How we ensure the highest standards of data privacy and compliance within Intercom
At Intercom, we believe trust is at the core of every relationship between a business and its customers.
As businesses grow and scale, they need to continue to earn and build on that trust in every way they can – but with rapidly expanding tech stacks, it’s not just their own company policies they need to monitor, it’s those of every company they partner with.
This is the fifth post in a content series exploring Intercom’s investment in supporting large businesses.
Your data is our most critical asset. We protect it throughout its lifecycle with robust security practices, tailored role-specific staff training, and rigorous compliance with regulations. We handle the security of your data so that you can focus on acquiring, engaging, and retaining your customers.
We leave no stone unturned when it comes to data privacy
Intercom is a data processor, and we take the utmost care with any data we touch. To date we hold over three billion end user records and have facilitated over 640 million conversations between businesses and their users. That is a lot of data.
We take care of your data from ingestion to deletion. In this post we’ll tell you about how we protect your data during:
- Storage, processing, and transmission
- Access
- Expiry and deletion
Processing, storage, and transmission
Since data is our key asset, we entrust it only to third-party service providers who meet and maintain our security bar. Before a vendor is procured, our IT, legal, and security teams review their security and data privacy practices in full. The only vendors with access to your data are those in our official subprocessor list.
You can choose to host your data in a region that suits your compliance requirements and gives you – and your users – peace of mind. Intercom services and data are hosted in Amazon Web Services (AWS) facilities in the USA (us-east-1), Dublin, Ireland (eu-west-1), and Sydney, Australia.
We build our services with disaster recovery in mind. All of our infrastructure and data are spread across three AWS availability zones within the region, and our services will continue to operate should any one of those zones fail.
Data is kept safe at rest and in transit. All data sent to or from Intercom through our API and application endpoints is encrypted in transit with TLS 1.2, restricted to strong cipher suites, with Perfect Forward Secrecy (ephemeral key exchange) and HSTS enabled. At rest, all customer data we process is encrypted with the industry-standard AES-256 algorithm.
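A customer evaluating claims like the ones above will usually want to check them against what an endpoint actually negotiates. The script below is an added example, not Intercom code: it scores a TLS handshake summary (protocol version and cipher suite, in the names Python’s ssl module reports) and a set of HTTP response headers against the stated bar of TLS 1.2 or newer, forward-secret and AEAD cipher suites, and HSTS. The sample handshakes and headers are constructed, and the 180-day HSTS max-age threshold is this example’s own choice.

```python
"""Transport-security policy check (added example, not Intercom code).

Evaluates a TLS handshake summary (protocol version, negotiated cipher
suite) and an HTTP response header set against the bar stated above:
TLS 1.2 or newer, cipher suites with forward secrecy (ephemeral ECDHE/DHE
key exchange) and AEAD bulk encryption, and HSTS with a meaningful max-age.
Sample inputs are constructed; the 180-day HSTS threshold is an assumption.
"""
from __future__ import annotations

import re
import socket
import ssl
from dataclasses import dataclass, field

ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# TLS 1.3 suites are forward secret and AEAD by construction; their names omit the key exchange.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumption: 180 days


@dataclass
class Finding:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def check_cipher(version: str, suite: str) -> Finding:
    """Does the negotiated version/suite deliver TLS >= 1.2, forward secrecy and AEAD?"""
    reasons: list[str] = []
    if version not in ACCEPTABLE_VERSIONS:
        reasons.append(f"protocol {version} is older than TLS 1.2")
    if version == "TLSv1.3" or suite in TLS13_SUITES:
        return Finding(not reasons, reasons)
    # OpenSSL-style TLS 1.2 names: <kx>-<auth>-<cipher>-<mode>-<mac>, e.g. ECDHE-RSA-AES256-GCM-SHA384
    if not suite.startswith(("ECDHE-", "DHE-")):
        reasons.append(f"{suite} uses a static key exchange: no forward secrecy")
    if not re.search(r"-(GCM|CHACHA20-POLY1305)", suite):
        reasons.append(f"{suite} is not an AEAD suite (CBC, RC4 or 3DES class)")
    return Finding(not reasons, reasons)


def parse_hsts(header: str | None) -> dict[str, str | bool]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: dict[str, str | bool] = {}
    for part in (header or "").split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def check_hsts(headers: dict[str, str]) -> Finding:
    """HSTS must be present, long-lived and cover subdomains to pin clients to HTTPS."""
    lowered = {k.lower(): v for k, v in headers.items()}
    d = parse_hsts(lowered.get("strict-transport-security"))
    if not d:
        return Finding(False, ["no Strict-Transport-Security header"])
    try:
        max_age = int(d.get("max-age", 0))
    except ValueError:
        return Finding(False, ["malformed HSTS max-age"])
    reasons: list[str] = []
    if max_age < MIN_HSTS_MAX_AGE:
        reasons.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in d:
        reasons.append("HSTS does not set includeSubDomains")
    return Finding(not reasons, reasons)


def evaluate(sample: dict) -> Finding:
    """Combine both checks for one observed endpoint."""
    c = check_cipher(sample["version"], sample["suite"])
    h = check_hsts(sample["headers"])
    return Finding(c.ok and h.ok, c.reasons + h.reasons)


def probe(host: str, port: int = 443) -> dict:
    """Capture version/suite from a live handshake (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"version": tls.version(), "suite": tls.cipher()[0]}


# Constructed samples: one endpoint that meets the stated bar, one that does not.
GOOD = {"version": "TLSv1.2", "suite": "ECDHE-RSA-AES256-GCM-SHA384",
        "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}}
BAD = {"version": "TLSv1.2", "suite": "AES256-SHA",
       "headers": {"Content-Type": "application/json"}}

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        result = evaluate(sample)
        print(name, "PASS" if result.ok else "FAIL", result.reasons)
```

The point the check makes is that “TLS 1.2” on its own says nothing about forward secrecy or HSTS: a TLS 1.2 connection negotiating AES256-SHA passes the version test but uses static RSA key exchange and a CBC suite, and an HSTS header has to be sent by the server separately. Pair `probe()` with the response headers from an HTTPS request to run the same checks against a real endpoint.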
TL;DR:
- We do regional hosting in AU, EU, and US
- Data is encrypted in transit (TLS 1.2) and at rest (AES-256)
- We only share data with the vendors listed in our subprocessor list
Data access
Access to customer data is limited to authorized employees who require it for their job. It’s granted only when needed, with expiry where possible. When expiry isn’t available, tool owners review and baseline access quarterly.
We use an Identity Provider to provision and restrict access to all key corporate and production applications. Our Zero Trust architecture requires biometric authentication on company-managed devices, so access to all cloud services is tied to both a verified identity and a managed device.
Employee security
We enable and empower our employees to make secure decisions with our product and customer data every day through a combination of training and compliance-related governance.
Training
All employees complete Security and Privacy Awareness training annually, and we employ quick, engaging Slack training courses throughout the year to keep people’s security knowledge front of mind. We supplement company-wide training with role-specific training for high risk groups like Customer Support and Engineering.
We conduct phishing tests for all employees on a rolling basis and are happy to report a >96% pass rate for our whole organization, with supplementary training where needed.
Control access to your workspace
We’ve talked about how we access your data, but what about your team? Intercom offers enterprise application features that give you granular control over who (among your teammates and users) can access data and who can delete it.
You can control access to your workspace with SAML SSO and two-factor authentication. Once teammates are inside your workspace, use granular permission levels and roles to specify who can access certain data or take destructive actions, at scale. If you need to audit what teammates do inside the workspace, Teammate Activity Logs identify who is behind critical changes such as data deletions or exports.
Identity verification
Intercom also offers additional security for the Intercom Messenger to prevent users from impersonating each other or accessing each other’s conversations. Enabling Identity Verification ensures that the users you talk to are who they say they are. We strongly recommend it for every Intercom installation.
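The post does not describe how Identity Verification works, so the following is an added illustration rather than Intercom’s code. Messenger verification of this kind rests on your server computing an HMAC over the user’s identifier under a secret shared only between you and the vendor; the browser receives the identifier and the tag but never the secret, so a user who edits the identifier in their client cannot produce a valid tag for anyone else. Intercom’s documented scheme is an HMAC-SHA256 of the user id (or email), hex-encoded, sent as the `user_hash` setting. The secret, user ids and the `authenticate()` model of the vendor’s decision below are constructed for the example.

```python
"""Messenger identity verification, server side (added example, not Intercom code).

The tag for a user is an HMAC over the user's identifier under a secret that
only your server and the vendor know. The browser gets the identifier and the
tag but not the secret, so editing the identifier client-side cannot yield a
valid tag for another user. The secret and ids below are constructed.
"""
import hashlib
import hmac


def compute_user_hash(secret: str, identifier: str) -> str:
    """HMAC-SHA256 over the identifier. Server only: never ship the secret to the browser."""
    return hmac.new(secret.encode("utf-8"), identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_user_hash(secret: str, identifier: str, presented: str) -> bool:
    """Vendor-side check on every request; compare_digest avoids timing leaks."""
    expected = compute_user_hash(secret, identifier)
    return hmac.compare_digest(expected, presented)


def messenger_settings(secret: str, user_id: str) -> dict:
    """What your server renders into the page for the widget to load."""
    return {"user_id": user_id, "user_hash": compute_user_hash(secret, user_id)}


def authenticate(secret: str, settings: dict, verification_enabled: bool) -> bool:
    """Model of the vendor's decision (constructed). With verification off, the id alone is trusted."""
    if not verification_enabled:
        return "user_id" in settings
    return "user_hash" in settings and verify_user_hash(secret, settings["user_id"], settings["user_hash"])


# Constructed demo: Alice's page, then the same page with user_id edited to Bob's.
SECRET = "constructed-workspace-secret-do-not-reuse"
alice = messenger_settings(SECRET, "user_001")
tampered = {**alice, "user_id": "user_002"}  # what an attacker changes in their browser

if __name__ == "__main__":
    print("verification off, tampered accepted:", authenticate(SECRET, tampered, False))      # True
    print("verification on, alice accepted:", authenticate(SECRET, alice, True))              # True
    print("verification on, tampered rejected:", not authenticate(SECRET, tampered, True))    # True
```

Two caveats follow from the construction. The hash must be computed on your server: if it is computed in page JavaScript, the secret is in the page and any user can mint a tag for any id. And the secret is a credential like any other, to be stored alongside your other secrets and rotated if it is ever exposed.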
TL;DR:
- We employ least privilege for all Intercom employees on all systems, with quarterly access reviews and baselining for all tools processing your data
- We have role-specific training and phishing tests to prepare our staff
- Enterprise-level app features give you the same level of control over the data in your workspace
Data expiry and deletion
We made significant efforts to align with the GDPR before it took effect in 2018, focusing on rigorous data mapping, training, updates to documentation, and data retention reviews for every piece of data we store and process. We foster a culture in which every employee understands the importance of a data asset – and its classification – so that we build a secure data ecosystem for you. We also have an appointed Data Protection Officer inside our Legal team to guide our data protection efforts.
We don’t keep data we don’t need. We expire inactive workspaces after 13 months and website visitor data after nine months.
If one of your users exercises their GDPR right to erasure and you delete that user in Intercom, we begin processing the deletion immediately and automatically. The same applies if you choose to delete your Intercom workspace and all associated data.
TL;DR:
- We comply and help you comply with the EU’s GDPR
- We map all our data flows
- Workspaces are deleted immediately on request or after 13 months of inactivity
- Visitor data expires after 9 months
Compliance: Don’t just take our word for it
Compliance is a major focus for us at Intercom, and we dedicate an entire team within our wider Information Security team (not to mention our Legal team) to ensuring that we adhere to the global standards that protect customer data.
To that end, we pursue the highest standards of industry-recognized accreditation so that all our customers, big and small, can have trust in our policies and procedures. All of our security compliance reports and certifications are available on request.
SOC 2
Intercom undergoes yearly audits and maintains SOC 2 Type 2 compliance for the Security and Availability trust services criteria. A SOC 2 Type 2 report is an independent auditor’s attestation, under the American Institute of Certified Public Accountants (“AICPA”) SOC 2 standard, that the controls behind those criteria were suitably designed and operated effectively throughout the audit period, which gives you assurance that your data is managed in a controlled and audited environment.
HIPAA
Intercom has maintained a HIPAA attestation report since 2021, covering the handling and safeguarding of protected health information (PHI) and electronic protected health information (ePHI). We are committed to repeating this HIPAA attestation examination annually, to ensure ongoing compliance and to continue to demonstrate the importance we place on protecting our end users’ protected health information.
ISO/IEC 27001 & ISO/IEC 27018
Intercom holds ISO/IEC 27001 and ISO/IEC 27018 certifications in line with the ISO/IEC 27002 implementation guidance. Intercom undergoes certification and surveillance audits each year to maintain these certifications.
ISO/IEC 27001 relates to Intercom’s Information Security Management System (ISMS), which is a framework of security policies, procedures and controls in place to manage and protect Intercom’s critical data. ISO/IEC 27018 relates to the code of practice for protection of personally identifiable information (PII) in public clouds.
These standards establish commonly accepted control objectives, controls, and guidelines for implementing measures to protect Intercom’s most critical data, including PII.
GDPR compliance
Our teams ensured we complied with the GDPR from the moment it came into effect, and we continue to dedicate significant time and effort to GDPR compliance. Here’s what we’ve done:
- Built new features to enable our customers to easily meet their GDPR obligations
- Updated Data Processing Agreements
- Ensured we were certified for International Data Transfers
- Appointed a Data Protection Officer
- Coordinated with vendors around GDPR compliance
- Reinforced and added to security measures regularly
But we haven’t stopped there – we’re always looking for ways to improve. We’re vigilant and continuously scan for vulnerabilities, misconfigurations, and threats which may put your data in jeopardy.
The Intercom application and infrastructure are examined in detail by security researchers on a rolling basis. We supplement our static and dynamic application security testing with twice-yearly penetration tests and a public bug bounty program. Our pentest reports are available on request to existing and prospective customers.
We are constantly looking for ways to raise our data privacy and compliance standards and strengthen our data protection policies. Our commitment to our customers’ data, and to their customers’ data, is why companies of all sizes put their trust in us.
Something we’re missing? Let us know what you’d like to see by emailing compliance@intercom.com.