1. Part I: Introduction to this Processor Policy
  2. Part II: Our obligations
  3. Part III: Delivering compliance in practice
  4. Part IV: Related policies and procedures

Part I: Introduction to this Processor Policy

Starting with Why – Why Do We Have This Policy?

Twilio’s guiding principle when it comes to data protection is “No Shenanigans.” “No Shenanigans” means we are thoughtful about data protection, we comply with the law, and strive to be honest, direct and transparent when it comes to processing personal data. Twilio respects people’s personal data and we demonstrate that respect, not just by what we say about data protection, but in how we treat the personal data with which we have been entrusted to process.

What does this Processor Policy do?

This Binding Corporate Rules: Processor Policy (“Processor Policy”) establishes Twilio’s approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal data on behalf of a third party controller.

It applies in particular when we process personal data as a processor and either: (a) we transfer personal data between members of our group of companies listed in Appendix 1 ("Group Members"); or (b) a third party controller located in Europe transfers personal data to a Group Member for processing outside of Europe. This Processor Policy applies regardless of whether our Group Members process personal data by manual or automated means.

The standards described in the Processor Policy are worldwide standards that apply to all Group Members when processing any personal data as a processor. Accordingly, this Processor Policy applies regardless of the origin of the personal data that we process, the country in which we process personal data, or the country in which a Group Member is established.

For an explanation of some of the terms used in this Processor Policy, like "controller", "process", and "personal data", please see the section headed "Important terms used in this Processor Policy" below.

Types of personal information within the scope of this Processor Policy

This Processor Policy applies to all personal data that we process as a processor on behalf of a third party controller (referred to as the “Customer” in this Processor Policy), including personal data processed in the course of providing services to a customer or another Group Member – such as the content of voice, video, SMS and other communications that Twilio's Customers or their end-users send and receive via Twilio's API. When a Customer transfers personal data to us for processing in accordance with this Processor Policy, a copy of this Processor Policy shall be incorporated into the contract with that Customer.

Our collective responsibility to comply with this Processor Policy

All Group Members and their staff must comply with this Processor Policy when processing personal data as a processor on behalf of a Customer, irrespective of the country in which they or the Customer are located.

In particular, all Group Members who process personal data as a processor must comply with:

  • the rules set out in Part II of this Processor Policy;
  • the practical commitments set out in Part III of this Processor Policy; and
  • the related policies and procedures appended in Part IV of this Processor Policy.

Responsibility towards the Customer

When Twilio processes personal data as a processor, the Customer on whose behalf Twilio processes personal data will be responsible for complying with the applicable data protection laws that apply to it. As a consequence, the Customer will pass certain data protection obligations on to Twilio in its contract appointing Twilio as its processor. If Twilio fails to comply with the terms of this contract, this may put the Customer in breach of its applicable data protection laws and Customer may initiate proceedings against Twilio for breach of contract, resulting in the payment of compensation or other judicial remedies.

In particular, where a Customer demonstrates that it has suffered damage, and that it is likely that the damage was caused by a breach of this Processor Policy (whether by a Group Member or a third party processor appointed by a Group Member), Twilio will be responsible for demonstrating that such Group Member is not responsible for the breach, or that no such breach took place. For European Customers, Twilio Ireland Limited shall have the burden of proof for demonstrating that the Group Member is not responsible for the breach, or that no such breach took place.

When a Customer transfers personal data to a Group Member for processing in accordance with this Processor Policy, a copy of this Processor Policy shall be incorporated into the contract with that Customer. If a Customer chooses not to rely upon this Processor Policy when transferring personal data to a Group Member outside Europe, that Customer is responsible for implementing other appropriate safeguards in accordance with applicable data protection laws.

Management commitment and consequences of non-compliance

Twilio's management is fully committed to ensuring that all Group Members and their staff comply with this Processor Policy at all times. This Processor Policy ensures that our customers can trust that Twilio will process their personal data appropriately, fairly and lawfully, no matter where that data may be processed within the Twilio organization.

Further, non-compliance with this Processor Policy may cause Twilio to be subject to sanctions imposed by competent data protection authorities and courts, and may cause harm or distress to individuals whose personal data has not been protected in accordance with the standards described in this Processor Policy.

In recognition of the importance of trust to Twilio’s business and the gravity of the risks associated with violating that trust, staff members who do not comply with this Processor Policy will be subject to disciplinary action, up to and including dismissal.

Relationship with Twilio's Binding Corporate Rules: Controller Policy

This Processor Policy applies only to personal data that Twilio processes as a processor in order to provide a service to a Customer.

Twilio has a separate Binding Corporate Rules: Controller Policy that applies when it processes personal data as a controller (i.e. for its own purposes). When a Twilio Group Member processes personal data as a controller, it must comply with the Controller Policy.

In some situations, Group Members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Privacy Team whose contact details are provided below.

Where will this Processor Policy be made available?

This Processor Policy is accessible on Twilio's website at www.twilio.com.

Important terms used in this Processor Policy

For the purposes of this Processor Policy:

  • the term applicable data protection laws includes the data protection laws in force in the territory in which the controller of the personal data is located. Where a Group Member processes personal data on behalf of a European controller under this Processor Policy, the term applicable data protection laws shall include the European data protection laws applicable to that controller;
  • the term controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, Twilio is a controller of its HR records and CRM records;
  • the term Controller Policy refers to Twilio’s Binding Corporate Rules: Controller Policy, which is available at www.twilio.com. The Controller Policy applies where Twilio processes personal data as a controller (i.e. for its own purposes);
  • the term Customer refers to the third party controller on whose behalf Twilio processes personal data. It includes Twilio's third party customers, as well as Twilio Group Members, when we process personal data on their behalf in the course of providing data processing services to them.
    • the term Europe as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Lichtenstein and Iceland.
  • the term Group Member means the members of Twilio's group of companies listed in Appendix 1;
  • the term personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • the term processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • the term processor means a natural or legal person which processes personal data on behalf of a controller. For example, Twilio is a processor of personal data contained in communications content data it processes on behalf of its Customers;
  • the term Processor Policy refers to this Binding Corporate Rules: Processor Policy. The Processor Policy applies where Twilio processes personal data as a processor on behalf of a third party;
  • the term special categories of data means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. It also includes information about an individual's criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws; and
  • the term staff refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any Twilio Group Member. All staff must comply with this Processor Policy.

