1. Part I: Introduction to this Controller Policy
2. Part II: Our obligations
3. Part III: Delivering compliance in practice
4. Part IV: Appendices

Part I: Introduction to this Controller Policy

Starting with Why – Why Do We Have This Policy?

Twilio’s guiding principle when it comes to data protection is “No Shenanigans.” “No Shenanigans” means we are thoughtful about data protection, we comply with the law, and strive to be honest, direct and transparent when it comes to processing personal data. Twilio respects people’s personal data and we demonstrate that respect, not just by what we say about data protection, but in how we treat the personal data with which we have been entrusted to process.

What does this Controller Policy do?

This Binding Corporate Rules: Controller Policy (“Controller Policy”) establishes the Twilio group of companies' ("Twilio") approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal data for its own purposes as a controller.

It applies in particular when we process personal data as a controller and transfer personal information between members of our group of companies listed in Appendix 1 ("Group Members"). This Controller Policy applies regardless of whether our Group Members process personal data by manual or automated means.

The standards described in the Controller Policy are worldwide standards that apply to all Group Members when processing any personal data as a controller. As such, this Controller Policy applies regardless of the origin of the personal data that we process, the country in which we process personal data, or the country in which a Group Member is established.

For an explanation of some of the terms used in this Controller Policy, like "controller", "process", and "personal data", please see the section headed "Important terms used in this Controller Policy" below.

Types of personal data within the scope of this Controller Policy

This Controller Policy applies to all personal data that we process as a controller, including personal data processed in the course of its business activities, employment administration and vendor management – such as:

  • Human resources data: including personal data of past and current employees, individual consultants, independent contractors, temporary staff and job applicants;
  • Customer data: including personal data relating to representatives of business customers who use our business services, other customer contact information, billing information, website use, and information necessary to authenticate customers;
  • Communications metadata: metadata about the communications we process in connection with our services, such as communications origination and termination information (including phone numbers and IP addresses), time / date of communication, routing information, and similar communications metadata; and
  • Supply chain management data: including personal data of individual contractors and of account managers and staff of third party suppliers who provide services to us.

Our collective responsibility to comply with this Controller Policy

All Group Members and their staff must comply with, and respect, this Controller Policy when processing personal data as a controller, irrespective of the country in which they are located.

In particular, all Group Members who process personal data as a controller must comply with:

  • the rules set out in Part II of this Controller Policy;
  • the practical commitments set out in Part III of this Controller Policy; and
  • the policies and procedures appended in Part IV of this Controller Policy.

Management commitment and consequences of non-compliance

Twilio's management is fully committed to ensuring that all Group Members and their staff comply with this Controller Policy at all times. This Controller Policy ensures that our employees, service providers, and customers can trust that Twilio will process their personal data appropriately, fairly and lawfully, no matter where that data may be processed within the Twilio organization.

Non-compliance may cause Twilio to be subject to sanctions imposed by competent data protection authorities and courts, and may cause harm or distress to individuals whose personal information has not been protected in accordance with the standards described in this Controller Policy.

In recognition of the importance of trust to Twilio’s business and the gravity of the risks associated with violating that trust, staff members who do not comply with this Controller Policy will be subject to disciplinary action, up to and including dismissal.

Relationship with Twilio's Binding Corporate Rules: Processor Policy

This Controller Policy applies only to personal data that Twilio processes as a controller (i.e. for its own purposes).

Twilio has a separate Binding Corporate Rules: Processor Policy ("Processor Policy") that applies when it processes personal data as a processor in order to provide a service to a third party (such as a customer or another Group Member). When a Twilio Group Member processes personal data to provide a service, it must comply with the Processor Policy.

In some situations, Group Members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Privacy Team whose contact details are provided below.

Where will this Controller Policy be made available?

This Controller Policy is accessible on Twilio's corporate website at www.twilio.com.

Important terms used in this Controller Policy

For the purposes of this Controller Policy:

  • the term applicable data protection laws includes the data protection laws in force in the territory from which a Group Member initially transfers personal data under this Controller Policy. Where a European Group Member transfers personal data under this Controller Policy to a non-European Group Member, the term applicable data protection laws shall include the European data protection laws applicable to that European Group Member;
  • the term controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, Twilio is a controller of its HR records and CRM records;
  • the term Europe as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;
  • the term Group Member means the members of Twilio's group of companies listed in Appendix 1;
  • the term personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • the term processing means any operation or set of operations which is performed on personal information or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • the term processor means a natural or legal person which processes personal data on behalf of a controller. For the purposes of this Controller Policy, a Processor may be either a third party service provider or another Group Member;
  • the term special categories of data means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. It also includes information about an individual's criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws; and
  • the term staff refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any Twilio Group Member. All staff must comply with this Controller Policy.

How to raise questions or concerns

If you have any questions regarding this Controller Policy, your rights under this Controller Policy or applicable data protection laws, or any other data protection issues, you can contact Twilio's Privacy Team using the details below. Twilio's Privacy Team will either deal with the matter directly or forward it to the appropriate person or department within Twilio to respond.

Attention: Privacy Team
Email: privacy@twilio.com
Address: 375 Beale Street, Suite 300, San Francisco, CA 94105

Twilio's Privacy Team is responsible for ensuring that changes to this Policy are notified to the Group Members and to individuals whose personal data is processed by Twilio in accordance with Appendix 9.

If you are unhappy about the way in which Twilio has used your personal data, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 7.


Part II: Our obligations

This Controller Policy applies in all situations where a Group Member processes personal data as a Controller anywhere in the world. All staff and Group Members must comply with the following obligations:

We must at all times comply with any applicable data protection laws (including Europe's General Data Protection Regulation, when applicable), as well as the standards set out in this Controller Policy, when processing personal data.

As such:

  • where applicable data protection laws exceed the standards set out in this Controller Policy, we must comply with those laws; but
  • where there are no applicable data protection laws, or where applicable data protection laws do not meet the standards set out in this Controller Policy, we must process personal data in accordance with the standards set out in this Controller Policy.

