Intercom

AI Review

AI-powered customer service platform with ISO 27001, ISO 42001, SOC 2 Type II, HIPAA, and HDS certifications. Fin AI Agent processes conversations through five third-party LLM providers (OpenAI, Anthropic, Microsoft Azure OpenAI, Google, ElevenLabs) creating data privacy considerations. Features annual penetration testing, bug bounty program, and regional data hosting across US, EU, and Australia infrastructure.

Key Signals

Data Training Privacy Risks

AI Model Hallucination Risks

ISO/IEC 42001:2023

ISO 27001:2022

SOC 2 Type II Report

2 months ago

Trust Signals (24)

Certifications

ResourceOrganizational Security

ISO 27001:2022

Third-party audited certification validating comprehensive information security management system implementation with annual surveillance audits and 3-year recertification, covering 114 security controls across organizational security, human resources, operations, and access management domains.

Information security management system (ISMS) certified to ISO 27001:2022 standard with annual external audits. Certification demonstrates systematic approach to managing sensitive data and security risks across the organization.

View Details

Certifications

ResourceOrganizational Security

ISO/IEC 27018:2019

Third-party audited certification validating personal data protection in cloud services with annual surveillance audits covering privacy controls and data protection measures for cloud service providers.

ISO 27018:2019 certification for protection of personally identifiable information (PII) in public cloud computing environments, ensuring enhanced privacy controls for customer data.

View Details

Jan 1, 2025

Certifications

ResourceOrganizational Security

ISO/IEC 27701:2019

Third-party audited certification validating privacy information management systems with annual surveillance audits covering privacy controls and data protection requirements for organizations processing personal data.

Privacy information management system (PIMS) certified to ISO 27701:2019 as a PII processor, demonstrating comprehensive privacy controls and data protection practices.

View Details

Jan 1, 2025

Certifications

ResourceOrganizational Security

ISO/IEC 42001:2023

Third-party audited international standard for AI management systems requiring comprehensive governance, risk management, and ethical AI practices with annual surveillance audits and 3-year recertification for AI system reliability.

Certified to ISO/IEC 42001:2023 for AI management systems, demonstrating responsible development and deployment of AI features including Fin AI Chatbot and Copilot with appropriate governance controls.

View Details

Jan 1, 2025

Certifications

ResourceOrganizational Security

SOC 2 Type II Report

A comprehensive audit report that verifies a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy over a period of time (typically 6-12 months)

Annual SOC 2 Type II audit attestation covering security, availability, and confidentiality controls. Reports demonstrate effective operational controls over extended testing period and are available upon request.

View Details

Jan 1, 2025

Policies

ResourceOrganizational Security

Antivirus Policy

Organizational policy establishing requirements for antivirus software deployment, configuration, and management across all systems and endpoints to protect against malware, viruses, and other malicious software threats.

Automated anti-virus and malware scanning for all file uploads up to 100MB, including archives and compressed files. High-risk executable files automatically blocked across all workspaces for security.

View Details

Jan 1, 2024

Policies

ResourceOrganizational Security

Business Continuity Policy

Comprehensive governance framework ensuring continuous business operations through documented recovery procedures, backup strategies, alternative site provisions, and tested incident response protocols for maintaining service availability.

Infrastructure distributed across 3 AWS availability zones ensuring continued operation if any single data center fails. Strives for 99.9% monthly uptime with public status page for incident transparency.

View Details

Jan 1, 2024

Policies

ResourceOrganizational Security

Disaster Recovery Policy and Plan

Comprehensive recovery framework detailing IT system restoration procedures, recovery time objectives, backup strategies, testing protocols, and incident response measures for maintaining business operations during disruptive events.

Disaster recovery architecture built into infrastructure design with multi-zone redundancy. Auto-scaling capabilities maintain high availability and support demand during failure scenarios.

View Details

Jan 1, 2024

Policies

ResourceOrganizational Security

Incident Response Policy

Executive-approved security framework establishing incident detection, analysis, containment, eradication, and recovery procedures with defined roles, communication protocols, and post-incident review processes for effective security incident management.

Formal incident response plan with escalation procedures, rapid mitigation protocols, and post-mortem analysis. 24/7 security team coverage with on-call engineering support for immediate response to security events.

View Details

Jan 1, 2024

Policies

ResourceOrganizational Security

Privacy Policy

Comprehensive privacy policy outlining data collection, processing, storage, and sharing practices, user rights, and privacy safeguards to ensure transparent and compliant data handling practices.

