Track 3 platforms and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is Twilio's official list of sub-processors, the third-party companies Twilio uses to help deliver its services that may access or process personal data belonging to Twilio's customers or their end users. The list covers Twilio's communications platform, Segment customer data platform, and SendGrid email services, identifying for each sub-processor the entity name, the nature of the processing activity, and the country where processing occurs. Customers who have signed Twilio's Data Protection Addendum are entitled under GDPR Article 28 to receive advance notice before Twilio adds or changes a sub-processor, with the option to object if the change creates data protection compliance concerns.
This document is Twilio's publicly disclosed sub-processor list, published at twilio.com/en-us/legal/sub-processors, serving as the Article 28 GDPR-compliant disclosure of third-party entities that Twilio engages to process personal data on behalf of its customers as data controller or data processor. The document functions as a transparency mechanism required under GDPR Article 28(2), which obligates data processors to inform controllers of intended sub-processors and obtain authorization before engaging new ones; Twilio's Data Protection Addendum (DPA) typically governs the operative contractual obligations referenced by this list. The list is notable for covering Twilio's full product suite including Twilio Communications, Twilio Segment, and Twilio SendGrid, meaning the sub-processor exposure for any given customer depends on which products they use, a conditional scope that the document does not always make granular per-processor. This document engages GDPR (particularly Articles 28 and 46 regarding international transfers), the UK GDPR, the Swiss Federal Act on Data Protection (nFADP), CCPA/CPRA to the extent Twilio acts as a service provider processing California residents' personal information, and standard contractual clause frameworks governing cross-border data transfers to processors in non-adequate third countries. Compliance teams should note that the list is subject to update, and Twilio's DPA typically requires advance notice of sub-processor changes, making monitoring cadence a material operational consideration for customers operating under GDPR or equivalent frameworks.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Get ComplianceMonitoring
Twilio has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Get ComplianceCross-platform context
See how other platforms handle International Data Transfer Locations and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.