Twilio's Binding Corporate Rules: Controller Policy

Table of Contents

PART I: INTRODUCTION TO THIS CONTROLLER POLICY

This Binding Corporate Rules: Controller Policy (“Controller Policy”) establishes the Twilio group of companies' ("Twilio") approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal data for its own purposes as a controller.

1. Scope of this Controller Policy

1.1 Material scope

i. This Controller Policy applies in particular when Group Members process personal data as a controller or a processor on behalf of another Group Member and transfer personal data between the members of our group of companies listed in Appendix 1 ("Group Members"). This Controller Policy applies regardless of whether our Group Members process personal data by manual or automated means.

ii. For an explanation of some of the terms used in this Controller Policy, like "controller", "process", and "personal data", please see the section 7 headed "Important terms used in this Controller Policy" below.

iii. This Controller Policy applies to all personal data that we process for purposes of carrying out our business activities, employment administration and vendor management – such as:

• Human resources data: including personal data of past and current employees, individual consultants, independent contractors, temporary staff and job applicants;
• Customer data: including personal data relating to representatives of business customers who use our business services, other customer contact information, billing information, website use, and information necessary to authenticate customers;
• Communications metadata: metadata about the communications we process in connection with the provision of our services, (such as communications origination and termination information (including phone numbers and IP addresses), time / date of communication, routing information, and similar communications metadata) which is processed for functions such as network management, service optimization, troubleshooting and network security; and
• Vendor and contractor personal data: including personal data of individual contractors and of account managers and staff of third party suppliers who provide services to us.

iv. More details about the material scope of this Controller Policy are provided in Appendix 11.

1.2 Geographical scope

The standards described in the Controller Policy are worldwide standards that apply to all Group Members when processing any personal data as a controller or a processor on behalf of another Group Member. As such, this Controller Policy applies regardless of the origin of the personal data that we process or the location of the individuals concerned, the country in which we process personal data, or the country in which a Group Member is established.

2 Our collective responsibility to comply with this Controller Policy

i. All Group Members and their staff must comply with, and respect, this Controller Policy when processing personal data under this Controller Policy, irrespective of the country in which they are located.

ii. In particular, all Group Members who process personal data under this controller Policy must comply with:

• the rules set out in Part II of this Controller Policy;
• the practical commitments set out in Part III of this Controller Policy;
• the third party beneficiary rights set out in Party IV; and
• the policies and procedures appended in Part V of this Controller Policy.

3. Management commitment and consequences of non-compliance

Twilio's management is fully committed to ensuring that all Group Members and their staff comply with this Controller Policy at all times.

i. This Controller Policy ensures that our staff, service providers, and customers can trust that Twilio will process their personal data appropriately, fairly and lawfully, no matter where that data may be processed within Twilio.

ii. Non-compliance may cause Twilio to be subject to sanctions imposed by competent supervisory authorities and courts, and may cause harm or distress to individuals whose personal data has not been protected in accordance with the standards described in this Controller Policy.

iii. In recognition of the importance of trust to Twilio’s business and the gravity of the risks associated with violating that trust, staff members who do not comply with this Controller Policy will be subject to disciplinary action, up to and including dismissal.

4. Relationahip with Twilio's Binding Corporate Rules: Processor Policy

i. Twilio has a separate Binding Corporate Rules: Processor Policy ("Processor Policy") that applies when it processes personal data as a processor in order to provide a service to a third party (such as a customer). When a Twilio Group Member processes personal data to provide a service, it must comply with the Processor Policy.

ii. In some situations, Group Members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Privacy Team whose contact details are provided below.

5. Where will this Controller Policy be made available?

This Controller Policy is accessible on Twilio's corporate website at www.twilio.com/legal.

6. Important terms used in this Controller Policy

For the purposes of this Controller Policy:

• the term applicable data protection laws means the data protection laws in force in the territory from which a Group Member initially transfers personal data under this Controller Policy. Where a European Group Member transfers personal data under this Controller Policy to a non-European Group Member, the term applicable data protection laws shall include the European data protection laws applicable to that European Group Member (including the GDPR);
• the term "competent supervisory authoriy" means the supervisory data protection authority that is competent for the exporter of personal data;
• the term "controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data - For example, Twilio is a controller of its human resources records and customer relationship management records;
• the term "Data Disclosure Request" means a request received from a public authority (e.g. law enforcement or state security body) (together the "Requesting authority") from an importing country to disclose personal data processed by Twilio.
• the term "Europe" as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;
• the term "exporter" means a Group Member who processes personal data subject to the GDPR as a controller or a processor on behalf of another Group Member, and transfers this personal data to another Group Member outside Europe (the importer) for further processing;
• the term "Group Member" means the members of Twilio's group of companies listed in Appendix 1;
• the term "GDPR" means the EU General Data Protection Regulation 2016/679;
• the term "importer" means a Group Member outside Europe who receives personal data from the exporter with a view to further processing this personal data as a controller or processor;
• the term "Lead Supervisory Authority" means teh Irish Data Protection Commission or another supervisory authority appointed as the lead supervisory authority in the future;
• the term "personal data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• the term "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• the term "processor" means a natural or legal person which processes personal data on behalf of a controller. For the purposes of this Controller Policy, a Processor may be either a third party service provider or another Group Member;
• the term "special categories of data" means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. It also includes information about an individual's criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws; 
• the term "staff" refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any Group Member. 
• the term "third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data; and
• "Twilio" (or "we") means the Twilio group of companies.

7. How to raise questions or concerns

If you have any questions regarding this Controller Policy, your rights under this Controller Policy or applicable data protection laws, or any other data protection issues, you can contact Twilio's Privacy Team using the details below. Twilio's Privacy Team will either deal with the matter directly or forward it to the appropriate person or department within Twilio to respond.

Twilio's Privacy Team is responsible for ensuring that changes to this Controller Policy are notified to the Group Members and to individuals whose personal data is processed by Twilio in accordance with Appendix 9.

If you want to exercise any of your data protection rights, please see the data protection rights procedure set out in Appendix 3. If you are unhappy about the way in which Twilio has used your personal data, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 7.