How to raise questions or concerns

If you have any questions regarding this Processor Policy, your rights under this Processor Policy or applicable data protection laws, or any other data protection issues, you can contact Twilio's Privacy Team using the details below. Twilio's Privacy Team will either deal with the matter directly or forward it to the appropriate person or department within Twilio to respond.

Attention:Privacy Team
Email:privacy@twilio.com
Address:375 Beale Street, Suite 300
San Francisco, CA 94105

Twilio's Privacy Team is responsible for ensuring that changes to this Policy are notified to the Group Members and to Customers whose personal data is processed by Twilio in accordance with Appendix 9.

If you are unhappy about the way in which Twilio has used your personal data, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 6.


Part II: Our obligations

This Processor Policy applies in all situations where a Group Member processes personal data as a processor anywhere in the world. All staff and Group Members must comply with the following obligations:

We must at all times comply with any applicable data protection laws (including processor obligations under EU Regulation 2016/679 (the General Data Protection Regulation), when applicable), as well as the standards set out in this Processor Policy, when processing personal information.

Accordingly:

  • where applicable data protection laws exceed the standards set out in this Processor Policy, we must comply with those laws; but
  • where there are no applicable data protection laws, or where applicable data protection laws do not meet the standards set out in this Processor Policy, we must process personal data in accordance with the standards set out in this Processor Policy.

We must assist our Customers to comply with their obligations under applicable data protection laws. We must provide this assistance within a reasonable time and as required under the terms of our contract with the Customer. Assistance may include, for example, helping our Customer to keep the personal data we process on its behalf accurate and up to date, or helping it to provide individuals with access to their personal data, or helping it to conduct data protection impact assessments in accordance with applicable data protection laws.

Our Customer has a duty to explain to the individuals whose data it processes (or instructs us to process), how and why that data will be used. This information must be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

This is usually done by means of an easily accessible fair processing statement. We will provide assistance and information to the Customer in accordance with the terms of our contract with the Customer as required to assist them in complying with this requirement.

For example, the terms of our contract with a Customer may require us to provide information about any sub-processors we appoint to process personal data on our Customer’s behalf.

Where we process personal data as a processor, we must only process that personal data on behalf of the Customer and in accordance with its instructions (for example, as set out in the terms of our contract with the Customer).

If we are unable to comply with our Customer’s instructions (or any of our obligations under this Processor Policy), we will inform the Customer promptly. The Customer may then suspend its transfer of personal data to us and/or terminate its contract with us (in accordance with the terms of the contract).

In such circumstances, we will return, destroy or store the personal data, including any copies of the personal data, in a secure manner or as otherwise required, in accordance with the terms of our contract with the Customer.

If legislation prevents us from returning the personal data to our Customer, or from destroying it, we will maintain the confidentiality of the personal data and will not process the personal data further other than in accordance with the terms of our contract with the Customer.

We must assist our Customer to comply with its obligation to keep personal data accurate and up to date. In particular, where a Customer informs us that personal data is inaccurate, we must assist our Customer to update, correct or erase that data without undue delay.

Where a Customer instructs that personal data we process on its behalf is no longer needed for the purposes for which it was collected, we must assist our customer to erase, restrict or anonymise that personal data without undue delay and in accordance with the terms of our contract with the Customer.

Where we provide a service to a Customer which involves the processing of personal data, the contract between us and that Customer will set out the technical and organisational security measures we must implement to safeguard that data consistent with applicable data protection laws.

We must ensure that any staff member who has access to personal data processed on behalf of a Customer does so only for purposes that are consistent with the Customer’s instructions and is subject to a duty of confidence.

When we become aware of a data security incident that presents a risk to the personal data that we process on behalf of a Customer, we must immediately inform the Privacy Team and follow our data security incident management policies.

The Privacy Team will review the nature and seriousness of the data security incident and determine whether it is necessary to notify a Customer. The Privacy Team shall be responsible for ensuring that any such notifications, where necessary, are made without undue delay and in accordance with applicable law.

We must obtain a Customer’s authorisation before appointing, adding or replacing a sub-processor to process personal data on its behalf. Authorisation must be obtained in accordance with the terms of our contract with the Customer.

We must make available to our Customer up-to-date information about the sub-processors we intend to appoint in order to obtain its authorisation. If, on reviewing this information, a Customer objects to the appointment of a sub-processor, that Customer may take such steps as are consistent with the terms of its contract with us and as referred to in Rule 4 of this Processor Policy regarding the return or destruction of the personal data.

We must only appoint sub-processors who provide sufficient guarantees in respect of the commitments made by us in this Processor Policy. In particular, sub-processors must implement appropriate technical and organisational security measures to protect the personal data they process, and such measures must be consistent with our commitments to our Customer under our contractual terms with the Customer.

Where we intend to appoint a sub-processor to process personal data, we must undertake due diligence to ensure it has in place appropriate technical and organisational security measures to protect the personal data. We must impose strict contractual obligations in writing on the sub-processor that require it:

  • to protect the personal data to a standard that is consistent with our commitments to our Customer under the terms of our contract with the Customer;
  • to maintain the security of the personal data, consistent with standards contained in this Processor Policy (and in particular Rules 6, 7 and 8 above);
  • to process personal data only on our instructions (which instructions will be consistent with the instructions of the Customer) or on the Customer’s instructions; and
  • to fulfil such additional obligations as may be necessary to ensure that the commitments made by the sub-processor reflect those made by us in this Processor Policy, and which, in particular, provide for adequate safeguards with respect to the privacy and fundamental rights and freedoms of individuals in respect of any international transfers of personal data.

We must assist our Customer to comply with its duty to respect the data protection rights of individuals, in accordance with the instructions of our Customer and the terms of our contract with the Customer.

In particular, if any Group Member receives a request from any individual wishing to exercise his or her data protection rights in respect of personal data for which the Customer is the controller, the Group Member must transfer such request promptly to the relevant Customer and not respond to such a request unless authorised to do so or required by law (in accordance with the Data Protection Rights Procedure in Appendix 2).

