Data Processing Agreement (DPA) FAQs
Published on: April 23, 2024
Telesign connects, protects and defends companies, customers and the digital interactions between them. We verify over five billion unique phone numbers a month, representing half of the world’s mobile users, and provide critical insight into the remaining billions. Our powerful AI and extensive data science deliver identity with a unique combination of speed, accuracy and global reach. At Telesign, privacy is in our DNA – it is embedded in everything that we do in service to our Customers and taken very seriously by all Telesign employees.
Telesign’s DPA FAQs are designed to assist our Customers when completing the Telesign Data Processing Agreement (DPA), which is linked under FAQ #34 below.
The responses to these FAQs are provided for informational purposes only to provide a better understanding of Telesign’s DPA and privacy practices. The responses are not intended as legal advice. Customers are solely responsible to familiarize themselves with the requirements of applicable privacy regulations as well as the full text of the DPA.
General
1. Why do we need a DPA?
The DPA establishes the rules under which Telesign processes personal data. Exactly which personal data are processed depends on the Services Telesign is providing, as explained under FAQ #4. If your organization is subject to the General Data Protection Regulation (GDPR) or a similar data privacy regulation, you must have a written data processing agreement in place with all of your data processors, such as Telesign. A DPA is more paperwork, but it is also one of the most basic steps of data privacy compliance and is necessary to avoid fines.
2. What are the roles of the parties under the DPA?
Telesign acts as the data processor with regard to Customer Personal Data – the personal data of our Customers’ end-users, which is submitted by our Customers to Telesign – and the Customer acts as the data controller. Telesign only has access to, and only processes, the personal data that you, the Customer, have provided to us. This means that you are in control of what personal data is processed by Telesign, since you decide which personal data (if any) will be submitted. Additionally, as provided by our DPA, Telesign only processes personal data in accordance with your instructions, so that you retain control over the personal data you provide at all times.
The exception to this rule is when a Customer agrees contractually with Telesign to allow us to re-use certain Customer-shared data as part of our Intelligence service, specifically for offering, maintaining and enhancing the service for the purposes of future fraud identification and prevention. Where this is the case, Customer and Telesign act as independent Controllers.
3. What is the scope of the DPA?
Although the DPA uses terminology from specific data privacy laws (e.g., Controller and Processor from the GDPR), it covers Customers globally and sets out the relevant legal obligations and commitments related to the processing of Customer Personal Data. The processing covered by the DPA consists of all data processing activities performed by Telesign (a) following the instructions of the Customer, (b) as necessary to deliver the Services to the Customer, and (c) for the ‘Permitted Purposes’ defined in the DPA, namely fraud detection, prevention and mitigation, and offering, maintaining, enhancing and further developing the Services that we or our affiliates offer.
4. What kind of personal data is processed by Telesign?
The personal data processed are those provided by the Customer to Telesign in connection with the Services provided by Telesign; these may include first name, last name, address, e-mail address, telephone number, location data, contact information and device information. Exactly which personal data are processed depends on the Services Telesign is providing.
5. Does Telesign make a DPA available to its Customers?
Yes, Telesign offers a DPA to its Customers; the document is linked under FAQ #34 below. The DPA is incorporated by reference into the services agreement signed with Telesign, such as the MSA or Evaluation Agreement. Therefore, there is no need to sign the standalone DPA if you have executed one of Telesign’s standard services agreements, such as the MSA or Evaluation Agreement. If you wish to execute the standalone Customer DPA, please reach out to your Account Director or Telesign’s Privacy Office.
6. Why should we use Telesign’s DPA?
Telesign’s DPA complies with the requirements of several applicable data privacy laws and addresses specific aspects related to audits, certifications, security measures, indemnification and sub-processing activities, all of which are aligned to the way in which Telesign’s products and services work. Additionally, it connects with the services agreement and other relevant Telesign documentation.
7. What are the applicable data privacy laws?
The DPA is drafted using terminology derived from the GDPR, but in addition to the GDPR it also addresses the following data privacy laws:
· California Consumer Privacy Act (CCPA),
· Brazilian Lei Geral de Proteção de Dados (LGPD),
· Serbian Zakon o zaštiti podataka o ličnosti (ZZPL),
· Chinese Personal Information Protection Law (PIPL),
· Singaporean Personal Data Protection Act (PDPA), and
· Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
8. What is the governing law/jurisdiction of the DPA?
As a US company, Telesign chose a neutral jurisdiction where we also have an established entity and data center: Brussels, Belgium. This also means that the governing law of the DPA is that of an EU member state, matching the governing law of the SCCs for the purposes of the GDPR.
9. Does the DPA apply to my organization if we do not have offices in Europe?
Yes, the DPA also applies to non-EU Customers. Even though it uses terminology based primarily on EU legislation (the GDPR), it aims to cover all jurisdictions reached by the applicable data privacy laws (such as Brazil or California). For this reason, the majority of its provisions are general, standard privacy-related provisions. Even if both parties are located outside the EU/EEA and no personal data originating from the EU/EEA is involved, our DPA still applies, as it aims to cover global data privacy laws by applying the highest standards and focusing on the most relevant and widely applicable data privacy concerns.
Duty to notify and cooperate
10. How does Telesign handle Data Subject Requests?
Telesign will promptly notify the Customer and will not respond directly to the Data Subject without Customer’s prior consent.
11. What happens if Telesign receives a government access request in respect of Customer Data?
Telesign is primarily a business-to-business company, and such companies statistically receive fewer government requests than business-to-consumer companies. If Telesign does receive a request from a law enforcement agency seeking access to data belonging to a Customer, we will aim to fully comply with our legal obligations while honoring the trust that our Customers place in us. Our privacy and security frameworks are designed to protect Customer data against unauthorized access or disclosure, and if we receive such a request, where permitted by law, we shall refer the requesting agency to the Customer. Additionally, where we believe a government request for Customer data is invalid or unlawful, we will seek to challenge it. In the unlikely event that we are required to disclose Customer data to government agencies, we shall ensure the transfer is necessary and proportionate and shall provide the minimum amount of information possible.
Sub processors and processing locations
12. Does Telesign use any Sub processors?
Yes. Telesign is headquartered in Los Angeles, California (US) and additionally has offices in Belgrade, Serbia, with support from an operational Sub processor based in Lithuania (EU). Personal data is transferred from the Customer to Telesign’s US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Furthermore, Telesign uses various carriers, network transit providers and data service providers (Sub processors) for the transmission of telecommunication services, such as SMS and Voice, globally.
For Telesign’s current Sub processor and data center list, please see Appendix 1 of the Telesign DPA.
13. How does Telesign notify its Customers of new Sub processors?
Telesign shall inform the Customer at least one (1) month in advance, by means of a written communication (via the Telesign Customer Portal or email), of its intention to engage a new Sub processor, including the identity of the Sub processor, the location where the data will be processed by that Sub processor and the data processing activities concerned.
14. How does Telesign perform due diligence when engaging Sub processors?
Telesign follows a framework and defined process for assessing third-party privacy and security risks and controls for all of our Sub processors before they are allowed access to Personal Data. The assessment of the Sub processor’s information security controls (based on the ISO 27001 security domains) and privacy controls (based on the GDPR, CCPA and other privacy regulations) is conducted by Telesign’s Privacy and Security teams. This process includes signing a DPA with the Sub processor and, where applicable, executing the EU Standard Contractual Clauses (SCCs) to govern international transfers. The Privacy and Security teams analyze and control the risks associated with outsourcing services to Sub processors, including their screening, onboarding and annual re-assessment. Finally, as described in the DPA, Telesign takes full responsibility for the actions of its Sub processors in relation to the processing of Customer Personal Data.
15. Where is the personal data processed by Telesign’s sub-processors?
United States, Serbia, United Kingdom, the Netherlands (EU) and Lithuania (EU). For Telesign’s current Sub processor and data center list, please see Appendix 1 of the Telesign DPA.
16. Where are Telesign data centers located?
Telesign’s current data center setup includes four data centers: two in the United States (California and Texas), one in Belgium (EU) and one in the Netherlands (EU). Personal data is replicated across all four data centers for the purposes of traffic load balancing and service availability.
For Telesign’s current Sub processor and data center list, please see Appendix 1 of Telesign DPA.
17. Can Telesign keep our Customer Personal Data within the European Economic Area (EEA)?
Not at the moment. Currently, all personal data is replicated across four data centers (some of which are outside the EEA) for traffic load balancing and service availability. As part of Telesign’s ongoing commitment to data privacy, and in response to increased Customer requests for EU data residency, Telesign will soon have the capability to ensure that personal data is processed and stored only within the European Union (EU) for most of its Services.
Technical and Organizational Measures
18. What security measures are in place to protect Customer Personal Data?
Telesign maintains appropriate technical and organizational measures to protect Customer Personal Data as set forth in Appendix 2 of the DPA – Security Measures. For more information on Telesign’s security framework, please review our Security Whitepaper.
19. Does Telesign’s DPA give my organization the right to audit Telesign?
Yes, with ninety (90) days’ prior written notice and not more than once in any twelve (12) month period, with each Party bearing its own costs and expenses. These limits do not apply if an audit is required by an instruction of a competent data protection authority, or if the Customer believes a further audit is necessary due to a personal data breach suffered by Telesign.
20. Does Telesign hold any certifications?
Yes, Telesign is ISO/IEC 27001:2013 certified. Please reach out to Telesign’s Privacy Office to obtain the certificate.
Data Breach Notification
21. How would Telesign notify its Customers in case of a personal data breach?
We are committed to doing everything we can to prevent a breach from ever occurring within our systems, but in the event that one does occur, we will notify the affected Customers and/or the data protection authorities (as applicable) without undue delay after becoming aware of the breach.
Retention, Return and Deletion of Data
22. What is your retention period?
The duration of the processing is limited to the period needed to perform Telesign’s obligations under the main agreement with the Customer, unless a legal obligation requires longer retention. Telesign’s obligations under the DPA with regard to personal data processing continue until the data have been properly deleted or, at the request of the Customer, returned.
