Privacy Policy


Ribbon recognizes and supports the privacy rights of all persons, and we respect these rights when we collect and process personal information.  We have developed and adopted a set of Privacy Principles that define our privacy values.   We have also developed and adopted this Privacy Policy to describe and guide our processing of personal information.

In addition to the restrictions and obligations of this Policy, we always comply with the letter and spirit of applicable national laws that protect the privacy of personal information.

The obligations and responsibilities set out in this Privacy Policy are applicable to Ribbon and its personnel and will be made available on Ribbon’s intranet and external website.   The obligations and responsibilities set out in the Privacy Policy are in addition to any other applicable policies or agreements entered into with Ribbon, and any applicable national and local laws and regulations.  We continually monitor data privacy and security laws and regulations as they apply to our operations worldwide.  In some cases, a country’s data privacy and security laws may establish requirements different from our Privacy Policy.  If a country’s law conflicts with our Data Privacy Policy, we follow the law.


At Ribbon, privacy matters.  Ribbon respects the privacy of its customers and other individuals with whom Ribbon has business interactions

This policy is global, applying to all Ribbon locations. It applies to personal information regardless of format.  For example, the policy applies to computerized records and electronic information as well as paper-based files.

It is also applicable to all personal information that is collected, maintained or processed by Ribbon. The concepts enumerated in this policy will guide Ribbon’s selection and expectations of its agents and contractors to whom Ribbon transfers and relies on for processing of personal information.

Ribbon processes personal information that is controlled by or originated from other companies, such as our customers or other business partners.  Ribbon shall protect the personal information, comply with all laws that regulate the processing of such personal information, and process the information only as authorized by the data controller or the data subject.  In some cases, Ribbon may collect and process personal information for our own business purposes and shall comply with the applicable privacy laws concerning Ribbon’s processing.

Data Processor

Ribbon provides the technology platform for hosted cloud information and communications services.  These services merely act as a conduit for data transmitted by third parties and subscribers.  Ribbon also processes personal information in the course of providing support for Ribbon communications products. 

In its role as a data processor, the standard of care that Ribbon must comply with is that of the data processor rather than the data controller.  Accordingly, Ribbon relies on guidance and direction of the data controller, who determines the purposes of processing such personal information. 

While Ribbon does process data in its role of providing a technology platform, it does not own, control or direct the use of any of the personal information stored or processed by any subscriber.  Ribbon only processes such personal information in order to provide and bill for subscribed services.

The Information We Collect or Process

Ribbon processes and in certain situations collects personal information as needed to deliver its products and services and manage its business.  When collecting personal information, Ribbon does so in a reasonable and lawful manner. 

The types of information and the purposes for which Ribbon collects or processes personal information may include:

For Customers & Resellers

Ribbon uses such personal information only for relevant, appropriate, and customary purposes.   Ribbon will not share or disclose personal information for purposes other than as described herein.  The following are examples of some of the personal information Ribbon processes. 

Business Contact Information:

Ribbon may collect and use personal information about individual contacts of customers and others who access Ribbon public websites or provide personal information through other means.  Such information may include account information, first/last name, company name, title and responsibilities, work email address, work mailing address, telephone numbers, as well as additional information provided by such individuals in the course of receiving products or services from Ribbon and/or requesting information about Ribbon.  We will use such information for the purposes of providing services, product support, conducting data analytics and product assessments and related activities, and providing information regarding Ribbon products and services. 

Unless expressly requested by Ribbon and consented by the business contact, Ribbon will not share or disclose such business contact information to marketing firms or similar organizations.

Customer Proprietary Network Information (CPNI):

Customer Proprietary Network Information (CPNI) may include information regarding quantity, destination, technical configuration, location, amount of use and related billing information of telecommunications, interconnected or non-interconnected Voice over Internet Protocol (VoIP) services.  This may include but is not limited to the phone numbers that you call or send messages to (or the phone numbers that you receive these calls and messages from) through our service.  The date, time and duration of the calls may also be collected.  This data is used for billing and service level assurance.