Under European data protection law, individuals whose personal data is processed in Europe by a Group Member acting as a Processor (an "EEA Entity") and/or transferred to a Group Member located outside Europe under the Processor Policy (a "Non-EEA Entity") have certain rights. These individuals may enforce the Processor Policy as third party beneficiaries where they cannot bring a claim against a Customer in respect of a breach of any of the commitments in this Processor Policy by a Group Member (or by a sub-processor) acting as a Processor because:

  1. the Customer has factually disappeared or ceased to exist in law or has become insolvent; and
  2. no successor entity has assumed the entire legal obligations of the Customer by contract or by operation of law.

In such cases, the individual's rights are as follows:

  1. Complaints: Individuals may complain to an EEA Entity in accordance with the Complaint Handling Procedure. They may also complain to: (i) the data protection authority in Ireland (where Twilio's European headquarters is located); (ii) the European data protection authority in the jurisdiction of the transferring EEA Entity; or (iii) if neither (i) or (ii) are possible, the data protection authority of the EEA Member State where the individual resides;
  2. Proceedings: Individuals may bring proceedings against Twilio Ireland Limited before the courts in:
    1. Ireland;
    2. the jurisdiction from which the personal information was transferred; or
    3. if (i) or (ii) are not possible, the jurisdiction of the EEA Member State where the individual resides;
  3. Compensation: Individuals may seek appropriate redress from Twilio Ireland Limited (including the remedy of any breach of the Processor Policy by a Non-EEA Entity) and where appropriate, receive compensation from Twilio Ireland Limited for any damage suffered as a result of a breach of this Processor Policy by:
    1. a Non-EEA Entity; or
    2. any third party processor which is established outside the EEA and which is acting on behalf of an EEA Entity or a Non-EEA Entity; or
    3. in accordance with the determination of the court or other competent authority;
  4. Transparency: Individuals may obtain a copy of this Processor Policy and the Intra-group Agreement entered into by Twilio in connection with this Processor Policy from Twilio or any other EEA Entity upon request.

Where a Non-EEA Entity acts as a Processor on behalf of a third party controller, then if an individual suffers damage and where that individual can demonstrate that it is likely that the damage has occurred because of a breach of this Processor Policy, Twilio Ireland Limited will bear the burden of proof to show that (i) a Non-EEA Entity; or (ii) any third party sub-processor who is established outside the EEA who is acting on behalf of a Non-EEA Entity is not responsible for the breach, or that no such breach took place.

Twilio Ireland Limited will ensure that any action necessary is taken to remedy any breach of the Processor Policy by a Non-EEA Entity or any third party processor which is established outside the EEA and which is processing personal data on behalf of a Customer.


Part III: Delivering compliance in practice

To ensure we follow the rules set out in our Processor Policy, in particular the obligations in Part II, Twilio and all of its Group Members must also comply with the following practical commitments:

Twilio has appointed its Privacy Team to oversee and ensure compliance with this Processor Policy. The Privacy Team is responsible for overseeing and enabling compliance with this Processor Policy on a day-to-day basis.

A summary of the roles and responsibilities of Twilio's Privacy Team is set out in Appendix 3.

Group Members must provide appropriate privacy training to staff members who:

  • have permanent or regular access to personal data; or
  • are involved in the processing of personal data or in the development of tools used to process personal data

We will provide such training in accordance with the Privacy Training Program (see Appendix 4).

We will have data protection audits on a regular basis, which may be conducted by either internal or external accredited auditors. In addition, we will conduct data protection audits on specific request from the General Counsel and Chief Compliance Officer, the Privacy Team, the Audit Committee and/or the Board of Directors.

We will conduct any such audits in accordance with the Audit Protocol (see Appendix 5).

Group Members must enable individuals to raise data protection complaints and concerns (including complaints about processing under this Processor Policy) by complying with the Complaint Handling Procedure (see Appendix 6).

Group Members must cooperate with competent data protection authorities by complying with the Cooperation Procedure (see Appendix 7).

If legislation applicable to any Group Member prevents it from fulfilling its obligations under the Processor Policy or otherwise has a substantial effect on its ability to comply with the Processor Policy, the Group Member must promptly inform:

  • the Customer (consistent with the requirements of Rule 4);
  • the Privacy Team; and
  • the appropriate data protection authority competent for the Customer;

unless otherwise prohibited by law.

If a Group Member receives a legally binding request for disclosure of personal data which is processed on behalf of an EEA Customer under this Processor Policy, it must:

  • notify the EEA Customer promptly unless prohibited from doing so by a law enforcement authority; and
  • use its best efforts to put the request on hold and notify the appropriate data protection authority competent for the EEA Customer by complying with the requirements of its Government Data Request Procedure set out in Appendix 8.

Whenever updating our Processor Policy, we must comply with the Updating Procedure (see Appendix 9).


Part IV: Related policies and procedures

Appendix 1

TWILIO GROUP MEMBERS

Non-EEA Entities:

Name of entityRegistered addressRegistration no.
1.Twilio Australia Pty Ltdc/o McCullough Robertson Lawyers, Level 32, 19 Martin Place, Sydney, NSW 2000618 090 010
2.Twilio Colombia S.A.SCalle 70 A No. 4 – 41, Bogotá, Colombia02547510
3.Twilio Hong Kong LimitedFlat 2, 19/F, Henan Building, 90-92 Jaffe Road, Wanchai, Hong Kong2222131
4.Twilio Inc.375 Beale Street, Suite 300, San Francisco, CA 941054802838
5.Twilio Singapore Pte. LtdShenton Way, #28-03, SGX Centre II, Singapore 068807201529394G

EEA Entities:

Name of entityRegistered addressRegistration no.
1.Twilio Estonia OUVeerenni 24, Entrance D, Second Floor, Tallinn 10135, Estonia12771257
2.Twilio Germany GmbHFrauenlobstraße 2 80337, Munich, GermanyHRB 219708
3.Twilio IP Holding Limited25-28 North Wall Quay, Dublin 1, Ireland554350
4.Twilio Ireland Limited25-28 North Wall Quay, Dublin 1, Ireland557454
5.Twilio Spain, S.L.Calle Monte Esquinza 30, Bajo Izquierda, Madrid, 28012, Madrid, EspanaCIF/NIF B87653549
6.Twilio Sweden ABSödergatan 24, 211 34 Malmö, Sweden556708-1731
7.Twilio UK LimitedOne London Wall, 6th Floor, London, EC2Y 5EB, UK07945978
8.Twilio Berlin GmbH (f/k/a Core Network Dynamics GmbH)Huttenstrasse 34/35, 10553, Berlin, GermanyHRB 152643
9.Twilio Czechia a.s. (f/k/a ytica.com a.s.)Rohanske nabrezi 678/29, Prague 8 - Karlin, Post Code 186 00, Czechia04736435


