// Trust & Security Report

    Twilio Inc. logo

    Twilio Inc.

    Twilio SendGrid (Email API + Marketing Campaigns)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Security certifications across Twilio, Segment, and SendGrid: SOC 2, Type II [listed]. Twilio has received SOC II Type II certifications for its SendGrid, Authy, and Programmable Voice products.

    Verify on twilio.com
    SOC 2 Type I
    HELD

    Security certifications across Twilio, Segment, and SendGrid: SOC 2, Type I [listed on security page].

    Verify on twilio.com
    ISO/IEC 27001:2013
    HELD

    ISO/IEC 27001:2013 certified [listed under Security certifications across Twilio, Segment, and SendGrid]. All publicly available Twilio services and features are in scope.

    Verify on twilio.com
    ISO/IEC 27017:2015
    HELD

    ISO/IEC 27017:2015 certified [listed under Security certifications across Twilio, Segment, and SendGrid].

    Verify on twilio.com
    ISO/IEC 27018:2019
    HELD

    ISO/IEC 27018:2019 certified [listed under Security certifications across Twilio, Segment, and SendGrid].

    Verify on twilio.com
    PCI DSS Level 1
    HELD

    PCI DSS Level 1 [listed on security page]. Note: security page cautions 'the credentials listed do not apply to every product across Twilio, Segment, and SendGrid.' PCI DSS applicability to SendGrid Email specifically is unconfirmed.

    Verify on twilio.com
    EU Standard Contractual Clauses (SCCs)
    HELD

    EU Standard Contractual Clauses - For transfers from EEA, Switzerland, Guernsey, or Jersey. DPA explicitly confirms this as a transfer mechanism for SendGrid (where BCRs do not apply).

    Verify on twilio.com
    EU-US Data Privacy Framework
    HELD

    Data Privacy Framework - Twilio Inc. is self-certified under EU-U.S., UK Extension, and Swiss-U.S. frameworks [first listed transfer mechanism in the DPA].

    Verify on twilio.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    SendGrid does not natively support HIPAA compliant data transmission and is not a HIPAA Eligible Service. No, we are not [HIPAA compliant].

    source: twilio.com
    GDPR (Binding Corporate Rules)
    NOT CONFIRMED

    Twilio BCRs do not serve as a transfer mechanism for the SendGrid Services or Private Beta Offerings. However, SendGrid data is covered by EU Standard Contractual Clauses where applicable.

    source: twilio.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Global. Infrastructure on AWS, GCP, and colocation providers (Databank, Lumen, Digital Realty) across geographically diverse regions. EU data covered by SCCs and Data Privacy Framework. SendGrid excluded from Twilio BCRs but covered by SCCs.

    Twilio does not use customer AI/ML content to train other products by default. Section 4.1(b) of the AI/ML Addendum states: 'AI/ML Content will not be used to improve, train, and fine-tune Twilio's other AI/ML Features...without Customer's acceptance of or agreement to supplemental terms.' For non-AI features (standard email sending), customer email content is processed only to deliver the service. Third-party providers (e.g. OpenAI, Anthropic) are contractually prohibited from using customer input to train base models without separate written agreement.

    // Security controls

    Bug Bounty Program

    HackerOne - paid monetary bounties for eligible vulnerabilities in applications and internet-facing assets. Separate Vulnerability Disclosure Program (no monetary reward) open to all.

    twilio.com

    Vulnerability Disclosure Program

    Open to everyone including non-professional researchers. No monetary reward. Quote: 'Our Vulnerability Disclosure Program is open to everyone - whether you're a customer, professional security researcher that does not meet the Bug Bounty Program requirements, or just someone who has discovered a potential issue.'

    twilio.com

    Encryption in Transit

    TLS v1.2 minimum for API; SendGrid Email uses opportunistic TLS v1.1+ with optional enforced TLS available for email transit.

    twilio.com

    Encryption at Rest

    Advanced Encryption Standard (AES). Quote: 'Encryption at rest using Advanced Encryption Standard.'

    twilio.com

    Access Controls

    Multi-factor authentication required for production environment access. Customer accounts support 2FA. Password policy aligned with NIST 800-63B guidance.

    twilio.com

    Authentication Protocols (Email)

    SPF, DKIM, DMARC, and TLS encryption for email authentication and security.

    twilio.com

    Infrastructure

    AWS, GCP, and colocation providers; geographically diverse regions with multiple availability zones; redundant Super Network with disaster recovery backup zones.

    twilio.com

    Penetration Testing

    Regular external audits referenced on trust center. Quote from trust center: 'Twilio is supported by certifications like ISO/IEC 2700[1] and has regular external audits to demonstrate our commitment to enhanced customer trust and assurance.' Specific pen test cadence not publicly disclosed.

    twilio.com

    Uptime SLA

    99.99% uptime SLA stated on the SendGrid Email API product page.

    twilio.com

    // Products & data scope

    SendGrid Email APITransactional Email / Email Delivery API

    data: Processes email content (subject, body, recipients), sender identity, API keys, and delivery/analytics metadata. Not HIPAA eligible. SOC 2 Type II attested. EU data covered by SCCs and Data Privacy Framework. Customer email content is not used for AI model training by default.

    Primary developer-facing product. Supports SMTP relay and RESTful API. Free trial of 100 emails/day for 60 days; paid plans start around $19.95/month for up to 100k emails. Free plan discontinued May 2025.

    SendGrid Marketing CampaignsEmail Marketing Platform

    data: Stores contact lists, campaign content, and engagement analytics (opens, clicks). Contact PII (name, email) is held by Twilio on behalf of the customer. Complies with GDPR via SCCs and Data Privacy Framework. Not HIPAA eligible.

    Marketer-facing product. Includes audience segmentation, dynamic templates, and deliverability insights. Separate pricing from Email API.

    // What to watch

    • SendGrid Email is explicitly NOT HIPAA compliant and cannot be used for PHI transmission - confirm this with customers in regulated healthcare industries.
    • Twilio BCRs do NOT cover SendGrid services; EU data transfers rely on EU SCCs and Data Privacy Framework instead - important distinction for EU procurement.
    • PCI DSS Level 1 is listed on Twilio's security page but the page cautions not all certs apply to every product; applicability to SendGrid Email specifically requires direct confirmation from Twilio.
    • Free plan discontinued May 2025 - all users now on paid plans or 60-day trials only.
    • AI/ML addendum covers opt-in AI features; standard email delivery does not involve AI model training of customer content.

    // At a glance

    Pricing model

    Usage-based SaaS. Free 60-day trial (100 emails/day). Paid Email API from ~$19.95/month (up to 100k emails) with volume discounts. Marketing Campaigns priced separately per contact tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Twilio Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    twilio.com

    > Browse all vendor trust reports