Business Continuity for a Resilient Global Communications Solution
A white paper on Twilio’s business continuity program that details our approach and priorities.Download Whitepaper
Business Continuity for a Resilient Global Communications Solution
Organizations of all sizes rely on Twilio’s cloud communications platform to exchange millions of calls and messages every single day. These communications facilitate deliveries, power customer support, and keep mission critical applications running non-stop. We understand the reliability of our platform, products, and people is essential to helping you build connections and trust with your customers, partners, and employees at scale. We take measures to protect our customers and their services through our high-availability platform architecture; resiliency practices and requirements built into our development and operational processes; and by maintaining a business continuity program to mitigate risks and to provide protection to our people, customers, and products.
This document provides an overview of the Twilio Business Continuity program, including how we align to best practices and industry standards to protect the people, products, and processes that keep Twilio running.
Our business continuity program is committed to providing solutions and strategies that protect Twilio’s top priorities: our people, products, and customers. The program is aligned to ISO 22301 Business Continuity Management System and the Business Continuity Institutes’ Good Practice Guidelines, including the formation of a Business Continuity and IT Disaster Recovery (BCDR) Steering Committee composed of key company leaders overseeing the program. The committee meets quarterly to guide priorities, review progress, approve findings, and ensure regular reporting of the program status to the Internal Audit Committee.
The scope of the Twilio Business Continuity program will cover all customer-facing products and services, as well as the internal processes and teams supporting the delivery of these products. This program kicked off in 2018, and products are being onboarded based on business priority. The first set of finalized and approved plans were rolled out in Q1 of 2019, with many more in the pipeline. Please talk to your Twilio representative if you’d like to know the current status of any product.
Twilio has a dedicated Business Continuity and Disaster Recovery Team, seated within the Trust & Security organization. The BCDR team is comprised of industry experts who have designed and implemented custom business continuity and disaster recovery programs for organizations of all sizes and industries, with extensive experience in regulated frameworks and cloud service architecture. This purposeful placement allows our BCDR team to collaborate with other risk disciplines and facilitate information sharing. The team works closely with all business functions across the organization to plan for potential or actual crises and ensure the continuation of Twilio’s business.
How do we define business continuity?
Twilio has adopted the ISO 22301 definition of business continuity: “The capability of the business to continue the delivery of products and services at acceptable, predefined levels following a business disruption.” Ultimately, we aim to provide our employees, partners, and customers the highest possible degree of confidence in our ability to provide our products and continue our business. Maintaining this level of resilience requires continual effort, as our business and the environment that we operate in changes every single day.
Twilio uses a top-down approach to scope our business continuity program. That means we start with the products and services we offer and work backwards to include the teams, functions, and resources that support their delivery. Our program encompasses not only the engineering teams that directly support the delivery of Twilio’s products, but also the many back-office teams and functions that enable Twilio in less direct but equally important ways.
Why is this important to us?
Twilio believes that investing in business continuity planning—and proactive measures to protect our business—is important for several reasons.
Our investment in business continuity is an investment in our people. Addressing vulnerabilities that could compromise the safe, healthy working environment we provide for Twilions is of the utmost importance.
Manage threats & reduce risk
Twilio’s business continuity program assesses and tracks risk across all areas of the business. By taking a holistic approach to identifying, reporting, and managing risks, we are able to proactively mitigate threats, and reduce siloed approaches to solving problems.
To continue to support the future of communications, it is crucial that we take steps to provide reliable services for our customers. Business continuity planning, and the associated strategy development, enables our teams to consider the broad spectrum of risks that could threaten Twilio’s ability to serve our customers.
Internationally recognized standards
Twilio’s ISO 27001 certification requires business continuity plans be in place. We believe that part of being a world-class organization includes exemplifying best practices, so we went a step further and built our entire program to be aligned to ISO 22301, the international business continuity management systems standard.
A successful business continuity program requires a holistic approach to identifying and addressing risk, making sure we’re considering all areas that support our business. As a tech company, we understand how easy it is to fall into the trap of only planning for disruptions on the technology side. However, we know it takes much more than a secure platform and high-availability architecture to maintain the standard of operations our customers have come to expect from us. We ensure our strategies for risk mitigation, response, and recovery address not only our platform, but also the systems, facilities, third-party relationships, and incredible Twilions that keep our lights on.
Business impact analysis
Twilio performs an annual business impact analysis (BIA) to understand business requirements, set recovery objectives, and identify gaps and areas of vulnerability. The requirements and objectives set during the BIA inform the strategy analysis and planning processes. Risks identified during the BIA are reported to the BCDR Steering Committee for prioritization and are tracked through a formal mitigation process.
Following the BIA, our team works closely with the Steering Committee and functional owners to identify current-state strategies for recovery should an event occur. We also acknowledge and document where our capabilities can be improved, and determine how to do just that.
Business continuity planning
With our strategy in place, we update our business continuity plans to specify how our teams would respond and recover during a disruptive incident. Business continuity plans are in place for each in-scope team, and teams have ownership of their plans—validating the plan content is usable, actionable, and accurate. Plans are reviewed, updated, and approved annually, or as significant organizational changes occur.
We use a resource-based planning approach and focus on documenting realistic, current-state strategies in the event of a loss of a key resource such as an application, technology system, facility, third-party software or equipment, personnel, or any other key enabler of critical functions.
All business continuity plans are structured to enable the recovery and restoration of our products. Our Recovery Time Objectives (RTOs) are set based on possible impacts from a disruption, enabling and protecting our customer-facing SLAs. While we don’t provide RTOs for review, understand that our timeframes are designed to ensure we can meet our obligations, both internally and externally. Customers can subscribe to real time status updates for Twilio products at https://status.twilio.com/.
Twilio has developed incident response protocols that include triggers and escalation criteria based on the severity of an incident. This includes processes for activating plans, assembling recovery teams, and making critical decisions.
A crisis management plan is in place to govern a global response following an incident impacting Twilio. The plan includes the assembly of a core team of leaders and procedures for decision-making and communications.
Twilio maintains an up-to-date Pandemic Plan that provides strategies, procedures, and information to guide Twilio’s response during a wide-spread pandemic. The plan is advised by the protocols and standards set by the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
All plans will be tested as part of the annual execution of the program lifecycle. Plans are tested via tabletop exercises, plan walkthroughs, and simulations. We have a formal process in place to document and track any corrective actions and lessons learned during the exercises.
Twilio evaluates the business continuity capabilities of key vendors and third-parties through a vendor assessment procedure managed by the Security team. We are currently expanding the vetting process for business critical third parties to better understand potential vulnerabilities and threats to Twilio.
Twilio’s Business Continuity Program is a critical component in maintaining the standard of service we’ve established as we continue to grow and expand our product offerings. Resiliency is a continual effort and our investment in the business continuity program reflects our commitment to protecting our people, customers, and products.
For further details or questions about business continuity at Twilio, reach out to your Account Executive or visit https://www.twilio.com/help/sales.
- Twilio maintains a business continuity program to ensure we are able to continue the delivery of our most important products in the event of a business disruption
- Twilio prioritizes our people, solutions, and customers that rely on us to exchange millions of calls and messages daily
- The program is aligned to ISO 22301 Business Continuity Management System and the Business Continuity Institutes' Good Practice Guidelines