We must provide individuals with the Fair Information Disclosures, also known as Privacy Notices (see Appendix 2), when we process their personal data.

We must take appropriate measures to communicate the Fair Information Disclosures to individuals in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Fair Information Disclosures shall be provided in writing, or by other means, including, where appropriate, by electronic means. They may be provided orally, at the request of an individual, provided that the identity of that individual is proven by other means.

In limited cases we may not need to provide the Fair Information Disclosures (for example because the individual already has the information or the provision of the Fair Information Disclosures may prove impossible or involve a disproportionate effort). Where this is the case, the Privacy Team must be informed and will decide what course of action is appropriate to protect the individual's rights, freedoms and legitimate interests.

We must only process personal data for specified, explicit and legitimate purposes that have been communicated to the individuals concerned in accordance with Rule 2. We must not process their personal data in a way that is incompatible with those purposes, except in accordance with applicable law or with the individual's consent.

If we intend to process personal data for a purpose which is incompatible with the purpose for which the personal data was originally collected, we may only do so if such further processing is permitted by applicable law or we have the individual's consent. We must also provide the individual with Fair Information Disclosures about the further processing in accordance with Rule 2.

In assessing whether any processing is compatible with the purpose for which the personal data was originally collected, we must take into account:

  • any link between the purposes for which the personal data was originally collected and the purposes of the intended further processing;
  • the context in which the personal data was collected, and in particular the reasonable expectations of the individuals whose personal data will be processed;
  • the nature of the personal data, in particular whether such information may constitute special categories of data;
  • the possible consequences of the intended further processing for the individuals concerned; and
  • the existence of any appropriate safeguards that we have implemented in both the original and intended further processing operations.

We must only process personal data that is adequate, relevant and limited in order to properly fulfil the desired processing purposes. We must not process personal data that is unnecessary to achieve those purposes.

We must take appropriate measures to ensure that the data we process is accurate and, where necessary, kept up to date – for example, by giving individuals the ability to inform us when their personal data has changed or become inaccurate.

We must take every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

We must not keep personal data in a form which permits identification of individuals for longer than is necessary for the purposes for which that data is processed.

In particular, we must comply with Twilio's record retention policies and guidelines as revised and updated from time to time.

We must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where processing involves transmission of personal data over a network, and against all other unlawful forms of processing.

Such measures will ensure a level of security appropriate to the risk. These measures may include the following, as appropriate in light of the risk:

  • the pseudonymisation or encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In particular, we must comply with the requirements in the security policies in place within Twilio, as revised and updated from time to time, together with any other security procedures relevant to a business area or function.

We must ensure that any staff member who has access to personal data does so only for lawful purposes as authorised and instructed by Twilio.

Where we appoint a service provider to process personal data on our behalf (i.e. a processor), we must impose strict contractual terms on the service provider that require it:

  • to act only on our instructions when processing that information, including with regard to international transfers of personal data;
  • to ensure that any individuals who have access to the data are subject to a duty of confidence;
  • to have in place appropriate technical and organizational security measures to safeguard the personal data;
  • only to engage a sub-processor if we have given our prior specific or general written authorisation, and on condition the sub-processor agreement protects the personal data to the same standard required of the service provider;
  • to assist us in ensuring compliance with our obligations as a controller under applicable data protection laws, in particular with respect to reporting data security incidents under Rule 9 and responding to requests from individuals to exercise their data protection rights under Rule 10;
  • to return or delete the personal data once it has completed its services; and
  • to make available to us all information we may need in order to ensure its compliance with these obligations.

When we become aware of a data security incident that presents a risk to the personal data that we process, we must immediately inform the Privacy Team and follow our data security incident management policies.

The Privacy Team will review the nature and seriousness of the data security incident and determine whether it is necessary under applicable data protection laws to notify competent data protection authorities and/or individuals affected by the incident. The Privacy Team shall be responsible for ensuring that any such notifications, where necessary, are made in accordance with applicable data protection law.

Various data protection laws around the world, including European Union laws, provide individuals with certain data protection rights. These may include:

  • The right of access: This is a right for an individual to obtain confirmation whether we process personal data about them and, if so, to be provided with details of that personal data and access to it;
  • The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data we may process about him or her.
  • The right to erasure: This is a right for an individual to require us to erase personal data about them on certain grounds – for example, where the personal data is no longer necessary to fulfil the purposes for which it was collected.
  • The right to restriction: This is a right for an individual to require us to restrict processing of personal data about them on certain grounds.
  • The right to data portability: This is a right for an individual to receive personal data concerning him or her from us in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply.
  • The right to object: This is a right for an individual to object, on grounds relating to his or her particular situation, to processing of personal data about him or her, if certain grounds apply.

Where an individual wishes to exercise any of his or her data protection rights, we must respect those rights in accordance with applicable law by following the Data Protection Rights Procedure (see Appendix 3).

Various data protection laws around the world, including European Union laws, prohibit international transfers of personal data to third parties unless appropriate steps are taken to ensure the transferred data continues to remain protected to the standard required in the country or region from which it is transferred.

Where these requirements exist, we must comply with them. Whenever transferring personal data internationally, the Privacy Team must be consulted so that it can ensure appropriate measures, such as standard contractual clauses (for transfers of personal data from the European Economic Area) have been implemented to protect the personal data being transferred.

Twilio will assess whether special categories of data are required for the intended purpose of processing.

In principle, we must obtain the individual's explicit consent to collect and process his or her special categories of data, unless we are required to do so by applicable law or have another legitimate basis for doing so consistent with the applicable law of the country in which the personal data was collected.

When obtaining an individual's consent, that consent must be given freely, and must be specific, informed and unambiguous.

All individuals must have the right to object, free of charge, to the use of their personal data for direct marketing purposes and we will honour all such opt-out requests.

