Twilio Acceptable Use Policy
Effective Date: March 18, 2020
This Acceptable Use Policy (“AUP”) applies to Customer’s use of the Services offered by Twilio Inc. or any of its Affiliates. In the event of any conflict or inconsistency among the following documents, and, except as otherwise set expressly forth in an Order Form, the order of precedence shall be (1) this AUP, (2) product-specific terms, (3) the Agreement, and (4) the Documentation.
Note: The SendGrid E-Mail Policy is replaced in its entirety by this AUP, made effective as of January 1, 2020, including updates made from time to time to this AUP.
Definitions
“Twilio Services” means the products and services that are ordered by Customer under an Order Form or by using the Twilio account, or provided by Twilio to Customer on a trial basis or otherwise free of charge. Twilio Services generally consist of: (a) platform services, namely access to the Twilio application programming interface (also known as Twilio APIs) and where applicable, (b) connectivity services, that link the Twilio Services to the telecommunication providers’ networks via the Internet.
“SendGrid Services” means the services branded as SendGrid, enabling companies to develop, transmit, analyze, and manage email communications and other related digital communications and tools through the website at http://www.sendgrid.com, including all programs, features, functions and report formats, and subsequent updates or upgrades of any of the foregoing made generally available by Twilio.
“Services” means, collectively, the Twilio Services and SendGrid Services.
“Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law relating to privacy and data protection.
Capitalized terms in this AUP that are not otherwise defined in this AUP have the meanings given in the Agreement.
Prohibited Uses
Customer agrees not to use, and not to encourage or allow any End User to use, the Services in the following prohibited ways:
- Using the Services in a manner that is or otherwise encourages (a) any illegal, fraudulent, or abusive activities or (b) materially interfering with the business or activities of Twilio or harms other Twilio customers.
- Attempting to bypass or break any security mechanism on any of the Services or using the Services in any other manner that poses a material security or service risk to Twilio or any of its other customers.
- Reverse-engineering the Services in order to find limitations, vulnerabilities, or evade filtering capabilities.
- Launching or facilitating, whether intentionally or unintentionally, a denial of service attack on any of the Services or any other conduct that materially and adversely impacts the availability, reliability, or stability of the Services.
- Transmitting any material, data, or content that contains viruses, Trojan horses, spyware, worms or any other malicious, harmful, or deleterious programs.
- Violating or facilitating the violation of any applicable laws or regulations of any applicable jurisdiction, including, without limitation, (a) applicable laws or regulations related to the transmission of data and recording or monitoring of phone calls and other forms of communication; (b) applicable laws or regulations that prohibit engaging in any unsolicited advertising, marketing, or transmission of communications; (c) applicable anti-spam laws or regulations such as the CAN SPAM Act of 2003, the Telephone Consumer Protection Act, and the Do-Not-Call Implementation Act; or (d) applicable data protection or privacy laws, regulations, or legislation.
- Using the Services in connection with unsolicited, unwanted, or harassing communications (commercial or otherwise), including, but not limited to, phone calls, SMS or MMS messages, chat, voice mail, video, email, or faxes.
- Using the Services to harvest or otherwise collect information about individuals, including email addresses or phone numbers, without their explicit consent or under false pretenses.
- Using the Services to receive, send or otherwise process Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 as amended, unless Customer has signed a Business Associate Agreement with Twilio or Customer’s use of the Services fits within the “conduit” or some other exception for requiring a Business Associate Agreement.
- Using the Twilio Services to record or monitor a phone call or other communication without securing consent from the participants to the phone call or other communication as required under applicable law (including, as applicable, California’s Invasion of Privacy Act and similar laws in other jurisdictions).
- Using the Services in a manner that generates inquiries from a law enforcement, government, or regulatory agency or triggers such an agency to request the suspension of the Services to Customer and/or Customer’s phone numbers.
- Using the Services to transmit any material, data, or content that infringes the intellectual property rights or other rights of third parties.
- Using the Services to transmit any material or content that is, facilitates, or encourages libelous, defamatory, discriminatory, or otherwise malicious or harmful speech or acts to any person or entity, including but not limited to hate speech, and any other material or content that Twilio reasonably believes degrades, intimidates, incites violence against, or encourages prejudicial action against anyone based on age, gender, race, ethnicity, national origin, religion, sexual orientation, disability, geographic location or other protected category.
- Creating a false identity or forged email address or header, or phone number, or otherwise attempting to mislead others as to the identity of the sender or the origin of a message, email, or phone call.
- Using the Twilio Services in any manner that causes a telecommunications provider to complain about such use to Twilio or materially violates the following: (a) industry standards, policies and applicable guidelines published by (i) the CTIA (Cellular Telecommunications Industry Association), (ii) the Mobile Marketing Association, or (iii) any other generally recognized industry associations; (b) telecommunications provider guidelines and usage requirements as communicated in writing by Twilio to Customer.
- Using the Twilio Services in a manner that violates the Twilio Messaging Policy available at http://www.twilio.com/legal/messaging-policy.
- Using the Twilio Services to transmit any material or content that is offensive, inappropriate, pornographic, obscene, illegal, or otherwise objectionable to any person or entity, including any cannabis-related terms or images.
- Using or attempting to use the Twilio Services to contact or allow End Users to contact Emergency Services, unless certain Twilio Services are expressly approved for Emergency Services and Customer strictly uses those Twilio Services in accordance with the Emergency Services Addendum available at http://www.twilio.com/legal/tos. The Twilio Services that are expressly approved for Emergency Services are also identified at http://www.twilio.com/legal/tos.
- Having, in a given month, (a) a high volume of unanswered outbound phone calls, (b) a low average outbound call duration (i.e., outbound phone calls, on average, that are generally less than twelve (12) seconds in length), or (c) outbound phone calls that are too short in duration (i.e., outbound phone calls generally less than twelve (12) seconds in length). Twilio will cooperate in trace back investigations by identifying the upstream provider from which the suspected illegal robocall entered Twilio’s network or by identifying its own customer if the call originated in Twilio’s network.
