Third-Party Risk Assessment
Published on: April 23, 2024
General
At Telesign, privacy is embedded in everything we do in service to our Customers and is taken very seriously by all Telesign employees.
Telesign has in place a comprehensive data privacy program which encompasses global laws and regulations including the California Consumer Privacy Act (“CCPA”), EU General Data Protection Regulation (“GDPR”), Brazilian Lei Geral de Proteção de Dados (“LGPD”), Serbian Zakon o zaštiti podataka o ličnosti (“ZZPL”), Chinese Personal Information Protection Law (“PIPL”), Singaporean Personal Data Protection Act (“PDPA”), and Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”). Our data privacy program is aligned with the key principles of data protection: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Telesign is headquartered in Los Angeles, California, USA and additionally has offices in Belgrade, Serbia, with support from an operational sub-processor based in Lithuania (EU). Personal data, including Customer data, is transferred from the Customer to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Telesign’s current data center setup includes four data centers: two in the United States (California and Texas), one in Belgium (EU) and one in the Netherlands (EU). Personal data is replicated across all four data centers for the purposes of traffic load balancing and service availability. Furthermore, Telesign uses various carriers, network transit providers and data service providers (sub-processors) for the transmission of telecommunication services, such as SMS and Voice, globally.
Risk Assessment Process
Telesign follows a framework and a defined process for assessing third-party privacy and security risks for all our Third-Party Providers (external vendors, suppliers, consultants, service providers and individual contractors) that provide goods and services to Telesign before they are allowed access to Personal Data. The assessment of the Third-Party Provider’s information security (based on the ISO 27002:2013 security domains) and privacy controls (based on EU’s GDPR, CA’s CCPA and other applicable data protection laws) is conducted by Telesign’s Privacy and Security teams. The team is engaged in analyzing and controlling risks associated with the outsourcing of services to Third-Party Providers, their screening, onboarding, offboarding, privacy and security due diligence and annual re-assessment. Telesign also has in place a Vendor Management Policy in line with the ISO 27001 and applicable privacy regulations that allows for uniformity and consistency in how we treat Third-Party Providers and assess associated risks.
When Personal Data is transferred to a Third-Party Provider acting as Telesign’s processor, we enter into a written agreement with such Provider requiring that the Provider collect and use Personal Data from Data Subjects solely for the purpose of providing services to Telesign and that it will do so in a manner that provides at least the same level of privacy and data protection as is required by: (1) applicable data protection laws (such as the GDPR, CCPA, etc.), (2) Telesign’s Internal Privacy Policy (IPP) and Global Information Security Policy (GISP), and (3) any other representations that we have made to relevant Data Subjects, Customers, or partners in agreements or otherwise.
Any Third-Party Provider who is processing Personal Data on behalf of Telesign must sign a Data Processing Agreement (DPA) with Telesign, committing the Third-Party Provider to compliance with applicable data protection law. They must also complete a Vendor Self-Assessment (VSA) questionnaire which allows Telesign’s Privacy and Security teams to assess the overall risk involved.
The VSA requires Third-Party Providers to provide details about their organization’s privacy and security practices. This enables Telesign to carry out an assessment of these practices in advance of contracting with the third party. The questions in the VSA are divided into 10 groups based on the requirements defined within ISO 27002:2013. Precise answers with respective comments and supporting documentation (such as ISO certification or SOC 2 reports) must be provided. Only after the risk assessment process is completed may the Third-Party Provider enter into a business contract with Telesign, which is reviewed and approved by Telesign’s Legal team. The VSA responses are re-assessed annually.
Continuous Third-Party Risk Management
At Telesign we ensure we continuously manage third-party risk, including in the following ways:
· Maintaining an up-to-date inventory of all Third-Party Providers
· Having an established owner of third-party risk management
· Having a Vendor Management Policy in line with the ISO 27001
· Carrying out annual third-party risk re-assessments
· Having established contingency and incident management plans for cases where a third party is found to be below the required quality or a Personal Data breach occurs.
Conclusion
Staying ahead of third-party risk and gaining visibility into Third-Party Providers’ ecosystems is key to staying safe and protecting personal data in today’s threat landscape, and is critical to maintaining Customer trust.
For more information on Telesign’s data privacy practices and what we are doing to protect personal data, please see our Privacy Hub.