We will not make any decision, which produces legal effects concerning an individual or that similarly significantly affects them, based solely on the automated processing of that individual's personal data, including profiling, unless such decision is:

  • necessary for entering into, or performing, a contract between a Group Member and that individual;
  • authorized by applicable law (which, in the case of personal data about individuals in the European Union, must be European Union or Member State law); or
  • based on the individual's explicit consent.

In the first and third cases above, we must implement suitable measures to protect the individual's rights and freedoms and legitimate interests, including the right to obtain human intervention, to express his or her view and to contest the decision. We must never make automated individual decisions about individuals using their special categories of data unless they have given explicit consent under Rule 12 or another lawful basis applies.

Under European data protection law, individuals whose personal data is processed in Europe by a Group Member acting as a Controller (an "EEA Entity") and/or transferred to a Group Member located outside Europe under the Controller Policy (a "Non-EEA Entity") have certain rights.

In such cases, the individual's rights are as follows:

  • Complaints: Individuals may complain to an EEA Entity in accordance with the Complaint Handling Procedure. They may also complain to: (i) the data protection authority in Ireland (where Twilio's European headquarters is located); (ii) the European data protection authority in the jurisdiction of the transferring EEA Entity; or (iii) if neither (i) nor (ii) is possible, the data protection authority of the EEA Member State where the individual resides;
  • Proceedings: Individuals may bring proceedings to enforce compliance with this Controller Policy against Twilio Ireland Limited before the courts of jurisdiction of Ireland or the jurisdiction of the transferring EEA Entity;
  • Compensation: Individuals may seek appropriate redress from Twilio Ireland Limited (including the remedy of any breach of this Policy by any Non-EEA Entity) and, where appropriate, receive compensation from Twilio Ireland Limited for any damage suffered as a result of a breach of this Policy, in accordance with the determination of a court or other competent authority;
  • Transparency: Individuals also have the right to obtain a copy of the Controller Policy on request.

If an individual suffers damage, where that individual can demonstrate that it is likely that the damage has occurred because of a breach of this Policy, the burden of proof to show that a Non-EEA Entity is not responsible for the breach, or that no such breach took place, will rest with Twilio Ireland Limited.

Where required by applicable data protection laws, we must carry out data protection impact assessments (DPIA) whenever the processing of personal data, particularly using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. Twilio will carry out a DPIA prior to processing which will contain at least the following:

  • A systematic description of the envisaged processing operations and the purposes of the processing;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to the privacy rights of individuals;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with applicable data protection laws.

Where the DPIA indicates that the processing would still result in a high risk to individuals, Twilio will consult with local data protection authorities where required by applicable data protection laws.

When designing and implementing new products and systems which process personal data, we must apply data protection by design and by default. This means we must implement appropriate technical and organisational measures that:

  • are designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards in order to protect the rights of individuals and meet the requirements of applicable data protection laws; and
  • ensure that, by default, only personal data which are necessary for each specific processing purpose are collected, stored, processed and are accessible; in particular, that by default personal data is not made accessible to an indefinite number of people without the individual's intervention.


Part III: Delivering compliance in practice

To ensure we follow the rules set out in our Controller Policy, in particular the obligations set out in Part II, Twilio and all of its Group Members must also comply with the following practical commitments:

Twilio has appointed its Privacy Team to oversee and ensure compliance with this Controller Policy. The Privacy Team is responsible for overseeing and enabling compliance with this Controller Policy on a day-to-day basis.

A summary of the roles and responsibilities of Twilio's privacy team is set out in Appendix 4.

Group Members must provide appropriate privacy training to staff members who:

  • have permanent or regular access to personal data; or
  • are involved in the processing of personal data or in the development of tools used to process personal data.

We will provide such training in accordance with the Privacy Training Program (see Appendix 5).

We will have data protection audits on a regular basis, which may be conducted by either internal or external accredited auditors. In addition, we will conduct data protection audits on specific request from the General Counsel and Chief Compliance Officer, Privacy Team, Audit Committee and/or the Board of Directors.

We will conduct any such audits in accordance with the Audit Protocol (see Appendix 6).

Group Members must enable individuals to raise data protection complaints and concerns (including complaints about processing under this Controller Policy) by complying with the Complaint Handling Procedure (see Appendix 7).

Group Members must cooperate with competent data protection authorities by complying with the Cooperation Procedure (see Appendix 8).

If legislation applicable to any Group Member prevents it from fulfilling its obligations under the Controller Policy or otherwise has a substantial effect on its ability to comply with the Controller Policy, the Group Member must promptly inform the Privacy Team unless prohibited by a law enforcement authority.

Where there is a conflict between the legislation applicable to a Group Member and this Controller Policy, the Privacy Team will make a responsible decision on the action to take and will consult the data protection authority with competent jurisdiction in case of doubt.

Whenever updating our Controller Policy, we must comply with the Updating Procedure (see Appendix 9).


Part IV: Appendices

Appendix 1

TWILIO GROUP MEMBERS

Non-EEA Entities:

Each entry lists the name of the entity, its registered address, and its registration number.

1. Twilio Australia Pty Ltd; registered address: c/o McCullough Robertson Lawyers, Level 32, 19 Martin Place, Sydney, NSW 2000; registration no.: 618 090 010
2. Twilio Colombia S.A.S; registered address: Calle 70 A No. 4 – 41, Bogotá, Colombia; registration no.: 02547510
3. Twilio Hong Kong Limited; registered address: Flat 2, 19/F, Henan Building, 90-92 Jaffe Road, Wanchai, Hong Kong; registration no.: 2222131
4. Twilio Inc.; registered address: 375 Beale Street, Suite 300, San Francisco, CA 94105; registration no.: 4802838

EEA Entities:

Each entry lists the name of the entity, its registered address, and its registration number.