PART II: OUR OBLIGATIONS

This Controller Policy applies in all situations where a Group Member processes personal data as a Controller or a processor on behalf of another Group Member anywhere in the world. All staff and Group Members must comply with the following obligations:

PART III: DELIVERING COMPLIANCE IN PRACTICE

To ensure we follow the rules set out in this Controller Policy, in particular the obligations set out in Part II, Twilio and all of its Group Members must also comply with the following practical commitments:

PART IV: THIRD PARTY BENEFICIARY RIGHT

1. Application of this Part IV

This Part IV applies where individuals’ personal data are protected under European data protection laws (including the GDPR). This is the case when:

• those individuals’ personal data are processed in the context of the activities of a Group Member (or its third party processor) established in Europe;
• a non-European Group Member (or its third-party processor) offers goods and services (including free goods and services) to those individuals in Europe; or
• a non-European Group Member (or its third-party processor) monitors the behaviour of those individuals, as far as their behaviour takes place in Europe;

and that Group Member then transfers those individuals’ personal data to a non-European Group Member for processing under the Controller Policy.

2. Entitlement to effective remedies

When this Part IV applies, individuals have the right to pursue effective remedies in the event their personal data is processed by Twilio in breach of the following provisions of this Controller Policy:

• Parts II (Our Obligations) of this Controller Policy;
• Paragraphs 5 (Complaints Handling), 6 (Cooperation with Competent Data Protection Authorities), 8 (Conflicts between this Controller Policy and national legislation) and 9 (Government requests for disclosure of personal data) under Part III of this Controller Policy; 
• Part IV (Third Party Beneficiary Rights) of this Controller Policy;
• Appendicies referred to in the Part above

These rights to pursue effective remedies do not extend to those elements of the Controller Policy pertaining to internal mechanisms implemented within Twilio, such as Appendix 4 (Privacy Compliance Structure), Appendix 5 (Privacy Training Program), Appendix 6 (Audit Protocol), and Appendix 9 (Updating Procedure).

3. Individuals’ third party beneficiary rights

When this Part IV applies, individuals may exercise the following rights:

i. Complaints: Individuals may complain to a Group Member, in accordance with the Complaints Handling Procedure at Appendix 7;

ii. Complaints to a competent supervisory authority: Individuals may lodge a complaint with a competent supervisory authority, in particular in the EU member state of the data subject’s habitual residence, place of work or place of the alleged infringement in accordance with the Complaints Handling Procedure at Appendix 7;

iii. Proceedings: Individuals may lodge a compliant against a Group Member for violations of this Controller Policy, before a competent court in the EU where the controller or processor has an establishment or where the individual has his or her habitual residence in accordance with the Complaints Handling Procedure at Appendix 7;

iv. Right to judicial remedy and redress: Individuals have the right to an effective judicial remedy and to obtain redress and, where appropriate, compensation in case of any breach of one of the enforceable elements of this Controller Policy. Individuals who have suffered material or non-material damage as a result of an infringement of this Controller Policy have the right to receive compensation from Twilio for the damage suffered;

v. Transparency: Twilio will publish the BCR-C in full on its corporate website as set out in Part I, Section 5 above. Individuals also have the right to obtain a copy of the Controller Policy on request to the Privacy Team at privacy@twilio.com.

4. Responsibility for breaches by non-European Group Members

i. Twilio Ireland Limited will at any given time be responsible for and will take any action necessary to remedy any breach of this Controller Policy by a non-European Group Member.

ii. In particular:

a. If an individual can demonstrate damage it has suffered likely occurred because of a breach of this Controller Policy by a non-European Group Member, Twilio Ireland Limited will have the burden of proof to show that the non-European Group Member is not responsible for the breach, or that no such breach took place.

b. Where a non-European Group Member fails to comply with this Controller Policy, individuals may exercise their rights and remedies at any given time against Twilio Ireland Limited and, where appropriate, receive compensation (as determined by a competent court or other competent authority) from Twilio Ireland Limited for any material or non-material damage suffered as a result of a breach of this Controller Policy.

5. Shared liability for breaches with processors

Where Twilio has engaged a third-party processor to conduct processing on its behalf, and both are responsible for harm caused to an individual by processing in breach of this Controller Policy, Twilio accepts that both Twilio and the processor may be held liable for the entire damage in order to ensure effective compensation of the individual. An individual who has suffered such harm may choose to exercise his or her rights under this Controller Policy against either Twilio or the processor.

PART V: APPENDICIES

Appendix 1

TWILIO GROUP MEMBERS

Part A: Twilio group members in the European Economic Area

Part B. Twilio group members outside of the European Economic Area

Appendix 2

FAIR INFORMATION DISCLOSURES

Fair Information Disclosures are often referred to as Privacy Notices or Privacy Policies

Information to be provided where Twilio collects personal data directly from individuals

1. When Twilio collects personal data directly from individuals , it must, at the time when it collects the personal data, provide those individuals with the following information

a. the identity of the data controller and its contact details;

b. the contact details of the data protection officer, where applicable;

c. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d. where the processing is based on Twilio's or a third party's legitimate interests, the legitimate interests pursued by Twilio or by the third party

e. the recipients or categories of recipients of their personal data (if any);

f. where applicable, the fact that a Group Member in Europe intends to transfer personal data to a third country or international organisation outside of Europe, and the measures that the Group Member will take to ensure the personal data remains protected in accordance with European Union law and how to obtain a copy of such measures.

1.2. In addition to the information above, Twilio shall, at the time when personal data are obtained, provide individuals with the following further information necessary to ensure fair and transparent processing:

a. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b. information about the individuals' rights to request access to, rectify or erase their personal data, as well as the right to restrict or object to the processing, and the right to data portability;

c. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d. the right to lodge a complaint with the competent supervisory authority;

e. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and of the possible consequences of failure to provide such data;

f. the existence of automated decision-making, including profiling, and, where such decisions may have a legal effect or significantly affect the individuals whose personal data are collected, any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for those individuals.

1.3 The requirements to provide the Fair Information Disclosures at paragraphs 1.1 and 1.2 above shall not apply where and insofar as the individual already has the information.

2. Information to be provided where Twilio collects personal data about individuals from a third party source

2.1. Where personal data has not been obtained directly from the individuals concerned, Twilio shall provide those individuals with the following information:

a. The Fair Information Disclosures described in paragraphs 1.1 and 1.2 above;

b. the categories of personal data that are being processed; and

c. from which source the personal data originates, and if applicable, whether it came from publicly accessible sources.

2.2. This information will be provided within a reasonable period after Twilio has obtained the personal data is obtained by Twilio from the individual or, if not practicable to do so at the point of collection, as soon as possible after collection and, at the latest, within one month, having regard to the specific circumstances in which the personal data are processed. In addition:

a. if the personal data are to be used for communication with the individual, the Fair Information Disclosures described above must be provided at the latest at the time of the first communication to that individual; and

b. if a disclosure of the personal data to another recipient is envisaged, the Fair Information Disclosures described above must be provided at the latest when the personal data are first disclosed.

