First published to the Twilio blog on February 25, 2021. Visit the original post here.
Transfers of EU personal data to the US and other third countries have long been an area of concern for privacy-conscious EU customers and EU data protection authorities. On July 16, 2020, these concerns came to the fore again when the Court of Justice for the European Union (CJEU) ruled on Schrems II. While Twilio has already taken significant steps to ensure data we process is adequately safeguarded wherever in the world we process it (including, among other things, our Binding Corporate Rules and issuing semi-annual transparency reports), we know that this ruling raises important questions about the impact it may have on your business.
We’re excited to share the following details for how Twilio is taking further action to give customers greater control over personal data transfers and are committed to providing updates quarterly.
Our teams are actively working on a broad global strategy that will expand our global infrastructure into data centers in the EU and other countries and regions, such as Australia. This also includes updating our internal processes—all in an effort to mitigate concerns raised by the Schrems II decision—and applicable data protection laws around the world, in relation to cross-border data transfers of personal data.
To properly align our platforms, products, services, and processes to achieve these objectives requires significant effort and resources. Thus, this will be an iterative process, but there are 3 core efforts actively underway:
- We’re enabling you to keep EU user personal data in the European Union.
You’ll have control over where your data is ingested, processed, and stored, enabling you to keep personal data entirely within your region at rest and in transit.
- We’re implementing additional controls to restrict non-EU Twilio personnel from accessing EU personal data.
Non-EU employees of Twilio will be unable to access EU personal data without explicit permission from an EU entity and under limited circumstances only. This includes implementing controls ensuring that only pseudonymized data is transferred to Twilio systems outside of the European Economic Area (EEA) while further expanding our enterprise access control system to enhance oversight and control over access to EU personal data.
- We’re implementing additional legal safeguards for EU customers who contract with Twilio.
Twilio has updated our contracts to ensure that new EU customers are contracted through our entity in the EU by default. We’re working toward providing avenues for current EU customers to contract through our EU entity upon request.
What we’re delivering in 2022
In 2021, we made significant strides toward helping address customer concerns associated with cross-border transfers of EU personal data with the introduction of our first Regional pilot in Australia and the general availability (GA) release of Regional Voice in Ireland. Our primary focus this year was isolating customers’ end-user data, such as call detail records and audio recordings—data for which we act primarily as a processor under the General Data Protection Regulation (GDPR). In addition, we introduced our Twilio Ireland entity, enabling new customers to contract and bill out of the EU.
In 2022, we’ll continue to incorporate additional Twilio products and work on the regionalization of other non-end-user operational data, such as billing, support, regulatory compliance, and business analytics information. In addition, we’re working toward the release of our data privacy controls that ensure end-user operational data can be safely transferred outside of the EEA in an anonymized form.
We’re dedicated to keeping you informed
Transparency is core to Twilio’s mission of being the world’s most trusted customer communications platform. We’re committed to providing additional updates on a quarterly basis as we continue to work aggressively to deliver a broad, regional infrastructure.
Ongoing Updates on Twilio’s Response to Schrems II
Q2 2021 Update
Since February, product and engineering teams across Twilio have accelerated our work to provide you with regionalized products and functionality that help you achieve compliance and reduce cross-border data transfer risk around the world.
We’ve greatly accelerated our regional efforts to ensure you can respond proactively and have also taken advantage of what we consider to be a unique opportunity to solve future regulatory shifts once and for all. As we look into Q3, we’re prepared to begin delivering into your hands the value created as a result of this work.
Q3 2021 Update
Through Q2 and into Q3, our teams worked across key product, infrastructure, billing, and data access control initiatives to prepare for our Australia pilot program launch, which went live in September. This pilot features Twilio’s Programmable Voice, Elastic SIP Trunking, and Voice Client SDK products and expands Twilio’s infrastructure into Australia.
The pilot program is a critical step, paving the way for our team to regionalize Twilio within new geographies, particularly in Europe late next quarter. It also ensures that every interaction you have with your customers delivers the same level of trust and reliability that you expect from the Twilio Platform.
As part of this effort, Twilio is introducing data centers in separate and distinct geographic locations to enable data residency, decrease latency, and offer configurable reliability to further mitigate the risk of a single event impacting all Twilio services globally. Ultimately, this enables you to build and operate your most latency-sensitive applications while meeting local data residency requirements.
In addition, we’ve operationalized Twilio Ireland as our latest billing and contracting subsidiary. As of August, new European Twilio customers with either a phone number or a billing country in the region are automatically contracted through our Twilio Ireland subsidiary. We’re actively working on extending this to existing European customers and will provide updates as we progress. This presents a strong first step in addressing concerns around personal data protection for our customers in Europe.
Q4 2021 Update
This quarter, we’re excited to share that we’ve launched a data center in Ireland, and Twilio Voice, our first publicly regionalized channel within the European region, is now generally available in Ireland! The availability of this data center gives you control over where data is physically stored, enabling you to keep personal data at rest within the region of your choice.*
Existing EU customers can now migrate their Voice use cases to the data center in Ireland to establish data residency within the region. In addition, new customers may now select Ireland as their region of choice for Voice-related use cases. There’s no additional cost to use the new data center in Ireland. To learn more about getting started with Regional Voice in Ireland, head over to our developer docs.
The addition of an in-region data center also means data processing is closer to EU customer applications. Thus, reducing latency and improving application performance for highly interactive, real-time interactions, such as voice dialing, muting, sending chat messages, etc. This is because the distance an application’s data needs to travel to reach Twilio has a direct impact on network latency. Shorter round trips typically result in lower latency and improved quality and responsiveness for the application.