1. Twilio Estonia OU; registered address: Veerenni 24, Entrance D, Second Floor, Tallinn 10135, Estonia; registration no.: 12771257
2. Twilio Germany GmbH; registered address: Frauenlobstraße 2, 80337 Munich, Germany; registration no.: HRB 219708
3. Twilio IP Holding Limited; registered address: 25-28 North Wall Quay, Dublin 1, Ireland; registration no.: 554350
4. Twilio Spain, S.L.; registered address: Calle Monte Esquinza 30, Bajo Izquierda, 28012 Madrid, Espana; registration no.: CIF/NIF B87653549
5. Twilio Sweden AB; registered address: Södergatan 24, 211 34 Malmö, Sweden; registration no.: 556708-1731
6. Twilio UK Limited; registered address: One London Wall, 6th Floor, London, EC2Y 5EB, UK; registration no.: 07945978


Appendix 2

FAIR INFORMATION DISCLOSURES

Fair Information Disclosures are often referred to as Privacy Notices or Privacy Policies.

Twilio must, at the time when it collects personal data from individuals, provide those individuals with the following information:

  • the identity of the data controller and its contact details;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • where the processing is based on Twilio's or a third party's legitimate interests, the legitimate interests pursued by Twilio or by the third party;
  • the recipients or categories of recipients of their personal data (if any);
  • where applicable, the fact that a Group Member in Europe intends to transfer personal data to a third country or international organisation outside of Europe, and the measures that the Group Member will take to ensure the personal data remains protected in accordance with European Union law.

In addition to the information above, Twilio shall, at the time when personal data are obtained, provide individuals with the following further information necessary to ensure fair and transparent processing:

  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • information about the individuals' rights to request access to, rectify or erase their personal data, as well as the right to restrict or object to the processing, and the right to data portability;
  • where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with the competent supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling, and, where such decisions may have a legal effect or significantly affect the individuals whose personal data are collected, any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for those individuals.

Where personal data has not been obtained directly from the individuals concerned, Twilio shall provide those individuals, in addition to the information above, with the following information:

  • the categories of personal data that are being processed; and
  • from which source the personal data originates, and if applicable, whether it came from publicly accessible sources.

This information will be provided when personal data is obtained by Twilio from the individual or, if not practicable to do so at the point of collection, as soon as possible after collection.


Appendix 3

DATA PROTECTION RIGHTS PROCEDURE

Global Binding Corporate Rules: Data Protection Rights Procedure

  1. Introduction

    1. Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio group members ("Group Members").

    2. Individuals whose personal data are processed by Twilio under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is Twilio or a Customer) (a “Data Protection Rights Request”).

    3. This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how Twilio will respond to any Data Protection Rights Requests it receives from individuals whose personal data are processed and transferred under the Policies.

  2. Individual’s data protection rights

    1. Twilio must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:
      1. The right of access: This is a right for an individual to obtain confirmation whether a controller processes personal data about them and, if so, to be provided with details of that personal data and access to it. The process for handling this type of request is described further in paragraph 4 below.
      2. The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data a controller may process about him or her. The process for handling this type of request is described further in paragraph 5 below.
      3. The right to erasure: This is a right for an individual to require a controller to erase personal data about them on certain grounds – for example, where the personal data is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.
      4. The right to restriction: This is a right for an individual to require a controller to restrict processing of personal data about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.
      5. The right to object: This is a right for an individual to object, on grounds relating to his or her particular situation, to a controller’s processing of personal data about him or her, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.
      6. The right to data portability: This is a right for an individual to receive personal data concerning him or her from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.
  3. Responsibility to respond to a Data Protection Rights Request

    1. Overview
      1. The controller of an individual’s personal data is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.
      2. As such, when an individual contacts Twilio to make any Data Protection Rights Request then:
        1. where Twilio is the controller of that individual’s personal data under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and
        2. where Twilio processes that individual’s personal data as a processor on behalf of a Customer under the Processor Policy, Twilio must inform the relevant Customer promptly and provide it with reasonable assistance to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.
    2. Assessing responsibility to respond to a Data Protection Rights Request
      1. If a Group Member receives a Data Protection Rights Request from an individual, it must pass the request to the Privacy Team at privacy@twilio.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Privacy Team to deal with the request.
      2. The Privacy Team will make an initial assessment of the request as follows:
        1. the Privacy Team will determine whether Twilio is a controller or processor of the personal data that is the subject of the request;
        2. where the Privacy Team determines that Twilio is a controller of the personal data, it will then determine whether the request has been made validly under applicable data protection laws and whether confirmation of identity, or any further information, is required in order to fulfil the request; and
        3. where the Privacy Team determines that Twilio is a processor of the personal data on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer and will not respond to the request directly unless authorised to do so by the Customer.
      3. If the Privacy Team determines that Twilio is the controller of the personal data that is the subject of the request, Twilio will then contact the individual in writing to confirm receipt of the Data Protection Rights Request and seek confirmation of identity (if the individual's identity has not already been validated) as well as any further information it may need to action the individual's request. If Twilio is exempted under applicable data protection laws from fulfilling the Data Protection Rights Request (for example, because Twilio can demonstrate that the individual has made a manifestly unfounded or excessive request), then Twilio will notify the individual if it intends to decline the Data Protection Rights Request and the exemption that applies. If the individual disagrees with Twilio's decision to decline a Data Protection Rights Request, he or she may complain, including to a competent data protection authority, in accordance with Twilio's Complaint Handling Procedure.
      4. Where Twilio is the controller of the personal data that is the subject of the Data Protection Rights Request, and Twilio has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then Twilio shall deal with the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).
  4. Requests for access to personal data