Ribbon provides services that are primarily for the benefit of organizations and subscribers in that it transmits, routes, switches or caches information.   These services merely act as a conduit for data transmitted by third parties and subscribers.  Ribbon does not determine the purposes and means of processing this personal information.  However, for data that is collected by Ribbon that is not subject to the control of others, Ribbon shall obtain consent from the user for the processing of this data.      

Ribbon collects end user CPNI in the course of providing service and product support.  This data may pertain to direct customers of Ribbon or indirect customers (eg: end users of Ribbon’s direct customers).  This data may include IP address, telephone number, call detail records and other information sufficient to identify an individual end user.  

Indirect End User’s CPNI

Ribbon acts as a data processor with regard to indirect end user personal information, and our customers act as the data controller of such data. In the course of Ribbon’s processing and protection of such data, use will be in conformity with the data controller’s instructions.

Direct End User’s CPNI

Ribbon typically collects and processes direct end user personal information for the purposes of providing services, product support, conducting data analytics and managing product performance.

Messaging, Voicemail, Video and Media Files

Ribbon provides services that facilitate the recording and storage of audio and video by way of services such as voicemail, call and conference recording.  Users may elect to store or record personal information including Sensitive Personal Information (SPI) within these resources at their discretion.  

Anonymized, Non-Identifying Voice and Traffic Data

Ribbon may use anonymized, non-identifying data collected from use of our Kandy™ service.  This anonymyzed, non-identifying data may be used to enhance voice activation and recognition algorythms.  Similarly, Ribbon may use anonymized, non-identifying data collected from use of our Ribbon Protect™ products in order to improve traffic analysis algorythms and techniques.  This processing is executed under applicable terms and support Ribbon’s legimate interests in tuning, maintaining and enhancing these products and services.


Ribbon websites may use cookies to collect certain kinds of personal information about subscribers or users.  For more information on how Ribbon uses cookies and choices available to subscribers and users please refer to Ribbon’s Cookie Policy.

Other Passive Site Tracking

Websites may also uses Internet Protocol (IP) addresses and log files to identify server problems. We also use web beacons to perform standard website traffic analysis in a manner similar to how we use cookies.  If in the future new types of passive tracking mechanisms are introduced, Ribbon will update this policy document accordingly.

Credit Card Information

Ribbon only collects credit card information in order to bill for subscribed services.  Ribbon utilizes credit card payment processing agents solely for the purpose of processing payment for the services you receive.   We require these agents to take reasonable and appropriate measures to protect this information from loss or misuse.

For Vendors, Suppliers and Sub-Contractors

Ribbon may collect personal information about individuals who are employed by our suppliers and vendors.  This business contact and payment information is strictly used to administer existing and future business arrangements.


Additional personal information may be collected, processed and disclosed for the purposes for which it was collected and for legal compliance purposes, including regulatory reporting, investigation of allegations of wrongdoing, and the management and defense of legal claims and actions, and compliance with subpoenas, court orders and other legal obligations.  For example, we may collect information about individuals that visit our facilities.

When we do collect data, such collection shall be relevant, proportionate and limited to the purposes for which they are processed. 

Cross-Border Personal Information Transfers

Where feasible Ribbon utilizes geographically aligned resources for primary data processing in order to reduce complexity and volume of cross-border personal information transfer.  Where cross-border transfer is necessary Ribbon utilizes entities who have demonstrated an ability to comply with applicable personal information privacy regulation.

Ribbon shall comply with the applicable laws governing personal information transfer and where required shall ensure that such transfers are made to countries where the data protection regime is compatible with that of the originating jurisdiction.

Transfer of Personal Information from the EU and Switzerland to the United States

Ribbon Communications, Inc. and its U.S. subsidiaries Sonus Networks, Inc., GENBAND US LLC, and Ribbon Communications Federal Inc. (“Ribbon Privacy Shield Companies”) comply with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred to the U.S. from the EU and Switzerland, respectively.   The Ribbon Privacy Shield Companies have certified to the Department of Commerce that they adhere to the Privacy Shield Principles.  If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

To learn more about the the EU-U.S. and Swiss-U.S. Privacy Shield programs, please visit  To view the Ribbon Privacy Shield Companies’ certification under Privacy Shield, please visit

In addition to the protections provided under other sections of this Privacy Policy, the Ribbon Privacy Shield Companies and all EU and Swiss Ribbon entities will provide the following protections for personal data transferred from the EU or Switzerland to the U.S.