2.3. Where Twilio obtains the personal data from a third party source, the requirements to provide the Fair Information Disclosures as described in this paragraph shall not apply where and insofar as:

a .the individual already has the information;

b. the provision of such information proves impossible or would involve disproportionate effort, and Twilio takes appropriate measures, consistent with the requirements of applicable data protection laws, to protect the individual's rights and freedoms and legitimate interests, including by make the Fair Information Disclosures publicly available;

c. obtaining or disclosure is expressly laid down by applicable laws to which Twilio is subject and these laws provide appropriate measures to protect the individual's legitimate interests; or

d. where the personal data must remain confidential subject to an obligation of professional secrecy regulated by applicable laws to which Twilio is subject, including a statutory obligation of secrecy.

Appendix 3

DATA PROTECTION RIGHTS PROCEDURE

1. Introduction

1.1Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") safeguard personal data transferred between the Twilio Group Members.

1.2 Individuals whose personal data are processed by Twilio under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is Twilio or a Customer) (a “Data Protection Rights Request”).

1.3 This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how Twilio will respond to any Data Protection Rights Requests it receives from individuals whose personal data are processed and transferred under the Policies.

2. Individual’s data protection rights

2.1 Twilio must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:

a. The right of access: This is a right for an individual to obtain confirmation whether a controller processes personal data about them and, if so, to be provided with details of that personal data and access to it. This process for handling this type of request is described further in paragraph 4 below;

b. The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data a controller may process about him or her. The process for handling this type of request is described further in paragraph 5 below.

c. The right to erasure: This is a right for an individual to require a controller to erase personal data about them on certain grounds – for example, where the personal data is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.

d. The right to restriction: This is a right for an individual to require a controller to restrict processing of personal data about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.

e. The right to object: This is a right for an individual to object, on grounds relating to his or her particular situation, to a controller’s processing of personal data about him or her, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.

f. The right to data portability: This is a right for an individual to receive personal data concerning him or her from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.

g. The right to opt-out from marketing communications: This is a right for an individual to object, in an easy-to-exercise manner and free of charge, to the use of their personal data for direct marketing purposes and we will honour all such opt-out requests. The process for handling this type of request is described further in paragraph 7 below.

h. The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects individuals' rights: We will not make any decision, which produces legal effects concerning an individual or that similarly significantly affects them, based solely on the automated processing of that individual's personal data, including profiling, The process for handling this type of request is described further in paragraph 8 below.

3. Responsibility to respond to a Data Protection Rights Request

3.1. Overview

3.1.1. The controller of an individual’s personal data is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.

3.1.2. As such, when an individual contacts Twilio to make any Data Protection Rights Request then:

a. where Twilio is the controller of that individual’s personal data under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and

b. where Twilio processes that individual’s personal data as a processor on behalf of a Customer under the Processor Policy, Twilio must inform the relevant Customer promptly and provide it with reasonable assistance to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.

3.2. Assessing responsibility to respond to a Data Protection Rights Request

3.2.1. If a Group Member receives a Data Protection Rights Request from an individual, it must pass the request to the Privacy Team at privacy@twilio.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Privacy Team to deal with the request.

3.2.2. The Privacy Team will make an initial assessment of the request as follows:

a. the Privacy Team will determine whether Twilio is a controller or processor of the personal data that is the subject of the request;

b. where the Privacy Team determines that Twilio is a controller of the personal data, it will then determine whether the request has been made validly under applicable data protection laws (in accordance with section 3.3 below), whether an exemption applies (in accordance with section 3.4 below) and respond to the request (in accordance with section 3.5 below); and

c. where the Privacy Team determines that Twilio is a processor of the personal data on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer and will not respond to the request directly unless authorised to do so by the Customer.

3.3. Assessing the validity of a Data Protection Rights Request

3.3.1. If the Privacy Team determines that Twilio is the controller of the personal data that is the subject of the request, Twilio will then contact the individual in writing to confirm receipt of the Data Protection Rights Request.

3.3.2. A Data Protection Rights request must generally be made in writing, which can include email, unless applicable data protection laws allow a request to be made orally. A Data Protection Rights Request does not have to be official or mention data protection law to qualify as a valid request.

3.3.3. If Twilio has reasonable doubts concerning the identity of the individual making a request, it may request such additional information as is necessary to confirm the identity of the individual making the request. Twilio may also request any further information which is necessary to action the individual's request.

3.4. Exemptions to a Data Rights Protection Rights Request

3.4.1. Twilio will not refuse to act on Data Protection Rights Requests unless it can demonstrate that an exemption applies under applicable data protection laws.

3.4.2. Twilio may be exempt under applicable data protection laws from fulfilling the Data Protection Rights Request (or be permitted to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested) if it can demonstrate that the individual has made a manifestly unfounded or excessive request (in particular, because of the repetitive character of the request).

3.4.3. If Twilio decides not to take action on the Data Protection Rights Request, Twilio will inform the individual without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent data protection authority and seeking a judicial remedy.

3.5. Responding to a Data Protection Rights Request

3.5.1. Where Twilio is the controller of the personal data that is the subject of the Data Protection Rights Request, and Twilio has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then Twilio shall deal with the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).

3.5.2. Twilio will respond to a Data Protection Rights Request without undue delay and in no case later than one (1) month of receipt of that request. This one (1) month period may be extended by two (2) further months only if the request is complex or due to the number of requests that have been made. In the event, an individual has Data Protection Rights available under applicable law which allow for the processing of such requests within a period longer than one (1) month, Twilio may accommodate the Data Protection Rights Request in an alternative time period, provided it complies with the time periods as set forth in applicable law.

4. Requests for access to personal data

4.1. Overview

4.1.1. An individual may require a controller to provide the following information concerning processing of his or her personal data:

a. confirmation as to whether the controller holds and is processing personal data about that individual;

b. if so, a description of the purposes of the processing, the categories of personal data concerned, the envisaged period(s) (or the criteria used for determining those periods(s)) for which the personal data will be stored, and the recipients or categories of recipients to whom the information is, or may be, disclosed by the controller;

c. information about the individual’s right to request rectification or erasure of his or her personal data or to restrict or object to its processing;

d. information about the individual’s right to lodge a complaint with a competent data protection authority;

e. information about the source of the personal data if it was not collected from the individual;

f. details about whether the personal data is subject to automated decision-making (including automated decision-making based on profiling) which produces legal effects concerning the individual or similarly significantly affects them; and

g. where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards that Twilio has put in place relating to such transfers in accordance with applicable data protection laws.

