Our team has relevant experience
Our team includes people who've played lead roles in designing, building and operating highly secure Internet facing systems, such as payment processing platforms, cloud services and content distribution networks in companies such as Amazon and Facebook. We also have people who've successfully built a number of startups from scratch, and others who have worked in well established smaller Internet businesses.
We host in world class facilities
The vast majority of our services and data are hosted in Amazon Web Services facilities in the USA, and we are in the process of consolidating all services and data there. Further details about the considerable measures Amazon take in securing their facilities and services can be found here: https://aws.amazon.com/compliance/
We follow best practices
At Intercom we follow a number of best practices that improve our security posture. Here are a few examples:
We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes. We typically deploy dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.
All data sent to Intercom is encrypted in transit. Our API and application endpoints are TLS/SSL only and score an "A+" rating on SSL Labs' tests - meaning that we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest.
We regularly engage with well-regarded third-party auditors to audit our code-base and infrastructure, and work with them to resolve potential issues.
We use technologies such as Graylog, AWS Cloudtrail and StreamAlert to provide an audit trail over our infrastructure and the Intercom application. Auditing allows to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.
We use two-factor authentication whenever possible. We ask vendors to enforce two factor authentication in all our accounts. We discourage use of shared accounts on any system - when we have no choice we use 1Password to securely share logins. We review which accounts can access our systems and the permissions they have regularly.
We don't trust our corporate network - it has no backdoors into our production systems.
We have a documented incident response plan and educate all staff on security procedures and policies.
We enable security features
We have lots of features that allow our customers to use Intercom with enhanced security. These include:
Enabling identity verification to restrict who can see messages.
Use of two-factor authentication to log in to Intercom.
Use of the Intercom shutdown method to end a session.
We do not store payment details
Intercom is not in the business of storing or processing payments. All payments made to Intercom goes through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe's security page.
Have more security questions?
Check out this article which will answer many of your security questions.