Appendix 2

DATA PROTECTION RIGHTS PROCEDURE

Global Binding Corporate Rules: Data Protection Rights Procedure

  1. Introduction

    1. Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio group members ("Group Members").
    2. Individuals whose personal data are processed by Twilio under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is Twilio or a Customer) (a “Data Protection Rights Request”).
    3. This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how Twilio will respond to any Data Protection Rights Requests it receives from individuals whose personal data are processed and transferred under the Policies.
  2. Individual’s data protection rights

    1. Twilio must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:
      1. The right of access: This is a right for an individual to obtain confirmation whether a controller processes personal data about them and, if so, to be provided with details of that personal data and access to it. This process for handling this type of request is described further in paragraph 4 below;
      2. The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data a controller may process about him or her. The process for handling this type of request is described further in paragraph 5 below.
      3. The right to erasure: This is a right for an individual to require a controller to erase personal data about them on certain grounds – for example, where the personal data is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.
      4. The right to restriction: This is a right for an individual to require a controller to restrict processing of personal data about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.
      5. The right to object: This is a right for an individual to object, on grounds relating to his or her particular situation, to a controller’s processing of personal data about him or her, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.
      6. The right to data portability: This is a right for an individual to receive personal data concerning him or her from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.
  3. Responsibility to respond to a Data Protection Rights Request

    1. Overview
      1. The controller of an individual’s personal data is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.
      2. As such, when an individual contacts Twilio to make any Data Protection Rights Request then:
        1. where Twilio is the controller of that individual’s personal data under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and
        2. where Twilio processes that individual’s personal data as a processor on behalf of a Customer under the Processor Policy, Twilio must inform the relevant Customer promptly and provide it with reasonable assistance to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.
    2. Assessing responsibility to respond to a Data Protection Rights Request
      1. If a Group Member receives a Data Protection Rights Request from an individual, it must pass the request to the Privacy Team at privacy@twilio.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Privacy Team to deal with the request.
      2. The Privacy Team will make an initial assessment of the request as follows:
        1. the Privacy Team will determine whether Twilio is a controller or processor of the personal data that is the subject of the request;
        2. where the Privacy Team determines that Twilio is a controller of the personal data, it will then determine whether the request has been made validly under applicable data protection laws and whether confirmation of identity, or any further information, is required in order to fulfil the request; and
        3. where the Privacy Team determines that Twilio is a processor of the personal data on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer and will not respond to the request directly unless authorised to do so by the Customer.
      3. If the Privacy Team determines that Twilio is the controller of the personal data that is the subject of the request, Twilio will then contact the individual in writing to confirm receipt of the Data Protection Rights Request and seek confirmation of identity (if the individual's identity has not already been validated) as well as any further information it may need to action the individual's request. If Twilio is exempted under applicable data protection laws from fulfilling the Data Protection Rights Request (for example, because Twilio can demonstrate that the individual has made a manifestly unfounded or excessive request), then Twilio will notify the individual if it intends to decline the Data Protection Rights Request and the exemption that applies. If the individual disagrees with Twilio's decision to decline a Data Protection Rights Request, he or she may complain, including to a competent data protection authority, in accordance with Twilio's Complaint Handling Procedure.
      4. Where Twilio is the controller of the personal data that is the subject of the Data Protection Rights Request, and Twilio has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then Twilio shall deal with the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).
  4. Requests for access to personal data

    1. Overview

      1. An individual is entitled to make a Data Protection Rights Request to a controller to require it to provide the following information concerning processing of his or her personal data:
        1. confirmation as to whether the controller holds and is processing personal data about that individual;
        2. if so, a description of the personal data and categories of personal data concerned, the envisaged period for which the personal data will be stored, the purposes for which they are being held and processed and the recipients or classes of recipients to whom the information is, or may be, disclosed by the controller;
        3. information about the individual’s right to request rectification or erasure of his or her personal data or to restrict or object to its processing;
        4. information about the individual’s right to lodge a complaint with a competent data protection authority;
        5. information about the source of the personal data if it was not collected from the individual;
        6. details about whether the personal data is subject to automated decision-making (including profiling) which produces legal effects concerning the individual or similarly significantly affects them; and
        7. where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards that Twilio has put in place relating to such transfers in accordance with European data protection laws.
      2. An individual is also entitled to request a copy of his or her personal data from the controller. Where an individual makes such a request, the controller must provide that personal data to the individual in intelligible form.
      3. An access request must generally be made in writing, which can include email, unless applicable data protection laws allow an access request to be made orally. An access request does not have to be official or mention data protection law to qualify as a valid request.
      4. A controller must respond to an access request without undue delay and in no case later than one month of receipt of that request.
      5. A controller must not refuse to comply with an access request unless it can demonstrate that it is not in the position to identify the individual who is making the request or an exemption applies under applicable data protection law (for example, if the controller can demonstrate that the individual has made a manifestly unfounded or excessive request). A controller may request such information as is reasonably necessary in order to confirm the identity of the individual making the request and to locate the information sought.
    2. Process for responding to access requests from individuals

      1. If Twilio receives an access request from an individual, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.
      2. Where Twilio determines it is the controller of the personal data and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Privacy Team will arrange a search of all relevant electronic and paper filing systems.
      3. The Privacy Team may refer any complex cases to the General Counsel / Chief Compliance Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal data may prejudice commercial confidentiality or legal proceedings.
      4. The personal data that must be disclosed to the individual will be collated by the Privacy Team into a readily understandable format. A covering letter will be prepared by the Privacy Team which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).
    3. Exemptions to the right of access

