Customer trust and data security are critical to everything we do at Intercom.

Compliance

SOC 2

Service Organization Controls (SOC 2) (Type II) Trust Services Principles

Privacy Shield

EU-US Privacy Shield

CSA

Cloud Security Alliance


Product security


SSO & 2FA

Single Sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials.

If you’re using password-based authentication, you can turn on 2-factor authentication (2FA). More details on our docs.


Permissions

We enable permission levels within the app to be set for your teammates.
Permissions can be set to include app settings, billing, user data or the ability to send or edit messages.


Password and Credential Storage

Intercom enforces a password complexity standard, and credentials are stored using a password-based key derivation function (bcrypt).


Uptime

We have uptime of 99.9% or higher. You can check our past month stats at https://www.intercomstatus.com.


Customer Best Practices

There are simple steps you can take to increase the security of your app. Check out the Staying Secure section on our docs site.

Network and application security


Data Hosting and Storage

Intercom services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the USA.


Failover and DR

Intercom was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.


Virtual Private Cloud

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.


Back Ups and Monitoring

Intercom uses MongoDB’s MMS backup solution for datastores that contain customer data.

On an application level, we produce audit logs for all activity, ship logs to Logentries for analysis and use S3 for archival purposes.

All actions taken on production consoles or in the Intercom application are logged.


Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job.

Intercom is served 100% over HTTPS. Intercom runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on Intercom’s network.

We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS, MongoDB and Intercom to ensure access to cloud services is protected.


Encryption

All data sent to or from Intercom is encrypted in transit using 256-bit encryption.

Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.


Pentests, Vulnerability Scanning and Bug Bounty Program

Intercom uses third party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised.

Twice yearly we engage third-party security experts to perform detailed penetration tests on the Intercom application and infrastructure.

Intercom also runs a ‘bug bounty’ program with Bugcrowd, which gives security researchers a platform for testing and submitting vulnerability reports.


Incident Response

Intercom implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post-mortem. All employees are informed of our policies.

Additional Security features


Training

All employees complete Security and Awareness training annually.


Policies

Intercom has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.


Employee Vetting

Intercom performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.


Confidentiality

All employee contracts include a confidentiality agreement.


PCI Obligations

All payments made to Intercom go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.

Security questions?

If you think you may have found a security vulnerability, please get in touch with our security team at security@intercom.com.

Learn more about Intercom by reading our Terms of Use and Privacy Policy.