Phone ID Product FAQs
Published on: April 23, 2024
1. Is Telesign GDPR compliant? What other data privacy laws does Telesign comply with?
Yes. At Telesign privacy is embedded in everything we do in service to our Customers and taken very seriously by all Telesign employees.
Telesign has in place a comprehensive data privacy program which encompasses global laws and regulations including the California Consumer Privacy Act (“CCPA”), EU General Data Protection Regulation (“GDPR”), Brazilian Lei Geral de Proteção de Dados (“LGPD”), Serbian Zakon o zaštiti podataka o ličnosti (“ZZPL”), Chinese Personal Information Protection Law (“PIPL”), Singaporean Personal Data Protection Act (“PDPA”), and Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”). Our data privacy program is aligned with the key principles of data protection: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
2. What is the source of the personal data that Telesign uses in PhoneID API? How does Telesign ensure that such data was legally obtained? What is Telesign’s lawful purpose for processing the data in PhoneID API?
The personal data used to fuel Telesign’s PhoneID API is provided to us by trusted companies with which Telesign has contracted to supply such data (“Data Providers”).
Personal data obtained from Data Providers: When the personal data is provided to Telesign from a Data Provider, we take several steps to ensure that such company complies with all obligations under applicable data privacy law and that they are providing the personal data to us lawfully and in line with data subjects’ expectations.
Our Data Providers acquire personal data from a variety of different sources: publicly available databases, public search engines, telecom operators’ directories, consumer transaction records and scoring services. Telesign conducts due diligence on all Data Providers to ensure that such sources of personal data are legitimate and in line with applicable data privacy laws and regulations.
We carry out a comprehensive risk assessment to thoroughly assess each Data Provider’s data privacy and security program and practices. We will only contract with companies that provide sufficient answers and guarantees to satisfy us that they are acting in compliance with data privacy laws and treating personal data in a manner aligned with the key principles of data protection. If the third-party Data Provider does not pass this initial assessment, Telesign will not contract with them.
Once the Data Provider has passed this initial assessment, they can then enter into a business contract with Telesign. All our business contracts obligate the Data Provider to adhere to Telesign’s information security and privacy policies and standards as well as complying with all applicable data privacy laws. This again ensures that the personal data provided to Telesign for use in our products is only sourced via lawful means, based on a lawful basis and with respect for the rights and freedoms of data subjects.
Data subjects are made aware that their data will be shared with Telesign by the Data Provider via the Data Provider’s own consent forms, privacy notices and/or other privacy information. Telesign’s privacy notice also provides full transparency regarding the sources from which we obtain personal data, including where such data is not obtained directly from the data subject.
3. What is the personal data provided to us by our Customers (‘Customer Personal Data’) used for in PhoneID API? Why does Telesign need it?
Customer Personal Data enables Telesign to provide the PhoneID API to our Customers. It is more important than ever for online businesses to identify and authenticate customer identities to reduce fraud and comply with applicable laws and regulations. The Customer Personal Data provided to Telesign is used to provide real-time behavioral, phone and user data. These insights help our customers establish identity confidence, strengthen user authentications, proactively identify account-based fraud risks, and improve the overall user experience.
4. How long will Telesign keep the Customer Personal Data used in PhoneID API for?
90 days. All Customer Personal Data is kept in accordance with Telesign’s Data Retention Policy. This Policy mandates that Customer Personal Data be deleted after 90 days. Additionally, Telesign regularly reviews all personal data in its possession to determine whether it is still needed and whether earlier deletion or pseudonymization may be appropriate in the circumstances.
5. Does Telesign use Customer Personal Data for its own purposes?
Generally, no. Customer Personal Data is used to provide Telesign’s services, including PhoneID API, to the Customer. Additionally, Telesign may use Customer Personal Data for maintaining and enhancing Telesign’s services only if agreed with the Customer contractually in the main agreement and the Data Processing Agreement (‘DPA’).
6. Who can access the personal data?
Telesign employees with restricted access on a need-to-know basis. Customer Personal Data is housed in a shared environment in colocation facilities and classified as confidential. This data is logically separated in Telesign’s databases using a unique customer ID. Technical access controls and internal policies prohibit employees from arbitrarily accessing Customer Personal Data. To protect Customer privacy and security, only select staff members have access to the environment where Customer Personal Data is stored, on a need-to-know basis.
Any exceptions to baseline access permissions (e.g., temporary elevated privileges for a developer to perform a particular function) are documented in a change request ticket that is reviewed and approved by IT management prior to implementation.
7. Does Telesign share Customer Personal Data with any third parties?
Where contractually agreed upon, Telesign shares Customer Personal Data with select third-party sub-processors for operational, technical, and billing support to provide the PhoneID services. For an up-to-date list of Telesign’s standard sub-processors please see Appendix 1 of our Customer DPA.
Additionally, Telesign processes Customer Personal Data in our data centers – please see questions 8 and 9 for more details.
8. Will Customer Personal Data be kept within the EU?
No. Telesign is headquartered in Los Angeles, California, USA and additionally has offices in Belgrade, Serbia, with support from an operational sub-processor based in Lithuania (EU). Customer Personal Data is transferred from Telesign’s Customers to the USA and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Telesign’s current data center setup includes four data centers located in the USA, Belgium (EU) and the Netherlands (EU). The personal data is replicated across all four data centers for the purposes of traffic load balancing and service availability.
9. Where are Telesign’s data centers located?
The USA and EU. Telesign’s current data center setup includes four data centers: two in the United States (California and Texas), one in Belgium (EU) and one in the Netherlands (EU).
10. Can we do a POC of PhoneID API and have Telesign delete all the Customer Personal Data after the evaluation period?
Yes. All data is deleted automatically after 90 days; however, upon Customer request, the Customer Personal Data can be deleted sooner.