- Using the SendGrid Services in a way that violates generally recognized industry guidelines, including, without limitation, (a) using non-permission based email lists (i.e., lists in which each recipient has not explicitly granted permission to receive emails from Customer by affirmatively opting-in to receive those emails); (b) using purchased or rented email lists; (c) using third party email addresses, domain names, or mail servers without proper permission; (d) sending emails to non-specific addresses (e.g., webmaster@domain.com or info@domain.com); (e) sending emails that result in an unacceptable number of spam or unsolicited commercial email complaints (even if the emails themselves are not actually spam or unsolicited commercial email); (f) failing to include a working “unsubscribe” link in each email that allows the recipient to remove themselves from Customer’s mailing list; (g) failing to comply with any request from a recipient to be removed from Customer’s mailing list within 10 days of receipt of the request; (h) failing to include in each email a link to the then-current privacy policy applicable to that email; (i) disguising the origin or subject matter of any email or falsifying or manipulating the originating email address, subject line, headers, or transmission path information for any email; (j) failing to include in each email Customer’s valid physical mailing address or a link to that information; and (k) including “junk mail,” “chain letters,” “pyramid schemes,” incentives (e.g., coupons, discounts, awards, or other incentives) or other material in any email that encourages a recipient to forward the email to another recipient.
General Acceptable Use Guidelines
Phone Number Reclamation. Customer acknowledges that all phone numbers used in connection with the Twilio Services are subject to rules and restrictions imposed by telecommunications providers. In order to comply with such rules and restrictions, Twilio may, at its sole discretion, reclaim Customer’s phone numbers that do not have adequate usage, as determined by such telecommunications providers. Twilio, however, will use commercially reasonable efforts to (a) provide notice to Customer prior to any phone number reclamation and (b) to work with telecommunications providers to prevent the reclamation of any phone numbers. As a general rule of thumb, Twilio recommends that Customer regularly uses its phone numbers.
Separately, Twilio may reclaim, without prior notice, (a) any phone numbers associated with a trial Twilio account that have not been used for more than thirty (30) days or (b) any phone numbers associated with a Twilio account that has been suspended for more than thirty (30) days.
Sensitive Data. Customer acknowledges that the Services are not intended for the processing of Sensitive Data. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing any Sensitive Data over the Services, or prior to permitting End Users to transmit or process Sensitive Data over the Services. Except in the context of a specific agreement between the parties regarding the processing of Sensitive Data, any transmission or processing of Sensitive Data is solely at Customer's own risk. Twilio will have no additional liability, including, without limitation, any indemnification obligations, whatsoever in connection with any Sensitive Data transmitted or processed via the Services.
Updates to this AUP
Prior Notice: Twilio may update the terms of this AUP from time to time by providing Customer with prior written notice of material updates at least thirty (30) days in advance of the effective date. Notice will be given in Customer’s account portal or via an email to the email address owner of Customer’s account. This notice will highlight the intended updates. Except as otherwise specified by Twilio, updates will be effective upon the date indicated at the top of this AUP. The updated version of the AUP will supersede all prior versions.
Your Acceptance: Following such notice, Customer’s continued access or use of the Services on or after the effective date of the changes to the AUP constitutes Customer’s acceptance of any updates. If Customer does not agree to any updates, Customer should stop using the Services.
Exceptions: Twilio may not be able to provide at least thirty (30) days prior written notice of updates to this AUP that result from changes required by law or requirements from telecommunications providers.
Product Specific Terms
Effective Date: January 1, 2020
Capitalized terms used herein that are not otherwise defined shall have the meanings given in the Twilio Terms of Service, Master Sales Agreement, or other similar written agreement for provision and use of the Services.
Add-Ons
Twilio may make available through the Twilio Marketplace additional features, functionality, and services (each, “an Add-on”) offered by its third-party partners (each an “Add-on Provider”). Use of Add-ons by customers is voluntary and Twilio will not require the Customer to use an Add-on. If Customer uses an Add-on, then Customer will be required to accept the Add-on Provider’s terms of service (“Add-on Provider’s Terms”) during the Add-on installation process. Customer shall comply with such Add-on Provider Terms. Any acquisition by Customer of such Add-ons, and any exchange of data between Customer and any Add-on Provider is solely between Customer and the applicable Add-on Provider. For the avoidance of doubt, Add-ons are not part of the Services and Twilio does not provide any support or warranties for Add-ons. Twilio does not warrant or support Add-ons unless expressly provided otherwise in an Order Form. The applicable Add-on Provider (and not Twilio) is solely responsible for that Add-on, the content therein, and any claims that Customer or any other party may have relating to that Add-on or Customer’s use of that Add-on. The Add-on Provider’s Terms shall not modify or otherwise supersede the terms of this Agreement with respect to the Twilio Services. By purchasing an Add-on, Customer grants Twilio permission to share the Customer Applications and Customer Data with the Add-on Provider as necessary in order to provide Customer the Add-on.
Emergency Calling
Approved Products: The following products are available for use with Emergency Services in accordance with the terms that follow:
- Elastic SIP Trunking
- Programmable Voice SIP Interfaces
Terms of Use: You will be required to agree to additional terms when signing up to use the Services for Emergency Services. Click here for the Emergency Services Terms and Conditions.
Flex Zendesk Terms
This amendment to Twilio's Terms of Services (the “ToS,” collectively, as amended, the “App Terms”) applies to Subscribers. “Subscribers,” as used herein, are Zendesk Customers who are users of the Twilio Services and that are accessing or using or wish to access or use the Twilio Services through the Twilio Flex Application available on the Zendesk Marketplace available at (the “Flex App”). By using the Flex App, you agree to be bound by the App Terms. Any other use of the Twilio Services shall continue to be subject to the ToS. Any capitalized term that is not defined herein shall have the meaning set forth in the ToS.
A. IP Rights and Licenses
Twilio grants Subscriber a limited, non-exclusive, non-transferable license to use the Twilio Services provided in connection with the Flex App during the term solely for use in conjunction with Subscriber’s use of the Zendesk Services.