As we look to 2022, we’re looking forward to regionalizing even more Twilio products in the EU and other regions.
*Voice traffic, which includes data relating to the transmission of telephone calls utilizing Twilio’s platform, such as call recordings, transcripts, time of day, call duration, and minutes of use, is ingested, stored, and processed in Ireland. Exceptions will occur as necessary to investigate issues of fraud and abuse. At this time, all other data relating to your account and use of our Services will continue to be processed in the United States to allow Twilio to continue to provide and improve our Services to you. We will continue to work toward greater data regionalization for Voice, and other offerings, in the months ahead.
Timelines for regionalized Twilio products in Europe
The Twilio Voice in Ireland launch will be followed by the GA of Twilio Voice in Australia, as well as support for Conversations (Chat only) in Ireland. Public beta for Verified/Outgoing Caller ID and Serverless (Functions and Assets) are planned to debut within the region during the first half of 2022, with additional products like inbound and outbound SMS (beta), Media Streams, Marketplace, Outbound Email (beta), and Flex (pilot) expected during the second half of the year.
Finally, we’re ensuring that the teams supporting other Twilio entities, such as Segment (acquired by Twilio in November 2020), are equally equipped to meet the same stringent standards set by our regional teams. The Twilio Segment team has delivered regional data ingestion to GA in Q2 of 2021 and will be releasing Regional Segment with in-region Connections, Protocols, and Personas into GA in the EU during Q1 of 2022. It’ll give EU customers in-region data ingestion, processing, and storage, along with in-region audience creation.
|Q3 2021||Q4 2021||Q1 2022||Q2 2022||H2 2022|
|•Voice Pilot (Australia)
•Twilio Segment Regional Data Ingestion GA (Ireland, Australia, & Singapore)
|•Voice GA (Ireland)||
•Twilio Segment Regional Connections, Protocols, & Personas GA (Ireland)
|•Conversations – Chat Only (Ireland)
•Voice GA (Australia)
• Serverless – Functions/Assets Public Beta (Ireland)
|•Verified/Outgoing Caller ID (Global)
•Inbound & Outbound SMS Beta (Ireland)
•Media Streams (Ireland)
•Flex Pilot (Ireland)
Privacy protection & contracting: Further regionalizing how you do business with Twilio
In addition to the regionalization of our products and services, our teams are also working in tandem to improve the way that you do business with Twilio around the world. Our Privacy Engineering team is actively working to ensure data privacy rights are protected through state-of-the-art methods recognized by the European Data Protection Board (EDPB) and German Society for Data Protection and Data Security (GDD). These controls ensure, for example, that sensitive customer data remains regionalized and accessible only by Twilions in-region as necessary and this sensitive data remains inaccessible out-of-region, except when specifically approved.
We’re also working to introduce new billing and contracting opportunities that protect your business relationship with Twilio formally under a regionalized European entity, Twilio Ireland, when legally necessary or simply preferred. In Q3 of 2021, we updated our terms of service and operationalized Twilio Ireland so that new customers are now able to contract and bill with this in-region entity. These are just 2 examples of the many safeguards actively being put into place to ensure you have the tools to operate in a fully compliant manner anywhere in the world.
Building a future-proof platform today
The global regulatory landscape is ever-changing, and we’re acutely aware that rulings (like Schrems II) present important, time-sensitive issues that need to be addressed thoughtfully. As we continue to build a globally regionalized Twilio, our team has committed to a strategy that provides reliable, long-term solutions that deliver on needs today and well into the future—regardless of how regulatory measures, specifically regarding sensitive customer data, may change for years to come. It’s a promise that Twilio is uniquely capable of delivering on, and we’re excited to bring these updates to you over the coming quarters.
This blog post contains forward-looking statements within the meaning of the federal securities laws, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance, product development or marketing position. In some cases, you can identify forward-looking statements because they contain words such as “may,” “can,” “will,” “would,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “forecasts,” “potential” or “continue” or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-looking statements contained in this blog post include, but are not limited to, statements about: the pilot launch of Twilio’s Voice products, regionalizing Twilio in Europe, expansion of Twilio’s infrastructure into Australia, and support for additional products in these regions as we release public betas for regional data ingestion and storage. You should not rely upon forward-looking statements as predictions of future events.
Any unreleased products, features, functionality or roadmaps referenced in this blog post are not currently available and may not be delivered on time or at all, as may be determined in our sole discretion. Any such referenced products, features, functionality or roadmaps do not represent promises to deliver, commitments or obligations of Twilio. Customers who purchase our products should make their purchase decisions based upon features that are currently generally available.
The forward-looking statements contained in this blog post are also subject to additional risks, uncertainties, and factors, including those more fully described in Twilio’s most recent filings with the Securities and Exchange Commission, including its Form 10-Q for the quarter ended March 31, 2021. Further information on potential risks that could affect actual results will be included in the subsequent periodic and current reports and other filings that Twilio makes with the Securities and Exchange Commission from time to time. Moreover, Twilio operates in a very competitive and rapidly changing environment, and new risks and uncertainties may emerge that could have an impact on the forward-looking statements contained in this blog post.
Forward-looking statements represent Twilio’s management’s beliefs and assumptions only as of the date such statements are made. Twilio undertakes no obligation to update any forward-looking statements made in this blog post to reflect events or circumstances after the date of this blog post or to reflect new information or the occurrence of unanticipated events, except as required by law.