Skip to content

Security

Customer trust and data security are critical to everything we do at Intercom.
  • SOC 2

    Service Organization Controls (Soc2) (Type II) Trust Services Principles

  • CSA

    Cloud Security Alliance

  • HIPAA

    Health Insurance Portability and Accountability Act

  • ISO 27001

    ISO 27001:2022 Certification

  • ISO 27018

    ISO 27018:2019 Certification

  • ISO 27701

    ISO 27701:2019 Certification

  • HDS

    HDS (Hébergeur de Données de Santé) Certification

  • Compliance

    SOC2 - Service Organization Controls (Soc2) (Type II) Trust Services Principles

    SOC2 compliance ensures that Intercom has controls in place to process and manage customer’s data. Compliance shows the excellence of controls in the realms of security, availability, and confidentiality. 

    HIPAA - Health Insurance Portability and Accountability Act

    HIPAA is a federal law that requires the creation of standards and controls to protect electronic protected health information (ePHI) from being disclosed. 

    ISO 27001 - ISO 27001:2022 Certification

    ISO/IEC 27001 is an international standard for information security management systems (ISMS). Certification shows that an organisation has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles within this International Standard. 

    ISO 27018 - ISO 27018:2019 Certification

    ISO/IEC 27018 It is an add-on to ISO 27001 and is an international standard on privacy in cloud computing services.

    ISO 27701 - ISO 27701:2019 Certification

    ISO/IEC 27701 is an international standard for privacy information management systems (PIMS). Certification shows that Intercom has put in place a system to include the privacy information management system (PIMS) requirements in the role of a personally identifiable information (PII) processor.

    Health Data Hosting

    Intercom is HDS (Hébergeur de Données de Santé) certified. Intercom customers are required to comply with applicable data protection legislation and local regulations with regards to personal health information. Customers that work with or in the French healthcare industry must comply with the PGSSI-S (global information security policy for the healthcare sector) and are required to implement a health information system in compliance with the PGSSI-S.

    CSA - Cloud Security Alliance

    CSA is a not for profit organisation which put together best practices for a company to follow to help ensure a secure cloud computing environment.


    Getting access to compliance documents.

    Within your Intercom workspace we have a security settings page (Settings > Security > Compliance documents) that allows logged-in admins to download our compliance documents without having to request them. 

    Product security

    SSO & 2FA

    SAML Single Sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials.  If you’re using password-based authentication, you can turn on 2-factor authentication (2FA). More details on our docs.

    Permissions

    We enable permission levels within the app to be set for your teammates. Permissions can be set to include app settings, billing, user data or the ability to send or edit messages.

    Password and Credential Storage

    Intercom enforces a password complexity standard and credentials are stored using a PBKDF function (bcrypt).

    Uptime

    We have uptime of 99.9% or higher. You can check our past month stats at https://www.intercomstatus.com.

    Customer Best Practices

    There are simple steps you can take to increase the security of your app. Check out the Staying Secure section on our docs site.

    Network and application security

    Regional Data Hosting and Storage

    Intercom services and data are hosted in Amazon Web Services (AWS) facilities in the USA (us-east-1), Dublin, Ireland (eu-west-1), and Sydney, Australia

    Failover and DR

    Intercom was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.

    Virtual Private Cloud

    All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.

    Back Ups and Monitoring

    On an application level, we produce audit logs for all activity, ship logs to Graylog for analysis and use S3 for archival purposes. All actions taken on production consoles or in the Intercom application are logged.

    Permissions and Authentication

    Access to customer data is limited to authorized employees who require it for their job. Intercom is served 100% over https. Intercom runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on Intercom’s network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on GitHub, Google, AWS, and Intercom to ensure access to cloud services is protected.

    Encryption

    All data sent to or from Intercom is encrypted in transit using 256 bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs‘ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.

    Pentests, Vulnerability Scanning and Bug Bounty Program

    Intercom uses third party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Once a year we engage third-party security experts to perform detailed penetration tests on the Intercom application and infrastructure. Intercom also runs a ‘bug bounty’ program with Bugcrowd, which gives security researchers a platform for testing and submitting vulnerability reports.

    Incident Response

    Intercom implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

    Additional Security features

    Training

    All employees complete Security and Awareness training annually.

    Policies

    Intercom has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

    Employee Vetting

    Intercom performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

    Confidentiality

    All employee contracts include a confidentiality agreement.

    PCI Obligations

    All payments made to Intercom go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.