a business and as a service provider to you, whether you are a business or a consumer. You’re in the right place.
This notice supplements the Twilio Privacy Statement as well as any other agreement you have with us, such as the Twilio Terms of Service, Master Sales Agreement, or other agreement for the use of our services. Any terms we use in this notice that aren’t defined here will have the meanings we give them in those agreements.
Let’s get oriented
Our Privacy Statement defines Customer Account Data, Customer Usage Data, and Customer Content. We’ll refer to those here, too...but mostly, we’re talking about our customers’ personal information. Personal information is defined in the California Consumer Privacy Act, or “CCPA," and we use that definition.
We will also talk about some other terms from the same law, such as "consumer," "business," “service provider,” “business purpose,” or “commercial purpose,” and those also have the definitions set out in that law.
When we talk about a “sale,” or “selling,” personal information, we are using the definitions of “sale,” and “sell” as defined in the CCPA. It’s important that we be clear on what this means: it means we don’t sell, rent, or otherwise disclose your personal information in exchange for money or something else of value.
Twilio’s relationship with you under California law
The Twilio Privacy Statement describes “controllers” and “processors,” and discusses the purposes for which we process personal information in Customer Account Data, Customer Usage Data, and Customer Content. For the purposes of the CCPA, in the same way that we act as a processor of Customer Content, we act as a service provider for Customer Content. For Customer Account Data and Customer Usage Data, we act as a business, which means that we may use this data for our own business purposes. Regardless of whether we are acting as a business or a service provider, we process, retain, use, and disclose personal information only as necessary to provide the services we have agreed to provide. In other words, we use the personal information we have strictly for business purposes. You can read more about our business purposes for each type of personal information in our Privacy Statement. Regardless, we will not:
- sell your personal information or your end users’ personal information;
- process your personal information for any commercial purpose other than providing the services; or
- retain, use, or disclose your personal information outside of the scope of the agreement we have with you.
To be clear, we are not receiving any of your personal information or your end users’ personal information as consideration for any services or other items of value that we provide to you. We also understand our obligations under the CCPA and will comply with them.
By the same token, you are responsible for ensuring that you have complied, and you will continue to comply, with the requirements of the CCPA in your use of the services we provide to you and your own processing of personal information.
Twilio’s obligations under California law
We will ensure that any person we authorize to process your Customer Content has agreed to protect personal information consistent with our confidentiality obligations under our agreement with you.
We use third party service providers to fulfill our obligations under our agreement with you and for our own business purposes. When we do use service providers, we have entered into a written contract that includes terms substantially similar to this notice. We conduct appropriate due diligence on our service providers and we will remain liable for any breach of this notice that is caused by an act, error, or omission of our service providers.
Your access and deletion rights
As part of the services we provide to you, we provide you with a number of self-service features at no additional cost, including the ability to delete, retrieve, or restrict use of Customer Content, which you may use in complying with your obligations under the CCPA with respect to responding to requests from consumers. If you need more assistance than that, let our Support team know; we will provide reasonable additional and timely assistance to assist you in complying with your obligations with respect to consumer access and deletion requests under the CCPA. If additional assistance requires going above and beyond what Support can provide, further assistance may be at your expense.
In the event that we receive any request, complaint, or other communication from a verifiable consumer, regulatory authority, or third party in connection with our processing of your Customer Content, we will promptly inform you and provide details, to the extent legally permitted. Unless legally obligated to do so, we will not respond to any such request, inquiry or complaint without your prior consent except to confirm that the request relates to you.
Data retention and deletion of content
We hate to see any relationship end. However, if our agreement with you terminates, we will give you thirty days after the termination effective date to obtain a copy of your Customer Content via the Twilio Services. We’ll automatically delete any stored Customer Content thirty days after the termination effective date, and automatically delete any stored Customer Content on our back-up systems sixty days after the termination effective date. If you’re using the SendGrid Services, we’ll retain stored Customer Content on our back-up systems for one year after the termination effective date, after which it will be automatically deleted. During that time, if there’s any Customer Content archived on our back-up systems, we will securely isolate that data and protect it from any further processing, except as otherwise required by applicable law.
Upon termination of our agreement with you, we may retain Customer Content in storage for the periods described in this section, provided that we will ensure that your Customer Content is processed only as necessary for the purpose specified in this notice and no other purpose. Also, at all times, we will ensure that we protect Customer Content as we have promised to, and as the law requires us to.
Of course, if we are required by law to retain any portion of your Customer Content, we may do so, regardless of the requirements of this section. If we must do so, we will ensure we maintain the same security protections on your Customer Content.
Let’s talk about our security protections! Of course, we will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information we process. You may read more about the measures we take to protect Customer Content from a security breach involving the Twilio Services at https://www.twilio.com/security and involving the SendGrid Services at https://sendgrid.com/policies/security/.
As part of the services, you may elect to use certain features and functionalities that impact the security of the data processed, such as encryption of voice recordings, use of multi-factor authentication on your account, or TLS encryption within the SendGrid Services. You are responsible for reviewing the information we make available regarding our data security, including our audit reports, and making an independent determination as to whether the services we provide to you meet your requirements and legal obligations, including your legal obligations. You are also responsible for properly configuring the services we provide to you and using available features and functionalities to maintain appropriate security in light of the nature of the data you’re processing.
In the event that we become aware of a security breach that involves your Customer Content, we will, to the extent we’re permitted by law, notify you without undue delay via your account owner’s email address. We will make reasonable efforts to identify and, to the extent any security incident is caused by our violation of the requirements of this notice, remediate the cause of the security incident. We will provide reasonable assistance to you in the event that you are required by law to notify a regulatory authority or any individuals of a security incident.
Material changes in our practices or in the law
We may modify this notice where required, such as due to a material change in our business practices with respect to your personal information or due to a material change in the CCPA. If this happens, we’ll notify you before such modifications take effect as our agreement with you provides.