Telesign connects, protects and defends companies, customers and the digital interactions between them. We verify over five billion unique phone numbers a month, representing half of the world’s mobile users, and provide critical insight into the remaining billions. Our powerful AI and extensive data science deliver identity with a unique combination of speed, accuracy and global reach. At Telesign, privacy is in our DNA – it is embedded in everything that we do in service to our Customers and taken very seriously by all Telesign employees.
Telesign’s DPA FAQs are designed to assist our Customers when completing the Telesign Data Processing Agreement (DPA) which can be found here:
The responses to these FAQs are provided for informational purposes only, to give a better understanding of Telesign’s DPA and privacy practices. The responses are not intended as legal advice. Customers are solely responsible for familiarizing themselves with the requirements of applicable privacy regulations as well as the full text of the DPA.
The DPA establishes the rules under which Telesign processes personal data. Exactly what personal data are processed depends on the applicable Services Telesign is providing, as explained under FAQ #4. If your organization is subject to the General Data Protection Regulation (GDPR) or other similar data privacy regulations, you must have a written data processing agreement in place with all your data processors, such as Telesign. A DPA is more paperwork, but it’s also one of the most basic steps of data privacy compliance and is necessary to avoid fine
Telesign acts as the data processor regarding Customer Personal Data – the personal data of our Customers’ end-users, which is submitted by our Customers to Telesign – and the Customer acts as the data controller. Telesign only has access to and processes the personal data that you, the Customer, have provided us. This means that you are in control of what personal data is processed by Telesign, since you have the power to decide which personal data (if any) will be processed. Additionally, as provided by our DPA, Telesign only processes personal data in accordance with your instructions, so that you retain control over the personal data you provide at all times.
The exception to this rule is when a Customer agrees contractually with Telesign to allow us to re-use certain Customer shared data as a part of our Intelligence service, specifically for offering, maintaining and enhancing the service for the purposes of future fraud identification and prevention. Where this is the case, Customer and Telesign will act as independent Controllers.
Although the DPA uses certain terminology from specific data privacy laws (e.g., Controller and Processor from the GDPR), it covers Customers globally and sets out relevant legal obligations and commitments related to the processing of Customer Personal Data. The processing covered by the DPA consists of all data processing activities that are performed by Telesign following the instructions of the Customer, those necessary to deliver the Services to the Customer, and those for the ‘Permitted Purposes’ as outlined in the DPA, namely fraud detection, prevention and mitigation; offering, maintaining and enhancing the Services we or our affiliates offer; and enhancing or further developing our services.
The personal data processed are those provided by the Customer to Telesign in connection with the Services provided by Telesign; these may include first name, last name, address, e-mail address, telephone number, location data, contact information and device information. Exactly what personal data are processed depends on the applicable Services Telesign is providing.
Yes, Telesign offers a DPA to its Customers; the document can be found here. The DPA is incorporated by reference into the services agreement signed with Telesign, such as the MSA or Evaluation Agreement. Therefore, there is no need to sign the standalone DPA if you’ve executed one of Telesign’s standard services agreements, such as the MSA or Evaluation Agreement. If you wish to execute the standalone Customer DPA, please reach out to your Account Director or Telesign’s Privacy Office.
Telesign’s DPA complies with the requirements of several applicable data privacy laws and addresses specific aspects related to audits, certifications, security measures, indemnification and sub-processing activities, all of which are aligned to the way in which Telesign’s products and services work. Additionally, it connects with the services agreement and other relevant Telesign documentation.
The DPA is drafted using terminology derived from the GDPR, but it also addresses the following data privacy laws in addition to the GDPR:
· California Consumer Privacy Act (CCPA),
· Brazilian Lei Geral de Proteção de Dados (LGPD),
· Serbian Zakon o zaštiti podataka o ličnosti (ZZPL),
· Chinese Personal Information Protection Law (PIPL),
· Singaporean Personal Data Protection Act (PDPA), and
· Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
As a US company, Telesign chose to use a neutral jurisdiction where we also have an established entity and data center: Brussels, Belgium. This also means the governing law of the DPA is that of an EU member state and matches that of the SCCs for the purposes of the GDPR.