    1. Overview

      1. An individual is entitled to make a Data Protection Rights Request to a controller to require it to provide the following information concerning processing of his or her personal data:
        1. confirmation as to whether the controller holds and is processing personal data about that individual;
        2. if so, a description of the personal data and categories of personal data concerned, the envisaged period for which the personal data will be stored, the purposes for which they are being held and processed and the recipients or classes of recipients to whom the information is, or may be, disclosed by the controller;
        3. information about the individual’s right to request rectification or erasure of his or her personal data or to restrict or object to its processing;
        4. information about the individual’s right to lodge a complaint with a competent data protection authority;
        5. information about the source of the personal data if it was not collected from the individual;
        6. details about whether the personal data is subject to automated decision-making (including profiling) which produces legal effects concerning the individual or similarly significantly affects them; and
        7. where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards that Twilio has put in place relating to such transfers in accordance with European data protection laws.
      2. An individual is also entitled to request a copy of his or her personal data from the controller. Where an individual makes such a request, the controller must provide that personal data to the individual in intelligible form.
      3. An access request must generally be made in writing, which can include email, unless applicable data protection laws allow an access request to be made orally. An access request does not have to be official or mention data protection law to qualify as a valid request.
      4. A controller must respond to an access request without undue delay and in no case later than one month after receipt of that request.
      5. A controller must not refuse to comply with an access request unless it can demonstrate that it is not in a position to identify the individual who is making the request or an exemption applies under applicable data protection law (for example, if the controller can demonstrate that the individual has made a manifestly unfounded or excessive request). A controller may request such information as is reasonably necessary in order to confirm the identity of the individual making the request and to locate the information sought.
    2. Process for responding to access requests from individuals

      1. If Twilio receives an access request from an individual, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.
      2. Where Twilio determines it is the controller of the personal data and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Privacy Team will arrange a search of all relevant electronic and paper filing systems.
      3. The Privacy Team may refer any complex cases to the General Counsel / Chief Compliance Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal data may prejudice commercial confidentiality or legal proceedings.
      4. The personal data that must be disclosed to the individual will be collated by the Privacy Team into a readily understandable format. A covering letter will be prepared by the Privacy Team which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).
    3. Exemptions to the right of access

      1. A valid request may be refused on the following grounds:
        1. If the refusal to provide the information is consistent with applicable data protection law (for example, where a European Group Member transfers personal data under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the Group Member is located);
        2. where the personal data is held by Twilio in non-automated form that is not or will not become part of a filing system;
        3. the personal data does not originate from Europe, has not been processed by any European Group Member, and the provision of the personal data requires Twilio to use disproportionate effort.
      2. The Privacy Team will assess each request individually to determine whether any of the above-mentioned exemptions applies. A Group Member must never apply an exemption unless this has been discussed and agreed with the Privacy Team.
      3. If the requestor disagrees with a decision by Twilio to decline an access request, he or she may complain, including to a competent data protection authority, in accordance with Twilio's Complaint Handling Procedure.
  5. Requests to correct, update or erase personal data, to restrict or cease processing personal data

    1. If Twilio receives a request to correct, update or erase personal data, or to restrict or cease processing of an individual’s personal data, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

    2. Once an initial assessment of responsibility has been made then:

      1. where Twilio is the controller of that personal data, the request must be notified to the Privacy Team promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.
      2. where a Customer is the controller of that personal data, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. Twilio shall assist the Customer to fulfil the request in accordance with the terms of its contract with the Customer.
    3. When Twilio must rectify or erase personal data, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, Twilio will notify other Group Members and any sub-processor to whom the personal data has been disclosed so that they can also update their records accordingly.

    4. If Twilio acting as controller has made the personal data public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal data.

  6. Right to data portability

    1. If an individual makes a Data Protection Rights Request to Twilio acting as controller to receive the personal data that he or she has provided to Twilio in a structured, commonly used and machine-readable format and/or to transmit directly such information to another controller (where technically feasible), Twilio’s Privacy Team will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.
  7. Questions about this Data Protection Rights Procedure

    1. All queries relating to this Procedure are to be addressed to the Privacy Team at privacy@twilio.com.

Appendix 4

PRIVACY COMPLIANCE STRUCTURE

Binding Corporate Rules: Privacy Compliance Structure

  1. Introduction

    1. Twilio's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Global Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional privacy compliance structure.
  2. General Counsel and Chief Compliance Officer

    1. Twilio has appointed its General Counsel and Chief Compliance Officer (“GC/CCO”) who provides executive-level oversight of, and has responsibility for, ensuring Twilio's compliance with applicable data protection laws and the Policies.
    2. The GC/CCO reports directly to the Board of Directors on all material or strategic issues relating to Twilio's compliance with data protection laws and the Policies, and is also accountable to Twilio's independent Audit Committee. The GC/CCO leads and is supported by Twilio’s Privacy Team.
    3. The GC/CCO’s key responsibilities with regard to privacy include:
      • Ensuring that the Policies and other privacy-related policies, objectives and standards are defined and communicated.
      • Providing clear and visible senior management support and resources for the Policies and for privacy objectives and initiatives in general.
      • Evaluating, approving and prioritizing remedial actions consistent with the requirements of the Policies, strategic plans, business objectives and regulatory requirements.
      • Periodically assessing privacy initiatives, accomplishments, and resources to ensure continued effectiveness and improvement.
      • Ensuring that Twilio's business objectives align with the Policies and related privacy and information protection strategies, policies and practices.
      • Facilitating communications on the Policies and privacy topics with the Board of Directors and independent Audit Committee.
      • Dealing with any escalated privacy complaints in accordance with the Global Binding Corporate Rules: Complaint Handling Procedure.
  3. Privacy Team

