Test-Twilio Trust & Security White Paper FINAL

Twilio provides a trusted customer engagement platform that powers over one trillion human interactions annually. They aim to securely deliver this platform through proactive risk mitigation and helping customers meet regulatory demands. Key aspects of Twilio's security program include securing their people, products, data, and internal environment; identifying and responding to threats; and managing third party risks. Twilio also maintains several certifications like ISO 27001 and SOC 2 Type II to demonstrate their security practices and compliance.

Version: 1.0
Updated: 09 10 21

Twilio security

How Twilio securely delivers our trusted customer engagement platform

Contents

• Overview
• Securing our people
• Securing our products by design
• Securing data
• Securing our internal environment
• Identifying and responding to threats
• Operational resilience
• Managing third party security risk
• M&A risk management
• Compliance
• Shared responsibility
• Your responsibility
• Learn even more about our security program

Overview

Twilio’s trusted customer engagement platform powers over one trillion human interactions annually with flexible APIs built on a resilient infrastructure to facilitate a superior customer experience while mitigating the security risks associated with on-demand global communications at scale.

The Twilio Trust & Security team strives to maintain the confidentiality, availability, and integrity of data and services by proactively mitigating cybersecurity risks and helping customers meet regulatory demands, including data governance, privacy, and transparency.

As part of our information security management system (ISMS), Twilio services are certified under ISO/IEC 27001, a framework that provides specific requirements and practices to bring information security under management control. In addition, we have attestations to ISO/IEC 27017 and ISO/IEC 27018, internationally recognized codes of practice that provide guidance on controls to address cloud-specific information security threats and the protection of personally identifiable information (PII).

Twilio Programmable Voice, Programmable Messaging, Programmable Video, and Authy are compliant with SOC 2 Type II. Documentation of these certifications and attestations is available to contracted customers and partners on request.

To achieve this goal, we use a set of core principles to guide a strong security posture:

• Universal participation. We recognize that any component of the organization could be a potential avenue for compromise. Building a strong security program requires the cooperation of the entire workforce. Everyone at Twilio is responsible for the security of our platform.
• Risk-based security. An organization’s security focus should be defined by the set of risks it faces. Maintaining focus means continually identifying and managing emerging threats and significant risks.
• Least-privilege. Users and systems should have the minimum level of access necessary to perform their defined functions. Unnecessary levels of access are restricted.
• Defense-in-depth. Overall security cannot be reliant upon a single defense mechanism. If one security control is defeated, other controls should compensate to resist the attack.
• Secure failure. When a system’s availability, integrity, or confidentiality is compromised, the system should fail to a secure state and allow for secure recovery.
• Effective authentication and authorization. Establish identity for authentication and leverage role-based authorization to make informed access control decisions.
• Audit mechanisms. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.

This document describes the security program that protects Twilio products and the Twilio platform.

Securing our people

Our community of Twilions is the most important asset to Twilio. We make the well-being of our people a top priority by providing a safe and secure working environment. We also ask our workforce to take responsibility for learning and following good security practices.

Twilio maintains a strong security culture and ensures our people are a robust link in the security chain that protects the company, our customers, and your data. We do this by making sure all staff have the training, tools, and knowledge they need to work securely and are empowered to help others do the same.

Security is represented at the highest levels of the company. Twilio’s Chief Security Officer meets regularly with executive management to discuss challenges and coordinate company-wide security initiatives. Security starts at the top and reaches every member of the workforce. Twilio employees are responsible for understanding and adhering to the guidance contained in our security policies and standards. Security policies and standards are reviewed and approved by management at least annually and are made available to the Twilio workforce for their reference.

Twilio has established an anonymous hotline for the workforce to report unethical behavior where anonymous reporting is legally permitted. Our Trust & Security team is accessible through a number of channels so that people who work for Twilio can always raise concerns or issues about any security topic, including potential security threats or incidents.

All Twilio employees and contract personnel are bound by Twilio’s internal policies and standards regarding proper use and confidentiality of customer data. The Twilio Code of Conduct explicitly addresses risks such as bribery, corruption, compliance with international trade laws, and human trafficking.

Employee background checks

A robust security posture starts with knowing your people. Twilio carries out background checks in accordance with applicable local laws. Twilio verifies a new recruit’s education and previous employment, and also carries out reference checks as necessary. Depending on the role or position of a prospective employee, Twilio may also conduct criminal, credit, immigration, and security checks as allowed by local labor law or statutory regulations.

Security awareness

During onboarding, all new hires must complete Twilio’s Security Awareness Training, which explains common security threats, security policies, and best practices. New hires are also required to read and agree to Twilio’s Employee Handbook and complete the Twilio Code of Conduct Training, which includes information about protecting confidential information and company assets, our commitment to the privacy and integrity of customer data, and our anti-bribery and corruption policies.

The Twilio workforce is required to complete the Twilio Security Awareness Training annually and acknowledge our set of security policies and standards.

Twilio educates its workforce on protecting and securing their home networks and devices, including recommendations for Wi-Fi networks, known device attack vectors such as Bluetooth, physical security, and best practices for using software and handling data.

Some employees receive additional security training relevant to their role, such as secure development and secure design practices.

Workforce equipment

Twilio-issued laptops have disk encryption enabled to protect data at rest, and restrict mounting of external drives to prevent exfiltration of data. Twilio laptops run anti-virus and anti-malware software that uses behavior-based detection techniques to evaluate actions and potential actions for threats rather than relying on known malware byte signatures. Additionally, we deployed an insider risk monitoring solution across all Twilio-managed laptops throughout the enterprise to further reduce the risks to Twilio’s sensitive information.

Passwords

Twilio’s employee password policy is aligned with the NIST 800-63B guidelines. Employee passwords must be at least 16 characters in length, changed every 180 days, and cannot be the same as any of the previous 12 passwords. Accounts are locked after seven invalid login attempts. Additionally, access to most systems is centralized with the use of single sign-on (SSO).

Privileged passwords are more stringent. They must be at least 20 characters in length, including at least three of the following: uppercase, lowercase, numbers, and special characters. They must be changed every 60 days and can’t be the same as any of the previous 20 passwords. Multi-factor authentication (MFA) is required where possible, and accounts are locked out after three invalid login attempts.
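The two password tiers above, as an added example that is not Twilio’s code: a small policy module that enforces the stated length, character-class, rotation, history and lockout rules for the standard and privileged tiers. The account layout, the status strings and the PBKDF2 stand-in for bcrypt storage are assumptions.

```python
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tier:
    """Parameters as stated in the Passwords section for each tier."""
    name: str
    min_length: int
    max_age_days: int        # rotation period
    history_depth: int       # previous passwords that may not be reused
    lockout_attempts: int    # invalid logins before the account locks
    min_char_classes: int    # of upper / lower / digit / special
    mfa_required: bool


STANDARD = Tier("standard", 16, 180, 12, 7, 0, False)
PRIVILEGED = Tier("privileged", 20, 60, 20, 3, 3, True)
CHAR_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                string.digits, string.punctuation)


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum(any(c in cls for c in password) for cls in CHAR_CLASSES)


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: a salted slow hash stands in for the bcrypt storage the
    # paper describes; PBKDF2 keeps this example standard-library only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    tier: Tier
    changed_at: datetime
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # digests, newest first
    failed_logins: int = 0
    locked: bool = False
    mfa_enrolled: bool = False


def validate_new_password(acct: Account, candidate: str) -> list:
    """Return the policy rules a proposed password breaks (empty = acceptable)."""
    t = acct.tier
    problems = []
    if len(candidate) < t.min_length:
        problems.append(f"shorter than {t.min_length} characters")
    if char_classes(candidate) < t.min_char_classes:
        problems.append(f"uses fewer than {t.min_char_classes} character classes")
    if _digest(candidate, acct.salt) in acct.history[:t.history_depth]:
        problems.append(f"matches one of the previous {t.history_depth} passwords")
    return problems


def set_password(acct: Account, candidate: str, now: datetime) -> list:
    """Apply a password change if it passes policy; returns the problem list."""
    problems = validate_new_password(acct, candidate)
    if problems:
        return problems
    acct.history.insert(0, _digest(candidate, acct.salt))
    del acct.history[acct.tier.history_depth:]   # keep only what the policy needs
    acct.changed_at = now
    return []


def login(acct: Account, password: str, now: datetime) -> str:
    """One authentication attempt; returns a status string instead of raising."""
    if acct.locked:
        return "locked"
    if not acct.history or _digest(password, acct.salt) != acct.history[0]:
        acct.failed_logins += 1
        if acct.failed_logins >= acct.tier.lockout_attempts:
            acct.locked = True      # 7th (standard) or 3rd (privileged) failure
            return "locked"
        return "bad-password"
    acct.failed_logins = 0
    if now - acct.changed_at > timedelta(days=acct.tier.max_age_days):
        return "expired"            # force a change before granting access
    if acct.tier.mfa_required and not acct.mfa_enrolled:
        return "mfa-required"
    return "ok"


def demo() -> dict:
    # Walk both tiers through the rules with constructed inputs; returns the outcomes.
    now = datetime(2021, 9, 10)
    staff = Account(STANDARD, now)
    admin = Account(PRIVILEGED, now, mfa_enrolled=True)
    out = {"too_short": validate_new_password(staff, "short-pass")}
    out["set_ok"] = set_password(staff, "correct horse battery staple", now)
    out["reuse"] = set_password(staff, "correct horse battery staple", now)
    out["expired"] = login(staff, "correct horse battery staple", now + timedelta(days=181))
    out["classes"] = validate_new_password(admin, "correcthorsebatterystaple")
    out["admin_set"] = set_password(admin, "ThisIsASecretPhrase!", now)
    out["attempts"] = [login(admin, "wrong", now) for _ in range(3)]
    out["after_lock"] = login(admin, "ThisIsASecretPhrase!", now)
    return out
```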

Employee access

Twilio follows the principle of least privilege. Users and systems have the minimum level of access necessary to perform their defined function, and unnecessary levels of access are restricted. Access levels are audited quarterly, and inappropriate access is revoked. When an employee’s job responsibilities change, access privileges are revoked or reassigned as needed. Upon termination, an employee’s accounts are deactivated. Where technically feasible, these accounts are removed from the system. For a temporary worker or contractor, access privileges have an automatic expiration date on all accounts to guarantee that access is terminated no later than the end of the contract. Inactive user accounts are disabled after 90 days for Twilio Services.

To access production environments, Twilio engineers must complete required engineering courses and Secure Coding Training. Every engineer must have in-depth knowledge of the relevant systems and be considered a subject matter expert before being granted access to production systems.

User authentication

Only Twilio-owned devices (i.e., employee laptops) can access the production and confidential environments where Twilio confidential and customer data is stored. Employees must be connected to a trusted VPN, and for certain profiles must use multi-factor authentication to access the Twilio internal network. Wireless networks are secured using WPA2-Enterprise with RADIUS integrated with Twilio Active Directory.

Production, corporate, and other networks are physically and logically separated and assigned profiles that require appropriately restrictive levels of access. The production environment can only be accessed by authorized personnel via VPN, which requires hardware-based multi-factor authentication. Twilio production is primarily hosted on Amazon Web Services (AWS), and all access to the production environment is remote, even if a user is on the office network. Remote administration requires SSH access that is restricted in three ways: use of a bastion host, use of SSH keys instead of passwords, and the use of Yubikey for MFA.

Web filtering

Twilio utilizes a DNS proxy filtration service that provides the first line of defense against threats on the internet. It is used to prevent access to inappropriate websites and block phishing sites wherever Twilio employees are connected to Twilio’s corporate network via VPN or from within the office.

Data loss prevention

Twilio has a data loss prevention (DLP) system in place that scans for sensitive data which may potentially be exposed publicly or improperly stored and has alerting and quarantine capabilities for our primary collaboration systems.

Securing our products by design

Twilio prioritizes securing our products, services, and APIs from the start. Security is engaged at key parts of the design process to offer guidance to our engineers. The Twilio Secure Development Lifecycle ensures products are secure by design, both in development and after they have been deployed.

Twilio Secure Development Lifecycle

The Twilio Secure Development Lifecycle defines the standards by which Twilio creates secure products and the process that product teams must perform at different stages of development (requirements, design, implementation, and deployment). Twilio security engineers support development with activities including but not limited to:

• Internal security reviews prior to product launch
• Penetration tests performed by specialized third-party firms
• Ongoing bug bounty programs
• Regular threat modeling
• Secure development training covering the OWASP Top 10
• Security Champions embedded within development teams
• Automated static and dynamic application security testing (SAST and DAST) in the CI/CD pipeline
• Automated container scanning in the CI/CD pipeline

Change management

Twilio uses a continuous software delivery model to ensure a stable production environment for our customers.

Operational change control procedures are in place for products and services within Twilio and include processes for introducing changes into the production environment. Software changes and updates follow a defined and rigorous process to ensure that changes are valuable, while minimizing risk. These change control procedures are communicated to parties who perform system maintenance and updates on Twilio assets.

In order to maintain a continuous delivery model and ensure a stable production environment, Twilio enforces a consistent change management process for software releases across the company. Twilio software must complete a series of quality-related checkpoints and pass related tests before, during, and after deployment.

Change requests are documented using a formal, auditable system of record. The change management process includes the following items:

• An assessment of impact and risk of the change requested
• Evidence that applicable testing was performed successfully
• Review and approval prior to deployment into the production environment
• Communication of changes to relevant people/departments
• Rollback procedures

Threat modeling

Threat models are leveraged to identify, triage, and mitigate threats against our products, services, and APIs early in the SDLC. Twilio uses a custom end-to-end threat modeling methodology that combines a traditional data-flow diagram and the STRIDE model. We prioritize protection from various attack vectors by examining services and the information they store and/or transmit. Threat modeling at Twilio is supported by comprehensive documentation, data flow architecture, and a list of all personally identifiable information (PII) used by the application.
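An added example, not Twilio’s own methodology or tooling, of the data-flow diagram plus STRIDE approach described above: STRIDE-per-element enumeration over a constructed three-element DFD, ranking threats that touch PII or cross a trust boundary first, and producing the PII list the text says accompanies a model. The per-element mapping (the common Microsoft-style one) and the triage rule are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Set


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# STRIDE-per-element: which categories are considered for each DFD element type.
# Assumption: the usual Microsoft-style mapping, not necessarily Twilio's own.
STRIDE_FOR = {Kind.EXTERNAL: "SR", Kind.PROCESS: "STRIDE",
              Kind.STORE: "TRID", Kind.FLOW: "TID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service",
            "E": "Elevation of privilege"}
NO_PII: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    trust_zone: str
    pii: FrozenSet[str] = NO_PII     # PII fields the element stores


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    pii: FrozenSet[str] = NO_PII     # PII fields carried on the wire


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    priority: int                    # 1 = triage first
    note: str


def _triage(kind: Kind, code: str, pii: FrozenSet[str], crosses: bool):
    """Assumed triage rule: PII tampering/disclosure first, boundary crossings next."""
    if pii and code in "TI":
        return 1, "handles PII: " + ", ".join(sorted(pii))
    if crosses:
        return 2, "crosses a trust boundary"
    if kind is Kind.EXTERNAL and code == "S":
        return 2, "authenticate callers entering the platform"
    return 3, ""


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every node and edge of the DFD, sorted for triage."""
    zone = {e.name: e.trust_zone for e in elements}
    threats = []
    for e in elements:
        for code in STRIDE_FOR[e.kind]:
            prio, note = _triage(e.kind, code, e.pii, False)
            threats.append(Threat(e.name, CATEGORY[code], prio, note))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]     # edge spans two trust zones
        for code in STRIDE_FOR[Kind.FLOW]:
            prio, note = _triage(Kind.FLOW, code, f.pii, crosses)
            threats.append(Threat(f.name, CATEGORY[code], prio, note))
    return sorted(threats, key=lambda t: (t.priority, t.target, t.category))


def pii_inventory(elements: List[Element], flows: List[Flow]) -> Dict[str, Set[str]]:
    """The PII list that accompanies a model: field -> every place it appears."""
    inventory: Dict[str, Set[str]] = {}
    for item in list(elements) + list(flows):
        for name in item.pii:
            inventory.setdefault(name, set()).add(item.name)
    return inventory


# Constructed sample model: a messaging API that persists numbers and bodies.
PII = frozenset({"phone_number", "message_body"})
ELEMENTS = [
    Element("Customer app", Kind.EXTERNAL, "internet"),
    Element("Messaging API", Kind.PROCESS, "production"),
    Element("Message DB", Kind.STORE, "production", PII),
]
FLOWS = [
    Flow("POST /Messages", "Customer app", "Messaging API", PII),
    Flow("insert message", "Messaging API", "Message DB", PII),
]

if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        print(f"P{t.priority} {t.target:15} {t.category:23} {t.note}")
```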
Product security: Champions and Partners

Security Champions bring best-in-class security to their team’s products and services by ensuring new features go through security reviews. Security Champions raise the bar on security and build features that can support our customers with the highest security and data protection needs. Most product engineering teams have at least one dedicated Security Champion.

Security Partners are dedicated points of contact in the Trust & Security team who maintain knowledge and understanding of the products to assist with security reviews. Security Partners meet regularly with Security Champions, collaborating to perform threat modeling, code reviews, and penetration tests and to resolve security issues found through manual or automated security testing.

Bug bounty program

Twilio runs multiple public and private bug bounty programs through BugCrowd to encourage trusted security researchers from around the world to identify and report vulnerabilities for products in scope on our platform, APIs, core products, and console. We update our public bug bounty programs on a regular basis to make sure the most recent releases are being battle tested. Additionally, we review and adjust our payouts to stay competitive and have paid up to $10,000 for a single submission.

Securing data

Twilio’s data governance strategy is designed to ensure data is discoverable, understandable, high-quality, usable, secure, and compliant with company policies. Our goal is to have reliable data sets to evaluate enterprise performance, make management decisions across the company, support trust and company reputation, and perform audits. Implementation of this strategy involves people, processes, and technology.

Twilio’s Data Governance Program was established to ensure Twilio’s information assets are formally, proactively, and effectively managed throughout the company. The program’s mission is to enable Twilio employees to find, understand, trust, protect, and leverage Twilio’s data assets responsibly.

Data classification

Twilio classifies data based on importance, business need, and operational risk. Classification of the different data risk profiles helps Twilio design systems that meet our business needs, reduce operational risk, and serve our customers responsibly and ethically.

• Secret. This is the highest level of data security classification and requires the highest level of security controls. Secret data may represent an existential threat to the company, its customers, or end users, and/or would cause exceptionally grave damage should it be compromised.
• Restricted. Restricted data, if compromised, would cause severe damage to Twilio, Twilio’s customers, end users, employees, former employees, customers, vendors, and/or third parties.
• Confidential. Confidential data is intended for internal use only. Data that is not expressly classified as Secret, Confidential, and/or Public should be treated as Confidential data. Unauthorized disclosure, alteration, or destruction of that data could result in a moderate impact to Twilio, its customers, and/or end users.
• Public. Public data is intended for external release, use by non-employees, or has been downloaded from publicly available sources free of charge. Unauthorized disclosure of Public data would result in little or no risk to Twilio, its customers, and/or end users.

Data stewardship

Twilio’s data governance culture extends to all levels of the organization under a three-level pyramid model: Operational, Tactical and Strategic. At each level of the pyramid exists a relationship entity also known as a logical role.

At the Operational level, any employee who defines, produces, or consumes data is considered a Data Steward. Data Stewards have formal accountability to write data definitions or policies that follow established guidelines. Data Stewards are supported by Domain Stewards at the Tactical level.

At the Tactical level, Domain Stewards are the logical role taking the enterprise view of data and seeking to continually improve governance. Their responsibility is to define the standards of the data in their domains, making sure the appropriate documentation is created and shared across all stakeholders. Additionally, Domain Stewards work on the classification of databases, schemas, tables, and columns according to the Twilio Data Classification Policy and identify any data structures that contain PII in accordance with the Twilio Privacy Policy.

Finally, at the Strategic level, Twilio’s Data Governance Council makes the strategic decisions impacting business and technology areas of Twilio and sets the data governance strategic direction.

Credential management

Passwords and Twilio API credentials are individually salted and hashed before they are stored, using the bcrypt algorithm.

Data encryption

Twilio supports the use of TLS 1.2 to encrypt data in transit between the customer application and Twilio over public networks. Databases housing sensitive customer data are encrypted at rest.

Data segregation

Twilio has implemented logical separation between customers by tagging all communications data with the associated Customer ID to clearly identify ownership. Twilio applications are designed and built to honor these tags and enforce access controls to ensure the confidentiality requirements for each customer are met. These controls are reviewed as a part of the security assessment process to ensure one customer’s communications cannot be accessed by another.

Data access

To minimize the risk of data exposure, Twilio follows the principle of least privilege through a team-based access control model when provisioning system access. Personnel access to customer data is restricted based on business need, role and appropriate approvals. Employee access to customer data is promptly removed upon termination of employment. Access rights to production environments are reviewed at least semi-annually.

Twilio employees adhere to specific data handling guidelines in conformance with the commitments in Twilio’s Privacy Statement and our Binding Corporate Rules. Technical controls exist to prevent storage on removable media devices (i.e., USB flash drives, external hard drives, and any pluggable storage devices). There is a limited set of circumstances in which a Twilio employee may directly interact with customer data, including as necessary for legal holds, law enforcement requests, fraud investigations, troubleshooting or providing support.

To access the production environment, an authorized user must have a unique username and password, multi-factor authentication, and be connected to Twilio’s Virtual Private Network (VPN).

Securing our internal environment

Twilio takes a number of steps to secure our internal environment. We monitor and secure our network and infrastructure through the enforcement of security policies and controls that provide defense in depth, ensuring that a compromise in one layer is resisted by additional layers of protection.

Defense in depth

Twilio uses the defense in depth strategy to limit the “blast radius” of harm in case of an intrusion at any level. We create several layers of protection, ensuring that the failure of any single layer does not represent a loss of protection to information and assets, by securing and containing assets at the account, network, and service level to provide a protective operating environment for applications. Potentially weak services are isolated and protected to prevent their vulnerabilities from affecting other systems.

Asset management

The Twilio Enterprise Security Standard defines requirements for the protection of corporate assets and infrastructure. Assets are inventoried and documented to determine necessary security measures. Assets are reviewed regularly to make sure they continue to meet the security standards.
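The Customer ID tagging described under Data segregation above, as an added example that is not Twilio’s code: a store that stamps every record with the authenticated caller’s customer ID, filters reads by that tag inside the store rather than in the API handler, returns one indistinguishable outcome for missing and foreign records, and exposes only a role-gated, audited path for the limited staff circumstances listed under Data access. Record shapes, identifiers and role names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


class NotFound(LookupError):
    """Raised for records the caller may not see, whether or not they exist."""


@dataclass(frozen=True)
class Principal:
    subject: str                          # authenticated identity (constructed ids)
    customer_id: Optional[str] = None     # None for Twilio-internal staff
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Message:
    sid: str
    customer_id: str                      # ownership tag, written once at creation
    body: str


@dataclass
class MessageStore:
    _rows: Dict[str, Message] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def create(self, caller: Principal, sid: str, body: str) -> Message:
        if caller.customer_id is None:
            raise PermissionError("only customer principals create messages")
        # The tag comes from the authenticated principal, never from request input.
        msg = Message(sid, caller.customer_id, body)
        self._rows[sid] = msg
        return msg

    def get(self, caller: Principal, sid: str) -> Message:
        row = self._rows.get(sid)
        if row is None or row.customer_id != caller.customer_id:
            # Same outcome for "missing" and "not yours": a guessed SID learns nothing.
            self.audit.append(f"DENY get {sid} by {caller.subject}")
            raise NotFound(sid)
        return row

    def list_messages(self, caller: Principal) -> List[Message]:
        # The tag filter lives in the store, so no API handler can forget it.
        return [m for m in self._rows.values() if m.customer_id == caller.customer_id]

    def get_for_support(self, caller: Principal, sid: str, ticket: str) -> Message:
        """Break-glass read for the limited staff circumstances the text lists:
        role-gated, tied to a ticket reference, and always audited."""
        if "support" not in caller.roles or not ticket:
            raise PermissionError("support role and a ticket reference are required")
        row = self._rows.get(sid)
        if row is None:
            raise NotFound(sid)
        self.audit.append(f"SUPPORT get {sid} (owner {row.customer_id}) "
                          f"by {caller.subject} ticket {ticket}")
        return row
```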

Infrastructure management

All Twilio-controlled enterprise networks conform to an approved security architecture. All network access for Twilio Services between production hosts is restricted, using AWS security groups to allow only authorized services to interact in the production network. Twilio’s security architecture uses technologies to segment and filter traffic between security zones. Firewalls manage network segregation between different security zones in the production and corporate environments.

Any inter-site or network connectivity is established through edge routers and security devices. All network and VPN connections terminate in edge zones. Outbound DNS requests from any zone travel through DNS resolvers and are auditable and traceable to a single device. Firewall rules allowing traffic between security zones are documented, including a business case, and are approved by the Chief Security Officer (CSO) or appointed delegate.

For our corporate systems and cloud infrastructure, Twilio assesses vulnerabilities using open source and commercial vulnerability scanning tools. We also receive alerts from third parties, including our vendors and the US CERT.

Network monitoring

Twilio network’s security controls operate at the host level, and as such, we do not have a traditional DMZ. Instead, Twilio uses AWS Web Application Firewall selectively for external services with AWS Shield, while leveraging AWS Security Groups and Access Control Lists (ACLs) to manage traffic. AWS VPCs (Virtual Private Clouds) are used to manage network segregation between different security zones in the production environment. Firewalls are used to maintain segregation of the corporate networks; rules are reviewed quarterly.

Twilio employs an intrusion detection system (IDS) to monitor access events, security-related events, and API authentication. Alerts are sent to the security staff when anomalous events are detected. Security logs are collected within a log aggregation platform. Logs are retained based on applicable regulatory requirements.

Logging and monitoring

Twilio logs high-risk actions and changes in the production network. We use automation to identify any deviation from our technical standards and raise issues within minutes of the configuration change occurring. We log users’ successful and unsuccessful attempts to authenticate to the production environment.

Security logs are collected within a log aggregation platform. Logs are retained based on applicable regulatory requirements. Access to these security logs is limited to only authorized employees who need access based on their roles.

Securing our endpoints

Twilio uses an automated daily testing platform to continually monitor and secure our points of ingress and egress for edge services. The platform sends regular reports to the appropriate teams with information necessary to respond to any incidents.

Identifying and responding to threats

Twilio maintains processes and tools to identify and respond to vulnerabilities and other threats. Twilio scans for security threats using open-source, commercial, and in-house tools.

Vulnerability detection and remediation

Twilio’s Trust & Security team validates the vulnerabilities identified by these tools and processes, then rates vulnerabilities according to our risk-based vulnerability management standard. Our risk calculation is based on multiple factors including existing controls that mitigate the risk, scope, and severity of a potential exploit. Remediation actions to address vulnerabilities are applied within the timeframes assigned to risk ratings as defined in Twilio’s Vulnerability Management Standard. For critical issues, we maintain a 7-day SLA for patches, and a 14-day SLA for vulnerabilities.

Patching process

Assets are protected against known vulnerabilities by the regular application of vendor-supplied security patches and updates. Assets that rely on the use of a base image and do not support live patching are cycled or refreshed to use the latest available base image to ensure that applicable security updates are implemented on a 30-day cadence.

SOCless response automation

Security Engineering provides and supports SOCless, a Security Orchestration Automation Response (SOAR) platform as a service (PaaS). SOCless is a unique, serverless platform composed of AWS Lambda, Step Functions, API Gateway, DynamoDB and other AWS infrastructure. Security Response Automation is part of the Security Department’s goal of increasing the speed of event response, reducing malicious impact, and scaling with Twilio without introducing additional cost. To help other organizations defend their customers against threats at scale, and encourage the community to contribute to our efforts, we’ve released SOCless as an open-source project.

For more information, see Introducing Twilio’s SOCless.

Identity and access management

Twilio manages user access in an auditable system throughout the entire account life cycle. Systems have at least a primary and a backup approver. For audit purposes, access requests and approvals, as well as modifications to user access, are documented and preserved for at least two years.

Identity and access management (IAM) permissions and Security Group rules use the principle of least privilege. IAM permissions are restricted to resources owned by the service, and limited to the specific action required. Security Group rules are restricted to individual IP addresses and services where possible. Exceptions to these requirements must have a business case and be approved by the Trust & Security team.

Security risk management

The Twilio Security Risk Management Program (RMP) is a flexible and scalable framework to assess and manage risks in the Twilio environment and provide direction and basis to refine the Twilio ISMS. As the business grows and evolves, and the competitive and regulatory environment changes, the Twilio RMP is intended to be reapplied or adapted within the organization, based on organizational context and present and future priorities.

RMP strategies evolve in accordance with business drivers for response/handling is an immediate, effective response with minimal
risk‑based decision making and requirements for information. The risk impact to confidentiality, integrity, or availability.
management lifecycle defined in the Twilio RMP is adapted to manage
risks in various services within Twilio and to perform functional risk assessments. Twilio top-level management is responsible for review and prioritization of exceptions, findings, and vulnerabilities.

The security risk management framework with supporting processes is used as the basis for the ongoing identification, assessment, treatment, and reporting of security risks at Twilio. Potential security risks and assessment of those risks are compiled and communicated to management. Appropriate actions are taken to avoid, accept, transfer, or reduce those security risks based on the potential impact to the business and the likelihood of occurrence.

Penetration testing
Twilio performs penetration tests internally as well as externally by engaging leading security vendors across the globe. Twilio engages independent third parties to conduct application-level penetration tests on an annual basis, to meet compliance obligations. Results of penetration tests are prioritized, triaged by Twilio’s Trust & Security team and remediated promptly in partnership with Twilio’s R&D teams.

Customers are not permitted to perform penetration testing or scans against Twilio systems. Instead, they may participate in our public bug bounty program abiding by the rules of engagement.

Incident response
Response to security incidents is a critical component of business continuity, risk management, the maintenance and management of the security infrastructure, and in some cases, compliance with laws and contractual obligations. The fundamental tenet of security incident

Twilio maintains a security incident management program and policies based on NIST SP 800-61 guidance to enable the effective management of security incidents. The Twilio Security Incident Response Team (SIRT) assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions. The program includes procedures for:
• Preparation
• Detection and analysis
• Containment
• Eradication
• Recovery
• Post-incident activities

Twilio’s SIRT is responsible for managing and coordinating activities during a security incident. The team uses information gathered from the evaluation of past security incidents to help identify recurring themes or high-impact threats.

Customer incident notification
Twilio maintains an incident reporting policy that defines conditions under which security incidents are responded to and reported, including levels of severity and risk for various types of vulnerabilities. SIRT receives alerts from upstream vendors and is capable of responding 24x7. The team assesses the threat of all relevant vulnerabilities and establishes remediation actions and timelines for all events.

Twilio security 09 10 21 12

Twilio notifies customers of an incident by sending an email to an account’s specified security contact in the Twilio console. See Twilio data protection addendum for additional details.

DDoS prevention
Twilio leverages industry leading platforms and SIRT to detect, mitigate, and prevent DDoS attacks. Twilio uses AWS Shield Advanced for DDoS protection. Additionally, Twilio has predefined incident alerts set throughout the platform, and testing is performed during annual penetration tests. Our infrastructure incorporates multiple DDoS mitigation techniques in addition to maintaining multiple backbone connections. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.

Intrusion detection system
Twilio employs GuardDuty, a network-based intrusion detection system (IDS) provided by Amazon Web Services, to analyze AWS CloudTrail, VPC Flow Logs, and AWS DNS logs. The service is optimized for near real-time processing of security detections, using threat intelligence feeds such as lists of malicious IPs and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within the Twilio AWS environment.

Threat intelligence
The goal of the Threat Intelligence program is to understand and proactively manage external threats to Twilio’s assets, data, people, and systems. The team’s core objectives are to:
• Obtain and maintain comprehensive visibility of threat actors and threat actor tactics, techniques, and procedures posing a threat to Twilio
• Provide actionable cyber threat intelligence reports to internal Twilio stakeholders to continuously improve Twilio’s security posture
• Build information sharing relationships with external partners

Insider risk
Twilio’s Insider Risk Program executes several strategic initiatives designed to deter, detect, and mitigate insider threats to Twilio’s people and resources. These initiatives establish a framework for protecting Twilio’s workforce and safeguarding our sensitive information:
• User activity monitoring (UAM)—this capability, deployed across all endpoints throughout the enterprise, works with other efforts to detect internal threats to Twilio endpoints and reduce the risks to sensitive information. In addition, this program helps set and enforce policies for properly protecting, interpreting, storing, and limiting the access to UAM methods and results to authorized personnel.
• Partnerships among internal stakeholders—the Insider Risk Program maintains strong internal partnerships to deter, detect, and mitigate insider risk, bridging the gaps between teams to establish a shared vision. The program engages stakeholders on mutual agreements for information sharing, and standardized, repeatable processes for deterring, detecting, and mitigating insider threats.
• Analysis and response—this initiative maintains an insider threat analytic and response capability to gather, integrate, review, assess, and mitigate anomalous information derived from multiple sources. The Program works to mitigate insider risks through referral or response, in order to protect Twilio’s people and resources.
• Workforce education—this initiative helps to build a culture of knowledge and individual responsibility to help harden Twilio against insider risk. The program builds the culture through recurring
training and education, including the importance of identifying possible threats; how to identify high-risk behavior; and how to share concerns. One goal of the Program is to develop a team of insider risk professionals, leveraging existing industry training.
• Program oversight and employee privacy—the Insider Risk Program has established oversight mechanisms and procedures to ensure proper handling and use of records and data, restricting access to insider risk personnel who require the information to perform authorized functions.

Twilio’s Chief Security Officer oversees the program directly. Annually, or as required by Twilio policy, the Legal department conducts oversight review to ensure compliance with applicable laws, policies, and standards to ensure all legal and privacy issues are appropriately addressed for each part of the Program.

Operational resilience
Twilio takes measures to protect customers and their services through our high-availability platform architecture, resiliency practices and requirements built into our development and operational processes. We maintain Business Continuity, Disaster Recovery, and Crisis Management programs staffed with industry experts who have helped scale similar programs for Fortune 500 companies, with a focus on regulatory compliance frameworks and cloud service architecture.

Business continuity
Twilio ensures continued delivery of our products and services by following an annual program cadence of core activities ranging from business impact analysis to plan development and testing. Twilio performs an annual business impact analysis (BIA) to understand business requirements, set recovery objectives, and identify gaps and areas of vulnerability. The requirements and objectives set during the BIA inform the strategy analysis and Business Continuity Plans (BCPs), which are tested annually. Risks identified during the BIA are included in the Trust & Security’s risk management processes. BIAs are reviewed, updated, and approved annually by leadership, or as significant organizational changes occur.

Disaster recovery
Twilio’s Disaster Recovery (DR) Program establishes a framework to support its critical business functions to an acceptable level within a predetermined period of time following a disruption. Twilio infrastructure uses a variety of tools and mechanisms to achieve high availability and resiliency. Twilio provides customer-facing copies of DR Test Reports, when available, to customers who have current non-disclosure agreements (NDAs) in place.

Backups
Twilio performs daily backups of Twilio account information, call records, call recordings, and other critical data using Amazon S3 cloud storage. Backups are encrypted in transit and at rest using strong encryption (volume level, AES-256) and stored redundantly across multiple US availability zones and regions in AWS S3 buckets (cloud). Backup data is kept for one year.

Redundancy
Twilio maintains redundant inbound and outbound connectivity with multiple network carriers and real-time systems to dynamically route
each call or message via the carrier with the most reliable connectivity at any time, responding automatically to carrier availability and reliability, in addition to operating Twilio services across several AWS Availability Zones within the US-East region.

Crisis management
The mission of the Crisis Management program at Twilio is to avert potential crisis events and manage those that occur. This is accomplished by preparing response and recovery plans for a wide range of high-impact adverse events, such as a major cybersecurity event, severe product failures, or safety and security issues affecting a large portion of Twilions.

Read more about operational resilience at Twilio.

Physical security
The Corporate Security Operations team manages functions within the company that are responsible for facility security, physical security, travel security, employee protection, and threat response and intelligence. Twilio headquarters and office spaces are protected by a physical security program that manages visitors, building entrances, CCTVs (closed circuit television), and overall office security. All employees, contractors and visitors are required to wear identification badges.

Twilio’s production infrastructure is housed primarily in Amazon Web Services (AWS) data centers, which are secured by professional security staff as well as a variety of physical controls at the perimeter and building ingress points. AWS data centers are geographically diverse, with independent power grids and redundant power, HVAC and fire suppression systems. The AWS data centers use state-of-the-art practices for fault tolerance at each level of the system infrastructure, including Internet connectivity, power and cooling. Additional details on the physical security services provided by Amazon Web Services (AWS) are available at AWS Data Centers.

Managing third party security risk
Twilio contracts with third parties to provide a broad range of services ranging from office chairs and advertising to IT software and data center services. Prior to entering into a relationship with third parties (i.e., vendors), Twilio’s Third Party Security team reviews the security posture of the vendors by conducting a risk-based security assessment. This assessment identifies security risks and potential threats of connecting to systems and/or sharing sensitive data with a vendor. Security risks identified in the assessment are tracked to remediation. If several high severity security issues are identified for a third party, a security exception must be filed and approved before engaging with the third party for services.

Third party agreements include confidentiality, privacy and security obligations (when applicable) to ensure that data a vendor may access, store, and/or process is kept under an appropriate level of security controls and protection.

Tiering of third parties
Third parties are tiered according to the inherent risk they might pose to Twilio. The program takes into account the types of systems or
data accessed, volume and classification of data in scope, business continuity and disaster recovery concerns, along with legal and regulatory requirements.

Third party monitoring
Twilio periodically conducts security monitoring assessments of existing critical third parties. Monitoring assessments include evaluating whether there have been any changes to the scope of the services provided to Twilio and whether any system outages or breaches have occurred, requesting updated security documentation and obtaining remediation status for any risk issues previously identified.

Third party offboarding
Upon the termination of a contract, the Third-Party Security Risk Management team is notified via the Global Procurement process for off-boarding, ensuring all data is securely deleted and/or destroyed, if applicable.

M&A risk management
The purpose of the Mergers & Acquisitions (M&A) Risk Management program is to protect Twilio by identifying and raising cybersecurity risks prior to completing an acquisition. Results from the security due diligence process enable Twilio leadership to make informed decisions on the potential impact of an acquisition, as well as the time and resources required to resolve any issues after the deal closes. The program also manages integration planning efforts where there are potential security implications both for customer facing and internal systems. The program takes a risk-based approach to assess the acquisition target’s overall security posture and effectiveness of its security controls to protect against breaches and other cybersecurity threats.

The program facilitates collaboration across multiple cross-functional teams such as the Integration Management Office, Tech Services, R&D, Privacy, and Legal, in three phases:
1. Due diligence: Pre-acquisition security assessment of the target to identify issues and assess the security posture prior to deal signing
2. Integration planning: Pre-integration readiness, gap analysis
3. Post-close integration: People and systems integration into Twilio

Compliance
Twilio maintains and monitors compliance with applicable security frameworks and regulations. On an ongoing basis, Twilio evaluates the need to meet certain legal, regulatory, and contractual information security requirements. Twilio is committed to abiding by contractual terms with its customers and service providers.

Audit findings and remediation activities are documented and retained according to the Twilio Legal Data Retention Policy and/or authorized by Legal. Audit findings are communicated to the appropriate owners, relevant Trust & Security team members, and appropriate Twilio management. Audit findings are placed on a defined remediation program in order to track and achieve resolution. Audit findings found to be high risks to Twilio or customers are addressed with the highest handling priority.
Twilio services certifications and compliance
As part of our information security management system (ISMS), Twilio is certified under ISO/IEC 27001, has attestations to ISO/IEC 27017 and ISO/IEC 27018, and maintains SOC 2 compliance.

ISO/IEC 27001:2013
ISO/IEC 27001 is a globally-recognized, standards-based approach to security that outlines requirements for an organization’s information security management system (ISMS). Twilio has considered all sections of the ISO 27001 standard in scope and has no exclusions in the ISO 27001 Statement of Applicability. For all areas of the standard, Twilio has demonstrated adherence to the requirements as validated by our auditors.

ISO/IEC 27017
Conforming to ISO/IEC 27017 demonstrates our commitment to managing security at every level of our organization. Alignment with these globally recognized best practices specific to cloud services strengthens Twilio’s ISMS to ensure controls in place are continuing to align with industry best practices.

ISO/IEC 27018
Conforming to ISO/IEC 27018 demonstrates our commitment to protecting our customer’s content. Through the implementation of these internationally recognized best practices, Twilio has expanded our ISMS to include controls that are focused on public cloud Personally Identifiable Information (PII).

System and Organization Control (SOC) 2
The SOC 2 reports provide assurance that controls at a service organization relevant to selected criteria are operating as designed, either as of a point in time (Type I) or over a period of time (Type II). Twilio’s current SOC 2 Type II reports include the Security and Availability criteria. Twilio maintains SOC 2 Type II compliance for the following services:
• Programmable Voice
• Programmable Video
• Programmable SMS
• Twilio Flex
• Verify
• Lookup
• Twilio Conversations
• Studio
• Twilio Authy
• Twilio SendGrid

CSA STAR Self-Assessment
The Cloud Security Alliance Security, Trust, Assurance, and Risk (STAR) Registry documents the security and privacy controls provided by cloud computing offerings. Twilio has completed the CSA STAR Self-Assessment.

Twilio helps customers comply
As Twilio evolves to serve larger enterprises and customers in highly regulated industries, we recognize the need for elevated security controls and capabilities. This has led to an increased investment in growing our team of security professionals, expanding our technology, and partnering with customers to make sure they can leverage our services securely.
FIPS 140-2 Level 3
Federal Information Processing Standards (FIPS) are applicable across a number of industries, especially the Financial Services vertical. Twilio has deployed the ability for qualifying customers to request their accounts be enabled with technology that meets the FIPS Level 3 compliance requirements.

HIPAA eligibility
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 as part of a larger healthcare reform in the US. Part of the legislation is aimed at providing security and data privacy protections around access, use, and disclosure of protected health information (PHI). HIPAA covers any organizations that meet the definition of “covered entities” or “business associates”.

Under HIPAA, companies that use a service provider to process PHI on their behalf must put in place a business associate agreement with that service provider. Accordingly, customers that are subject to HIPAA compliance and intend to utilize Twilio’s products and services to develop communication workflows containing PHI must execute a Business Associate Addendum (BAA) to Twilio’s Terms of Service. Twilio’s BAA was developed taking into account the specific products and services that Twilio offers and considers HIPAA compliance as a shared responsibility between the customer and Twilio.

HIPAA supports Twilio’s goal of elevating our data privacy and security to meet the needs of our Healthcare and Lifesciences customers. Twilio is committed to providing a platform trusted by qualifying customers and their patients. To support this, Twilio has developed the Architecting for HIPAA on Twilio whitepaper for our customers to use as a resource; this whitepaper is updated as more of Twilio’s platform is made HIPAA eligible.

Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a proprietary information security standard administered by the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS applies to all entities that store, process or transmit cardholder data and/or sensitive authentication data including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the payment brands and administered by the PCI SSC.

Twilio’s Programmable Voice <Pay> service is PCI DSS Level 1 compliant and can be used to collect and tokenize credit card data over the phone and/or optionally make a payment on behalf of customer applications. Twilio does not store cardholder data on our platform. See Twilio’s PCI whitepaper and responsibility matrix.

For payments made to Twilio, a third party handles all Twilio’s credit card transactions. We are a PCI Level 3 Merchant, which means that we can accept credit cards as a form of payment but credit card numbers do not enter our environment during customer payment for Twilio services.

Data privacy
Twilio strives to maintain the confidentiality, availability, and integrity of our data and services while maintaining compliance with legislative, regulatory, and contractual requirements. To achieve this goal, a set of core security principles is leveraged to guide the creation of this Information Security Policy. From these guiding principles, Twilio builds and maintains the foundations of a strong security posture.

Binding Corporate Rules (BCRs)
BCRs are binding data protection policies that are approved by European data protection authorities after significant consultation
and which enable multinational businesses, such as Twilio, to make intra-organizational transfers of personal data across borders in compliance with EU data protection law. BCRs function as a code of conduct for Twilio’s data protection practices, based on strict principles established by EU data protection authorities and the General Data Protection Regulation’s (GDPR) standards and requirements.

Twilio’s BCRs were approved in May 2018 and demonstrate Twilio group members’ commitment to provide adequate protection of personal data throughout the organization, regardless of the group members’ location in the world. Twilio’s BCRs enable the transfer of personal data to Twilio group members across borders in compliance with EU data protection law. For more information, see Twilio’s Binding Corporate Rules.

General Data Protection Regulation (GDPR)
The GDPR is a data protection regulation established in the EU and EEA in May 2018. Over the ensuing years, it has become the global standard for privacy and data protection law. Twilio views the GDPR as an opportunity to build a stronger data protection foundation for the benefit of all. Twilio is committed to ensuring that our platform is GDPR compliant.

For new products, enhancements or material changes in processing, we proactively apply the Data Protection by Design principles. We apply GDPR standards to all data, not just EU personal data. This strategy provides Twilio the agility to maintain compliance with existing, new and revised data protection regulatory frameworks around the world. For more information, see Twilio & the General Data Protection Regulation (GDPR).

Government requests for information
Twilio only responds to requests that are sent from a government agency via a registered email domain; are issued where Twilio is subject to jurisdiction; carry an enforceable subpoena, court order, search warrant, or equivalent legal process that compels us to produce the information requested; and state the categories of records sought and the specific time period. To learn more about how Twilio Submits to Law Enforcement Requests, check out this page.

Check here for a complete product compliance list.

Note: In July 2020, the European Court of Justice (ECJ) invalidated the EU-U.S. Privacy Shield with the Schrems I and Schrems II rulings. The U.S. government disputes the merits of the ECJ’s ruling, but an alternative has not been proposed.

AWS certifications
Twilio leverages AWS data centers, trusted to be highly scalable, secure, and reliable. Information about AWS audit certifications is available on the AWS Security website and AWS Compliance website.

Shared responsibility
Twilio acknowledges that security is a shared responsibility between Twilio, our partners, and our customers. To remain resilient against future threats, we must always be evolving together.

Twilio’s responsibility
Twilio is responsible for our APIs, our products and services, and our customer and partner data. The Twilio Security Overview incorporated into and made a part of (a) Twilio’s Terms of Service; (b) the Twilio Platform Agreement; or (c) a similar written agreement between Twilio and Customer for Customer’s use of the Services describes
Twilio’s security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services.

Our APIs
We’re responsible for faithfully executing API calls your app makes, securely and in accordance with our documentation. It’s up to us to provide you information sufficient for you to determine whether you can use Twilio in a compliant manner.

Identity and access management
Twilio is responsible for securing our own systems, including determining appropriate levels of privilege across our organization and infrastructure, and for ensuring that our APIs are secured. Direct access to infrastructure, networks, and data is minimized to the greatest extent possible. Where possible, control planes are used to manage services running in production, to reduce direct access to host infrastructure, networks, and data. Direct access to production resources is restricted to employees requiring access as part of their job function and requires approval, strong multi-factor authentication, and access via a bastion host.

Information security
Twilio supports encryption to protect communications between Twilio and your application. We also take steps to protect your account information, including call records. Twilio secures your digital authentication credential secrets using industry best practice methods to salt and repeatedly hash your credentials before they are stored. Users can add another layer of security to their account by using two-factor authentication (2FA) for the Twilio console. Twilio performs regular backups of Twilio account information, call records, call recordings and other critical data using Amazon S3 cloud storage. Backups are encrypted in transit and at rest using strong encryption. Backup files are stored redundantly across multiple availability zones in U.S. data centers and are encrypted.

Your responsibility
As a partner or customer, you are responsible for ensuring your compliance with applicable laws and regulations, and for protecting your customers’ data. You are always responsible for the security of anything under your direct control.

Compliance
When it comes to compliance with regulations and laws, you are responsible for ensuring that it is possible for you to use Twilio in a compliant manner, and that your software applications’ instructions to Twilio comply with applicable law.

Your application
It’s your responsibility to secure your code throughout the entire software development lifecycle, including protecting your repositories, testing the application throughout the process, and securing production systems and any other connected systems or networks. You, our customer and the builder of the software application, are responsible for implementing and maintaining appropriate configuration properties for the Twilio products, services, or API you use and for the instructions your software application sends to Twilio. You must protect your API key, auth token or other credentials from unauthorized access, and must never hard code credentials in your app or push them to your repository.

Identity and access management
You are responsible for your identity and access management controls, including determining appropriate levels of privilege across your organization. It’s your responsibility to create and maintain authentication and authorization systems, including all mechanisms needed to secure them properly.

Information security
You are in charge of the security of your information and your customers’ data, including how it is accessed, processed, and stored.

Network security
You are responsible for your network, including any connection points to the cloud or other networks. It’s up to you to secure your on-premises infrastructure, employee or user devices, and any applications that run on these devices or infrastructure. Best practice is to set up monitoring and alerting to help you detect and respond to any potential incidents or threats.

About Twilio
Millions of developers around the world have used Twilio to unlock the magic of communications to improve any human experience. Twilio has democratized communications channels like voice, text, chat, video, and email by virtualizing the world’s communications infrastructure through APIs that are simple enough for any developer to use, yet robust enough to power the world’s most demanding applications. By making communications a part of every software developer’s toolkit, Twilio is enabling innovators across every industry—from emerging leaders to the world’s largest organizations—to reinvent how companies engage with their customers.

Do you need more information? Talk to an expert.
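The Network security paragraph above recommends monitoring and alerting so that incidents are detected and responded to, and the Intrusion detection system section earlier describes GuardDuty producing near real-time findings from CloudTrail, VPC Flow Logs and DNS logs. What sits between a stream of such findings and the people who respond is a triage step, and the following is an added example of one, not Twilio's code: it maps numeric severity to GuardDuty's Low/Medium/High bands, suppresses only reconnaissance findings that come from an authorised scanner (such as the annual penetration test the page mentions), collapses repeated findings of the same type against the same resource, and assigns each alert a route. The findings are constructed in a flattened shape modelled on a GuardDuty finding; the field names, the scanner allowlist and the TEST-NET addresses are assumptions made for this example.

```python
"""Triage of IDS findings into routed alerts.

Added example, not Twilio's code. Findings are constructed in a flattened
shape modelled on a GuardDuty finding (numeric severity, a
Category:Resource/Technique type string, the affected resource, the remote
address and a count); the field names are assumptions.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample findings. Addresses are from the TEST-NET ranges.
SAMPLE_FINDINGS: List[Dict] = [
    {"Id": "f1", "Severity": 8.0, "Type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
     "Resource": "iam-user/deploy-bot", "RemoteIp": "203.0.113.7", "Count": 1},
    {"Id": "f2", "Severity": 5.0, "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Resource": "instance/i-0abc", "RemoteIp": "198.51.100.20", "Count": 14},
    {"Id": "f3", "Severity": 5.0, "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Resource": "instance/i-0abc", "RemoteIp": "198.51.100.21", "Count": 3},
    {"Id": "f4", "Severity": 2.0, "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Resource": "instance/i-0def", "RemoteIp": "203.0.113.99", "Count": 1},
    {"Id": "f5", "Severity": 8.5, "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "Resource": "instance/i-0abc", "RemoteIp": "", "Count": 40},
    {"Id": "f6", "Severity": 8.0, "Type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
     "Resource": "iam-user/deploy-bot", "RemoteIp": "203.0.113.8", "Count": 2},
]

# Constructed: source addresses of an authorised scanner (for instance the
# annual penetration test). Only reconnaissance findings from these
# addresses are suppressed; anything else from them still alerts.
AUTHORISED_SCANNERS: Set[str] = {"198.51.100.20", "198.51.100.21"}

# Where each severity band goes: wake someone, open a ticket, or just record.
ROUTES = {"High": "page", "Medium": "ticket", "Low": "log"}


def severity_label(score: float) -> str:
    """Map the numeric severity to GuardDuty's bands: Low <4, Medium <7, High >=7."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def is_suppressed(finding: Dict, scanners: Set[str]) -> bool:
    """Suppress only Recon:* findings whose source is an authorised scanner."""
    return (finding["Type"].startswith("Recon:")
            and finding.get("RemoteIp") in scanners)


def triage(findings: Iterable[Dict], scanners: Set[str]) -> List[Dict]:
    """Collapse findings by (type, resource), keep the worst severity and the
    summed count, attach a route, and return alerts most severe first."""
    groups: Dict[Tuple[str, str], Dict] = {}
    for f in findings:
        if is_suppressed(f, scanners):
            continue
        key = (f["Type"], f["Resource"])
        g = groups.setdefault(key, {"type": f["Type"], "resource": f["Resource"],
                                    "severity": 0.0, "count": 0, "ids": [],
                                    "sources": set()})
        g["severity"] = max(g["severity"], f["Severity"])
        g["count"] += f.get("Count", 1)
        g["ids"].append(f["Id"])
        if f.get("RemoteIp"):
            g["sources"].add(f["RemoteIp"])
    alerts = []
    for g in groups.values():
        label = severity_label(g["severity"])
        g["label"] = label
        g["route"] = ROUTES[label]
        g["sources"] = sorted(g["sources"])
        alerts.append(g)
    alerts.sort(key=lambda a: a["severity"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_FINDINGS, AUTHORISED_SCANNERS):
        print(f"[{a['label']:>6}] {a['route']:<6} {a['type']} on {a['resource']} "
              f"x{a['count']} from {a['sources'] or ['n/a']}")
```

On the constructed input the two port probes from the authorised scanner disappear, the two console-login findings against the same IAM user merge into one High alert with both source addresses attached, and the crypto-mining DNS finding is paged first because it carries the highest severity. The allowlist is deliberately narrow: it matches only the Recon category, so a High-severity finding whose source happens to be a scanner address is never silently dropped.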

Learn even more about our security program
• Twilio Trust & Security
• Operational resilience at Twilio
• Twilio & HIPAA
• Twilio & PCI DSS
• Twilio & GDPR
• Twilio’s Binding Corporate Rules (BCR)
• Anti-fraud developer’s guide

Millions of software developers use Twilio’s platform and communication APIs to help businesses build more meaningful relationships with their customers.