Sendgrid Data Security Info

Twilio's Data Deletion and Retention Policy

Data Deletion:

Twilio Customers:

○ Can delete data they control through normal use of the services.

○ Can utilize the Rest API for specific tasks such as deleting messages or

call recordings.

○ Personal data deletion can be managed through the Twilio console.

Twilio SendGrid Customers:

○ Data is mostly auto-deleted based on a retention schedule.

○ Most data times out after 37 days, but some email event data, devoid of

message body content, is kept in pseudonymized form for up to a year for

security and other purposes.

○ To delete end user personal data, including email bodies, users can review

the Erase Recipients' Email Data API.

Twilio SendGrid Marketing Campaigns Customers:

○ Features available for controlling data like deleting recipients or contact


○ The tools will delete only the content uploaded to SendGrid.

Authy Customers:

○ Users can manage, delete, or hide 2FA tokens.

○ Option to delete the Authy account but need to be cautious if Authy is

linked to other accounts.

Frontline Customers:

○ Can manage data through their account portal or APIs.

○ End users should contact their employer for data update or erasure


Mailing Lists:

○ For Twilio's list, opt-out by clicking the unsubscribe link or through the

Support team.

○ If on a customer’s list sent via SendGrid, contact that customer directly.


○ Twilio acts as a processor, so non-customers need to reach out to the

Twilio customer they interact with to delete their data.

Data Retention:

Twilio Services:

○ Data storage duration depends on the service, type of data, and user


○ Examples: Message and media storage is up to 13 months by default, but

can be adjusted.

○ Message Redaction tool available to prevent storing of recipient details.

○ After account closure, Customer Content is deleted after 30 days and

Customer Account Data typically after 60 days.

SendGrid Service:

○ Email message bodies held only until delivery.

○ Most personal data, including email recipient data, is held for up to 37


○ Email event data retained for about a year in pseudonymized form for

specific purposes.

○ Random content samples, which could include personal data, are held for

7 days.

○ SendGrid service in general deletes data after around 30 days, but some

data, like short links, can be retained for 60 days.

○ Some data, like contact lists in the Marketing Campaigns service, is

retained as long as the account is active.

○ Legal obligations might require longer retention of certain data.

SendGrid's Information Security Overview

Data Centers:

○ Global data centers from top-tier providers.

○ All possess SOC2 Type 2 certifications, ensuring high standards for

physical security.


○ Proactive team ensures that emails sent through SendGrid are compliant

and desired by users.

○ Immediate action against accounts showing suspicious activity.

Application Security (AppSec):

○ Continuous vulnerability scanning of applications through static and

dynamic testing.

○ Offers two-factor authentication to bolster account security.

○ Data in transit is encrypted using TLS.

○ Regular third-party penetration tests are conducted.

Operational Security:

○ System access is limited to essential personnel.

○ Employees undergo background checks and sign confidentiality


○ Procedures in place for access removal after employee termination.

○ Earned the SOC 2 Type II certification for rigorous data protection


○ Ongoing security training for all employees.

Business Continuity/Disaster Recovery:

○ Redundant data centers in diverse locations for consistent service


○ Quick recovery protocols in place in case of data center issues.


○ Commitment to user data confidentiality.

○ No sale of recipient email addresses.

○ Adherence to a strict data retention policy.

Still need help? Contact Us Contact Us