    1. The Twilio Privacy Team comprises Twilio's GC/CCO, Lead Privacy Counsel, its Vice President of Trust and Chief Information Security Officer, in addition to other representatives from the Legal team and Information Security team. Incorporating members of Twilio’s Legal and Information Security teams ensures appropriate independence and oversight of duties relating to all aspects of Twilio's data protection compliance.
    2. The Privacy Team is accountable for managing and implementing Twilio's data privacy program internally (including the Policies) and for ensuring that effective data privacy controls are in place for any third party service provider Twilio engages. In this way, the Privacy Team is actively engaged in addressing matters relating to Twilio's privacy compliance on a routine, day-to-day basis.
    3. The Privacy Team’s responsibilities include:
      • Providing guidance about the collection and use of personal data subject to the Policies and assessing the processing of personal data by Twilio Group Members for potential privacy-related risks.
      • Responding to inquiries and compliance matters relating to the Policies from staff members, customers and other third parties raised through its dedicated e-mail address at privacy@twilio.com.
      • Helping to implement the Policies and related policies and practices at a functional and local country level, providing guidance and responding to privacy questions and issues.
      • Providing input on audits of the Policies, coordinating responses to audit findings and responding to inquiries of the data protection authorities.
      • Monitoring changes to global privacy laws and ensuring that appropriate changes are made to the Policies and Twilio's related policies and business practices.
      • Overseeing training for staff on the Policies and on data protection legal requirements in accordance with the Binding Corporate Rules: Privacy Training Program.
      • Promoting the Policies and privacy awareness across business units and functional areas through privacy communications and initiatives.
      • Evaluating privacy processes and procedures to ensure that they are sustainable and effective.
      • Reporting periodically on the status of the Policies to the GC/CCO and Board of Directors and / or Audit Committee as appropriate.
      • Ensuring that the commitments made by Twilio in relation to updating, and communicating updates to the Policies are met in accordance with the Binding Corporate Rules: Updating Procedure.
      • Overseeing compliance with the Binding Corporate Rules: Data Protection Rights Procedure and the handling of any requests made under it.
  4. Data Compliance Team

    1. Twilio's Data Compliance team is a subset of the wider Privacy Team and has a number of specific responsibilities in relation to the implementation and oversight of the Policies and privacy matters more generally, including:
      • Audit of attendance of privacy training courses as set out in the Binding Corporate Rules: Privacy Training Program.
      • Overseeing independent audits of compliance with the Policies as set out in the Binding Corporate Rules: Audit Protocol and ensuring that such audits address all aspects of the Policies.
      • Ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of Twilio's Privacy Team and that any corrective actions are determined and implemented within a reasonable time.
  5. Privacy Committee

    1. Twilio's Privacy Committee comprises functional leads or key representatives from the main functional areas within Twilio, including sales, marketing, HR, procurement, product development, legal and compliance.
    2. The key responsibilities of Members of the Privacy Committee include:
      • Promoting the Policies at all levels in their functional areas.
      • Assisting the Privacy Team with the day-to-day implementation and enforcement of Twilio's privacy policies (including the Policies) within their respective areas of responsibility.
      • Escalating questions and compliance issues, and communicating any actual or potential violation of, or relating to, the Policies to the Privacy Team.
      • Through its liaison with the Privacy Team, the Privacy Committee serves as a channel through which the Privacy Team can communicate data privacy compliance actions to all key functional areas of the business.
    3. The Privacy Committee will meet on a formal and regular basis, at a minimum frequency of every six months, to ensure a coordinated approach to data protection compliance across all functions.
  6. Twilio Staff

    1. All staff members within Twilio are responsible for supporting the functional Privacy Committee members on a day-to-day basis and adhering to Twilio privacy policies.
    2. In addition, Twilio personnel are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Privacy Committee member or, if they prefer, the Twilio Privacy Team. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.

Appendix 5

PRIVACY TRAINING PROGRAMME

Binding Corporate Rules: Privacy Training Requirements

  1. Background

    1. The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal data between Twilio's group members ("Group Members"). This document sets out the requirements for Twilio to train its staff members on the requirements of the Policies.
    2. Twilio must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal data) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws. Training shall also include guidance on data protection best practices and any security certifications applicable to Twilio such as ISO 27001.
    3. Staff members who have permanent or regular access to personal data and who are involved in the processing of personal data or in the development of tools to process personal data must receive additional, tailored training on the Policies and specific data protection issues relevant to their role. This training is further described below and is repeated on a regular basis.
  2. Responsibility for the Privacy Training Program

    1. Twilio's Privacy team has overall responsibility for privacy training at Twilio, with input from colleagues from other functional areas, including Legal, Information Security, Data Compliance, HR and other departments, as appropriate. The Privacy team will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal data, who are involved in the processing of personal data or in the development of tools to process personal data.
    2. Twilio's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance must be recorded and monitored via regular audits of the training process. These audits are performed by Twilio's Data Compliance team and/or independent third party auditors.
    3. If these training audits reveal persistent non-attendance, this will be escalated to the Privacy Team for action. Such action may include escalation of non-attendance to appropriate managers within Twilio who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.
  3. Delivery of the training courses

    1. Twilio will deliver mandatory training courses, either in person or electronically, supplemented by face-to-face training for staff members. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.
    2. All Twilio staff members must complete data protection training (including training on the Policies):
      1. as part of their induction program;
      2. as part of a regular refresher training at least every year;
      3. as and when necessary to stay aware of changes in the law; and
      4. as and when necessary to address any compliance issues arising from time to time.
    3. Certain staff members must receive supplemental specialist training, in particular staff members who handle customer or employee personal data in Product Development, HR and Customer Support or whose business activities include processing sensitive personal data. Specialist training shall be delivered as additional modules to the basic training package, and will be tailored as necessary to the course participants.
  4. Training on data protection

    1. Twilio's training on data protection and the Policies will cover the following main areas:
      1. Background and rationale:
        1. What is data protection law?
        2. What are key data protection terminology and concepts?
        3. What are the data protection principles?
        4. How does data protection law affect Twilio internationally?
        5. What are Twilio’s BCR Policies?
      2. The Policies:
        1. An explanation of the Policies
        2. The scope of the Policies
        3. The requirements of the Policies
        4. Practical examples of how and when the Policies apply
        5. The rights that the Policies give to individuals
        6. The privacy implications arising from processing personal data for clients
      3. Where relevant to a staff member's role, training will cover the following procedures under the Policies:
        1. Data Subject Rights Procedure
        2. Audit Protocol
        3. Updating Procedure
        4. Cooperation Procedure
        5. Complaint Handling Procedure
        6. Government Data Request Procedure

