At Intercom, we work hard to comply for EU General Data Protection Regulation (GDPR), to ensure that we fulfil its obligations and maintain transparency about customer messaging and how we use data.
Here’s an overview of GDPR, and how we achieve compliance at Intercom:
The GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It replaced existing EU law to strengthen the protection of “personal data” and the rights of the individual. It's a single set of rules which governs the processing and monitoring of EU data.
Does it affect me?
Yes, most likely. If you hold or process the data of an any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.
How Intercom complies with GDPR
We will automatically expire data on visitors that have not been seen in 9 months, to ensure we comply with GDPR retention requirements.
GDPR - US Surveillance Protection
Intercom carefully considers all third party requests for data, including requests from law enforcement and national security agencies.
As a policy, we do not provide third parties with information that does not belong to them and we only respond to requests where we are legally required to do so. This means that Intercom will only provide data in response to a court order, subpoena, warrant or other valid legal request that compels us to provide data from a customer account.
Where we are legally permitted to do so, we will always notify you of the requests we receive and work with you should you wish to challenge a request or limit disclosure.
Our Data Processing Addendum (DPA)
The DPA (incorporating the new SCCs issued by the European Commission on June 4, 2021, is incorporated into the Terms of Service under which your Intercom services are governed and no separate signature is needed.
Strong data protection commitments are a key part of GDPR’s requirements. Our data processing agreement shares our privacy commitments and sets out the terms for Intercom and our customers to meet GDPR requirements. This is available for customers to sign upon request.
We cannot accept any alterations to our DPA, as we are not at the scale where we can enter into bespoke DPAs with customers. If you have specific questions on the DPA, please reach out to us via Messenger.
Bespoke DPAs with customers
Intercom's policy is that we only contract on the basis of our GDPR DPA.
This established approach is based on sound legal and operational reasons and reflects common practice for SaaS suppliers.
From a legal perspective, the EU GDPR requires a processor like Intercom to flow down to its sub-processors certain data protection obligations contained in its customer contracts. We have prepared our DPA for GDPR compliance and, as such, to contain obligations which can be flowed down to our sub-processors. Quite simply, we would not be able to meet the GDPR's flow down requirement if we enter into bespoke DPAs with customers. This is particularly the case in relation to large scale sub-processors, such as Amazon Web Services, where there is little to no flexibility to negotiate their standard terms.
From an operational perspective, Intercom has tens of thousands of customers, and is a rapidly expanding business. We simply don't have the bandwidth or operational flexibility to enter into different DPAs with different terms for each and every customer. This would create overly burdensome commitments for Intercom and is not scalable. By using the Intercom GDPR DPA, we can better manage our data protection obligations and thereby focus our activities on processing personal data in a compliant manner and providing customers with a streamlined service.
We are certified for International Data Transfers:
The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data.
Although the CJEU has invalidated the EU-US Privacy Shield Framework, it also confirmed that SCCs remain a valid transfer mechanism under the GDPR. However, the validity of SCCs will differ depending on your own business model so you must rely on the advice of your own counsel to determine if SCCs will be a valid transfer mechanism for your use of Intercom as we are not able to speak to the applicability of the SCCs to meet the specific data transfer needs of your business.
You will need to review your compliance in line with our updated DPA which can be reviewed and executed at this link.
EU Privacy Shield Ruling Update
The CJEU's ruling does not affect the strong protections we have put in place to protect and secure the data that we process on your behalf. However, we are taking additional steps to ensure that you can continue to use our services in compliance with the GDPR.
Before the CJEU's ruling, Intercom relied on Privacy Shield to receive and process customer data from the European Economic Area, Switzerland and United Kingdom. From now on, Intercom will be making use of Standard Contractual Clauses (SCCs) to ensure we can continue to receive and process customer data from Europe in compliance with the GDPR.
We have updated our standard customer data processing addendum (DPA) so that the SCCs will be incorporated automatically in all future agreements. You can sign and execute the updated DPA at this link.
Besides the SCCs, Intercom has implemented a number of other measures to ensure that customer data remains protected in accordance with the GDPR, even when it is transferred and processed in the United States.
Our Data Protection Officer
Coordination with our Vendors
Where appropriate, we require all of our third-party vendors to enter into data processing agreements that ensure customer data will remain protected in accordance with the GDPR and our obligations to you.
All data sent to or from Intercom is encrypted in transit using 256 bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs‘ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
Our security measures
Security is a priority for us. We have regular external audits, pentests and bug bounties. We’ve built a robust security framework, achieving International Compliance standards (SOC2, CSA, HIPAA and Privacy Shield) and reviewed our internal access design to ensure the right people have access to the right level of customer data. More details are available on our Security page.
We continue to help our customers and prospective customers be compliant. Some steps you can take are:
Get familiar with the GDPR requirements and how they affect your company.
Map out everywhere you process data and carry out a gap analysis.
See how you can leverage Intercom to help with your GDPR compliance. Our audit reports, pen tests and security docs are available to customers on request.
Look at your product roadmap, think about privacy when you’re planning.
Chat to your lawyer about what your company needs to do to.
Keep an eye on the developing guidelines from the European Data Protection Board.
We will also continue to monitor new and emerging guidance to determine whether we need to make any additional changes to our data practices as a result of the CJEU's ruling.
Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts