Data and actions FAQs

Learn about accessing and using actions securely with Fin.

Written by Beth-Ann Sher
Updated over a week ago

Access and availability

Does my plan include data and actions for Fin?

Data and actions can be used by Fin on all pricing plans and you’ll be charged per resolution.

Can Fin use data and actions on regionally hosted workspaces?

Fin data and actions is available on all US and EU hosted workspaces. Availability on AU hosted workspaces is coming soon.


Data privacy and security

How is sensitive data handled in conversations with Fin?

Intercom offers a PAN redaction feature which scans conversation content for numbers that look like credit card numbers and that pass a Luhn check. If a matching number is found, it will be masked up to the last 4 digits of the number, and customers will see a redacted version in web Messenger and both iOS and Android SDKs. The number will also appear redacted in the conversation on the Help Desk.

For additional control, you can install the Strac app to detect and redact sensitive data from Intercom messages and attachments. This allows you to configure a list of sensitive data elements (SSN, DoB, Drivers License, Passport, Credit Card, Debit Card, API Keys, etc.) to redact.

How do I prevent bad actors from impersonating my users?

Before setting an action live for your logged-in users, you are required to set up Identity Verification. Actions are only exposed to users whose identity has been verified.

With Identity Verification, you generate a unique user hash for each of your users based on their email address or user_id and your workspace’s identity verification secret (available from your Intercom security settings). Your integration generates and sends these hashes along with every Messenger request, which prevents bad actors from impersonating your users and stops Fin from delivering a personalized answer using someone else's data.

How do I ensure Fin doesn't share personal data with someone who isn't the user?

There are two potential ways that this could happen. See the table for the recommended settings to best mitigate this risk:

| Use Case | Risk | Best practice to mitigate |
| --- | --- | --- |
| Fin retrieves personalized data for a customer based off a user ID stored in an Intercom CDA. | A bad actor could manipulate the CDA value in order to get Fin to retrieve data from another account. | We recommend that you prevent the ability for users to make updates to these attributes via the Messenger. This helps to ensure that bad actors cannot access data not belonging to them. To set this up, navigate to Settings > Data > People, select the relevant attribute and toggle on "Prevent updates via the Messenger". |
| Fin retrieves personalized data for a customer based off a data value collected by Fin. | A bad actor could provide a value to Fin for an account that they should not have access to. | We recommend that you perform checks on the API server side to ensure that the user has access control for the data requested. |
| Fin retrieves personalized data for a customer based off a data value collected by Fin. | Fin hallucinates a value for another customer, retrieving the wrong data. | The risk of this hallucination, while not zero, is low. However we do recommend that you perform checks on the API server side to ensure that the user has access control for the data requested. |

How do I ensure that Fin doesn't accidentally share information from another user?

Fin will only be able to read data you’ve given access to in the Preview tab. Fin will use this data to generate responses based on a user’s question. If there’s sensitive internal data you do not want Fin to access, select Restricted data access and only give access to fields you want Fin to use to generate responses.

Additionally, you can transform the response data with customer-facing names and values. For example, instead of the application status “Pending four eyes check”, you can transform the value to language you would use with your customer, such as “Pending review”.


Fin’s behavior using data and actions

When does Fin use an action instead of other available content?

Fin AI Agent doesn't distinguish between using content vs actions. It looks for the most relevant answer to resolve the conversation and sends this to the customer.