Subscriber hereby assigns to Twilio all right, title and interest (including intellectual property rights) in and to any new feature improvement, suggestion, enhancement request, recommendation, correction, idea or other feedback that Subscriber may provide to Twilio relating to the Flex App and Twilio Services (collectively, “Feedback”), and Subscriber agrees that Twilio shall be free to use any ideas, concepts, know-how or techniques contained in such Feedback for any purpose whatsoever without compensation to Subscriber.
B. Data Privacy and Acknowledgment of Use
Any of Subscriber’s data, including the personal information of Subscriber and Subscriber’s End Users, collected, transferred, stored or otherwise processed through Subscriber’s use of the Flex App shall be processed in accordance with Twilio’s Privacy Policy, available at . By using the Flex App, as integrated with Zendesk’s Services, Subscriber has the ability to enable features and functionality within the Flex App (the “Features”). Subscriber acknowledges and agrees that by using the Flex App and enabling any of the Features of the Flex App, Subscriber would be transferring data collected and processed by Twilio to Zendesk for use with the Zendesk Service. Any such data transferred to Zendesk would be governed under Zendesk’s privacy policy, available at https://www.zendesk.com/company/customers-partners/privacy-policy/.
Furthermore, Subscriber understands and agrees that it is Subscriber’s responsibility, and not Twilio’s, to appropriately handle and delete any data that is copied from Twilio over to the Zendesk Services through the Flex App. This includes both data with personally identifiable information and data without personally identifiable information.
C. Payment Terms
Subscriber acknowledges and agrees that the payment terms set forth in the App Terms shall govern Subscriber’s payment obligations for any fees accrued based on Subscriber’s use of the Flex App. For the avoidance of doubt, the App Terms shall govern and control in the event of a conflict between the App Terms and any Zendesk payment terms for any payment obligations related to Subscriber’s use of the Flex App.
D. Limitation of Liability
NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THESE APP TERMS, TWILIO’S AGGREGATE LIABILITY TO SUBSCRIBER OR ANY THIRD PARTY ARISING OUT OF THESE APP TERMS OR OTHERWISE IN CONNECTION WITH SUBSCRIBER’S USE OF THE FLEX APP, SHALL IN NO EVENT EXCEED THE LESSER OF ONE HUNDRED DOLLARS ($100.00) OR THE AMOUNTS PAID BY SUBSCRIBER TO TWILIO FOR USE OF THE FLEX APP DURING THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT OR OCCURRENCE GIVING RISE TO SUCH LIABILITY. SUBSCRIBER ACKNOWLEDGES AND AGREES THAT THE ESSENTIAL PURPOSE OF THIS SECTION IS TO ALLOCATE THE RISKS UNDER THESE APP TERMS BETWEEN THE PARTIES AND TWILIO HAS RELIED ON THESE LIMITATIONS IN DETERMINING WHETHER TO PROVIDE SUBSCRIBER THE RIGHTS TO ACCESS AND USE THE FLEX APP PROVIDED FOR IN THESE APP TERMS.
E. Availability of the Flex App
Subscriber understands that use of the Flex App is subject to Zendesk permitting the Flex App to be available through the Zendesk Marketplace (the “Marketplace”) and the Zendesk Services. Zendesk may decide to no longer support the Flex App, potentially with little or no notice to Twilio or Subscriber. Subscriber understands this risk and agrees that Twilio shall bear no liability if Subscriber’s use of the Flex App is interrupted, temporarily or permanently, if Twilio is unable to provide it through the Zendesk Marketplace and Zendesk Services on commercially reasonable terms or for any other reason.
F. Required Zendesk Marketplace Terms
(i) For the avoidance of doubt, Twilio is the licensor of the Flex App and Zendesk is not a Party to the App Terms set forth in this Amendment and the TOS.
(ii) Except as otherwise limited by the App Terms imposed or required by Twilio, Twilio grants Subscriber a perpetual, worldwide, non-exclusive, non-transferable and non-sublicensable license to access, deploy, use and integrate the Flex App in connection with Subscriber’s active Zendesk account for the Zendesk Services.
(iii) Any information that Twilio collects, stores and processes from Subscriber or the systems Subscriber uses to access or deploy the Flex Application, including Service Data, as defined in Zendesk’s terms of service, will be subject to the App Terms, Twilio Privacy Policy, and any other terms that Twilio provides to Subscriber, and will not be subject to Zendesk’s privacy policy, except as otherwise expressly set forth under the App Terms.
(iv) Subscriber may not modify, reverse engineer, decompile or disassemble the Flex App in whole or in part, or create any derivative works from or sublicense any rights in the Flex App, unless otherwise expressly authorized in writing by Twilio.
(v) Each of Subscriber, Zendesk and Twilio shall maintain all rights, title and interest in and to all its respective patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights (collectively, “IP Rights”). The rights granted to Subscriber to use the Flex App under these App Terms do not convey any additional rights in the Flex App or Zendesk Services, or in any IP Rights associated therewith. Subject only to limited rights to access and use the Flex App as expressly stated herein, all rights, title and interest in and to the Flex App and all hardware, software and other components of or used to provide the Flex App, including all related IP Rights, will remain with and belong exclusively to Twilio. Twilio shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable and perpetual license to incorporate into the Flex App or otherwise use any suggestions, enhancement requests, recommendations or other feedback it receives from Subscriber.
G. Modification; Conflict
Unless amended herein, the terms of the ToS shall remain in full force and effect. No modification to the App Terms, nor any waiver of any rights, will be effective unless consented to in a writing signed by both Parties. In the event there is a conflict between the App Terms and the ToS, the App Terms shall prevail.
Phone Numbers
(a) Phone Number Information. In connection with Customer’s use of any phone number for which Twilio is required to have an address, or any other applicable information, for Customer or an End User on record, it is Customer’s obligation to provide Twilio with accurate and up-to-date information to associate with such phone number. Customer is responsible for keeping such information current. Customer agrees to provide reasonable cooperation regarding information requests from law enforcement, regulators, or telecommunications providers.