Individuals will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of Ribbon or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.

Additionally, individuals will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice.  However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.

Transfer of Personal Data from the EU or Switzerland to Processors in the U.S.

Ribbon’s EU and Swiss entities may transfer personal information to a processor in the United States solely for processing purposes.  A “processor” is a third party who processes personal information on behalf of and in accordance with the instructions of Ribbon’s EU and/or Swiss entities.  When personal information is transferred from the EU and/or Switzerland to the United States solely for processing purposes, Ribbon’s EU and/or  Swiss entities will comply with the applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), respectively and enter into a contract with the processor to ensure that the processor (1) acts only on instructions of Ribbon’s EU and/or  Swiss entities; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are allowed; and (3) assists Ribbon’s EU and/or  Swiss entities in responding to individuals exercising their rights under the Privacy Shield principles, taking into account the nature of the processing.

Onward Transfers to Third Party Agents

After personal information is transferred from the EU and/or Switzerland to the Ribbon Privacy Shield Companies in the United States, the Ribbon Privacy Shield Companies may thereafter transfer the personal information to third parties acting as controllers.  A “controller” is a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal information.  Examples of third party controllers may include banks and healthcare providers, or management personnel in other Ribbon Privacy Shield Companies offices outside of the U.S.  When the Ribbon Privacy Shield Companies makes such onward transfers to third party controllers, the Ribbon Privacy Shield Companies will comply with the Privacy Shield notice and choice principles and enter into a contract with the third party controller that provides that (1) such personal information may be processed only for limited and specified purposes consistent with the consent provided by the individual; (2) the third party controller will provide the same level of protections as the Privacy Shield principles; (3) the third party controller will notify the Ribbon Privacy Shield Companies if the third party can no longer meet its obligation to provide the same level of protection for the personal information as required by the Privacy Shield principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the personal information and/or take reasonable and appropriate steps to remediate any unauthorized processing.


The Ribbon Privacy Shield Companies have verified and will verify annually through self-assessment that the attestations and assertions made about its Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Privacy Shield principles.  This verification has been and will be signed by an officer of the Ribbon Privacy Shield Companies or other authorized representative of the Ribbon Privacy Shield Companies at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance.  The verification includes the following:

  • That the Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
  • That the Policy conforms to the Privacy Shield Principles;
  • That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
  • That it has in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it;
  • That it has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Recourse Mechanisms For Personal Data Transferred Under Privacy Shield

Inquiries or complaints regarding transfers of personal data from the EU or Switzerland to the U.S. pursuant to Privacy Shield should be directed to:

Associate General Counsel
5927 South Miami Blvd, Suite 150
Morrisville, NC 27560 USA
Fax:  (919) 457-9621

If a complaint remains unresolved,  it will be resolved through alternative dispute resolution.  Ribbon has selected JAMS Mediation, Arbitration and ADR Services (JAMS) as the administrator of Ribbon’s independent recourse mechanism for Privacy Shield disputes.  Ribbon has committed to refer such unresolved Privacy Shield complaints to JAMS in the United States.  You may find more information about dispute resolution and how to file a claim with JAMS at

Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms.  Please visit Annex I for additional information:


The Ribbon Privacy Shield Companies are also subject to the investigatory and enforcement powers of the United States Federal Trade Commission.


In the context of an onward transfer of personal information, the Ribbon Privacy Shield Companies have responsibility for the processing of personal information they receive under the Privacy Shield and subsequently transfers to a third party agent.  The Ribbon Privacy Shield Companies will remain liable under the Privacy Shield principles if their third party agent processes such personal information in a manner inconsistent with the Privacy Shield principles, unless the Ribbon Privacy Shield Companies proves that they are not responsible for the event giving rise to the damage.


All employees who handle personal data transferred from the EU or Switzerland to the U.S. will receive training regarding the data privacy prinicples and procedures under Privacy Shield Prinicples and this Policy.