      1. A valid request may be refused on the following grounds:
        1. If the refusal to provide the information is consistent with applicable data protection law (for example, where a European Group Member transfers personal data under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the Group Member is located);
        2. where the personal data is held by Twilio in non-automated form that is not or will not become part of a filing system;
        3. the personal data does not originate from Europe, has not been processed by any European Group Member, and the provision of the personal data requires Twilio to use disproportionate effort.
      2. The Privacy Team will assess each request individually to determine whether any of the above- mentioned exemptions applies. A Group Member must never apply an exemption unless this has been discussed and agreed with the Privacy Team.
      3. If the requestor disagrees with a decision by Twilio to decline an access request, he or she may complain, including to a competent data protection authority, in accordance with Twilio's Complaint Handling Procedure.
  5. Requests to correct, update or erase personal data, to restrict or cease processing personal data

    1. If Twilio receives a request to correct, update or erase personal data, or to restrict or cease processing of an individual’s personal data, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.
    2. Once an initial assessment of responsibility has been made then:
      1. where Twilio is the controller of that personal data, the request must be notified to the Privacy Team promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.
      2. where a Customer is the controller of that personal data, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. Twilio shall assist the Customer to fulfil the request in accordance with the terms of its contract with the Customer.
    3. When Twilio must rectify or erase personal data, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, Twilio will notify other Group Members and any sub-processor to whom the personal data has been disclosed so that they can also update their records accordingly.
    4. If Twilio acting as controller has made the personal data public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal data
  6. Right to data portability

    1. If an individual makes a Data Protection Rights Request to Twilio acting as controller to receive the personal data that he or she has provided to Twilio in a structured, commonly used and machine- readable format and/or to transmit directly such information to another controller (where technically feasible), Twilio’s Privacy Team will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.
  7. Questions about this Data Protection Rights Procedure

    1. All queries relating to this Procedure are to be addressed to the Privacy Team or at privacy@twilio.com.

Appendix 3

PRIVACY COMPLIANCE STRUCTURE

Binding Corporate Rules: Privacy Compliance Structure

  1. Introduction

    1. Twilio's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Global Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional privacy compliance structure.
  2. General Counsel and Chief Compliance Officer

    1. Twilio has appointed its General Counsel and Chief Compliance Officer (“GC/CCO”) who provides executive-level oversight of, and has responsibility for, ensuring Twilio's compliance with applicable data protection laws and the Policies.
    2. The GC/CCO reports directly to the Board of Directors on all material or strategic issues relating to Twilio's compliance with data protection laws and the Policies, and is also accountable to Twilio's independent Audit Committee. The GC/CCO leads and is supported by Twilio’s Privacy Team.
    3. The GC/CCO’s key responsibilities with regard to privacy include:
      • Ensuring that the Policies and other privacy-related policies, objectives and standards are defined and communicated.
      • Providing clear and visible senior management support and resources for the Policies and for privacy objectives and initiatives in general.
      • Evaluating, approving and prioritizing remedial actions consistent with the requirements of the Policies, strategic plans, business objectives and regulatory requirements.
      • Periodically assessing privacy initiatives, accomplishments, and resources to ensure continued effectiveness and improvement.
      • Ensuring that Twilio's business objectives align with the Policies and related privacy and information protection strategies, policies and practices.
      • Facilitating communications on the Policies and privacy topics with the Board of Directors and independent Audit Committee.
      • Dealing with any escalated privacy complaints in accordance with the Global Binding Corporate Rules: Complaint Handling Procedure.
  3. Privacy Team

    1. The Twilio Privacy Team comprises Twilio's GC/CCO, Lead Privacy Counsel, its Vice President of Trust and Chief Information Security Officer, in addition to other representatives from the Legal team and Information Security team. Incorporating members of Twilio’s Legal and Information Security teams ensures appropriate independence and oversight of duties relating to all aspects of Twilio's data protection compliance.
    2. The Privacy Team is accountable for managing and implementing Twilio's data privacy program internally (including the Policies) and for ensuring that effective data privacy controls are in place for any third party service provider Twilio engages. In this way, the Privacy Team is actively engaged in addressing matters relating to Twilio's privacy compliance on a routine, day-to-day basis.
    3. The Privacy Team’s responsibilities include:
      • Providing guidance about the collection and use of personal data subject to the Policies and to assess the processing of personal data by Twilio Group Members for potential privacy-related risks.
      • Responding to inquiries and compliance relating to the Policies from staff members, customers and other third parties raised through its dedicated e-mail address at privacy@twilio.com.
      • Helping to implement the Policies and related policies and practices at a functional and local country level, providing guidance and responding to privacy questions and issues.
      • Providing input on audits of the Policies, coordinating responses to audit findings and responding to inquiries of the data protection authorities.
      • Monitoring changes to global privacy laws and ensuring that appropriate changes are made to the Policies and Twilio's related policies and business practices.
      • Overseeing training for staff on the Policies and on data protection legal requirements in accordance with the Binding Corporate Rules: Privacy Training Program.
      • Promoting the Policies and privacy awareness across business units and functional areas through privacy communications and initiatives.
      • Evaluating privacy processes and procedures to ensure that they are sustainable and effective.
      • Reporting periodically on the status of the Policies to the GC/CCO and Board of Directors and / or Audit Committee as appropriate.
      • Ensuring that the commitments made by Twilio in relation to updating, and communicating updates to the Policies are met in accordance with the Binding Corporate Rules: Updating Procedure.
      • Overseeing compliance with the Binding Corporate Rules: Data Protection Rights Procedure and the handling of any requests made under it.
  4. Data Compliance Team

    1. Twilio's Data Compliance team is a subset of the wider Privacy Team and has a number of specific responsibilities in relation to the implementation and oversight of the Policies and privacy matters more generally, including:
      • Audit of attendance of privacy training courses as set out in the Binding Corporate Rules: Privacy Training Program.
      • Overseeing independent audits of compliance with the Policies as set out in the Binding Corporate Rules: Audit Protocol and ensuring that such audits address all aspects of the Policies.
      • Ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of Twilio's Privacy Team and that any corrective actions are determined and implemented within a reasonable time.
  5. Privacy Committee

    1. Twilio's Privacy Committee comprises functional leads or key representatives from the main functional areas within Twilio, including sales, marketing, HR, procurement, product development, legal and compliance.
    2. The key responsibilities of Members of the Privacy Committee include:
      • Promoting the Policies at all levels in their functional areas.
      • Assisting the Privacy Team with the day-to-day implementation and enforcement of Twilio's privacy policies (including the Policies) within their respective areas of responsibility.
      • Escalating questions and compliance issues or communicate any actual or potential violation of relating to the Policies to the Privacy Team.
      • Through its liaison with the Privacy Team, the Privacy Committee serves as a channel through which the Privacy Team can communicate data privacy compliance actions to all key functional areas of the business.
    3. The Privacy Committee will meet on a formal and regular basis, at a minimum frequency of every six months, to ensure a coordinated approach to data protection compliance across all functions.
  6. Twilio Staff

    1. All staff members within Twilio are responsible for supporting the functional Privacy Committee members on a day-to-day basis and adhering to Twilio privacy policies.
    2. In addition, Twilio personnel are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Privacy Committee member or, if they prefer, the Twilio Privacy Team. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.