4.1.2. An individual is also entitled to request a copy of his or her personal data from the controller. Where an individual makes such a request, the controller must provide that personal data to the individual in intelligible form.

4.2. Process for responding to access requests from individuals

4.2.1 If Twilio receives an access request from an individual, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

4.2.2 Where Twilio determines it is the controller of the personal data and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Privacy Team will arrange a search of all relevant electronic and paper filing systems.

4.2.3 The Privacy Team may refer any complex cases to the Chief Legal Officer / Chief Compliance Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal data may prejudice commercial confidentiality or legal proceedings.

4.2.4 The personal data that must be disclosed to the individual will be collated by the Privacy Team into a readily understandable format. A covering letter will be prepared by the Privacy Team which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).

4.3. Exemptions to the right of access

4.3.1. A valid request may be refused on the following grounds:

a. If the refusal to provide the information is consistent with applicable data protection law (for example, where a European Group Member transfers personal data under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the Group Member is located);

b. where the personal data is held by Twilio in non-automated form that is not or will not become part of a filing system; or

c. the personal data does not originate from Europe, has not been processed by any European Group Member, and the provision of the personal data requires Twilio to use disproportionate effort.

4.3.2. The Privacy Team will assess each request individually to determine whether any of the above- mentioned exemptions applies. A Group Member must never apply an exemption unless this has been discussed and agreed with the Privacy Team.

5. Requests to correct, update or erase personal data, or to restrict or cease processing personal data

5.1. If Twilio receives a request to correct, update or erase personal data, or to restrict or cease processing of an individual’s personal data, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

5.2. Once an initial assessment of responsibility has been made then:

a. where Twilio is the controller of that personal data, the request must be notified to the Privacy Team promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.

b. where a Customer is the controller of that personal data, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. Twilio shall assist the Customer to fulfil the request in accordance with the terms of its contract with the Customer.

5.3. To assist the Privacy Team in assessing an individual's request for restriction of processing of his or her personal data, the grounds upon which an individual may request restriction are when:

a. the accuracy of the personal data is contested by the individual, for a period enabling Twilio to verify the accuracy of the personal data;

b. the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of its use instead;

c. Twilio no longer needs the personal data for the purposes of the processing, but it is required by the individual for the establishment, exercise or defence of legal claims; or

d. Twilio has exercised his or her right to object pending the verification whether the legitimate grounds of the controller override his or her objection right.

5.4. To assist the Privacy Team in assessing an individual's request for erasure of his or her personal data, the grounds upon which an individual may request erasure are when:

a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b. the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;

c. the individual exercises its right to object to processing of his or her personal data and there are no overriding legitimate grounds for continue processing;

d. the personal data have been unlawfully processed;

e. the personal data have to be erased for compliance with a legal obligation to which the controller is subject; or

f. the personal data have been collected in relation to the offer of information society services to a child under the age of 16 and a parent or guardian has not consented to the processing.

5.5. When Twilio must rectify or erase personal data, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, Twilio will notify other Group Members and any sub-processor to whom the personal data has been disclosed so that they can also update their records accordingly.

5.6. Where Twilio acting as a controller must restrict processing of an individual's personal data, it must inform the individual before it subsequently lifts any such restriction.

5.7. If Twilio acting as controller has made the personal data public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal data.

6. Right to data portability

6.1. If an individual makes a Data Protection Rights Request to Twilio acting as controller to receive the personal data that he or she has provided to Twilio in a structured, commonly used and machine- readable format and/or to transmit directly such information to another controller (where technically feasible), Twilio’s Privacy Team will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.

7. Right to opt-out from marketing communications

7.1. If an individual makes a Data Protection Rights Request to Twilio, acting as a controller, to opt-out from marketing communications, Twilio’s Privacy Team will forward the request to the relevant business function or otherwise provide a mechanism that is accessible to the individual for the purpose of exercising their right to opt-out of marketing communications.

8. Right not to be subject to a decision based solely on automated processing

8.1. If individual makes a Data Protection Rights Request to Twilio to not be subject to a decision based solely on automated processing, including profiling, Twilio’s Privacy Team will ensure the individual is exempted from such processes, unless such decision is: (i) necessary for entering into, or performing, a contract between a Group Member and that individual; (ii) authorized by applicable law (which, in the case of personal data about individuals in Europe, must be European Union or Member State law); or (iii) based on the individual's explicit consent. In the (i) and (iii) cases above, we must implement suitable measures to protect the individual's rights and freedoms and legitimate interests, including the right to obtain human intervention, to express his or her view and to contest the decision. We must never make automated individual decisions about individuals using their special categories of data unless they have given explicit consent or another lawful basis applies.

9. Questions about this Data Protection Rights Procedure

9.1. All queries relating to this Procedure are to be addressed to the Privacy Team or at privacy@twilio.com.

Appendix 4

PRIVACY COMPLIANCE STRUCTURE

1. Introduction

1.1. Twilio's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Global Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional privacy compliance structure.

1.2. Twilio's Privacy Compliance Structure has the full support of Twilio's executive management. Further information about Twilio's Privacy Compliance Structure is set out below and in the structure chart provided at Annex A.

2. Chief Privacy Officer

2.1. Twilio has appointed a Chief Privacy Officer (“CPO”) who provides executive-level oversight of, and has responsibility for, ensuring Twilio's compliance with applicable data protection laws and the Policies.

2.2. The CPO reports directly to the Board of Directors on all material or strategic issues relating to Twilio's compliance with data protection laws and the Policies, and is also accountable to Twilio's independent Audit Committee. The CPO can inform the Board of Directors if any questions or problems arise during the performance of his/her duties. The CPO leads and is supported by Twilio’s Privacy Team.

2.3. The CPO’s key responsibilities with regard to privacy include:

• Ensuring that the Policies and other privacy-related policies, objectives and standards are defined and communicated.
• Reporting at least annually (and more often, if needed, in response to specific risks or concerns), on global data protection compliance to Twilio's Board of Directors.
• Providing clear and visible senior management support and resources for the Policies and for privacy objectives and initiatives in general.
• Evaluating, approving and prioritizing remedial actions consistent with the requirements of the Policies, strategic plans, business objectives and regulatory requirements.
• Periodically assessing privacy initiatives, accomplishments, and resources to ensure continued effectiveness and improvement.
• Ensuring that Twilio's business objectives align with the Policies and related privacy and information protection strategies, policies and practices.
• Facilitating communications on the Policies and privacy topics with the Board of Directors and independent Audit Committee.
• Dealing with any escalated privacy complaints in accordance with the Binding Corporate Rules: Complaint Handling Procedure.
• Dealing with competent supervisory authorities' investigations.
• Supporting the conduct of any data protection audits carried out by supervisory authorities, in accordance with the Binding Corporate Rules: Cooperation Procedure.

