Data Protection and Privacy

Bandwidth services have a global reach, delivering exceptional experiences everywhere. Our global privacy program is built on the framework of GDPR principles and CCPA/CPRA imperatives that have served as the model for privacy and data protection laws worldwide.

Our team continuously monitors and updates our privacy program in accordance with applicable laws and regulations from around the world. As subject matter experts and engaged collaborators, we foster a culture of data protection and privacy within Bandwidth. We believe privacy is a team sport, and we work together with Bandmates across the company to mitigate risk and achieve meaningful compliance.

All Bandmates receive information security and privacy training yearly, including CPNI, GDPR & US State Privacy Laws, and HIPAA. Individual teams receive additional in-depth training in privacy topics relevant to their role at Bandwidth. And our cross-functional league of Privacy Champions helps us operationalize, evangelize, and deliver on our promises as boots on the ground throughout the year.

We offer our customers a clear and concise Global DPA in our contracting process, available at www.bandwidth.com/legal/dpa. This document reflects our attention to the roles and responsibilities we play in processing personal data through our products and services, as well as the key contractual provisions required by applicable data protection laws around the world.

In support of our commitment to data protection and privacy, Bandwidth maintains appropriate administrative, technical, and physical security measures to help safeguard against the accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, or access to, the personal data we process or use. We are ISO 27001:20013 certified and SOC II compliant. We participate in yearly third-party information security audits to validate our continual progress. We’re proud to tell you more about our credentials at www.bandwidth.com/security.

As a communications service provider, Bandwidth generates, collects, and processes certain categories of personal data in order to provide our services and comply with our regulatory obligations.

In most cases, Bandwidth acts as a controller for essential data elements in the telecommunications ecosystem. As detailed in our DPA, this includes Customer Account Information, Communications Metadata, and Subscriber Data.

1. Customer Account Information means (i) information used for Customer’s account billing and payment or to prevent fraud or misuse of the Services such as: name, email address, phone number of a Customer’s representative; and (ii) other information Bandwidth may Process in the context of creating or maintaining a business relationship with Customer for purposes of the Services. We use this information for billing and payment, to prevent fraud and misuse of our services, and to maintain or manage a business relationship with a customer.
2. Communications Metadata means information generated in connection with the conveyance of communications via the Services, and used for the performance and billing thereof, such as source and destination information, IP address, time duration or completion status. This category includes traffic data (CDRs) and logs. We use Communications Metadata to provide, maintain, bill, and optimize the services; to prevent fraud and misuse of our services; and to comply with federal or local regulatory requirements.
3. Subscriber Data means any identifying information about subscribers purchasing our services that Bandwidth may collect to comply with local regulatory requirements or provision of Services, such as name, birth date, physical address, nationality, identification card of the appointed representative of Subscriber. We use Subscriber Data to comply with local regulatory requirements, such as LAR and identity verification. We may also use Subscriber Data for telephone number assignments, number portability, or provision of emergency services.

In some cases, Bandwidth may also act as a processor at the direction of our customers purchasing certain product features.

For more information on Bandwidth’s roles and responsibilities with respect to personal data, please refer to our DPA

Across each category of data, our commitment to privacy and security is paramount to serve our customers, comply with regulatory requirements, and protect end users. You can learn more about our security measures at www.bandwidth.com/security.

Like most software service providers, Bandwidth uses a select number of third-party subprocessors to support our product offerings, including cloud-based hosting, storage, and infrastructure provider(s).

A current list of subprocessors is available here.

Together the Global Sourcing, Contracts, Privacy, and Vendor Risk Management teams perform an extensive assessment and approval process before licensing or using third-party vendors. In addition, the Privacy Team provides training to help ensure that data processing and cross-border data transfers are identified, considered, and addressed at each stage of review.

Bandwidth relies on Standard Contractual Clauses as the valid transfer mechanism for data transfers among our internal affiliates and with our customers in our DPA.

In support of the SCCs and in accordance with Schrems II, Bandwidth has conducted an internal transfer impact assessment for international data transfers that occur among our affiliates, in particular the transfer of personal data to the United States in connection with our products and services.

Our customers and prospective business partners may reference this Transfer Impact Assessment FAQ to gather relevant information for their independent assessment of Bandwidth as a vendor or partner.

While EU-US Privacy Shield is no longer recognized as a valid transfer mechanism, Bandwidth maintains Privacy Shield certification as part of our continued commitment to adhere to the attendant principles and EU standard of care.

Information on law enforcement requests may be found at the Law Enforcement Guide.

Our global regulatory operations teams implement and enforce a tailored review process for government access requests to ensure appropriate responsiveness in applicable jurisdictions and the protection of the personal data of our customers and their end users.

Bandwidth publishes a transparency report related to access requests on an annual basis as part of its Corporate Responsibility Report, available at https://investors.bandwidth.com/.

Privacy should never be more than a click away. Bandwidth offers an easy-to-use form for data subjects to exercise their rights, available through our Privacy Notice and at this direct link: DATA SUBJECT RIGHT REQUEST FORM