Appendix 4

PRIVACY TRAINING PROGRAM

Binding Corporate Rules: Privacy Training Requirements

  1. Background

    1. The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal data between Twilio's group members ("Group Members"). The document sets out the requirements for Twilio to train its staff members on the requirements of the Policies.
    2. Twilio must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal data) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws. Training shall also include guidance on data protection best practices and any security certifications applicable to Twilio such as ISO 27001.
    3. Staff members who have permanent or regular access to personal data and who are involved in the processing of personal data or in the development of tools to process personal data must receive additional, tailored training on the Policies and specific data protection issues relevant to their role. This training is further described below and is repeated on a regular basis.
  2. Responsibility for the Privacy Training Program

    1. Twilio's Privacy team has overall responsibility for privacy training at Twilio, with input from colleagues from other functional areas, including Legal, Information Security, Data Compliance, HR and other departments, as appropriate. The Privacy team will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal data, who are involved in the processing of personal data or in the development of tools to process personal data.
    2. Twilio's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance must be recorded and monitored via regular audits of the training process. These audits are performed by Twilio's Data Compliance team and/or independent third party auditors.
    3. If these training audits reveal persistent non-attendance, this will be escalated to the Privacy Team for action. Such action may include escalation of non-attendance to appropriate managers within Twilio who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.
  3. Delivery of the training courses

    1. Twilio will deliver mandatory training courses, either in person or electronically, supplemented by face to face training for staff members. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.
    2. All Twilio staff members must complete data protection training (including training on the Policies):
      1. as part of their induction program;
      2. as part of a regular refresher training at least every year;
      3. as and when necessary to stay aware of changes in the law; and
      4. as and when necessary to address any compliance issues arising from time to time.
    3. Certain staff members must receive supplemental specialist training, in particular staff members who handle customer or employee personal data in Product Development, HR and Customer Support or whose business activities include processing sensitive personal data. Specialist training shall be delivered as additional modules to the basic training package, and will be tailored as necessary to the course participants.
  4. Training on data protection

    1. Twilio's training on data protection and the Policies will cover the following main areas:
      1. Background and rationale:
        1. What is data protection law?
        2. What are key data protection terminology and concepts?
        3. What are the data protection principles?
        4. How does data protection law affect Twilio internationally?
        5. What are Twilio’s BCR Policies?
      2. The Policies:
        1. An explanation of the Policies
        2. The scope of the Policies
        3. The requirements of the Policies
        4. Practical examples of how and when the Policies apply
        5. The rights that the Policies give to individuals
        6. The privacy implications arising from processing personal data for clients
      3. Where relevant to a staff member's role, training will cover the following procedures under the Policies:
        1. Data Subject Rights Procedure
        2. Audit Protocol
        3. Updating Procedure
        4. Cooperation Procedure
        5. Complaint Handling Procedure
        6. Government Data Request Procedure

Appendix 5

AUDIT PROTOCOL

Binding Corporate Rules: Audit Protocol

  1. Background

    1. Twilio's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio group members ("Group Members").
    2. Twilio must audit its compliance with the Policies on a regular basis, and this document describes how and when Twilio must perform such audits. Although this Audit Protocol describes the formal assessment process by which Twilio will audit its compliance with the Policies, this is only one way in which Twilio ensures that the provisions of the Policies are observed and corrective actions taken as required.
    3. In particular, Twilio's Privacy team provides ongoing guidance about the processing of personal data and continually assesses the processing of personal data by Group Members for potential privacy-related risks and compliance with these Policies.
  2. Conduct of an audit
    Overview of audit requirements

    1. Compliance with the Policies is overseen on a day to day basis by the Data Compliance team. The Data Compliance team is responsible for overseeing independent audits of compliance with the Policies and will ensure that such audits address all aspects of the Policies.
    2. The Data Compliance team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Privacy Team and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to General Counsel and Chief Compliance Officer and, ultimately, the Board of Directors in accordance with paragraph 2.10.
    3. Where Twilio acts as a processor, the Customer (or auditors acting on its behalf) may audit Twilio for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on Twilio's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with Twilio.
      Frequency of audit
    4. Audits of compliance with the Policies are conducted:
      1. at least annually in accordance with Twilio's audit procedures; and/or
      2. at the request of the General Counsel and Chief Compliance Officer and / or the Board of Directors; and/or
      3. as determined necessary by the Privacy Team or Audit Committee (for example, in response to a specific incident) and / or
      4. (with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with Twilio.
        Scope of audit
    5. The Privacy Team will determine the scope of an audit following a risk-based analysis that takes into account relevant criteria such as:
      1. areas of current regulatory focus;
      2. areas of specific or new risk for the business;
      3. areas with changes to the systems or processes used to safeguard data;
      4. areas where there have been previous audit findings or complaints;
      5. the period since the last review; and
      6. the nature and location of the personal data processed.
    6. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to that Customer. Twilio will not provide a Customer with access to systems which process personal data of another Customer.
      Auditors
    7. Audit of the Policies (including any related procedures and controls) will be undertaken by independent and experienced professional auditors appointed by Twilio and acting under a duty of confidence.
    8. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with Twilio.
    9. In addition, Twilio agrees that competent data protection authorities may audit Group Members for the purpose of reviewing compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure.
      Reporting
    10. Data protection audit reports must be submitted to the General Counsel and Chief Compliance Officer, Lead Privacy Counsel, and the Vice President of Trust and Chief Information Security Officer, and, if the report reveals breaches or the potential for breaches of a serious nature (for example, presenting a risk of potential harm to individuals or to the business), to the Board of Directors.
    11. Upon request and subject to applicable law and respect for the confidentiality and trade secrets of the information provided, Twilio will:
      1. provide copies of the results of data privacy audits of the Policies (including any related procedures and controls) to competent data protection authorities; and
      2. to the extent that an audit of compliance with the Processor Policy relates to personal data Twilio processes on behalf of a Customer, to that Customer.
    12. The Lead Privacy Counsel is responsible for liaising with the competent data protection authorities for the purpose of providing the information outlined in paragraph 2.11.