23. Can we do a Proof of Concept (POC) and have Telesign delete all the data?
Yes. The Customer can request deletion of personal data after the POC. Please reach out to your assigned Account Director.
24. What happens to Customer Personal Data after termination or expiration of an agreement with Telesign?
The data is either deleted after ninety (90) days or, at the request of the Customer, returned.
International Data Transfers
25. What is an international data transfer mechanism?
Under the GDPR, personal data cannot be transferred outside the EEA to organizations located in third countries unless (a) the importing country has been deemed adequate by the relevant authority (the European Commission, the UK Information Commissioner’s Office (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC)), or (b) appropriate safeguards, such as the SCCs, are in place to ensure that the transferred personal data is subject to an adequate level of data protection.
26. Which transfer mechanism does Telesign offer in its DPA?
Standard Contractual Clauses (SCCs).
27. Does the DPA include the 2021 SCCs?
Yes, the DPA has been updated to include the pre-signed 2021 SCCs. The SCCs are incorporated by reference in Section 3 of the DPA. You may review the full SCCs here.
28. Which Module of the 2021 SCCs applies to my relationship with Telesign?
Module II: Controller (Customer) to Processor (Telesign) and Module I: Controller (Customer) to Controller (Telesign) with respect to the Intelligence service.
29. Why are the SCCs not attached to the DPA?
Given the length of the SCCs, Telesign has chosen to incorporate them into its DPA by reference rather than attach them.
Customers may also execute the SCCs separately. Please reach out to your Account Director or Telesign’s Privacy Office.
30. How do Customers enter into the 2021 SCCs?
Telesign updated its DPA in 2021 to include the new SCCs. All Customers whose Agreement references the DPA have received notification via the Customer Portal. New Customers can enter into the SCCs by signing any of Telesign’s standard agreements, such as the MSA or the Evaluation Agreement, by signing the standalone Customer DPA, or by executing standalone SCCs. If you wish to execute the 2021 SCCs, please reach out to your Account Director or Telesign’s Privacy Office.
31. What changes do the EU’s new SCCs (2021) contain?
In light of the Schrems II decision and the complex processing activities that exist today, the European Commission updated the SCCs to address additional transparency requirements covering access requests from law enforcement agencies, and to require an assessment of the laws of the importing country for compatibility with the terms of the SCCs. The prior version of the SCCs applied only to controller-to-controller and controller-to-processor transfers of personal data from the EU to countries without an adequacy decision by the European Commission. The new clauses are expanded to also cover processor-to-processor and processor-to-controller transfers.
32. How does the latest Telesign DPA address the Schrems II decision and associated EDPB recommendations 01/2020?
The DPA contains the latest 2021 SCCs, allowing Customers to apply the protections afforded therein. Telesign has no reason to believe that our data transfers from the EU to the US present the type of data protection risks that concerned the CJEU in Schrems II. The EU-US personal data typically transferred for the provision of Telesign services consists of ordinary commercial information, such as phone numbers, IP addresses and names of end users. The use cases for Telesign’s services involve authentication, fraud prevention and securing end user accounts on behalf of our Customers. Such transferred data would not be of interest to US foreign intelligence agencies. To date, Telesign has not received any government requests to disclose data under FISA 702.
Telesign maintains, in accordance with good industry practice, measures to protect personal data from interception (including in transit from the Customer to Telesign and between different systems and services). This includes having in place and maintaining network protections intended to deny the ability to intercept data, and encrypting personal data while in transit. Telesign encrypts all customer transactions to our APIs over the Internet with TLS 1.2, as well as customer access to our management console, the Customer Portal. The Advanced Encryption Standard (AES) and the Secure Hash Algorithm 2 (SHA-2) family are the encryption and hashing algorithms most widely used within Telesign.
For more information, please visit our Transfer Impact Analysis page.
33. Do the new SCCs apply to transfers of personal data from the UK to the US?
Yes. From March 21, 2022, the new SCCs have been recognized in the UK as a valid instrument for international data transfers when supplemented by an Addendum (the “UK Addendum”). The UK Addendum takes into account the UK GDPR and the binding judgment of the Court of Justice of the European Union (CJEU) in the Schrems II case when making restricted transfers. Telesign has updated its DPA to take into account the provisions of the UK Addendum.
Miscellaneous
34. Where can I find additional legal documentation and information about Telesign?
DPA: https://www.Telesign.com/DPA
SCCs: https://www.Telesign.com/Telesign-Standard-Contractual-Clauses
Telesign Services: https://www.Telesign.com/services
Transfer Impact Analysis based on EDPB recommendations on supplementary measures for personal data transfers from the EEA/EU: https://www.Telesign.com/transfer-impact-analysis
Telesign Privacy Notice: https://www.Telesign.com/privacy-notice
Telesign Security Whitepaper: https://www.Telesign.com/security
35. What if I have additional questions not answered in this FAQ?
Please reach out to Telesign’s Privacy Office.