Yes, the DPA also applies to non-EU Customers. Even though it uses terminology primarily based on EU legislation (the GDPR), it aims to cover all jurisdictions covered by the applicable data privacy laws (such as Brazil or California). Considering this, the majority of its provisions are general and standard privacy-related provisions. Even if both parties are from outside the EU/EEA and no personal data originating in the EU/EEA is involved, our DPA still applies, as it aims to cover global data privacy laws by using the highest standards and by focusing on the most relevant and applicable data privacy concerns.
Telesign will promptly notify the Customer and will not respond directly to the Data Subject without Customer’s prior consent.
Telesign is primarily a business-to-business company, which statistically receives fewer government requests than business-to-consumer companies do. If Telesign does receive a request from a law enforcement agency seeking access to data belonging to a Customer, we will aim to fully comply with our legal obligations whilst honoring the trust that our Customers place in us. Our privacy and security frameworks are designed to protect Customer data against unauthorized access or disclosure, and if we do receive such requests, where permitted to do so by law, we shall refer the requesting agency to the Customer themselves. Additionally, where we believe a government request for Customer data is invalid or unlawful, we will try to challenge it. In the unlikely event that we are required to disclose Customer data to government agencies, we shall ensure the transfer is necessary and proportionate and shall provide the minimum amount of information possible.
Yes. Telesign is headquartered in Los Angeles, California (US) and additionally has offices in Belgrade, Serbia with support from an operational Sub processor based in Lithuania (EU). Personal data is transferred from the Customer to Telesign’s US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Furthermore, Telesign uses various carriers, network transit providers and data service providers (Sub processors) for transmission of telecommunication services, such as SMS and Voice, globally.
For Telesign’s current Sub processor and data center list, please see Appendix 1 of the Telesign DPA.
Telesign shall inform Customer at least one (1) month in advance and by means of a written communication (via Telesign Customer Portal or email) about its intention to engage a Sub processor, including details on the identity of the Sub processor, the location where the data will be processed by such Sub processor and the concerned data processing activities.
Telesign follows a framework and defined process for assessing third-party privacy and security risks and controls for all our Sub processors before they are allowed access to Personal Data. The assessment of the Sub processor’s information security (based on the ISO 27001 security domains) and privacy controls (based on the GDPR, CCPA and other privacy regulations) is conducted by Telesign’s Privacy and Security teams. This process includes signing a DPA with the Sub processor, including executing the EU Standard Contractual Clauses (SCCs) to govern international transfers, where applicable. The Privacy and Security teams are engaged in analyzing and controlling risks associated with the outsourcing of services to Sub processors, including their screening, onboarding, and annual re-assessment. And finally, as described in the DPA, Telesign takes full responsibility for the actions of its Sub processors in relation to the processing of Customer personal data.
United States, Serbia, United Kingdom, the Netherlands (EU) and Lithuania (EU). For Telesign’s current Sub processor and data center list, please see Appendix 1 of the Telesign DPA.
Telesign’s current data center set up includes four data centers; two in the United States (California and Texas), one in Belgium (EU) and one in the Netherlands (EU). The personal data is replicated across all four data centers for purposes of traffic load balancing and service availability.
For Telesign’s current Sub processor and data center list, please see Appendix 1 of Telesign DPA.
Not at the moment. Currently, all personal data is replicated across four data centers (some of which are outside of the EEA) for traffic load balancing and service availability. As a part of Telesign’s ongoing commitment to data privacy and in response to increased Customer requests for EU data residency, Telesign will soon have the capability to ensure that personal data is processed and stored only within the European Union (EU) for most of its Services.
Telesign maintains appropriate technical and organizational measures to protect Customer Personal Data as set forth in Appendix 2 of the DPA – Security Measures. For more information on Telesign’s security framework, please review our Security Whitepaper.
Yes, with prior ninety (90) days written notice and not more than once in any twelve (12) month calendar period, at each Party’s cost and expense, except if required by an instruction of a competent data protection authority or if Customer believes a further audit is necessary due to a personal data breach suffered by Telesign.
Yes, Telesign is ISO/IEC 27001:2013 certified. Please reach out to Telesign’s Privacy Office to obtain the certificate.