Appendix 6

COMPLAINT HANDLING PROCEDURE

Binding Corporate Rules: Complaint Handling Procedure

  1. Background

    1. Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio group members ("Group Members").
    2. This Complaint Handling Procedure describes how complaints brought by an individual whose personal data is processed by Twilio under the Policies must be addressed and resolved.
    3. This procedure will be made available to individuals whose personal data is processed by Twilio under the Controller Policy and to Customers on whose behalf Twilio processes personal data under the Processor Policy.
  2. How individuals can bring complaints

    1. Any individuals may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing Twilio’s Privacy Team at privacy@twilio.com or by writing to Twilio’s Privacy Team at 375 Beale Street, Suite 300, San Francisco, CA 94105.
  3. Complaints where Twilio is a controller

    1. Who handles complaints?
      1. The Privacy Team will handle all questions, concerns, or complaints in respect of personal data for which Twilio is a controller (such as personal data processed in the context of HR admin or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Privacy Team will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.
    2. What is the response time?
      1. Twilio will acknowledge receipt of a question, concern or complaint to the individual concerned within five (5) working days, investigating and making a substantive response within one (1) month.
      2. If, due to the complexity of the complaint, a substantive response cannot be given within this period, Twilio will advise the individual accordingly and provide a reasonable estimate (not exceeding three (3) months) of the timescale within which a substantive response will be provided.
    3. What happens if an individual disputes a finding?
      1. If the individual notifies Twilio that it disputes any aspect of the response finding, the Privacy Team will refer the matter to the General Counsel and Chief Compliance Officer (GC/CCO). The GC/CCO will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The GC/CCO will respond to the complainant within one (1) month from being notified of the escalation of the dispute.
      2. As part of its review, the GC/CCO may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the GC/CCO will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed three (3) months from the date the dispute was escalated.
      3. If the complaint is upheld, the GC/CCO will arrange for any necessary steps to be taken as a consequence.
  4. Complaints where Twilio is a processor

    1. Communicating complaints to the Customer
      1. Where a complaint is brought in respect of the processing of personal data for which Twilio is a processor on behalf of a Customer, Twilio will communicate the details of the complaint to the relevant Customer promptly.
      2. Twilio will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.
    2. What happens if a Customer no longer exists?
      1. In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal data are processed under the Processor Policy have the right to complain to Twilio and Twilio will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.
      2. In such cases, individuals may also have the right to complain to a competent data protection authority and/or to lodge a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by Twilio. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.
  5. Right to complain to a competent data protection authority and to commence proceedings

    1. Where individuals' personal data:

      1. are processed in Europe by a Group Member acting as a controller and/or transferred to a Group Member located outside Europe under the Controller Policy; or
      2. are processed in Europe by a Group Member acting as a processor and/or transferred to a Group Member located outside Europe under the Processor Policy;

      then those individuals have certain additional rights to pursue effective remedies for their complaints, as described in paragraphs 5.2 to 5.5 below.

    2. The individuals described in paragraph 5.1 have the right to complain to a competent data protection authority and/or to commence proceedings in a court of competent jurisdiction in accordance with applicable data protection laws, whether or not they have first complained directly to the Customer in question or to Twilio.
    3. If such an individual wishes to complain to a data protection authority, he or she may complain to the data protection authority competent for the controller of the personal data (where personal data is processed under the Controller Policy, the controller will be the relevant Twilio Group Member in Europe; where personal data is processed under the Processor Policy, the controller will be the Customer). If this is not possible because the controller has disappeared, no longer exists or has become insolvent (and no successor entity has taken its place), then the individual may also complain to:
      1. the data protection authority in Ireland (where Twilio's European headquarters is located);
      2. the data protection authority in the country from which the personal data in question was transferred; or
      3. if neither (a) or (b) is possible, the data protection authority of the European Member State where he or she resides.
    4. If such an individual wishes to commence court proceedings, he or she may bring proceedings against the controller of the personal data (where personal data is processed under the Controller Policy, the controller will be the relevant Twilio Group Member in Europe; where personal data is processed under the Processor Policy, the controller will be the Customer). If this is not possible because the controller has disappeared, no longer exists or has become insolvent (and no successor entity has taken its place), then the individual may bring proceedings against Twilio:
      1. in Ireland (where Twilio's European headquarters is located);
      2. in the country from which the personal data in question was transferred; or
      3. if neither (a) or (b) are possible, in the country of the European Member State where he or she resides.
    5. Where an individual has brought proceedings against Twilio (either under the Controller Policy or the Processor Policy), it will be for Twilio to prove that Group Member outside of Europe or the external sub-processor was not responsible for the breach of the Policy giving rise to the damage, or that no such breach took place. If Twilio can prove this, it will discharge itself from any responsibility.
    6. Twilio accepts that complaints and claims made under this Complaint Handling Procedure may be lodged by a non-for-profit body, organisation or association acting on behalf of any such individuals concerned.

