Data & Privacy
Data at restData that is not actively moving from device to device or network to network, such as data stored or archived in a database.
Data in transitData actively moving from one location to another such as across the internet or through a private network.
Make a one-time choice of where your Call Detail Records (CDRs) and Message Detail Records (MDRs) are stored at rest.
Now available for Messaging, Voice, Call Control, Call Recordings, WebRTC and Fax. To enable data locality for your account, contact us.
Coming soon: more detail record types, including Wireless and WhatsApp, and Call Recording Files.
GDPR Frequently Asked Questions
GDPR stands for the General Data Protection Regulation and came into effect on May 25th, 2018. GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.
Our policy is to respect all laws that apply to our business, and this includes GDPR. We also appreciate that our customers have requirements under GDPR that are directly impacted by their use of Telnyx products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements.
In addition, here are a few things that Telnyx is committed to doing to ensure our compliance with GDPR and that of our customers:
- Where we are transferring data outside of the EU, Telnyx commits to having the appropriate data transfer mechanisms in place as required by GDPR.
- Telnyx commits to follow appropriate security measures and precautions in accordance with GDPR.
- Telnyx will assist with notifying regulators of breaches and promptly communicating any breaches to customers and users.
- We will ensure that employees authorized to process personal data have committed to confidentiality.
- We will hold any subprocessors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
- Telnyx commits to carrying out data impact assessments and consulting with EU regulators where a data impact assessment indicates a high risk associated with processing without an appropriate mitigating strategy.
- Where appropriate, we will offer contractual language documenting our commitments to our customers to support their GDPR obligations.
- Telnyx will assist our customers, insofar as possible, to respond to data subject requests our customers may receive under the GDPR.
The California Consumer Privacy Act ("CCPA") provides California residents with specific rights regarding their personal information. This section describes CCPA rights and explains how to exercise those rights.
- The right to access
- The right to opt out of the sale of personal information
- The right to deletion of a consumer's personal information
- The right of data portability
- The right not to be discriminated against for exercising rights under the CCPA.
We provide a summary of the data we collect, organized according to different categories in the section titled "What Kinds of Personal Information Does Telnyx Collect?"
Yes! Telnyx staff that access and process Telnyx customer personal data are trained on how to handle it and are bound to maintain its confidentiality and security.
Our goal is to provide our customers with secure, fast, and reliable services. As a provider of global services, we run our services with common operational practices and features across multiple jurisdictions. Today, we store data in a data centre located in the US, or customers can elect to store data in Germany. We may also allow employees and contractors located around the world to access certain data for product promotion and development, and customer and technical support purposes.
We need to transfer your personal data to other organizations to help us provide services to you. For example, we use Amazon Web Services data centers to assist us in storing your data. In some instances, these are other companies within the Telnyx family. For example, if you request support and assistance, you may speak to our agents at our headquarters in the US or to one of our other support centers.
Whenever we share your data, we remain accountable to you for how it is used by any of these organizations. We require all service providers, including other Telnyx companies, to enter into contracts with us to ensure that our customers' personal data receives the same level of protection and safeguards.
Telnyx understands and respects the rules for onward transfers of personal data outside of the EU. To that end, Telnyx offers customers a Data Processing Agreement (DPA) that includes the EU Standard Contractual Clauses to meet onward transfer requirements under the GDPR. The Telnyx DPA is available for all customers on request which can be electronically signed to meet onward transfer requirements under GDPR.
We are aware that the European Data Protection Board recently issued further guidance on supplementary measures to meet the adequacy requirement of GDPR. We will continue to analyse these requirements and any others issued by European data protection authorities as they arise.
In the meantime, please note that Telnyx:
- Already encrypts data in transit and at rest;
- Provides additional information about our policies and procedures for responding to requests for user data in law enforcement requests;
Yes! We understand that our customers, and in particular, our European customers, will require that, where Telnyx is a processor of EU personal data, we execute additional terms that meet GDPR obligations with respect to the processing of that EU personal data. The Telnyx Data Processing Addendum is available on request and can be signed electronically in order to meet onward transfer requirements under GDPR.
Data Transfer Impact Assessment
Published in January 2022
This document provides information to help Telnyx customers conduct data transfer impact assessments in connection with their use of Telnyx products, in light of the recommendations from the European Data Protection Board.
In particular, this document describes the legal regimes applicable to Telnyx in the US, the safeguards Telnyx puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland ("Europe"), and Telnyx's ability to comply with its obligations as "data importer" under the Standard Contractual Clauses ("SCCs").
For more details about Telnyx's GDPR compliance program please visit Telnyx Privacy page.
