EU Data Processing Locations
The General Data Protection Regulation (GDPR) of the European Union doesn't require providers to store and process data within the EU. However, many company policies, contract requirements, or industry standards do require it. Twilio designed Email Data Residency to store and process your customers' personal information, including email event data, opens, clicks, unsubscribes, and recipient email addresses.
Twilio manages recipient personal information for customers sending as a configured EU Data Resident Subuser.
Your configuration secures your data
If you configure accounts improperly, Twilio might store your data, process your data, or both outside of the EU.
Article 4(1) of the GDPR defines "processing" as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
When data might be processed elsewhere, only engineering and support teams have access. Engineering teams troubleshoot, repair, and improve systems. This might result in data leaving the EU. Support teams are limited to individuals responding to support requests. They access data only at the time of request, but never store it outside of the EU.
Processing | Description | What it covers | Processing location | Note on data leaving EU |
---|---|---|---|---|
Collection | Gathering personal data from the data subject or another source. | First interaction like filling out a form, scraping a site, or taking a survey | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Recording | Capturing or preserving the data in digital or physical form. | All initial forms of documenting or logging data | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Organization | Structuring the data to improve access or understanding like sorting into folders or tagging. | Backend activities such as putting personal data into a CRM or database schema | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Structuring | Creating a framework or format for storing the data. | Beyond organization, like design and data architecture actions | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Storage | Retaining the data in any digital or physical format. | Passive data-holding that triggers obligations under GDPR | EU-West-1, EU-Central-1, DUB1, AMS1 | 1 |
Adaptation or Alteration | Changing the data in any way like updating data or converting to another format. | Edits, corrections, or format changes | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Retrieval | Accessing or pulling the data from storage. | Reading or viewing personal data | Global access to: EU-West-1, EU-Central-1, DUB1, AMS1 | 2 |
Consultation | Viewing or reading the data like looking at a profile or file. | Passive viewing, like reading a user profile | Global access to: EU-West-1, EU-Central-1, DUB1, AMS1 | 2 |
Use | Doing anything with the data for a purpose like targeting, emailing, or analytics. | Catch all for any other active or passive usage | Global access to: EU-West-1, EU-Central-1, DUB1, AMS1 | 2 |
Disclosure by Transmission | Sharing the data with another party or system through direct action or APIs. | Sending to any target, whether to third parties or affiliates | EU-West-1, EU-Central-1, DUB1, AMS1 | 3 |
Dissemination | Making data available to others by publishing online or having unsecured access. | Open or careless publication | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Alignment or Combination | Merging or linking data sets like linking an email to a purchase record. | Data enrichment or profiling activities | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Restriction | Limiting access or use of the data. | Quarantine-like actions or freezing a record as part of a compliance measure | Global access to: EU-West-1, EU-Central-1, DUB1, AMS1 | |
Erasure | Deleting or wiping the data. | Rights like the "right to be forgotten" | EU-West-1, EU-Central-1, DUB1, AMS1 | |
Destruction | Eliminating data in a complete and irreversible way. | Physical destruction like shredding | Deletion Request: USA | 4 |

Identifier | Physical location |
---|---|
EU-Central-1 | Frankfurt, Germany |
EU-West-1 | Dublin, Ireland |
DUB1 | Dublin, Ireland |
AMS1 | Amsterdam, Netherlands |

1. Retains recipient personal information in the EU. Anonymized data with all recipient personal information removed transfers outside of the EU to global locations.
2. Support Engineering may retrieve EU recipient personal information when requested by the customer for ticket support. Engineering teams may retrieve recipient personal information when troubleshooting issues.
3. Shares data with third-party cloud systems within the EU (AWS infrastructure).
4. If a customer requests Point Delete Services, data leaves the region for up to 24 hours before permanent deletion.