Appendix 7

CO-OPERATION PROCEDURE

Binding Corporate Rules: Cooperation Procedure

  1. Introduction

    1. This Binding Corporate Rules: Cooperation Procedure sets out the way in which Twilio will cooperate with competent data protection authorities in relation to the "Twilio Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy").
  2. Cooperation Procedure

    1. Where required, Twilio will make the necessary personnel available for dialogue with a competent data protection authority in relation to the Policies.
    2. Twilio will review, consider and (as appropriate) implement:
      1. any advice or decisions of relevant competent data protection authorities on any data protection law issues that may affect the Policies; and
      2. any guidance published by data protection authorities (including Europe’s Article 29 Working Party or any successor to it) in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.
    3. Subject to applicable data protection law and respect for the confidentiality and trade secrets of the information provided, Twilio will provide upon request copies of the results of any audit of the Policies to a competent data protection authority.
    4. Twilio agrees that:

      1. a competent data protection authority may audit any Group Member located within its jurisdiction for compliance with the Controller Policy, in accordance with the applicable data protection law(s) of that jurisdiction; and
      2. a competent data protection authority may audit any Group Member who processes personal data on behalf of a Customer established within the jurisdiction of that data protection authority for compliance with the Processor Policy, in accordance with the applicable data protection law(s) of that jurisdiction;

      and with full respect to the confidentiality of the information obtained and to the trade secrets of Twilio (unless this requirement is in conflict with applicable data protection law).{# #}

    5. Twilio agrees to abide by a formal decision of any competent data protection authority against which a right to appeal is not exercised on any issues relating to the interpretation and application of the Policies.

Appendix 8

GOVERNMENT DATA REQUEST PROCEDURE

Binding Corporate Rules: Government Data Request Procedure

  1. Introduction

    1. This Binding Corporate Rules: Government Data Request Procedure sets out Twilio's procedure for responding to a request received from a law enforcement or other government authority (together the "Requesting Authority") to disclose personal data processed by Twilio on behalf of an EEA Customer (hereafter "Data Disclosure Request").
    2. Where Twilio receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal data than is required by this Procedure, Twilio will comply with the relevant requirements of applicable data protection law(s).
  2. General principle on Data Disclosure Requests

    1. As a general principle, Twilio does not disclose personal data in response to a Data Disclosure Request unless either:
      • it is under a compelling legal obligation to make such disclosure; or
      • taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.
    2. Even where disclosure is required, Twilio's policy is that the EEA Customer should have the opportunity to protect the personal data requested because it has the greatest interest in opposing, or is in the better position to comply with, a Data Disclosure Request.
    3. For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Twilio will first consult with the competent data protection authorities and provide the EEA Customer with details of the Data Disclosure Request. Twilio will cooperate with the competent data protection authorities and the EEA Customer to address the Data Disclosure Request.
  3. Handling of a Data Disclosure Request

    1. Receipt of a Data Disclosure Request
      1. If a Twilio Group Member receives a Data Disclosure Request, the recipient of the request must pass it to Twilio's Legal Requests team immediately upon receipt, indicating the date on which it was received together with any other information that may assist Twilio's Legal Requests team to deal with the request.
      2. The request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, howsoever made, must be notified to the Legal Requests Team for review.
    2. Initial steps
      1. Twilio's Legal Requests team will carefully review each and every Data Disclosure Request on a case-by-case basis. Twilio's Legal Requests team will liaise with others within the legal department and outside counsel as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request.
  4. Notice of a Data Disclosure Request

    1. Notice to the EEA Customer
      1. After assessing the nature, context, purposes, scope and urgency of the Data Protection Request, Twilio will notify and provide the EEA Customer with the details of the Data Disclosure Request prior to disclosing any personal data, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
    2. Notice to the competent Data Protection Authorities
      1. Twilio will also put the request on hold in order to notify and consult with the competent Data Protection Authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
      2. Where Twilio is prohibited from notifying the competent Data Protection Authorities and suspending the request, Twilio will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold so that Twilio can consult with the competent Data Protection Authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. Twilio will maintain a written record of the efforts it takes.
  5. Transparency reports

    1. Where, in the above cases, Twilio is not in a position to notify the competent Data Protection Authorities of the request, Twilio commits to preparing a report (a “Transparency Report”), at least annually, which reflects to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received for the preceding period and the Requesting Authorities who made those requests. Twilio shall make this report available upon request to competent Data Protection Authorities.

Appendix 9

UPDATING PROCEDURE

Binding Corporate Rules: Updating Procedure

  1. Introduction

    1. This Binding Corporate Rules: Updating Procedure describes how Twilio must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy) (together the "Policies") to competent data protection authorities, individual data subjects, its Customers and to Twilio group members ("Group Members") bound by the Policies.
    2. Any reference to Twilio in this procedure is to the Privacy Team who is accountable for ensuring that the commitments made by Twilio in this Updating Procedure are met.
  2. Records keeping

    1. Twilio must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.
    2. Twilio must also maintain an accurate and up-to-date list of Group Members that are bound by the Policies and of the sub-processors appointed by Twilio to process personal data on behalf of Customers. This information will be made available online or provided upon request from Twilio to competent data protection authorities and to Customers and individuals who benefit from the Policies.
    3. The Data Compliance team shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and up-to-date.
  3. Changes to the Policies

    1. All proposed changes to the Policies must be reviewed and approved by the Lead Privacy Counsel in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Lead Privacy Counsel.
    2. Twilio will communicate all changes to the Policies (including reasons that justify the changes):
      1. to the Group Members bound by the Policies via written notice (which may include e-mail);
      2. systematically to Customers and the individuals who benefit from the Policies via www.twilio.com (and, if any changes are material in nature, they must be communicated to Customers before they take effect, in accordance with paragraph 4.2 below); and
      3. to competent data protection authorities upon request.
  4. Communication of material changes

    1. If Twilio makes any material changes to the Policies or to the list of Group Members bound by the Policies, it will actively report such changes (including the reasons that justify such changes) at least once a year to:
      1. the Data Protection Authority that was the lead authority for the purposes of granting Twilio’s BCR authorisation (the “Lead Authority”); and
      2. to any other relevant data protection authorities as may either be directed by the Lead Authority or as the Privacy Team considers necessary taking into account Twilio’s obligations under applicable data protection laws and guidance from the data protection authorities.
    2. If a proposed change to the Processor Policy will materially affect Twilio’s processing of personal data on behalf of a Customer, Twilio will also:
      1. actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and
      2. the Customer may then suspend the transfer of personal data to Twilio and/or terminate the contract, in accordance with the terms of its contract with Twilio.
  5. Transfers to new Group Members

    1. If Twilio intends to transfer personal data to any new Group Members under the Policies, it must first ensure that all such new Group Members are bound by the Policies before transferring personal data to them.