Bandwidth Transfer Impact Assessment FAQs
Updated on February 22, 2024
Bandwidth services have a global reach, and we are attentive to the protection of data involved in international transfers, including data exported from the EU/EEA to other jurisdictions. We have taken appropriate steps to ensure an adequate level of protection with respect to our data transfers around the world, and we support our customers and business partners in their efforts to do the same.
This document includes information regarding international data transfers of personal data exported from the EU/EEA among Bandwidth affiliates and to third parties in connection with our services, including the main findings of the Transfer Impact Assessment(s) (TIA) and Privacy Impact Assessment(s) (PIA) conducted by Bandwidth. Our customers may use this FAQ to gather relevant information for their independent assessment of vendors and partners and to complete their TIAs and PIAs.
Bandwidth maintains separate and regionalized storage of customer data: either (1) in the EU (Belgium, Germany, and Ireland) for customers using global services or (2) in the US for customers using domestic/North American services.
However, Bandwidth provides its services on a global scale and, as an international organization, has offices in various countries, including the US, South Korea, Singapore and Turkey.
As such, even though we maintain separate and regionalized storage of customer data, customer data may be processed or accessed by our employees around the world on a need-to-know basis, for example in order to be able to support our customers for sales, billing and payment, technical support and maintenance, fraud detection and prevention, etc. You can find more detailed information on the purposes of the transfers in Bandwidth standard DPA – Appendix 1.
Bandwidth relies on Standard Contractual Clauses (SCCs), which are incorporated by reference in our customer contracts in our Bandwidth standard DPA. These are standard contractual terms that have been pre-approved by the European Commission and serve as one of the legal transfer mechanisms to allow personal data to flow outside of the EU/EEA. The EU Commission published an updated version of the SCCs on 4th June 2021 to modernize the SCCs, account for sub-processors and additional models (e.g. P2C and P2P), and add additional contractual safeguards in response to the Schrems II decision.
Additionally, Bandwidth participates in and complies with the EU-US Data Privacy Framework (the “DPF”) and the UK Extension to the DPF as set forth by the U.S. Department of Commerce. Bandwidth has certified to the U.S. Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles with regard to the processing of personal data received from the European Union in reliance on the DPF and from the United Kingdom (and Gibraltar if applicable) in reliance on the UK Extension to the DPF. To learn more about the DPF program, and to view our certification, please visit www.dataprivacyframework.gov.
A Transfer Impact Assessment – or TIA – is a documented assessment of a transfer of personal data from the EU/EEA to non-EU/EEA countries that do not benefit from an adequacy decision of the European Commission (here’s the list of countries benefiting from an adequacy decision).
TIAs are required to be conducted under the new Standard Contractual Clauses and serve to document a proper assessment of risks associated with the transfer. Because Bandwidth provides its services globally, Bandwidth is committed to ensuring that if and when personal data is transferred to a non-EEA country on our watch, the relevant legal obligations are met.
To provide you with a flexible, reliable, global communications platform. Bandwidth may transfer personal data in order to be able to support our customers in various parts of the services (sales, billing and payment, technical support and maintenance, fraud detection and prevention, etc.). You can find more detailed information on the purposes of the transfers in Bandwidth standard DPA – Appendix 1.
- Bandwidth Inc. (US)
- Voxbone SA (Singapore Branch)
- Voxbone Telekomünikasyon ve İletişim Hiz. Tic. Ltd (Turkey)
You can find a complete list of the categories of data affected in Appendix 1 to the Bandwidth standard DPA, which provides information on the nature of Bandwidth’s processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects.
As noted above, Bandwidth maintains separate and regionalized storage of customer data in the EU and US; however, customer data may be processed or accessed by our employees from our office locations around the world (including in the US, Singapore and Turkey) in order to provide the services and support our customers. You can find more detailed information on the purposes of the transfers in Bandwidth standard DPA – Appendix 1.
You can find a list of our current sub-processors relevant for our Processor Services at www.bandwidth.com/legal/subprocessors.
Contractual: Bandwidth relies on SCCs, both intracompany and with any third-party vendor involved in an onward transfer. As a customer, you will also benefit from our Bandwidth standard DPA with new SCCs and the UK Addendum.
If your customer agreement appears to be based on a DPA template signed before September 27, 2021 either with Bandwidth Inc. or with Voxbone SA, please note that our DPA was updated to incorporate the new SCCs and communicated to customers in November 2022. If you are unsure of the status, we will be pleased to confirm or assist you with an amendment to incorporate the new SCCs. Please feel free to reach out to your Bandwidth representative to execute an updated DPA.
Technical: Security is a high priority for Bandwidth, which has a comprehensive Information Security Management System (ISMS) that is based on ISO 27001 requirements and is ISO 27001:2013 certified. In addition to protecting its network and software, Bandwidth is committed to protecting all access points to that network and Customer information. All Bandwidth desktops, laptops, and mobile devices are centrally managed and fully encrypted. All end user computers have anti-virus and anti-malware protections. Employee access to Bandwidth’s production systems and services follows a need-to-know model with least privilege. Bandwidth continuously monitors user accounts using security analytics and anomaly detection. Bandwidth requires two-factor authentication for all remote access to Bandwidth networks and systems. You may review the Bandwidth Security Fact Sheet for more details.
Organizational: Bandwidth reviews and reinforces our internal policies to respond to government access requests of personal data. Our regulatory operations teams implement and enforce a tailored review process for government access requests to ensure appropriate responsiveness in applicable jurisdictions and the protection of the personal data of our customers and their end users; more information is available at. Information on law enforcement requests may be found at the Law Enforcement Guide. Bandwidth publishes a transparency report related to access requests on an annual basis as part of its Corporate Responsibility Report, a current copy of which may be found at https://investors.bandwidth.com.
In light of the information reviewed in our assessment, including Bandwidth’s practical experience dealing with government requests and the technical, contractual, and organizational measures Bandwidth has implemented to protect customer personal data, Bandwidth considers that the risks involved in transferring and processing personal data from the EU/EEA in/to the US and Singapore do not impinge on our ability to comply with our obligations under the SCCs (as “data importer”) or to ensure that data subjects’ rights remain protected.