(b) Phone Number Porting. Twilio has certain rights with respect to the porting of phone numbers if such phone numbers are used as part of the Twilio Services. “Porting” means to take an existing phone number from one provider and transfer it to another. Unless otherwise required by applicable Law, Twilio, in its sole discretion, reserves the right to refuse to allow Customer to port away any phone number ported into Twilio or purchased from Twilio. Furthermore, Customer understands that phone numbers are “locked” by default (i.e., Twilio will dispute port-away requests unless Customer provides clear notice to Twilio of its intent to port the number away from Twilio) to prevent phone numbers from being ported away maliciously or mistakenly from Twilio. Regardless, Twilio may, in its sole discretion, allow Customer to port away phone numbers that Customer purchases from Twilio and will allow Customer to port away phone numbers that Customer ports into Twilio, provided that Customer (i) has a production-grade Twilio account in good standing; (ii) has either ported in or purchased the phone number more than ninety (90) days prior to the port-away date; (iii) provides clear notice to Twilio of its intent to port the phone numbers away from Twilio before execution of the port-away request; and (iv) is in compliance with the terms of this Agreement. If Twilio informs Customer of a request to port a phone number away from Twilio and Customer has resold or re-provisioned that phone number to a third party, then Customer agrees to promptly validate the port-away request with such third party. If such third party approves the port-away request, then Customer agrees to (i) inform Twilio of such third party’s approval for the port-away request and (ii) not take any action to prevent the execution of such port-away request.
Twilio Pay Terms and Conditions
By selecting “PCI Mode Enabled”, you will be able to build PCI-compliant voice applications. Read the Responsibility Matrix (coming soon) to learn how to build PCI-compliant voice applications.
Introduction
Twilio provides Twilio <Pay> Connectors and/or the Twilio <Pay> Verb (further defined below and collectively called, "Twilio <Pay>") subject to these Twilio <Pay> Terms and Conditions (“Agreement"). In this Agreement, "we,” “us,” “our” or “Twilio” will refer to Twilio Inc., a Delaware corporation, headquartered at 375 Beale Street, Suite 300, San Francisco, CA 94105. The terms “you,” “your” and “Customer” will refer to you. If you are installing Twilio <Pay> on behalf of an organization, you are agreeing to these terms, as they pertain to your use of Twilio <Pay> only, for that organization and promising Twilio that you have the authority to bind that organization to this Agreement and your Twilio Agreement (as defined below) (and, in which case, the terms "you" and "your" or "customer" will refer to that organization).
When we refer to "Twilio <Pay>" in this Agreement, we are referring to your installation and/or use of two separate Twilio tools: (1) the Twilio <Pay> Verb, which orchestrates the capture of payment details and (2) Twilio <Pay> Connectors, which transmits transactions with the Payment Processor Provider (as defined below) of your choice on your behalf. Both the Twilio <Pay> Verb and Twilio <Pay> Connectors are Payment Card Industry Data Security Standard (PCI DSS) Level-1 compliant. When we refer to the "Twilio Services" in this Agreement, we mean to include our platform services, which includes all of our programs, features, functions and report formats, instructions, code samples, the TwiML markup language, on-line help files and technical documentation, our website, account portal, technical support, Add-ons as well as any upgrades or updates to any of these, made generally available by us, and includes any of our SDKs or APIs in connection with your use of our services or any cloud-based software provided to you by Twilio, and our connectivity services. You must review and accept the terms of this Agreement by clicking on the "Accept and Continue" button or other mechanism provided. PLEASE REVIEW THIS AGREEMENT CAREFULLY. ONCE ACCEPTED, THIS AGREEMENT BECOMES A BINDING LEGAL COMMITMENT BETWEEN YOU AND TWILIO. IF YOU DO NOT AGREE TO BE BOUND BY THIS AGREEMENT, YOU SHOULD NOT SELECT “PCI MODE ENABLED” AND CLICK THE "ACCEPT AND CONTINUE" BUTTON WITHIN THE TWILIO CONSOLE AND YOU SHOULD NOT USE TWILIO <PAY>.
Relationship to Other Agreements
To be eligible to use Twilio <Pay>, you must first register for a Twilio account and agree to the Twilio Terms of Service or a separate written agreement that you entered into with Twilio for your use of the Twilio Services (“Twilio Agreement”) and click “PCI Mode Enabled” on Twilio Programmable Voice within the Twilio Console. By using the Twilio <Pay> Verb and/or installing any Twilio <Pay> Connector, you expressly agree to the terms of this Agreement, your Twilio Agreement, and any updates or modifications to either of those documents made from time to time. NOTWITHSTANDING ANYTHING IN THE TWILIO AGREEMENT, THIS AGREEMENT IS HEREBY INCORPORATED INTO AND SUBJECT TO THE TERMS OF YOUR TWILIO AGREEMENT, AND IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THIS AGREEMENT AND YOUR TWILIO AGREEMENT, THE TERMS OF THIS AGREEMENT SHALL CONTROL. Capitalized terms not defined herein shall have the definitions provided in your Twilio Agreement.
Twilio, via its third-party partners (each a "Payment Processing Provider"), is connecting you with payment processing services ("Payment Processing Services"). As part of the installation process, you may also be required to accept the Payment Processing Provider's terms of service ("Payment Processing Provider's Terms"). You acknowledge, for each Payment Processor Service you install through the Twilio Console, the Payment Processing Provider's Terms constitute a binding agreement between you and the applicable Payment Processing Provider only. You acknowledge that you are agreeing to the Payment Processing Provider's Terms for the applicable Payment Processing Provider; Twilio is not a party to that agreement between you and the Payment Processing Provider with respect to that Payment Processing Service; and Twilio is not responsible for that Payment Processing Service, the content therein, or any claims that you or any other party may have relating to that Payment Processing Service or your use of that Payment Processing Service. Your agreement to the Payment Processing Provider's Terms shall not modify or otherwise supersede the terms of this Agreement and/or your Twilio Agreement nor any other terms or policies incorporated by reference.