Accountability for Onward Transfer


Ribbon will only transfer or provide direct access to personal information covered by this policy to third parties that have:

  • made a commitment to respect the privacy rights of the data subject;
  • limited processing of personal information to comply with customer and/or data controller instructions; and
  • given Ribbon contractual assurances that they will provide at least the same level of privacy protection as is required by applicable privacy laws.

EU Personal Information

Additionally, for personal information pertaining to EU data subjects Ribbon will only transfer or provide direct access to personal information covered by this policy to third parties that:

  • are located in a jurisdiction subject to the EU Data Protection Directive or with privacy laws considered to be adequate by the EU, or
  • subscribe to the EU-US Privacy Shield Principles, or
  • have given Ribbon contractual assurances that they will provide at least the same level of privacy protection as is required by the EU-US Privacy Shield Principles, GDPR or EU member state laws implementing the EU Data Privacy Directive.

Accordingly, Ribbon requires the following of it’s onwards transfer agents:

  • data processing and further transfer is limited and to specified purposes;
  • provision of at least the same level of privacy protection as contemplated by the Principles;
  • processing of the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
  • takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
  • provision of notification if the agent makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles.

Choices and Accommodation

The data Ribbon processes is described in further detail in the “Information We Collect and Use” section above.

Ribbon recognizes and promotes the right of subscribers to have reasonable opportunities to object to the collection (opt out), use and disclosure of their personal information while still maintaining the minimal data needed to provide the subscribed service.  However, except for data provided by the subscriber for which Ribbon is merely providing a conduit for transmission, the subscribed services are of such a nature that, in most instances, Ribbon requires and collects only essential CPNI and billing information, and opting out or declining to provide the requested data may hinder the provision of subscribed services.  For further information on opting out please reference the instructions in the Contact section below.

Sensitive Information

Ribbon recognizes that for some sensitive information, affirmative express consent from individuals is required and must be obtained if such information is to be (i) disclosed to a third party or (ii) processed for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.  In addition, Ribbon shall treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

Service Portals

If you have created a user profile on any Ribbon service portal (eg: Salesforce,,, you may access and revise the personal information in your user profile when you log into your account. In general, these portals will only require minimal personal information that is necessary to provide and administer the service.

Marketing Materials

If you provide us with your email address or other Business Contact Information to enable us to provide current communications and information to you, we may use the information for providing such communications including delivery of press releases and other Ribbon marketing materials.  You may request to no longer receive Ribbon marketing communications by following the "unsubscribe" instructions in emails from Ribbon or by sending a request to the contact identified below.

In the rare and unlikely event that Ribbon wishes to use an individual’s personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals, Ribbon will seek consent in advance as required by law.

Data Integrity

Ribbon employs reasonable means to keep personal information accurate, complete, and current, as needed for the purposes for which it was collected.

Information Disclosure

Internal Disclosure

In general, personal information may be shared within Ribbon, where legally permitted for reasonable and appropriate corporate purposes.  However, even within Ribbon, we restrict access to personal information to those employees, agents, or contractors who need access to carry out their assigned functions.

External Disclosure

Ribbon uses vendors and partners for a variety of business purposes such as to help us provide, and bill for services we provide. We share information with those vendors and partners when it is necessary for them to perform work on our behalf.   As described in the Accountability for Onward Transfer section of this policy, Ribbon requires that these vendors and partners protect the customer information we provide to them and limit their use of such information to their respective processing activity.

We may disclose information that individually identifies our subscribers or identifies customer devices in certain circumstances, such as:

  • to comply with valid legal process including subpoenas, court orders or search warrants, to defend or respond to legal actions, and as otherwise authorized by law, or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements;
  • to prevent unauthorized, unlawful or abusive use of our products and services;
  • to determine credit risk or obtain payment for Ribbon services or products, such as through credit bureaus or collection agencies;
  • for other purposes with your consent.

If Ribbon enters into a merger, acquisition or sale of all or a portion of its assets or business, customer information will also be transferred as part of or in connection with the transaction as per local law and/or non-disclosure agreement.