3. Privacy Team

3.1. The Twilio Privacy Team consists of Twilio’s in-house privacy counsel, as well as other non-legal privacy operations staff.  The Privacy Team reports directly to Twilio’s CPO , who in turn, reports to the Chief Legal Officer. Reporting to the CPO ensures appropriate independence and oversight of duties relating to all aspects of Twilio's data protection compliance.

3.2. The Privacy Team is accountable for managing and implementing Twilio's data privacy program internally (including the Policies) and for ensuring that effective data privacy controls are in place for any third party service provider Twilio engages. In this way, the Privacy Team is actively engaged in addressing matters relating to Twilio's privacy compliance on a routine, day-to-day basis.

3.3. The Privacy Team’s responsibilities include:

• Providing guidance about the collection and use of personal data subject to the Policies and to assess the processing of personal data by Twilio Group Members for potential privacy-related risks.
• Responding to inquiries and compliance relating to the Policies from staff members, customers and other third parties raised through its dedicated e-mail address at privacy@twilio.com.
• Helping to implement the Policies and related policies and practices at a functional and local country level, providing guidance and responding to privacy questions and issues.
• Providing input on audits of the Policies, coordinating responses to audit findings and responding to inquiries of the data protection authorities.
• Monitoring changes to global privacy laws and ensuring that appropriate changes are made to the Policies and Twilio's related policies and business practices.
• Overseeing training for staff on the Policies and on data protection legal requirements in accordance with the Binding Corporate Rules: Privacy Training Program.
• Promoting the Policies and privacy awareness across business units and functional areas through privacy communications and initiatives.
• Evaluating privacy processes and procedures to ensure that they are sustainable and effective.
• Reporting periodically on the status of the Policies to the CPO and Board of Directors and / or Audit Committee as appropriate.
• Ensuring that the commitments made by Twilio in relation to updating, and communicating updates to the Policies are met in accordance with the Binding Corporate Rules: Updating Procedure.
• Overseeing compliance with the Binding Corporate Rules: Data Protection Rights Procedure and the handling of any requests made under it.

4. Security Compliance and Assurance Team

4.1. Twilio’s Security Compliance and Assurance team, which is made up of members of the wider Trust and Security Team, reports to the Chief Digital Officer. This team has a number of specific responsibilities in relation to the implementation and oversight of the Policies and privacy matters more generally, including:

• Audit of attendance of privacy training courses as set out in the Binding Corporate Rules: Privacy Training Program.
• Overseeing independent audits of compliance with the Policies as set out in the Binding Corporate Rules: Audit Protocol and ensuring that such audits address all aspects of the Policies.
• Ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of Twilio's Privacy Team and that any corrective actions are determined and implemented within a reasonable time.

5. Privacy & Security Committee

5.1. Twilio's Privacy & Security Committee comprises functional leads or key representatives from the main functional areas within Twilio, including security, sales, marketing, HR, procurement, product development, legal and compliance.

5.2. The key responsibilities of members of the Privacy & Security Committee include:

• Promoting the Policies at all levels in their functional areas.
• Assisting the Privacy Team with the day-to-day implementation and enforcement of Twilio's privacy policies (including the Policies) within their respective areas of responsibility.
• Escalating questions and compliance issues or communicating any actual or potential violation of relating to the Policies to the Privacy Team.
• Through its liaison with the Privacy Team, the Privacy & Security Committee serves as a channel through which the Privacy Team can communicate data privacy compliance actions to all key functional areas of the business.

5.3. The Privacy & Security Committee will meet on a formal and regular basis, at a minimum frequency of every six months, to ensure a coordinated approach to data protection compliance across all functions.

6. Data Protection Officer

6.1 Twilio has appointed a DPO who assists Group Members and provides oversight of Twilio's compliance with applicable data protection laws and the Policies. The DPO reports directly to executive management, including Twilio's independent Audit Committee. Twilio’s DPO is also responsible for:

• informing and advising staff who carry out processing of their obligations pursuant to applicable data protection laws and the Controller Policy;
• monitoring compliance with data protection regulations, the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
• providing advice where requested as regards the data protection impact assessment and monitoring its performance;
• cooperating with the competent supervisory authority;
• acting as the contact point for the competent supervisory authorities on issues relating to processing, including prior consultation, and consulting, where appropriate, with regard to any other matter.

7. Twilio Staff

7.1. All staff members within Twilio are responsible for supporting the functional Privacy & Security Committee members on a day-to-day basis and adhering to Twilio privacy policies.

7.2. In addition, Twilio staff are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Privacy & Security Committee member or, if they prefer, the Twilio Privacy Team. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.

8. Contact Details

8.1 Twilio’s DPO and Privacy Team and Privacy & Security Committee can be directly contacted at privacy@twilio.com or by writing to Twilio Privacy at 101 Spear St. Ste. 500, San Francisco, CA 94105

Appendix 5

PRIVACY TRAINING PROGRAM

1. Background

1.1 The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") provide a framework for the transfer of personal data between Twilio's Group Members. The document sets out the requirements for Twilio to train its staff members on the requirements of the Policies.

1.2. Twilio must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal data) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws. Training shall also include guidance on data protection best practices and any security certifications applicable to Twilio such as ISO 27001. This training is repeated on a regular basis, as specified in section 3.2 below. 

1.3. Staff members who have permanent or regular access to personal data and who are involved in the processing of personal data or in the development of tools to process personal data must receive additional, tailored training on the Policies and specific data protection issues relevant to their role.

1.4. These trainings are further described below.

2. Responsibility for the Privacy Training Program

2.1. Twilio's Privacy Team has overall responsibility for privacy training at Twilio, with input from colleagues from other functional areas, including Legal, Information Security, Security Compliance and Assurance, HR and other departments, as appropriate. The Privacy Team will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal data, who are involved in the processing of personal data or in the development of tools to process personal data.

2.2. Twilio's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance must be recorded and monitored via regular audits of the training process. These audits are performed by Twilio's Security Compliance and Assurance Team and/or independent third party auditors.

2.3. If these training audits reveal persistent non-attendance, this will be escalated to the Privacy Team for action. Such action may include escalation of non-attendance to appropriate managers within Twilio who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.

3. Delivery of the training courses

3.1. Twilio will deliver mandatory training courses, either in person or electronically, supplemented by face to face training for staff members. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.

