Measures Segment Takes to Safeguard the Privacy of Customer Personal Data

Segment takes seriously its responsibility to safeguard the personal data our customers submit to the Services (“Customer Data”), regardless of where that Customer Data originates.  To that end, Segment has adopted organizational, technical, and contractual safeguards.

Organizational safeguards

Segment, as a wholly-owned Twilio subsidiary, follows Twilio’s documented guidelines for requests from law enforcement and government entities. Before sharing personal data with law enforcement or government agencies, Segment checks that the request is valid, limited, specific, particularized, and made under enforceable legal process. Additionally, Segment will notify our customer when we respond to a request for their information unless we are explicitly prohibited from doing so by law. Further, on September 15, 2021, Segment began publishing a semi-annual Transparency Report documenting the requests we have received for Customer Data.

Technical safeguards

We manage information security based on the ISO 27001 framework and are audited annually to maintain our certification, along with conforming to ISO 27017 and 27018, as well as an annual SOC II Type II attestation. We encrypt Customer Data both in transit and at rest — we support TLS 1.2 to encrypt network traffic between the Segment Services and Customer’s sources and destinations, and Segment encrypts Customer Data at rest utilizing industry-standard encryption algorithms. Our backups are encrypted in transit and at rest using strong encryption (volume level, AES-256) and stored redundantly across multiple availability zones by AWS in the United States.

For more information about security measures Segment takes to protect your Customer Data, as well as security features and best practices, please see our Information Security Policy. Additionally, please see Schedule 2 of our Data Protection Addendum, which details the 17 technical and organizational measures Segment has in place to protect Customer Data in accordance with the Standard Contractual Clauses.  Lastly, please note that Segment and its Sub-processors only process Customer Data in the United States.

Contractual safeguards

Finally, our standard agreement with our customers includes our Data Protection Addendum, which incorporates the Standard Contractual Clauses, as well as our Information Security Policy.  Furthermore, we contractually require all of our Sub-processors that process Customer Data on our behalf to abide by rigorous privacy and security standards, as further set forth in the Data Protection Addendum.  

For information on our privacy practices, please see our Privacy Policy and Data Protection Addendum.