Protecting Personal Information

To help protect the confidentiality of personal information, Ribbon employs security safeguards appropriate to the sensitivity of the information.  These safeguards include reasonable administrative, technical and physical measures to safeguard the confidentiality and security of personal information against anticipated threats and unauthorized access to the personal information.   

We convey safeguard obligations to our agents who receive personal information from or on behalf of Ribbon in the course of their relationship with our organization as described above in the Accountability for Onward Transfer provision.

Retention of Data

Personal information collected by Ribbon will be retained for as long as necessary and legally permitted for the purposes for which it was collected, to provide you with services and to conduct our legitimate business interests or where otherwise required by law.

Access, Correction, Recourse and Enforcement

We shall generally provide individuals with an opportunity to examine their own Personal Information, confirm the accuracy and completeness of their Personal Information, and have their personal information updated, if appropriate.  

The ability of an individual to access his or her personal information is not unlimited, however.  An individual’s ability to access personal information may be limited, for example, where (a) the burden or expense of providing access would be unreasonable or disproportionate to the risks to the individual’s privacy, (b) the information should not be disclosed due to legal or security reasons or to protect confidential commercial information; or (c) providing access would compromise the privacy of another person.

If you have created a user profile on a portal, you may also access and revise the personal information in your user profile when you log into your account.

Individuals who wish to access or update their personal information not accessible via a portal, or who wish to file a complaint or who take issue with Ribbon’s policy should direct such communications to Ribbon at:

Ribbon Legal Department
3605 East Plano Parkway - Suite 400
Plano, Texas 75074 USA

Ribbon undertakes annual compliance review of our policies, procedures with respect to data privacy to ensure that policy is implemented as presented and, in particular, to address any cases of non-compliance.  Ribbon also considers any impact to our policies and procedures as a result of privacy law changes or trends in recurring complaints from individuals.

Third Party Web Sites, Plugins or Widgets

Ribbon websites and services may include social network or other third party plugins and widgets. Accessing these links is done at your option and is not part of any of Ribbon’s service offering.  Please review the sponsor’s privacy policy provided at the respective site.

Your California Privacy Rights

The California Data Protection Act (Cal. Civ. Code §§ 1798.80-84) applies to business that owns or retains California residents’ personal information and, requires such businesses to disclose to its California customers, upon request, the identity of any third parties to whom the business has disclosed personal information within the previous calendar year, along with the type of personal information disclosed, for the third parties' direct marketing purposes.

In addition, a business subject to California Business and Professions Code Section 22581 and the Privacy Rights for California Minors in the Digital World Act (Cal. Bus. & Prof. Code §§ 22580-22582) must allow California residents under age 18 who are registered users of online sites, services or applications to request and obtain removal or other forms of anonymization of content or information they have publicly posted. Your request should include a detailed description of the specific content or information to be so removed.

If you are a California resident and would like to make such a request, email or contact us at:

Revision of Policy

Ribbon reserves the right to change this Privacy Policy at our discretion subject to business or legal requirements.  Please check this Privacy Policy from time to time and particularly before you provide personal information to Ribbon.  The effective date of the newest version of the Privacy Policy will be posted below, and in the event that we make material changes to this Privacy Policy, we will notify affected users by making a more prominent notice of the changes.

If we change our policy or use of personal information in such a manner that significantly diverges from the original purpose that we collected the information, we will provide notification as required by law.  Your rights object or obtain further information is as provided for in the Access, Correction, Recourse and Enforcement section.

Recent Revisions

October 2017 — Significant updates to privacy policy to reflect GDPR preparations
March 2018 — Inclusion of content to reflect Ribbon’s EU-US Privacy Shield commitments
June 2018 — Inclusion of “Anonymized, Non-Idenfying Voice and Traffic Data” within Information We Collect

Effective Date

June 25, 2018


If you have any comments or questions regarding this Privacy Policy or our privacy practices, please contact us at:

Ribbon Privacy
Suite 2100
500 Palladium Drive
Ottawa, Ontario, Canada K2V 1C2

Ask Us Anything!

Ribbon's team of professionals are ready to answer your questions, guide you to the right solution or help you with your network design.