3.2. All Twilio staff members must complete data protection training (including training on the Policies):

a. as part of their induction program;

b. as part of a regular refresher training at least every year;

c. as and when necessary to stay aware of changes in the law; and

d. as and when necessary to address any compliance issues arising from time to time.

3.3. Certain staff members must receive supplemental specialist training, in particular staff members who handle customer or employee personal data in Product Development, HR and Customer Support or whose business activities include processing special categories of personal data. Specialist training shall be delivered as additional modules to the basic training package, and will be tailored as necessary to the course participants.

4. Training on data protection

4.1. Twilio's training on data protection and the Policies will cover the following main areas:

4.1.1 Background and rationale:

a. What is data protection law?

b. What are key data protection terminology and concepts?

c. What are the data protection principles?

d. How does data protection law affect Twilio internationally?

e. What are Twilio’s BCR Policies?

4.1.2. The Policies:

a. An explanation of the Policies

b. The scope of the Policies

c. The requirements of the Policies

d. Practical examples of how and when the Policies apply

e. The rights that the Policies give to individuals

f. The privacy implications arising from processing personal data for clients

4.1.3. Where relevant to a staff member's role, training will cover the following procedures under the Policies:

a. Data Subject Rights Procedure

b. Audit Protocol

c. Updating Procedure

d. Cooperation Procedure

e. Complaint Handling Procedure

f. Government Data Request Procedure, including how to handle requests for access to personal data by public authorities

Appendix 6

AUDIT PROTOCOL

1. Background

1.1. Twilio's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") safeguard personal data transferred between the Twilio Group Members.

1.2. Twilio must audit its compliance with the Policies on a regular basis, and this document describes how and when Twilio must perform such audits. Although this Audit Protocol describes the formal assessment process by which Twilio will audit its compliance with the Policies, this is only one way in which Twilio ensures that the provisions of the Policies are observed and corrective actions taken as required.

1.3. In particular, Twilio's Privacy Team provides ongoing guidance about the processing of personal data and continually assesses the processing of personal data by Group Members for potential privacy-related risks and compliance with these Policies.

2. Conduct of an audit

Overview of audit requirements

2.1. Compliance with the Policies is overseen on a day to day basis by the Security Compliance and Assurance Team. The Security Compliance and Assurance Team is responsible for overseeing independent audits of compliance with the Policies and will ensure that such audits address all aspects of the Policies including methods and action plans ensuring that corrective actions have been implemented.

2.2. The Security Compliance and Assurance Team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Privacy Team and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to Chief Legal Officer and Chief Compliance Officer and, ultimately, the Board of Directors in accordance with paragraph 2.10.

2.3. Where Twilio acts as a processor, the Customer (or auditors acting on its behalf) may audit Twilio for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on Twilio's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with Twilio.

2.4. Frequency of audits of compliance with the Policies will be determined on the basis of the risk(s) posed by the processing activities covered by the Policies to the rights and freedoms of data subjects and audits will be conducted:

a. at least annually in accordance with Twilio's audit procedures; and/or

b. at the request of the Chief Legal Officer and Chief Compliance Officer and / or the Board of Directors; and/or

c. as determined necessary by the Privacy Team or Audit Committee (for example, in response to a specific incident) and / or

d. (with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with Twilio.

Scope of audit

2.5. The Privacy Team will determine the scope of an audit following a risk-based analysis that takes into account relevant criteria such as:

a. areas of current regulatory focus;

b. areas of specific or new risk for the business;

c. areas with changes to the systems or processes used to safeguard data;

d. use of innovative new tools, systems or technologies;

e. areas where there have been previous audit findings or complaints;

f. the period since the last review; and

g. the nature and location of the personal data processed.

2.6. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to that Customer. Twilio will not provide a Customer with access to systems which process personal data of another Customer.

Auditors

2.7 Audit of the Policies (including any related procedures and controls) will be undertaken by internal or external independent and experienced professional auditors appointed by Twilio and acting under a duty of confidence and in possession of the required professional qualifications as necessary to perform audits of the Policies.

2.8 In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with Twilio.

2.9. The competent data protection authorities may audit Group Members for the purpose of reviewing compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure.

Reporting

2.10. Data protection audit reports must be submitted to the Chief Legal Officer and Chief Compliance Officer, Lead Privacy Counsel, the Chief Digital Officer, and, provided that it cannot result in a conflict of interests, to the Data Protection Officer, and the board of Twilio Ireland Limited and where appropriate, Twilio Inc's board.

2.11. Upon request and subject to applicable law Twilio will provide copies of the results of data protection audits of the Policies (including any related procedures and controls) to competent supervisory authorities.

2.12 Upon request and subject to applicable law and respect for the confidentiality and trade secrets of the information provided, Twilio will to the extent that an audit of compliance with the Processor Policy relates to personal data Twilio processes on behalf of a Customer, to that Customer.

Appendix 7

COMPLAINT HANDLING PROCEDURE

1. Background

Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy") safeguard personal data transferred between the Twilio Group Members.

This Complaint Handling Procedure describes how complaints brought by an individual whose personal data is processed by Twilio under the Policies must be addressed and resolved.

This procedure will be made available to individuals whose personal data is processed by Twilio under the Controller Policy and to Customers on whose behalf Twilio processes personal data under the Processor Policy.

2. How individuals can bring complaints

Any individuals may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing Twilio’s Privacy Team at privacy@twilio.com or by writing to Twilio’s Privacy Team at 101 Spear St, Ste 500, San Francisco, CA 94105. We encourage using this point of contact, however, complaints received by other means will also be addressed. 

3. Complaints related to the processing under this Controller Policy

Who handles complaints?

3.1.1 The Privacy Team will handle all questions, concerns, or complaints in respect of personal data processed under the Controller Policy (such as personal data processed in the context of human resources administration HR admin or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Privacy Team will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.

What is the response time?

3.1.2. Twilio will acknowledge receipt of a question, concern or complaint to the individual concerned without undue delay, investigating and providing information on actions taken to the complainant without undue delay and in any event within one (1) month.  Our substantive response to a data subject complaint will include details of any remedial action taken.

3.1.3. If, due to the complexity of the complaint or the number of requests received, a substantive response cannot be given within this period, Twilio will advise the individual accordingly and provide a reasonable estimate (not exceeding two (2) further months, i.e. three (3) months in total) of the timescale within which a substantive response will be provided.

What happens if an individual disputes a finding?

