SMS (Messaging) API: Product FAQs
Published on: April 23, 2024
1. Is Telesign GDPR compliant? What other data privacy laws does Telesign comply with?
Yes.
At Telesign, privacy is embedded in everything we do in service to our Customers and is taken very seriously by all Telesign employees.
Telesign has in place a comprehensive data privacy program which encompasses global laws and regulations including the California Consumer Privacy Act (“CCPA”), EU General Data Protection Regulation (“GDPR”), Brazilian Lei Geral de Proteção de Dados (“LGPD”), Serbian Zakon o zaštiti podataka o ličnosti (“ZZPL”), Chinese Personal Information Protection Law (“PIPL”), Singaporean Personal Data Protection Act (“PDPA”), and Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”). Our data privacy program is aligned with the key principles of data protection – lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
2. What is the source of the personal data that Telesign uses in Messaging (SMS/RCS/WhatsApp API) solutions? How does Telesign ensure that such data was legally obtained? What is Telesign’s lawful purpose for processing the data in Messaging (SMS/RCS/WhatsApp API) solutions?
Our Customers as Data Controllers.
Customers who provide personal data to Telesign for processing must ensure that End Users (data subjects) have been provided with sufficient notice and choice or that some other lawful basis exists for Telesign’s processing of the personal data (such as legitimate interest). The data subjects have given their permission (consent) to Telesign’s Customers to use their personal data for purposes that have been transparently disclosed to them via the Customers’ privacy notices/terms and conditions; for example, such purposes may include fraud prevention and detection, or account security. In the delivery of our products and services, Telesign acts as a Data Processor, and we are using personal data for approved business purposes, which are defined in relevant contracts with Customers (main business agreement or DPA).
3. What is the personal data provided to us by our Customers (‘Customer Personal Data’) used for in Messaging (SMS/RCS/WhatsApp API)? Why does Telesign need it?
For delivery of SMS via Messaging solutions.
It is necessary for Telesign to use third-party providers such as telecommunication carriers, network transit providers or transport service providers and transmit End User phone numbers in order to deliver the requested SMS.
4. How long will Telesign keep the Customer Personal Data used in Messaging (SMS/RCS/WhatsApp API) solutions for?
90 days.
All Customer Personal Data is kept in accordance with Telesign’s Data Retention Policy. This Policy mandates that Customer Personal Data be deleted after 90 days. Additionally, Telesign regularly reviews all personal data in its possession to determine whether it is still needed and whether earlier deletion or pseudonymization may be appropriate in the circumstances.
5. Does Telesign use Customer Personal Data for its own purposes?
Generally, no.
Customer Personal Data is used to provide Services to the Customer. Additionally, Telesign may use the data for maintaining and enhancing Telesign Services if agreed with the Customer in the main agreement and the DPA.
6. Who can access the personal data?
Telesign employees with restricted access on a need-to-know basis.
Customer Personal Data is housed in a shared environment in colocation facilities and classified as confidential. This data is logically separated in Telesign’s databases using a unique customer ID. Technical access controls and internal policies prohibit employees from arbitrarily accessing Customer Personal Data. To protect Customer privacy and security, only select staff members have access to the environment where Customer Personal Data is stored, on a need-to-know basis.
Any exceptions to baseline access permissions (e.g., temporary elevated privileges for a developer to perform a particular function) are documented using a change request ticket that is reviewed and approved by IT management prior to implementation.
7. Does Telesign share Customer Personal Data with any third parties?
Yes.
For delivery of SMS via Messaging solutions, it is necessary for Telesign to use third-party providers such as telecommunication carriers, network transit providers or transport service providers. When we disclose Customer Personal Data to third parties, it is only for the purposes that are identified in Customer contracts. We disclose Customer Personal Data in a reasonably secure manner, with adequate assurance of protection by relevant third parties, according to contracts, laws and other agreements. Any third-party provider who is processing Customer Personal Data on behalf of Telesign is required to sign a Data Processing Agreement (DPA) with Telesign, committing them to compliance with the applicable data protection laws, as well as to complete a third-party risk assessment during onboarding and regularly throughout third-party engagement.
For an up-to-date list of Telesign’s standard sub-processors please see Appendix 1 of our Customer DPA.
Additionally, Telesign processes Customer Personal Data in our data centers – please see questions 8 and 9 for more details.
8. Will the Customer Personal Data be kept within the EU?
No.
Telesign is headquartered in Los Angeles, California, USA and additionally has offices in Belgrade, Serbia, with support from an operational sub-processor based in Lithuania (EU). Customer Personal Data is transferred from Telesign’s Customers to the USA and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Telesign’s current data center setup includes four data centers located in the USA, Belgium (EU) and the Netherlands (EU). The personal data is replicated across all four data centers for the purposes of traffic load balancing and service availability.
9. Where are Telesign’s data centers located?
The USA and EU.
Telesign’s current data center setup includes four data centers: two in the United States (California and Texas), one in Belgium (EU) and one in the Netherlands (EU).
10. Can we do a POC of PhoneID API and have Telesign delete all the Customer Personal Data after the evaluation period?
Yes.
All data is deleted automatically after 90 days; however, upon Customer request, the Customer Personal Data can be deleted sooner.