We are committed to doing everything we can to stop a breach from ever happening within our systems, but in the event that one were to occur, we will notify the relevant Customers and/or data protection authorities (as applicable) without undue delay upon becoming aware of the breach.
The duration of the processing is limited to the duration needed to perform Telesign’s obligations under the main agreement with Telesign unless a legal obligation applies. The obligations of Telesign as set out in the DPA with regard to the personal data processing continue until the data have been properly deleted or have been returned at the request of the Customer.
Yes. The Customer can request deletion of personal data after the POC. Please reach out to your assigned Account Director.
The data is either deleted after ninety (90) days or returned at the request of the Customer.
Under the GDPR, personal data cannot be transferred outside of the EEA to organizations located in third countries unless (a) the importing country is deemed adequate by European authorities (the European Commission, UK Information Commissioner (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC)), or (b) appropriate safeguards are in place to ensure that transferred personal data is subject to an adequate level of data protection, such as the SCCs.
Standard Contractual Clauses (SCCs).
Yes, the DPA has been updated to include the pre-signed 2021 SCCs. The SCCs are incorporated by reference in Section 3 of the DPA. You may review the full SCCs here.
Module II: Controller (Customer) to Processor (Telesign) and Module I: Controller (Customer) to Controller (Telesign) with respect to the Intelligence service.
Given the length of the SCCs, Telesign has chosen to incorporate the SCCs into its DPA.
Customers may execute the SCCs separately. Please reach out to your Account Director or Telesign’s Privacy Office.
Telesign has updated its DPA in 2021 to include the new SCCs. All Customers that have the DPA referenced in their Agreement have received notification via Customer Portal. New Customers can enter into the SCCs by signing any of Telesign’s standard agreements, such as the MSA or the Evaluation Agreement, standalone Customer DPA or by executing standalone SCCs. If you wish to execute the 2021 SCCs, please reach out to your Account Director or Telesign’s Privacy Office.
Considering the Schrems II decision and the complex processing activities that exist in the world today, the European Commission updated the SCCs to address the additional transparency requirements covering law enforcement agencies’ access requests, and to assess the laws of the importing country for compliance with the terms of the SCCs. The prior version of the SCCs applied only to controller-to-controller and controller-to-processor transfers of personal data from the EU to countries without an adequacy decision by the European Commission. The new clauses are expanded to also include processor-to-processor and processor-to-controller transfers.
The DPA contains the latest 2021 SCCs, allowing Customers to apply the protections afforded therein. Telesign has no reason to believe our data transfers from the EU to the US present the type of data protection risks that concerned the CJEU in Schrems II. The EU-US personal data typically transferred for the provision of Telesign services involves ordinary commercial information, such as phone numbers, IP addresses, and names of end users. The use cases for Telesign’s services involve authentication, fraud prevention and securing end user accounts on behalf of its Customers. Such transferred data would not be of interest to US foreign intelligence agencies. To date, Telesign has not received any government requests to disclose data under FISA 702.
Telesign maintains, in accordance with good industry practice, measures for protection of personal data from interception (including in transit from the Customer to Telesign and between different systems and services). This includes having in place and maintaining network protection intended to deny the ability to intercept data and encryption of personal data whilst in transit. Telesign encrypts all customer transactions to our APIs via the Internet with TLS 1.2, as well as customer access to our management console, Customer Portal. Advanced Encryption Standard (AES) and Secure Hash Algorithm 2 (SHA-2) are the most widely used encryption and hashing algorithms within Telesign.
For more information, please visit our Transfer Impact Analysis page.
Yes. From March 21, 2022, the new SCCs were recognized by the UK Parliament as a valid instrument for international data transfers when supplemented by an Addendum (“UK Addendum”). The UK Addendum takes into account the UK GDPR and the binding judgment of the European Court of Justice in the Schrems II case when making restricted transfers. Telesign has updated its DPA to take into account the provisions of the UK Addendum.
Telesign Services: https://www.Telesign.com/services
Transfer Impact Analysis based on EDPB recommendations on supplementary measures for personal data transfers from the EEA/EU: https://www.Telesign.com/transfer-impact-analysis
Telesign Privacy Notice: https://www.Telesign.com/privacy-notice
Telesign Security Whitepaper: https://www.Telesign.com/security
Please reach out to Telesign’s Privacy Office.