
How Intercom complies with GDPR

A guide to our GDPR compliance.

Written by Thibault Candebat
Updated this week

At Intercom, we work hard to comply with the EU General Data Protection Regulation (GDPR), to ensure that we fulfil its obligations and maintain transparency about customer messaging and how we use data.

Here’s an overview of GDPR, and how we achieve compliance at Intercom:

What’s GDPR?

The GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It replaced existing EU law to strengthen the protection of “personal data” and the rights of the individual. It's a single set of rules that governs the processing and monitoring of EU data.

Does it affect me?

Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.

How Intercom complies with GDPR

Intercom helps you meet your data portability requirements: you can easily export all of the data linked to an individual, and permanently delete all data linked to an individual user.

We will automatically expire data on visitors that have not been seen in 9 months, to ensure we comply with GDPR retention requirements.

GDPR - US Surveillance Protection

Intercom carefully considers all third party requests for data, including requests from law enforcement and national security agencies.

As a policy, we do not provide third parties with information that does not belong to them and we only respond to requests where we are legally required to do so. This means that Intercom will only provide data in response to a court order, subpoena, warrant or other valid legal request that compels us to provide data from a customer account.

Where we are legally permitted to do so, we will always notify you of the requests we receive and work with you should you wish to challenge a request or limit disclosure.

Our Data Processing Addendum (DPA)

The DPA (incorporating the new SCCs issued by the European Commission on June 4, 2021) is incorporated into the Terms of Service under which your Intercom services are governed, and no separate signature is needed.

Strong data protection commitments are a key part of GDPR’s requirements. Our data processing agreement sets out our privacy commitments and the terms under which Intercom and our customers meet GDPR requirements. This is available for customers to sign upon request.

We cannot accept any alterations to our DPA, as we are not at the scale where we can enter into bespoke DPAs with customers. If you have specific questions on the DPA, please reach out to us via Messenger.

Bespoke DPAs with customers

Intercom's policy is that we only contract on the basis of our GDPR DPA.

This established approach is based on sound legal and operational reasons and reflects common practice for SaaS suppliers.

From a legal perspective, the EU GDPR requires a processor like Intercom to flow down to its sub-processors certain data protection obligations contained in its customer contracts. We have prepared our DPA for GDPR compliance and, as such, to contain obligations which can be flowed down to our sub-processors. Quite simply, we would not be able to meet the GDPR's flow down requirement if we enter into bespoke DPAs with customers. This is particularly the case in relation to large scale sub-processors, such as Amazon Web Services, where there is little to no flexibility to negotiate their standard terms.

From an operational perspective, Intercom has tens of thousands of customers, and is a rapidly expanding business. We simply don't have the bandwidth or operational flexibility to enter into different DPAs with different terms for each and every customer. This would create overly burdensome commitments for Intercom and is not scalable. By using the Intercom GDPR DPA, we can better manage our data protection obligations and thereby focus our activities on processing personal data in a compliant manner and providing customers with a streamlined service.

We are certified for International Data Transfers

To comply with the GDPR’s requirements for international data transfers, Intercom participates in the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. For more information, please see our Privacy Policy.

Our Data Protection Officer

We have a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch through the Messenger or by emailing dataprotection@intercom.io.

Coordination with our Vendors

Where appropriate, we require all of our third-party vendors to enter into data processing agreements that ensure customer data will remain protected in accordance with the GDPR and our obligations to you.

Encryption

All data sent to or from Intercom is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
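A small checker for the transport properties this section lists (TLS-only endpoints, HSTS, forward-secret cipher suites), written as an added example and not Intercom's own tooling; it audits a constructed connection profile (protocol, cipher suite, response headers) instead of probing a live host, and the one-year HSTS threshold is an assumption.

```python
"""Audits a captured connection profile for the properties listed above (TLS 1.2+
only, HSTS, forward-secret cipher suites). Added illustration, not Intercom code;
inputs are constructed dicts, so nothing touches the network."""

# OpenSSL-style cipher prefixes whose key exchange is ephemeral (forward secret).
FORWARD_SECRET_KX = ("ECDHE-", "DHE-")
# TLS 1.3 suite names omit the key exchange; every TLS 1.3 handshake is ephemeral.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year in seconds


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            out["max_age"] = int(value)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def has_forward_secrecy(protocol: str, cipher: str) -> bool:
    if protocol == "TLSv1.3":
        return cipher in TLS13_SUITES
    return cipher.startswith(FORWARD_SECRET_KX)


def audit_profile(profile: dict) -> list:
    """Return findings; an empty list means every stated property holds."""
    findings = []
    proto, cipher = profile.get("protocol", ""), profile.get("cipher", "")
    if proto not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"weak or missing TLS version: {proto!r}")
    if not has_forward_secrecy(proto, cipher):
        findings.append(f"cipher without forward secrecy: {cipher!r}")
    hsts = profile.get("headers", {}).get("strict-transport-security")
    max_age = parse_hsts(hsts)["max_age"] if hsts else None
    if max_age is None or max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS missing or max-age too short: {hsts!r}")
    return findings


# Constructed sample profiles (not real captures).
GOOD = {"protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "headers":
        {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}}
WEAK = {"protocol": "TLSv1.0", "cipher": "AES256-SHA", "headers": {}}
```

Feed it the protocol and cipher reported by your TLS client and the response headers from an HTTPS request; a non-empty findings list points at the property that would cost the grade.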

Our security measures

Security is a priority for us. We have regular external audits, pentests and bug bounties. We’ve built a robust security framework, achieving international compliance standards (SOC 2, ISO 27001, ISO 27701, ISO 27018, HIPAA and HDS), and reviewed our internal access design to ensure the right people have access to the right level of customer data. More details are available on our Security page.

We continue to help our customers and prospective customers be compliant. Some steps you can take are:

  • Get familiar with the GDPR requirements and how they affect your company.

  • Map out everywhere you process data and carry out a gap analysis.

  • See how you can leverage Intercom to help with your GDPR compliance. Our audit reports, pen tests and security docs are available to customers on request.

  • Look at your product roadmap, and think about privacy when you’re planning.

  • Chat to your lawyer about what your company needs to do.

  • Keep an eye on the developing guidelines from the European Data Protection Board.

We will also continue to monitor new and emerging guidance to determine whether we need to make any additional changes to our data practices as a result of the CJEU's ruling.
