Intelligence: Our Use of Customer Data
Published on: April 23, 2024
Intro
At Telesign, privacy is embedded in everything we do in service to our Customers and is taken very seriously by all Telesign employees.
Telesign has in place a comprehensive data privacy program which encompasses global laws and regulations including the General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), and the Serbian Personal Data Protection Law (ZZPL). Our data privacy program is aligned with the key principles of data protection – lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Below we answer some of the most frequently asked questions about the use of personal data provided to us by Customers (‘Customer Data’) for use in our Intelligence product.
How will the Customer Data we share with Telesign be used to determine a risk Intelligence?
Customer Data is used in our Intelligence product on an ongoing basis for the purposes of fraud detection, prevention, and mitigation. Customer Data, along with insights from other traffic in Telesign’s platform, is used to power Telesign’s customized machine learning models, which use historical indicators to uncover hidden insights and predict future events. The use of Customer Data in Intelligence therefore enables Intelligence to stay up to date, meaning that the most accurate risk scores can continue to be provided to Telesign’s Customers.
The use of Customer Data in Intelligence enables us to further increase the effectiveness and accuracy of Intelligence’s algorithms and fraud detection capabilities. It means Telesign can continue to deliver up-to-date user phone number reputation intelligence, enabling our Customers to continue to automate their decision-making for transactions, new users, and existing customers, and to prevent spam, phishing attacks, promo abuse and other costly fraud from occurring.
For how long is Customer Data used and stored by Telesign before it is deleted?
All Customer Data is kept in accordance with Telesign’s Data Retention Policy. This Policy mandates that personal data received from our Customers be deleted after 90 days.
The exception to this is when a Customer agrees contractually with Telesign to allow us to re-use certain Customer Data for the purposes of future fraud identification and prevention as a part of our Intelligence Service. Where this is the case, such data will be pseudonymized after 90 days via hashing. Hashing is a form of cryptographic security and a pseudonymization technique that, taking into consideration the costs of and the amount of time required with the available technology at the time of the processing, makes it very unlikely that the data can be attributed to a specific individual. Pseudonymization is recognized in the General Data Protection Regulation (‘GDPR’) as both a security and data protection by design mechanism.
Additionally, Telesign regularly reviews all personal data in its control to determine whether it is still needed and whether earlier deletion or pseudonymization may be appropriate in the circumstances.
How is Customer Data stored by Telesign?
The security of Customer Data is of paramount importance to us. Telesign maintains a comprehensive information security program designed to ensure the security of such data by implementing physical, technical, and administrative measures and safeguards.
We follow best practices and generally accepted standards to store and protect the personal data we collect, both during transmission and once received and stored, including utilization of encryption where appropriate. For personal data collected or received over unsecure Internet channels, we encrypt the transmission of that information using secure socket layer technology (SSL/TLS).
Who has access to Customer Data?
Customer transaction data is housed in a shared environment in colocation facilities and classified as confidential. This data is logically separated in Telesign’s databases using a unique customer ID. Technical access controls and internal policies prohibit employees from arbitrarily accessing Customer Data. To protect Customer privacy and security, only select staff members have access to the environment where Customer Data is stored, on a need-to-know basis.
Any exceptions to baseline access permissions (e.g., temporary elevated privileges for a developer to perform a particular function) are documented using a change request ticket that is reviewed and approved by IT management prior to implementation.
How does Telesign ensure Customer Data is securely transferred between our organizations?
Telesign maintains, in accordance with good industry practice, measures for the protection of personal data from interception (including in transit from the Customer to Telesign and between different systems and services). This includes having in place and maintaining network protection intended to deny the ability to intercept data, as well as encryption of personal data whilst in transit.
Telesign encrypts all Customer transactions to our APIs over the Internet, as well as Customer access to our customer portals, in transit with TLS 1.2. Advanced Encryption Standard (AES) and Secure Hash Algorithm 2 (SHA-2) are the most widely used encryption and hashing algorithms within Telesign.
Will the Customer Data we share remain in our country?
Telesign is headquartered in Los Angeles, California, USA, and additionally has offices in Belgrade, Serbia, with support from an operational sub processor based in Lithuania (EU). Personal data, including Customer Data, is transferred from the Customer to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Telesign’s current data center setup includes four data centers located in the US (2), Belgium (EU), and the Netherlands (EU). The personal data is therefore replicated across all four data centers for the purposes of traffic load balancing and service availability.
All Customer Data is transferred using appropriate safeguards to ensure that individuals’ personal data is protected. Telesign executes a Data Processing Agreement (DPA) that incorporates the EU Commission’s Standard Contractual Clauses (SCCs) with all Customers and Sub processors where applicable. In the DPA, Telesign commits to the obligations of data processors under the GDPR, and flows down these obligations to all our processors and sub processors, including the commitment to only transfer personal data using appropriate safeguards and technical and organizational measures.
To find out more:
Telesign takes data protection very seriously and is committed to protecting all Customer Data in line with applicable data protection laws. For more information on our privacy practices please see https://www.Telesign.com/privacy.