Where Telnyx processes personal data governed by European data protection laws as a data processor (on behalf of our customers), Telnyx complies with its obligations under its Data Processing Addendum available on request ("DPA"). The Telnyx DPA incorporates the SCCs and provides the following information:
- description of Telnyx's processing of customer personal data (Schedule 1); and
- description of Telnyx's security measures (Appendix II).
Please refer to Exhibit A of the DPA for information on the nature of Telnyx's processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects.
A list of all of our data sub-processors where you can stay up-to-date on changes is available at request.
We may transfer customer personal data wherever we or our third-party service providers operate for the purpose of providing you the Services. The main processing location will depend on the particular Telnyx Services you will use, as outlined in the chart below.
Product(s) and Services In what countries does Telnyx store Customer Personal Data? In what countries does Telnyx process (e.g., access, transfer, or otherwise handle) Customer Personal Data? Telnyx business operations and analytics (“Usage Data”) USA USA, Canada, EU, Australia, Singapore Telnyx Customer support USA USA, Canada, EU, Australia, Singapore Telnyx Customer web-portal USA USA, Canada, EU, Australia, Singapore Telnyx Customer cloud profile USA USA, Canada, EU, Australia, Singapore
Where personal data originating from Europe is transferred to Telnyx, Telnyx relies upon the European Commission's SCCs to provide an appropriate safeguard for the transfer. To review Telnyx's Data Processing Addendum (which incorporates the SCCs) please ask for a copy of the Data Processing Addendum.
Where customer personal data originating from Europe is transferred between Telnyx group companies or transferred by Telnyx to third-party subprocessors, Telnyx shall enter into DPAs with those parties.
U.S. Surveillance Laws
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA Section 702 ("FISA 702") -- allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
For most companies, the concerns about national security access to company data highlighted by Schrems II are "unlikely to arise because the data they handle is of no interest to the U.S. intelligence community." Companies handling "ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data."
There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
- EO 12333 does not on its own "authorize the U.S. government to require any company or person to disclose data." Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data.
- Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
The whitepaper notes:
- The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
- The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
Is Telnyx subject to FISA 702 or EO 12333?
Telnyx, like most US-based SaaS companies, could technically be subject to FISA 702 where it is deemed to be a RCSP. However, Telnyx does not process personal data that is likely to be of interest to US intelligence agencies.
Furthermore, Telnyx is not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. Telnyx does not provide internet backbone services, but instead only carries services, such as voip, sms, involving its own customers. To date, the U.S. Government has interpreted and applied FISA 702 upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
EO 12333 contains no authorization to compel private companies (such as Telnyx) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that Telnyx processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance. To date, Telnyx has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with customer personal data.
Telnyx provides the following technical measures to secure customer data:
- Encryption: Telnyx offers data encryption at rest and in transit
- Security and certifications: Additional information about Telnyx's security practices and certifications are available on request and outlined in DPA.
Telnyx's contractual measures are set out in Telnyx's DPA which incorporates the SCCs. In particular, we are subject to the following requirements:
- Technical measures: Telnyx is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Data Processing Addendum as well as the SCCs we enter into with customers, service providers).
- Transparency: Telnyx is obligated under the SCCs to notify its customers in the event it is made subject to a request for government access to customer personal data from a government authority. In the event that Telnyx is legally prohibited from making such a disclosure, Telnyx is contractually obligated to challenge such prohibition and seek a waiver.
- Actions to challenge access: Under the SCCs, Telnyx is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
Telnyx's organizational measures to secure customer data include:
- Policy for government access: Telnyx follows U.S. law enforcement guidance in responding to any government requests for data. To obtain data from Telnyx, law enforcement officials must provide a legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.
- Onward transfers: Whenever we share your data with Telnyx service providers, we remain accountable to you for how it is used. We require all service providers to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance teams to ensure our customers' personal data receives adequate protection. This process includes a review of the data plans to share with the service provider and the associated level of risk, the supplier's security policies, measures, and third party audits, and whether the service provider has a mature privacy program that respects the rights of data subjects.
- Privacy by design: Telnyx's Privacy Notice outlines Telnyx's approach to privacy, which is available here.
- Employee training: Telnyx provides data protection training to all Telnyx staff.
In light of the information provided in this document, including Telnyx's practical experience dealing with government requests and the technical, contractual, and organizational measures, Telnyx has implemented to protect customer personal data, Telnyx considers that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as "data importer") or to ensure that individuals' rights remain protected. Therefore, no additional supplementary measures are necessary at this time.
Telnyx will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Telnyx product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Telnyx and its affiliates, suppliers or licensors. The responsibilities and liabilities of Telnyx to its customers are controlled by Telnyx agreements, and this document is not part of, nor does it modify, any agreement between Telnyx and its customers.