Sendgrid Data Security Info
Twilio's Data Deletion and Retention Policy
Data Deletion:
● Twilio Customers:
○ Can delete data they control through normal use of the services.
○ Can use the REST API for specific tasks such as deleting messages or call recordings.
○ Personal data deletion can be managed through the Twilio console.
● Twilio SendGrid Customers:
○ Data is mostly auto-deleted based on a retention schedule.
○ Most data times out after 37 days, but some email event data, devoid of message body content, is kept in pseudonymized form for up to a year for security and other purposes.
○ To delete end user personal data, including email bodies, users can review the Erase Recipients' Email Data API.
● Twilio SendGrid Marketing Campaigns Customers:
○ Features are available for controlling data, such as deleting recipients or contact lists.
○ These tools delete only the content uploaded to SendGrid.
● Authy Customers:
○ Users can manage, delete, or hide 2FA tokens.
○ The Authy account itself can be deleted, but users need to be cautious if Authy is linked to other accounts.
● Frontline Customers:
○ Can manage data through their account portal or APIs.
○ End users should contact their employer for data update or erasure requests.
● Mailing Lists:
○ For Twilio's own list, opt out by clicking the unsubscribe link or through the Support team.
○ If on a customer's list sent via SendGrid, contact that customer directly.
● Non-customers:
○ Twilio acts as a processor, so non-customers need to reach out to the Twilio customer they interact with to delete their data.
Data Retention:
● Twilio Services:
○ Data storage duration depends on the service, the type of data, and user configuration.
○ Example: message and media storage is up to 13 months by default, but this can be adjusted.
○ A Message Redaction tool is available to prevent storing of recipient details.
○ After account closure, Customer Content is deleted after 30 days and Customer Account Data typically after 60 days.
● SendGrid Service:
○ Email message bodies are held only until delivery.
○ Most personal data, including email recipient data, is held for up to 37 days.
○ Email event data is retained for about a year in pseudonymized form for specific purposes.
○ Random content samples, which could include personal data, are held for 7 days.
○ The SendGrid service in general deletes data after around 30 days, but some data, like short links, can be retained for 60 days.
○ Some data, like contact lists in the Marketing Campaigns service, is retained as long as the account is active.
○ Legal obligations might require longer retention of certain data.
SendGrid's Information Security Overview
● Data Centers:
○ Global data centers from top-tier providers.
○ All hold SOC 2 Type II certifications, ensuring high standards for physical security.
● Misuse:
○ A proactive team ensures that emails sent through SendGrid are compliant and wanted by recipients.
○ Immediate action is taken against accounts showing suspicious activity.
● Application Security (AppSec):
○ Continuous vulnerability scanning of applications through static and dynamic testing.
○ Two-factor authentication is offered to bolster account security.
○ Data in transit is encrypted using TLS.
○ Regular third-party penetration tests are conducted.
● Operational Security:
○ System access is limited to essential personnel.
○ Employees undergo background checks and sign confidentiality agreements.
○ Procedures are in place for access removal after employee termination.
○ Earned the SOC 2 Type II certification for rigorous data protection controls.
○ Ongoing security training for all employees.
● Business Continuity/Disaster Recovery:
○ Redundant data centers in diverse locations for consistent service delivery.
○ Quick recovery protocols are in place in case of data center issues.
● Privacy:
○ Commitment to user data confidentiality.
○ No sale of recipient email addresses.
○ Adherence to a strict data retention policy.