Appendix 6

AUDIT PROTOCOL

Binding Corporate Rules: Audit Protocol

  1. Background

    1. Twilio's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio group members ("Group Members").
    2. Twilio must audit its compliance with the Policies on a regular basis, and this document describes how and when Twilio must perform such audits. Although this Audit Protocol describes the formal assessment process by which Twilio will audit its compliance with the Policies, this is only one way in which Twilio ensures that the provisions of the Policies are observed and corrective actions taken as required.
    3. In particular, Twilio's Privacy team provides ongoing guidance about the processing of personal data and continually assesses the processing of personal data by Group Members for potential privacy-related risks and compliance with these Policies.
  2. Conduct of an audit
    Overview of audit requirements

    1. Compliance with the Policies is overseen on a day to day basis by the Data Compliance team. The Data Compliance team is responsible for overseeing independent audits of compliance with the Policies and will ensure that such audits address all aspects of the Policies.
    2. The Data Compliance team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Privacy Team and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to the General Counsel and Chief Compliance Officer and, ultimately, the Board of Directors in accordance with paragraph 10.
    3. Where Twilio acts as a processor, the Customer (or auditors acting on its behalf) may audit Twilio for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on Twilio's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with Twilio.
      Frequency of audit
    4. Audits of compliance with the Policies are conducted:
      1. at least annually in accordance with Twilio's audit procedures; and/or
      2. at the request of the General Counsel and Chief Compliance Officer and / or the Board of Directors; and/or
      3. as determined necessary by the Privacy Team or Audit Committee (for example, in response to a specific incident) and / or
      4. (with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with Twilio.
      Scope of audit
    5. The Privacy Team will determine the scope of an audit following a risk-based analysis that takes into account relevant criteria such as:
      1. areas of current regulatory focus;
      2. areas of specific or new risk for the business;
      3. areas with changes to the systems or processes used to safeguard data;
      4. areas where there have been previous audit findings or complaints;
      5. the period since the last review; and
      6. the nature and location of the personal data processed.
    6. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to that Customer. Twilio will not provide a Customer with access to systems which process personal data of another Customer.
      Auditors
    7. Audit of the Policies (including any related procedures and controls) will be undertaken by independent and experienced professional auditors appointed by Twilio and acting under a duty of confidence.
    8. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with Twilio.
    9. In addition, Twilio agrees that competent data protection authorities may audit Group Members for the purpose of reviewing compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure.
      Reporting
    10. Data protection audit reports must be submitted to the General Counsel and Chief Compliance Officer, Lead Privacy Counsel, and the Vice President of Trust and Chief Information Security Officer, and, if the report reveals breaches or the potential for breaches of a serious nature (for example, presenting a risk of potential harm to individuals or to the business), to the Board of Directors.
    11. Upon request and subject to applicable law and respect for the confidentiality and trade secrets of the information provided, Twilio will:
      1. provide copies of the results of data privacy audits of the Policies (including any related procedures and controls) to competent data protection authorities; and
      2. to the extent that an audit of compliance with the Processor Policy relates to personal data Twilio processes on behalf of a Customer, to that Customer.
    12. The Lead Privacy Counsel is responsible for liaising with the competent data protection authorities for the purpose of providing the information outlined in paragraph 2.11.

Appendix 7

COMPLAINT HANDLING PROCEDURE

Binding Corporate Rules: Complaint Handling Procedure

  1. Background

    1. Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio group members ("Group Members").
    2. This Complaint Handling Procedure describes how complaints brought by an individual whose personal data is processed by Twilio under the Policies must be addressed and resolved.
    3. This procedure will be made available to individuals whose personal data is processed by Twilio under the Controller Policy and to Customers on whose behalf Twilio processes personal data under the Processor Policy.
  2. How individuals can bring complaints

    1. Any individual may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing Twilio’s Privacy Team at privacy@twilio.com or by writing to Twilio’s Privacy Team at 375 Beale Street, Suite 300, San Francisco, CA 94105.
  3. Complaints where Twilio is a controller

    1. Who handles complaints?
      1. The Privacy Team will handle all questions, concerns, or complaints in respect of personal data for which Twilio is a controller (such as personal data processed in the context of HR admin or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Privacy Team will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.
    2. What is the response time?
      1. Twilio will acknowledge receipt of a question, concern or complaint to the individual concerned within five (5) working days, and will investigate and provide a substantive response within one (1) month.
      2. If, due to the complexity of the complaint, a substantive response cannot be given within this period, Twilio will advise the individual accordingly and provide a reasonable estimate (not exceeding three (3) months) of the timescale within which a substantive response will be provided.
    3. What happens if an individual disputes a finding?
      1. If the individual notifies Twilio that he or she disputes any aspect of the response finding, the Privacy Team will refer the matter to the General Counsel and Chief Compliance Officer (GC/CCO). The GC/CCO will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The GC/CCO will respond to the complainant within one (1) month from being notified of the escalation of the dispute.
      2. As part of its review, the GC/CCO may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the GC/CCO will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed three (3) months from the date the dispute was escalated.
      3. If the complaint is upheld, the GC/CCO will arrange for any necessary steps to be taken as a consequence.
  4. Complaints where Twilio is a processor

    1. Communicating complaints to the Customer
      1. Where a complaint is brought in respect of the processing of personal data for which Twilio is a processor on behalf of a Customer, Twilio will communicate the details of the complaint to the relevant Customer promptly.
      2. Twilio will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.
    2. What happens if a Customer no longer exists?
      1. In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal data are processed under the Processor Policy have the right to complain to Twilio and Twilio will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.
      2. In such cases, individuals may also have the right to complain to a competent data protection authority and/or to lodge a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by Twilio. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.
  5. Right to complain to a competent data protection authority and to commence proceedings

    1. Where individuals' personal data:

      1. are processed in Europe by a Group Member acting as a controller and/or transferred to a Group Member located outside Europe under the Controller Policy; or
      2. are processed in Europe by a Group Member acting as a processor and/or transferred to a Group Member located outside Europe under the Processor Policy;

      then those individuals have certain additional rights to pursue effective remedies for their complaints, as described in paragraphs 5.2 to 5.5 below.