The rights granted to you to use any Payment Processing Provider Services are personal to you, and are not transferable to your End Users, unless Payment Processing Provider Services are incorporated into Customer's solution. You may not provide a Payment Processing Service as a standalone option to your End Users or resell Payment Processing Services to others except in connection with the use of each Customer Application, in accordance with the Documentation and Twilio Acceptable Use Policy. You acknowledge and understand that using Twilio <Pay> will not make you PCI-compliant, unless you agree to adhere to Twilio guidance on setting up a PCI-compliant solution (such directions may be found within the PCI Responsibility Matrix, soon to be available).
Our Use of End User Personal Data
Your use of Twilio <Pay> requires Twilio to transmit certain data on behalf of your End User to the Payment Processing Provider of your choice in order to assist your End User with submitting payment for goods or services via your Application. This information includes, but is not limited to, the End User's credit card number, credit card expiration date, first and last name, zip code, and card verification value (CVV) (collectively, "Transaction Data"). Transaction Data is considered personally identifiable information ("PII") or personal data ("Personal Data") under applicable data protection laws. It is your responsibility to understand any and all privacy regulations as they impact your End User's PII or Personal Data and safeguard it accordingly.
By installing and using Twilio <Pay>, you grant Twilio permission to transmit information about your Application and Transaction Data to the applicable Payment Processing Provider. For purposes of clarity, Twilio will only transmit Transaction Data and Twilio's infrastructure will not store (except to the extent such Transaction Data may be visible within the Payment Processor Provider's dashboard, platform, account, or portal), nor otherwise use Transaction Data for any purpose whatsoever, subject to the confidentiality obligations under your Twilio Agreement and applicable law.
Representations and Warranties
You represent, warrant, and covenant that you will obtain all necessary consents from your End Users before permitting them to submit their Transaction Data via your Application for any purpose, including those purposes other than processing payments.
You represent, warrant, and covenant that your use of Transaction Data will be in compliance with Twilio's Privacy Statement. Transaction Data is a type of Customer Content, as defined in Twilio's Privacy Statement.
You represent, warrant, and covenant you will have a privacy policy that tells your End Users what Transaction Data you access and how you will use, display, or transfer that Transaction Data. You will include a prominent link to your privacy policy which must be at least as protective as Twilio's Privacy Statement.
You represent, warrant, and covenant you will use best efforts to protect and secure Transaction Data from unauthorized use or disclosure and will immediately notify Twilio of any such unauthorized breach or disclosure.
You represent, warrant, and covenant that when your End Users use Twilio <Pay>, it is your responsibility to ensure the credentials provided to you by the Payment Processor Provider provided to Twilio can only give, when possible, or are only scoped to give, Twilio access to (a) tokenize and/or (b) charge the End User's credit card.
You represent, warrant, and covenant that you are responsible for any Activity (defined below) initiated by you, your End Users, on your behalf, using your credentials, or your Customer Application to process a transaction for Payment Processing Services, or your use of a Payment Processor Provider's account, either through the Payment Processor Provider's dashboard, portal, or through the Payment Processor Provider's platform. Actions submitted by you, your End Users, or on your behalf, are referred to as "Activity", and this includes the communication of information about transactions and includes Transaction Data.
You represent, warrant, and covenant that you alone are responsible for refunds, reversals, adjustments, the handling of disputes, chargebacks and will have to deal directly with the Payment Processor Provider in order to resolve any such issues for yourself, or on behalf of your End Users.
You represent, warrant, and covenant you are solely responsible for, and Twilio disclaims all liability for, the provision of any goods or services sold to your End Users as part of your use of Twilio <Pay> and the Twilio Services, and any obligations you may owe to your End Users. While you may agree to share some liability with your End Users or the Payment Processing Provider of your choice, you are always financially liable to Twilio for all Losses (defined below).
You represent, warrant, and covenant that all of the information that you provide to us directly or through your Application is accurate and complete. You represent, warrant, and covenant that you have sufficient rights and authority to enter into this Agreement, and to grant the rights and assume all of their respective rights and obligations set forth herein. The person signing on behalf of its respective party represents and warrants that it has the authority to execute and bind its respective party to this Agreement.
You represent, warrant, and covenant that, during the Term, you shall comply with the applicable law relating to your activities under this Agreement.
You represent, warrant, and covenant that you have provided adequate notices and obtained the necessary permissions and consents to provide Transaction Data to Twilio for use and disclosure subject to Twilio's confidentiality obligations under your Twilio Agreement.
You represent, warrant, and covenant that you are responsible for the security of Transaction Data, including, but not limited to, cardholder data, the Payment Processing Provider possesses or otherwise stores, processes, or transmits on your behalf and your End Users, including to the extent that this impacts the cardholder's data environment. As such, you agree your internal policies and procedures related to your End User engagement process and any templates used for written agreements should include provision of an applicable PCI DSS acknowledgement to your End Users. The method by which you provide written acknowledgment should be agreed upon between you and your End Users.
You represent, warrant, and covenant that it is your responsibility to assist your End Users with refunds, reversals, adjustments, chargebacks, etc. and that Twilio <Pay> cannot support this functionality.
You represent, warrant, and covenant your use of Twilio <Pay> does not itself constitute authorization to Twilio to initiate the requested payment.
Beta Offerings
YOU ACKNOWLEDGE YOU ARE USING TWILIO <PAY> WHICH IS IN PUBLIC BETA MODE. THESE BETA OFFERINGS ARE NOT GENERALLY AVAILABLE AND MAY CONTAIN BUGS, ERRORS, DEFECTS OR HARMFUL COMPONENTS. ACCORDINGLY, TWILIO IS PROVIDING THE BETA OFFERINGS TO CUSTOMER "AS IS." TWILIO MAKES NO WARRANTIES OF ANY KIND WITH RESPECT TO THE BETA OFFERINGS, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. NOTWITHSTANDING ANY PUBLISHED DOCUMENTATION THAT STATES OTHERWISE, TWILIO DOES NOT WARRANT THAT THE BETA OFFERING WILL BE ERROR-FREE OR THAT THEY WILL MEET ANY SPECIFIED SERVICE LEVEL, OR WILL OPERATE WITHOUT INTERRUPTIONS OR DOWNTIME.