3.1.4. If the individual notifies Twilio that it disputes any aspect of the response finding, the Privacy Team will refer the matter to the Chief Privacy Officer (CPO). The CPO will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The CPO will respond to the complainant within one (1) month from being notified of the escalation of the dispute.

3.1.5. As part of its review, the CPO may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the CPO will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed three (3) months from the date the dispute was escalated.

3.1.6. If the complaint is upheld, the CPO will arrange for any necessary steps to be taken as a consequence. If the complaint is rejected, the CPO will notify the individual within the timescales set out above.

3.1.7. Individuals who are not satisfied by the response finding from Twilio, may go straight to the procedure in Section 5, below.

4. Complaints where Twilio is a processor

Communicating complaints to the Customer

4.1.1. Where a complaint is brought in respect of the processing of personal data for which Twilio is a processor on behalf of a Customer, Twilio will communicate the details of the complaint to the relevant Customer without delay and without handling it (unless Twilio has agreed in the terms of its contract with the Customer to handle complaints).

4.1.2. Twilio will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.

What happens if a Customer no longer exists?

4.1.3 In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal data are processed under the Processor Policy have the right to complain to Twilio and Twilio will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.

4.1.4 In such cases, individuals also have the right to complain to a competent data protection authority and to file a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by Twilio. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.

5. Right to complain to a competent supervisory authority and to commence proceedings

Overview

5.1.1 Where individuals' personal data:

a. are processed in Europe by a Group Member acting as a controller and/or transferred to a Group Member located outside Europe under the Controller Policy; or

b. are processed in Europe by a Group Member acting as a processor and/or transferred to a Group Member located outside Europe under the Processor Policy;

then those individuals have certain additional rights to pursue effective remedies for their complaints, as described below.

5.1.2. The individuals described in above have the right to complain to a competent supervisory authority (in accordance with paragraph 5.2) and/or to commence proceedings in a court of competent jurisdiction (in accordance with paragraph 5.3), whether or not they have first complained directly to the Customer in question or to Twilio.

5.1.3. Twilio accepts that complaints and claims made pursuant to paragraphs 5.2 and 5.3 may be lodged by a not-for-profit body, organization or association acting on behalf of the individuals concerned.

5.2. Complaint to a competent supervisory authority

5.2.1 If such an individual wishes to complain about Twilio's processing of his or her personal data to a data protection authority on the basis that a European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, he or she may complain about that European Group Member to the competent supervisory authority in the European territory:

a. of his or her habitual residence;
b. of his or her place of work; or
c. where the alleged infringement occurred.

5.2.2. If an individual wishes to complain about Twilio's processing of his or her personal data to a competent supervisory authority on the basis that a non-European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then Twilio Ireland Limited will submit to the jurisdiction of the competent supervisory authority (determined in accordance with paragraph 5.2.1 above) in place of that non-European Group Member, as if the alleged breach had been caused by Twilio Ireland Limited.

5.3. Proceedings before a national court

5.3.1. If an individual wishes to commence court proceedings against Twilio on the basis that a European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection 12 laws, then he or she may commence proceedings against that European Group Member in the European territory:

a. In which that European Group Member is established; or
b. of his or her habitual residence.

5.3.2. If an individual wishes to commence court proceedings against Twilio on the basis that a non-European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then Twilio Ireland Limited will submit to the jurisdiction of the competent court (determined in accordance with paragraph 5.3.1 above) in place of that non-European Group Member, as if the alleged breach had been caused by Twilio Ireland Limited.

Appendix 8

CO-OPERATION PROCEDURE

1. Introduction

1.1. This Binding Corporate Rules: Cooperation Procedure sets out the way in which Twilio will cooperate with competent supervisory authorities in relation to the "Twilio Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy"and the "Processor Policy").

2. Cooperation Procedure

2.1. Where required, Twilio will make the necessary personnel available for dialogue with a competent supervisory authority in relation to the Policies.

2.2. Twilio will review, consider and (as appropriate) abide by:

i. any advice or decisions of relevant competent supervisory authorities on any data protection law issues that may affect the Policies; and

ii. any guidance published by the European Data Protection Board or any successor to it in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.

2.3 Subject to applicable data protection law, Twilio will provide upon request (i) any information about the processing operations covered by the Policies and (ii) copies of the results of any audit it conducts of the Policies to a competent supervisory authority.

2.4 Twilio agrees that:

i. a competent supervisory authority may audit (including where necessary, on-stie) any Group Member for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction; and

ii. a competent supervisory authority may audit any Group Member who processes personal data for a Customer established within the jurisdiction of that data protection authority for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction;

2.5. Twilio agrees to abide by a formal decision of any competent supervisory authority on any issues relating to the interpretation and application of the Policies (unless and to the extent that Twilio is entitled to appeal any such decision and has chosen to exercise such right of appeal).

2.6 Any dispute related to a competent supervisory authority's exercise of supervision of compliance with the Controller Policy will be resolved by the courts of the EU member state of that supervisory authority, in accordance with that member state's procedural law. The Group Members agree to submit themselves to the jurisdiction of these courts.

Appendix 9

UPDATING PROCEDURE

1. Introduction

1.1. This Binding Corporate Rules: Updating Procedure describes how Twilio must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent supervisory authorities, individual data subjects, its Customers and to Twilio Group Members bound by the Policies.

1.2. Any reference to Twilio in this procedure is to the Privacy Team who is accountable for ensuring that the commitments made by Twilio in this Updating Procedure are met.

2. Records keeping

2.1. Twilio must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.

2.2. Twilio must also maintain an accurate and up-to-date list of Group Members that are bound by the Policies and of the sub-processors appointed by Twilio to process personal data on behalf of Customers. This information will be made available online and provided to data subjects and upon request to competent supervisory authorities and to Customers.

2.3. The Privacy team shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and fully up-to-date.

3. Changes to the Policies

3.1. All proposed changes to the Policies must be reviewed and approved by the Lead Privacy Counsel in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Lead Privacy Counsel.

3.2. Twilio will communicate all other changes to the Policies (including a brief explanation of the reasons that justify the changes) and changes to the list of Group Members bound by the Policies:

i. without undue delay to all the Group Members bound by the Policies via written notice (which may include e-mail);

ii. systematically to Customers and the individuals who benefit from the Policies via www.twilio.com (and, if any changes are materially affect Twilio's processing operations on behalf of a Customer, they must be communicated to Customers before they take effect, in accordance with paragraph 4.2 below); and

iii. to the supervisory authority  via the Lead Supervisory Authority once a year.