    2. The individuals described in paragraph 5.1 have the right to complain to a competent data protection authority and/or to commence proceedings in a court of competent jurisdiction in accordance with applicable data protection laws, whether or not they have first complained directly to the Customer in question or to Twilio.
    3. If such an individual wishes to complain to a data protection authority, he or she may complain to the data protection authority competent for the controller of the personal data (where personal data is processed under the Controller Policy, the controller will be the relevant Twilio Group Member in Europe; where personal data is processed under the Processor Policy, the controller will be the Customer). If this is not possible because the controller has disappeared, no longer exists or has become insolvent (and no successor entity has taken its place), then the individual may also complain to:
      1. the data protection authority in Ireland (where Twilio's European headquarters is located);
      2. the data protection authority in the country from which the personal data in question was transferred; or
      3. if neither (1) nor (2) is possible, the data protection authority of the European Member State where he or she resides.
    4. If such an individual wishes to commence court proceedings, he or she may bring proceedings against the controller of the personal data (where personal data is processed under the Controller Policy, the controller will be the relevant Twilio Group Member in Europe; where personal data is processed under the Processor Policy, the controller will be the Customer). If this is not possible because the controller has disappeared, no longer exists or has become insolvent (and no successor entity has taken its place), then the individual may bring proceedings against Twilio:
      1. in Ireland (where Twilio's European headquarters is located);
      2. in the country from which the personal data in question was transferred; or
      3. if neither (1) nor (2) is possible, in the European Member State where he or she resides.
    5. Where an individual has brought proceedings against Twilio (either under the Controller Policy or the Processor Policy), it will be for Twilio to prove that the Group Member outside of Europe or the external sub-processor was not responsible for the breach of the Policy giving rise to the damage, or that no such breach took place. If Twilio can prove this, it will discharge itself from any responsibility.
    6. Twilio accepts that complaints and claims made under this Complaint Handling Procedure may be lodged by a not-for-profit body, organisation or association acting on behalf of any such individuals concerned.

Appendix 8

COOPERATION PROCEDURE

Binding Corporate Rules: Cooperation Procedure

  1. Introduction

    1. This Binding Corporate Rules: Cooperation Procedure sets out the way in which Twilio will cooperate with competent data protection authorities in relation to the "Twilio Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy").
  2. Cooperation Procedure

    1. Where required, Twilio will make the necessary personnel available for dialogue with a competent data protection authority in relation to the Policies.
    2. Twilio will review, consider and (as appropriate) implement:
      1. any advice or decisions of relevant competent data protection authorities on any data protection law issues that may affect the Policies; and
      2. any guidance published by data protection authorities (including Europe’s Article 29 Working Party or any successor to it) in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.
    3. Subject to applicable data protection law and respect for the confidentiality and trade secrets of the information provided, Twilio will provide upon request copies of the results of any audit of the Policies to a competent data protection authority.
    4. Twilio agrees that:

      1. a competent data protection authority may audit any Group Member located within its jurisdiction for compliance with the Controller Policy, in accordance with the applicable data protection law(s) of that jurisdiction; and
      2. a competent data protection authority may audit any Group Member who processes personal data on behalf of a Customer established within the jurisdiction of that data protection authority for compliance with the Processor Policy, in accordance with the applicable data protection law(s) of that jurisdiction;

      and with full respect to the confidentiality of the information obtained and to the trade secrets of Twilio (unless this requirement is in conflict with applicable data protection law).

    5. Twilio agrees to abide by a formal decision of any competent data protection authority against which a right to appeal is not exercised on any issues relating to the interpretation and application of the Policies.

Appendix 9

UPDATING PROCEDURE

Binding Corporate Rules: Updating Procedure

  1. Introduction

    1. This Binding Corporate Rules: Updating Procedure describes how Twilio must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent data protection authorities, individual data subjects, its Customers and to Twilio group members ("Group Members") bound by the Policies.
    2. Any reference to Twilio in this procedure is to the Privacy Team, which is accountable for ensuring that the commitments made by Twilio in this Updating Procedure are met.
  2. Records keeping

    1. Twilio must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.
    2. Twilio must also maintain an accurate and up-to-date list of Group Members that are bound by the Policies and of the sub-processors appointed by Twilio to process personal data on behalf of Customers. This information will be made available online or provided upon request from Twilio to competent data protection authorities and to Customers and individuals who benefit from the Policies.
    3. The Data Compliance team shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and up-to-date.
  3. Changes to the Policies

    1. All proposed changes to the Policies must be reviewed and approved by the Lead Privacy Counsel in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Lead Privacy Counsel.
    2. Twilio will communicate all changes to the Policies (including reasons that justify the changes):
      1. to the Group Members bound by the Policies via written notice (which may include e-mail);
      2. systematically to Customers and the individuals who benefit from the Policies via www.twilio.com (and, if any changes are material in nature, they must be communicated to Customers before they take effect, in accordance with paragraph 4.2 below); and
      3. to competent data protection authorities upon request.
  4. Communication of material changes

    1. If Twilio makes any material changes to the Policies or to the list of Group Members bound by the Policies, it will actively report such changes (including the reasons that justify such changes) at least once a year to:
      1. the Data Protection Authority that was the lead authority for the purposes of granting Twilio’s BCR authorisation (the “Lead Authority”); and
      2. to any other relevant data protection authorities as may either be directed by the Lead Authority or as the Privacy Team considers necessary taking into account Twilio’s obligations under applicable data protection laws and guidance from the data protection authorities.
    2. If a proposed change to the Processor Policy will materially affect Twilio’s processing of personal data on behalf of a Customer, Twilio will also actively communicate the proposed change to the affected Customer before it takes effect, with sufficient notice to enable the affected Customer to raise objections. The Customer may then suspend the transfer of personal data to Twilio and/or terminate the contract, in accordance with the terms of its contract with Twilio.
  5. Transfers to new Group Members

    1. If Twilio intends to transfer personal data to any new Group Members under the Policies, it must first ensure that all such new Group Members are bound by the Policies before transferring personal data to them.