Indemnification
You will defend, indemnify and hold Twilio and its affiliates, its shareholders, directors, officers, employees, agents, and Payment Processor Providers harmless against any actual or threatened claim, liability, proceeding, third-party discovery demand, governmental investigation, enforcement action, damages, reasonable attorneys' fees, penalties, fines, and fees ("Losses"), imposed by any third party, payment method provider, financial services provider, and/or government entity arising out of or relating to: (i) your activities under this Agreement, (ii) your breach of this Agreement, (iii) your acts or omissions in connection with you and/or your End Users' use of Twilio <Pay>, and/or (iv) any intellectual property claims related to your provision of the Customer Application and/or the combination or integration of the Customer Application with Twilio <Pay> or the Twilio Services, (v) your failure to properly describe or deliver goods or services, (vi) your failure to comply with your legal or contractual obligations to your End Users, or (vii) security breaches involving the loss of any End User's Transaction Data, Personal Data (as defined by the E.U. General Data Protection Regulation), or Personally Identifiable Information (as defined under applicable law) ("Claim") as the above pertains to Twilio <Pay>. The Payment Processor Provider may deduct any amounts from your account, as applicable, to cover its Losses or require you to immediately pay such Losses to the Payment Processor Provider. It is your responsibility to review information about the transactions being processed by you, your End Users, or on your behalf via the Payment Processor Provider's dashboard, portal, platform, or account, as applicable.
We and our affiliates will cooperate as fully as reasonably required in the defense of any Claim, at your expense. We reserve the right, at your expense, to retain separate counsel for ourselves in connection with any Claim or, if you have not responded reasonably to the applicable Claim, to assume the exclusive defense and control of any Claim in which you are a named party and that is otherwise subject to indemnification under this section. You will pay all costs, reasonable attorneys' fees and any settlement amounts or damages awarded against us in connection with any Claim. You will also be liable to us for any costs and attorneys' fees we incur to successfully establish or enforce our right to indemnification under this Section.
Limitation of Liability
Twilio is not responsible for the acts or omissions of any Payment Processing Provider in providing services to you or your End Users, or for any non-compliance by a Payment Processing Provider with the terms of your Payment Processing Provider's Terms. Twilio is also not responsible for your obligations to your End User (including to properly describe and deliver the goods or services being sold to your End Users). You are solely responsible for, and Twilio expressly disclaims all liability for, your compliance with applicable laws and obligations related to your provision of the goods or services to your customers, or receipt of charitable donations. This may include providing customer service, notification and handling of charges, chargebacks, refunds, reversals, or consumer complaints, provision of receipts, registering your legal entity, or other actions not related to the Twilio Services or Twilio <Pay>. Furthermore, Twilio is not responsible for the following, including but not limited to: network connectivity problems between Twilio and the Payment Processing Provider, any hosting service provider's connectivity issues, or failure to process any transactions by Twilio and/or the Payment Processing Provider.
Other General Legal Terms
Term
The term of this Agreement will begin when you install Twilio <Pay> and will end when terminated by you or by Twilio, as described in this Agreement.
Termination and Suspension
You may terminate this Agreement at any time, for any or no reason, by immediately ceasing your use of Twilio <Pay>. However, your obligations under your Twilio Agreement for all other Twilio products other than Twilio <Pay> shall continue to remain in effect. And if you commence using Twilio <Pay> again, you are consenting to this Agreement. Twilio may, in its sole discretion, suspend or terminate this Agreement immediately (a) if we suspect you are in breach of this Agreement or your Twilio Agreement (including any terms or policies incorporated by reference); (b) if you are the subject of any voluntary or involuntary bankruptcy or insolvency petition or proceeding; (c) if Twilio determines that you are engaged in activity that is suspected to be or actually is fraudulent, illegal or otherwise malicious, or that fails to comply with applicable law; (d) if your activity causes a significant risk of reputational harm to Twilio; or (e) to prevent harm to the security, stability, availability, or integrity of Twilio.
Survival
All provisions giving rise to continuing obligations will survive termination of this Agreement. As stated above, this Agreement governs your use of Twilio <Pay>, so the termination of this Agreement will not immediately trigger termination of your Twilio Agreement. All obligations in your Twilio Agreement will only be terminated in accordance with its terms and conditions. Termination of your Twilio Agreement will cause this Agreement to automatically terminate.
Entire Agreement
This Agreement, your Twilio Agreement, and the terms and policies incorporated by reference constitute the entire agreement between you and Twilio with respect to Twilio <Pay>. Your Twilio Agreement sets forth your exclusive remedies with respect to Twilio <Pay>. If any provision or portion of this Agreement is held to be invalid or unenforceable under applicable law, then it will be interpreted to accomplish the objectives of such provision to the greatest extent possible, and all remaining provisions will continue in full force and effect.
Services
“Services” means the products and services that are ordered by Customer under an Order Form or by using the Twilio or SendGrid account, or provided by Twilio to Customer on a trial basis or otherwise free of charge. Services may include products that provide both (a) the platform services, including access to any application programming interface (“API”) and (b) where applicable, connectivity services, that link the Services to the telecommunication providers’ networks via the Internet.
SendGrid Services
“SendGrid Services” means the services branded as SendGrid, enabling companies to develop, transmit, analyze, and manage email communications and other related digital communications and tools through the website at http://www.sendgrid.com, including all programs, features, functions and report formats, and subsequent updates or upgrades of any of the foregoing made generally available by Twilio. The SendGrid Services exclude any Twilio Services.
Short Codes
(a) Short Code Application. Customer agrees that each short code application or request for a short code submitted by Customer or on Customer’s behalf by Twilio (each, a “Short Code Application”) is subject to approval from the applicable telecommunications provider. Twilio has no control over a telecommunications provider’s approval process for short codes and will bear no liability if a Short Code Application is rejected by a telecommunications provider. Furthermore, if a telecommunications provider rejects a Short Code Application, then Twilio has no obligation to refund any short code-related fees paid by Customer to Twilio prior to such telecommunications provider’s rejection of such Short Code Application.
