Skip to content


Customer trust and data security are critical to everything we do at Intercom.
  • SOC 2

    Service Organization Controls (Soc2) (Type II) Trust Services Principles

  • Privacy Shield

    EU-US Privacy Shield

  • CSA

    Cloud Security Alliance


    Health Insurance Portability and Accountability Act

  • ISO 27001

    ISO 27001:2013 Certification

  • ISO 27018

    ISO 27018:2019 Certification

  • Product security

    SSO & 2FA

    L'authentification unique (SSO) SAM vous permet d'authentifier les utilisateurs de vos systèmes sans avoir à démultiplier les identifiants.  Si vous utilisez l'authentification par mot de passe, vous pouvez activer l'identification à deux facteurs (2FA). Notre documentation vous fournira de plus amples informations.


    We enable permission levels within the app to be set for your teammates. Permissions can be set to include app settings, billing, user data or the ability to send or edit messages.

    Password and Credential Storage

    Intercom enforces a password complexity standard and credentials are stored using a PBKDF function (bcrypt).


    We have uptime of 99.9% or higher. You can check our past month stats at

    Customer Best Practices

    There are simple steps you can take to increase the security of your app. Check out the Staying Secure section on our docs site.

    Network and application security

    Hébergement et stockage régional des données

    Les services et les données Intercom sont hébergés sur des serveurs Amazon Web Services (AWS) aux États-Unis (us-east-1), à Dublin en Irlande (eu-west-1) et à Sydney en Australie.

    Failover and DR

    Intercom was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.

    Virtual Private Cloud

    All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.

    Back Ups and Monitoring

    On an application level, we produce audit logs for all activity, ship logs to Graylog for analysis and use S3 for archival purposes. All actions taken on production consoles or in the Intercom application are logged.

    Permissions and Authentication

    L'accès aux données des clients est limité aux employés qui en ont besoin pour mener à bien leur mission. Intercom est opéré à 100 % via https. Intercom a mis en place un réseau d'entreprise zéro-confiance. Faire partie du réseau d'Intercom ne donne droit à aucune ressource professionnelle ou privilège supplémentaire. Nous proposons l'authentification unique (SSO) SAML et l'identification à deux facteurs (2FA) et imposons l'utilisation de mots de passe forts sur GitHub, Google, AWS et Intercom pour garantir un accès protégé aux services cloud.


    All data sent to or from Intercom is encrypted in transit using 256 bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs‘ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.

    Pentests, Vulnerability Scanning and Bug Bounty Program

    Intercom uses third party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Twice yearly we engage third-party security experts to perform detailed penetration tests on the Intercom application and infrastructure. Intercom also runs a ‘bug bounty’ program with Bugcrowd, which gives security researchers a platform for testing and submitting vulnerability reports.

    Incident Response

    Intercom implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

    Additional Security features


    All employees complete Security and Awareness training annually.


    Intercom has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

    Employee Vetting

    Intercom performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.


    All employee contracts include a confidentiality agreement.

    PCI Obligations

    All payments made to Intercom go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.