4. Communication of substantial changes

4.1. If Twilio makes any substantial changes to the Policies that would detrimentaly affect the level of protection offered by the Policies, or otherwise significantly affect the Policies (for example, by making changes to the binding nature of the Policies, change of the liable Group Memebers, etc.), Twilio will communicate any such changes in advance to the competent supervisory authorities via the Lead Supervisory Authority with a brief explanation of the reasons for the update. 

4.2. If a proposed change to the Processor Policy will materially affect Twilio’s processing of personal data on behalf of a Customer, Twilio will also:

a. actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and

b. the Customer may then suspend the transfer of personal data to Twilio and/or terminate the contract, in accordance with the terms of its contract with Twilio.

Appendix 10

Government Data Request Procedure

1. Introduction

1.1. This Binding Corporate Rules: Government Data Request Procedure sets out Twilio's procedure for responding to a Data Disclosure Request.

1.2. Where Twilio receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal data than is required by this Procedure, Twilio will comply with the relevant requirements of applicable data protection law(s).

2. General principle on Data Disclosure Requests

2.1. As a general principle, Twilio does not disclose personal data in response to a Data Disclosure Request unless either:
a. it is under a compelling legal obligation to make such disclosure; or
b. taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.

2.2. For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Twilio will notify and cooperate with the competent data protection authorities and, where it processes the requested personal data on behalf of a Customer, the Customer, in order to address the Data Disclosure Request. Even where disclosure is required, Twilio's policy is that the Customer should have the opportunity to protect the personal data requested because it has the greatest interest in opposing, or is in the better position to comply with, a Data Disclosure Request.

3. Handling of a Data Disclosure Request

3.1 All Data Disclosure Requests must be passed to Twilio's Legal Requests team immediately upon receipt, indicating the date on which it was received together with any other information that may assist Twilio's Legal Requests team to deal with the request. Twilio's Legal Requests Team will consult with the Privacy Team about the privacy implications of the Data Disclosure Request and any data protection measures that must be taken, and will notify and confer with the Privacy Team when necessary.

3.2 Data Disclosure Requests Regarding Personal Data Protected Under European Data Protection Laws

3.2.1 If a Group Member acting as an importer:

(i) receives a legally binding Data Disclosure Request, under the laws of the country of destination or of another third country, for disclosure of personal data transferred pursuant to the Controller Policy, it must notify promptly the Group Member acting as the exporter and, where possible, the data subjects (if necessary with the help of the exporter). Such notification must include information about the Requesting Authority, the personal data that is requested, the legal basis on which the Data Disclosure Request is based and the response provided, 

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to the Controller Policy in accordance with the laws of the country of destination, it must notify promptly the Group Member acting as the exporter and, where possible, the data subjects (if necessary with the help of the exporter). 

3.2.2 If prohibited from notifying the exporter or the data subjects, the importer will carefully consider whether to request a waiver of such prohibition and will maintain a record of the decision to request a waiver to provide upon request of the exporter.

3.3 Reviewing a Data Disclosure Request

3.3.1 Twilio's Legal Requests team will carefully review the legality of each and every Data Disclosure Request on a case-by-case basis, in particular whether the Data Disclosure Request remains within the powers granted to the Requesting Authority. Twilio's Legal Requests team will liaise with the legal department and outside counsel as appropriate to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request.

3.4 Challenging a Data Disclosure Request

3.4.1. Twilio will challenge the request if, after careful assessment, it appears that there are reasonable grounds to consider that the request is unlawful under the applicable laws of the country in which the recipient is located, or under applicable obligations under international law, and principles of international comity.  

3.4.2. When challenging a request, Twilio will seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It will not disclose the personal data requested until required to do so under the applicable procedural rules.

3.4.3. Where applicable, Twilio may appeal the decision of the Requesting Authority in accordance with the procedural laws of the country in which the recipient is located.

3.5 Responding to a Data Disclosure Request

3.5.1. Twilio shall provide the minimum amount of personal data permissible when responding to a Data Disclosure Request, based on a reasonable interpretation of the request.

4. Data Disclosure Requests Pertaining To Data of A European Customer

4.1. Notice to the European Customer

4.1.1. Where Group Members is acting as an importer and processing personal data on behalf of a European Customer pursuant to the Processor Policy, after assessing the nature, context, purposes, scope and urgency of the Data Protection Request, Twilio will notify and provide the European Customer with the details of the Data Disclosure Request prior to disclosing any personal data, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

4.2. Notice to the Competent Supervisory Authorities

4.2.1. Twilio will also put the request on hold in order to notify and consult with the competent upervisory authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

4.2.2. Twilio will also notify and consult with competent supervisory authorities and suspend the request unless prohibited from doing so. In this case Twilio will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold so that Twilio can consult with the competent supervisory authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. Twilio will maintain a written record of the efforts it takes.

5. Transparency Reports

5.1. If, despite having used its best efforts, Twilio is not in a position to notify the competent supervisory authorities of the request, Twilio commits to preparing an annual report (a “Transparency Report”) which reflects to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received in the preceding year and, if possible, the Requesting Authorities who made those requests. Twilio shall provide this report to the lead data protection authority which authorized its BCR (and any other data protection authorities that the lead authority may direct) once a year.

6. Documentation

6.1. Twilio shall document its legal assessment and any challenge to the Data Disclosure Request and, to the extent permissible under the national/local laws of the country where the importer is located, make the documentation available to the exporter and to the competent supervisory authorities, upon request.

6.2. The importer shall provide the exporter, at regular intervals upon request, with information on the Data Disclosure Requests received (including the number of requests, type of data requested, requesting authorities and outcome). If the importer is or becomes partially or completely prohibited from providing this information to the exporter, it shall, without undue delay, inform the exporter accordingly.

6.3 The importer shall preserve the above mentioned information in paragraph 6.1 for as long as the personal data are subject to the safeguards under this Controller Policy, and shall make it available to the competent supervisory authorities upon request.

7. Bulk Transfers

7.1. In no event will any Group Member provide access to personal data to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

Appendix 11

Material Scope of this Controller Policy

1. Background

1.1 This Controller Policy provides a framework for the transfer of personal data between Twilio Group Members.  

1.2 This Appendix sets out the material scope of the Controller Policy.  It specifies the categories of data transfers, including the nature and categories of personal data, the type of processing and its purposes, the types of individuals affected, and the third country or countries, as well as the relevant lawful bases for processing.

2. Employees, Applicants and other Personnel personal data

3. Customer Personal Data

4. Vendor and Contractor personal data

Appendix 12

Twilio Group Entities

List of Exporting entities

List of Importing entities