(b) Short Code Use. If Customer uses a short code with Twilio, then:
(i) Customer will not change its short code use case (e.g., a campaign) approved by the applicable telecommunications provider without first working with Twilio to have the new short code use case approved by such telecommunications provider;
(ii) Customer will stop sending additional messages to any party that replies by texting “STOP” (or the equivalent) to the short code, except for sending a single text message confirming that such party has been successfully opted out of the short code; and
(iii) Customer will follow all applicable telecommunications provider rules with respect to the use of short codes, including, without limitation, telecommunications provider rules with respect to ensuring that each of Customer’s End Users knowingly and explicitly opts in to receive messages from the short code prior to receiving any such messages.
Twilio Services
“Twilio Services” means the products and services that are ordered by Customer under an Order Form or by using the Twilio account, or provided by Twilio to Customer on a trial basis or otherwise free of charge. Twilio Services generally consist of: (a) platform services, namely access to the Twilio application programming interface (referred to herein as Twilio APIs) and where applicable, (b) connectivity services, that link the Twilio Services to the telecommunication providers’ networks via the Internet. The Twilio Services exclude any SendGrid Services.
Security Overview for Twilio Services and SendGrid Services
Effective: January 1, 2020
1. This Security Overview is incorporated into and made a part of Twilio’s Terms of Service as set forth at https://www.twilio.com/legal/tos to which Customer has agreed and accepted or a signed Master Sales Agreement or other similar written agreement between Twilio and Customer (“Agreement”). In this Security Overview for the Twilio Services and SendGrid Services (“Security Overview”), references to “Twilio” will refer collectively to Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105 and its Affiliates. The term “Customer” will refer to you, the Customer and its Affiliates.
2. Purpose. Twilio is committed to maintaining customer trust. The purpose of this Security Overview is to describe the security program for the Twilio Services and SendGrid Services (collectively the “Services”). This Security Overview describes the minimum security standards that Twilio maintains in order to protect Customer Data (as defined in the Agreement) from unauthorized use, access, disclosure, theft, or manipulation. In addition to this Security Overview, Twilio’s API security documentation is available at https://www.twilio.com/docs/api/security. As security threats shift and evolve, Twilio continues to update its security program and strategy to help protect Customer Data. Twilio reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. Any capitalized term not defined in this Security Overview will have the meaning given in the Agreement or the Data Protection Addendum.
3. Services Covered. This Security Overview describes the architecture, administrative, technical and physical controls as well as third party security audit certifications that are applicable to the Services. Beta Offerings and any services provided by telecommunication providers involved in routing and connecting Customer communications are not covered by this Security Overview.
4. Security Organization & Program. Twilio maintains a risk-based assessment security program. The framework for Twilio’s security program includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data. Twilio’s security program is intended to be appropriate to the nature of Twilio Services and SendGrid Services, size and complexity of Twilio’s business operations. Twilio has a separate dedicated team that manages Twilio’s security program. This team facilitates and supports independent audits and assessments by third parties. Twilio’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, as well as Security Monitoring and Incident Response. Security is represented at the highest levels of the company, with Twilio’s Chief Trust and Security Officer meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Twilio employees for their reference.
5. Confidentiality. Twilio has controls in place to maintain the confidentiality of Customer Data that Customer makes available to the Services, in accordance with the Agreement. All Twilio employees and contract personnel are bound by Twilio’s internal policies regarding maintaining confidentiality of Customer Data and contractually commit to these obligations.
6. People Security.
6.1 Employee Background Checks. Twilio carries out background checks on individuals joining Twilio in accordance with applicable local laws. Twilio currently verifies the individual’s education and previous employment, and also carries out reference checks. Where local labor law or statutory regulations permit, and dependent on the role or position of the prospective employee, Twilio may also conduct criminal, credit, immigration, and security checks.
6.2 Employee Training. At least once a year, all Twilio employees must complete the Twilio security and privacy training which covers Twilio’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Twilio’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Twilio has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
7. Third Party Vendor Management.
7.1 Vendor Assessment. Twilio may use third party vendors to provide Services. Twilio carries out a security risk-based assessment of prospective vendors before working with those vendors to validate that prospective vendors meet Twilio’s security requirements. Twilio periodically reviews each vendor in light of Twilio’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. Twilio ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors of Twilio.
7.2 Vendor Agreements. Twilio enters into written agreements with all of its Vendors which include confidentiality, privacy and security obligations that provide an appropriate level of protection for the personal data contained within the Customer Data that these Vendors may process.
8. Security Certificates.
8.1 Twilio Certificates:
Twilio has obtained the following security-related certifications for the Twilio Services only:
- ISO/IEC 27001:2013 certification. ISO 27001 is an information security standard originally published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In September 2013, ISO 27001:2013 was published, and it supersedes the original 2005 standard. ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s information security management system (ISMS).
Twilio has obtained the following security-related certifications for the Twilio Services and SendGrid Services:
- System and Organization Control (“SOC”) 2 - Type II. Twilio maintains SOC 2 - Type II certification for (a) Twilio Services described as two factor authentication service or otherwise named Authy and (b) SendGrid Services. Twilio’s SOC 2 report for Authy addresses trust services principles and criteria (security). Twilio’s SOC 2 report for the SendGrid Services addresses trust services principles and criteria (security and availability). SOC 2 audits for the Twilio Services and SendGrid Services are conducted once a year by an independent third-party auditor. The SOC 2 audits validate Twilio’s physical and environmental safeguards for production data centers, backup and recovery procedures, software development processes, and logical security controls.
- Payment Card Industry Data Security Standard (“PCI DSS”). PCI DSS is a proprietary information security standard administered by the PCI Security Standards Council. PCI DSS applies to all entities that store, process or transmit cardholder data and/or sensitive authentication data including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. For more information, or to request the PCI DSS Attestation of Compliance and Responsibility Summary, see https://www.pcisecuritystandards.org/pci_security/. Twilio maintains PCI DSS Level 1 compliance for its Programmable Voice service. Twilio maintains PCI DSS Level 4 Merchant compliance for its SendGrid Services.
8.2 AWS Certifications.
In addition, the Services use and leverage AWS data centers, which have a reputation of being highly scalable, secure, and reliable. Information about AWS audit certifications is available at the AWS Security website https://aws.amazon.com/security/ and the AWS Compliance website https://aws.amazon.com/compliance/.
9. Architecture and Data Segregation.
a. Twilio Services. The cloud communication platform for the Twilio Services is hosted by Amazon Web Services (“AWS”). The current location of the AWS data center infrastructure used in providing Twilio Services is located in the United States. Further information about security provided by AWS is available from the AWS security webpage available at https://aws.amazon.com/security/. In addition, the overview of AWS’s security process is available at https://aws.amazon.com/whitepapers/overview-of-security-processes/. Twilio’s production environment within AWS, where Customer Data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC).
b. SendGrid Services. For the SendGrid Services, Twilio leverages colocation data centers, provided by Zayo and Centurylink, and located in the United States.
For both Twilio Services and SendGrid Services, all network access between production hosts is restricted, using firewalls to allow only authorized services to interact in the production network. Firewalls are in use to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly. Twilio separates Customer Data using logical identifiers, tagging all communications data with the associated Customer ID to clearly identify ownership. Twilio’s APIs are designed and built to identify and allow access only to and from these tags and to enforce access controls to ensure the confidentiality and integrity requirements for each Customer are appropriately addressed. These controls are in place so one customer's communications cannot be accessed by another customer.
10. Physical Security. AWS data centers that host Twilio Services and the colocation data centers provided by Zayo and Centurylink that are used for the SendGrid Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. More details about the physical security of AWS data centers used by Twilio for the Twilio Services, are available at https://aws.amazon.com/whitepapers/overview-of-security-processes/. In addition, Twilio headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit television), and overall office security. All employees, contractors and visitors are required to wear identification badges.
11. Security by Design. The Twilio Security Development Lifecycle (TSDL) standard defines the process by which Twilio creates secure products and the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment). Twilio security engineers perform numerous security activities for the Services including:
- internal security reviews before products are launched;
- periodic penetration tests performed by independent third-party contractors; and
- threat modeling for the Twilio Services, including documenting any detection of attacks.
Twilio has implemented a Bug Bounty Program, available at https://bugcrowd.com/twilio through which researchers may report design and implementation issues or possible vulnerabilities.
12. Access Controls.
12.1 Provisioning Access. To minimize the risk of data exposure, Twilio follows the principle of least privilege through a team-based access-control model when provisioning system access. Twilio personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password, multi-factor authentication and be connected to Twilio’s Virtual Private Network (VPN). Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal trainings for such access including trainings on the relevant team’s systems. Twilio logs high risk actions and changes in the production environment. Twilio leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity and to raise an alert within minutes of a configuration change.
12.2 Password Controls. Twilio’s current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication, but not to require special characters or frequent changes. For the SendGrid Services, password requirements include a 10 character minimum, with at least three of the following characteristics: upper case letter, lower case letter, number, special character. When a Customer logs into its Twilio account, Twilio hashes the credentials of the user before they are stored. A customer may also require its users to add another layer of security to their account by using two-factor authentication (2FA).
13. Change Management. Twilio has a formal change management process to manage changes to software, applications and system software that will be deployed within the production environment. Change requests are documented using a formal, auditable, system of record. Prior to a high-risk change being made, an assessment is carried out to consider the impact and risk of a requested change, evidence acknowledging applicable testing for the change, approval of deployment into production by appropriate approvers(s) and roll back procedures. A change is reviewed and tested before being deployed to production.
14. Encryption in Transit. For the Twilio Services, Twilio’s cloud platform supports TLS 1.2 to encrypt network traffic transmitted between a Customer application and Twilio’s cloud infrastructure. For the SendGrid Services, Twilio utilizes opportunistic TLS to transmit Customer’s emails. This means that if Customer opts to use TLS, such email is encrypted end-to-end on the wire provided that the recipient’s email service provider supports TLS.
15. Vulnerability Management. Twilio maintains controls and policies to mitigate the risk from security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Twilio uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Twilio’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested and applied proactively. For the Twilio Services, operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the Twilio cluster over a predefined schedule. For high-risk patches, Twilio will deploy directly to existing nodes through internally developed orchestration tools.
16. Penetration Testing. Twilio performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Results of penetration tests are prioritized, triaged and remediated promptly by Twilio’s security team.
17. Security Incident Management. Twilio maintains security incident management policies and procedures in accordance with NIST SP 800-61. The Twilio Security Incident Response Team (T-SIRT) assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. Twilio retains security logs for 180 days. Access to these security logs is limited to T-SIRT. Twilio utilizes AWS platforms and third-party tools to detect, mitigate, and help prevent Distributed Denial of Service (DDoS) attacks.
18. Discovery, Investigation and Notification of a Security Incident. A “Security Incident” has the meaning given in the Data Protection Addendum which can be found online here www.twilio.com/legal/data-protection-addendum, or which is incorporated into the Agreement. Upon discovery or notification of any Security Incident, Twilio will:
- promptly investigate such Security Incident;
- to the extent that is permitted by applicable law, promptly notify Customer. Customer will receive notification via email to the owner of the Twilio account. Refer to the Agreement and the Data Protection Addendum to the Agreement for additional information on Customer notification and follow-on steps.
19. Resilience and Service Continuity. Twilio infrastructure for both the Twilio Services and SendGrid Services uses a variety of tools and mechanisms to achieve high availability and resiliency. For the Twilio Services, Twilio’s infrastructure spans multiple fault-independent AWS availability zones in geographic regions physically separated from one another. For the Twilio Services, there are manual or automatic capabilities to re-route and regenerate hosts within Twilio’s infrastructure. Twilio’s infrastructure is able to detect and route around issues experienced by hosts or even whole data centers in real time and employs orchestration tooling that has the ability to regenerate hosts, building them from the latest backup. Twilio leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, then these specialized tools will increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Twilio will also be notified immediately and have the ability to take prompt action to correct the cause(s) behind these issues if the specialized tools are unable to do so.
20. Backups and Recovery. Twilio performs regular backups of Twilio account information, call records, call recordings and other critical data using Amazon cloud storage. Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.