Comprehensive privacy policy detailing data collection, processing, retention, and deletion practices. Complies with GDPR, CCPA, and EU-U.S./UK/Swiss-U.S. Data Privacy Framework requirements.

View Details

Jan 1, 2024

Policies

ResourceOrganizational Security

Responsible Disclosure Policy

Security vulnerability disclosure framework establishing clear guidelines for security researchers to report vulnerabilities with defined scope, submission process, and response timelines for coordinated vulnerability management.

Public bug bounty program via Bugcrowd platform with defined vulnerability disclosure process. Security team contactable at security@intercom.io for security concerns and findings.

View Details

Jan 1, 2024

Questionnaires

ResourceOrganizational Security

CSA CAIQ

Industry-standard questionnaire enabling cloud service providers to document security controls and practices, allowing customers to assess cloud security posture, compliance with industry standards, and third-party risk management capabilities through standardized evaluation criteria.

Completed Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQv4.0.2), demonstrating alignment with cloud security best practices and transparency in security controls.

View Details

Jan 1, 2025

3rd Party Assessments

ResourceOrganizational Security

Bug Bounty Program

Security vulnerability disclosure program inviting security researchers to report vulnerabilities with monetary rewards based on severity and impact, enabling proactive security testing and vulnerability management.

Active bug bounty program via Bugcrowd platform enabling security researchers to continuously test for vulnerabilities. Dedicated security teams respond to reported issues with defined disclosure process.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

Cybersecurity Insurance

Financial protection mechanism providing coverage for business disruptions and financial losses resulting from cybersecurity incidents, data breaches, and other cyber-related events to ensure business continuity and risk mitigation.

Maintains cyber insurance coverage with certificate available through Trust Center, providing financial protection and demonstrating risk management practices for potential cyber incidents.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

Data Encryption (AES-256)

Advanced encryption standard implementing 256-bit key length for data at rest protection, providing military-grade security for sensitive data storage and ensuring confidentiality of customer information.

Data at rest encrypted using industry-standard AES-256 encryption algorithm across all storage systems, providing strong cryptographic protection for customer data in AWS infrastructure.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

Data Processing Agreement

Legal agreement establishing data processing terms, responsibilities, and safeguards between data controller and processor, ensuring compliance with data protection regulations and defining data handling requirements.

Comprehensive Data Processing Addendum (DPA) available outlining data protection measures, security assessments, encryption standards, and GDPR compliance including Standard Contractual Clauses for international transfers.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

Data Protection Officer

Designated data protection officer (DPO) responsible for overseeing data protection compliance, providing privacy guidance, and serving as a point of contact for data protection matters and regulatory inquiries.

Designated Data Protection Officer (DPO) available for privacy-related inquiries and data subject requests, ensuring GDPR compliance and accountability for data protection practices.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

Data Residency Options

Regional data storage options enabling customers to host content in specific geographic regions to meet data sovereignty requirements and compliance with local regulations.

Regional data hosting available in three locations: USA (us-east-1), Dublin, Ireland (eu-west-1), and Sydney, Australia. Customers can select hosting region to meet data sovereignty and regulatory requirements.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

HIPAA Business Associate Agreement (BAA) Support

Health Insurance Portability and Accountability Act compliance with Business Associate Agreement support for handling Protected Health Information (PHI) and electronic PHI (ePHI), implementing technical and organizational safeguards, breach notification procedures, and regulatory compliance for healthcare data.

HIPAA compliance with Business Associate Agreement (BAA) available for healthcare customers handling electronic protected health information (ePHI). Maintains controls to protect sensitive healthcare data. Also holds French HDS (Hébergeur de Données de Santé) certification v1.1 for health data hosting, with v2 update expected March 2026 (renewal date: May 16, 2026).

View Details

Mar 28, 2025

3rd Party Assessments

ResourceOrganizational Security

Security Awareness Training

Mandatory employee education program covering cybersecurity best practices, threat recognition, and incident reporting, required within 30 days of hire and annually thereafter to maintain security-conscious workforce.

Mandatory annual security awareness training for all employees with additional role-specific training for higher-risk positions, ensuring workforce understands security policies and threat landscape.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

Status Monitoring

Comprehensive system status monitoring and reporting infrastructure providing real-time visibility into service availability, performance metrics, and operational health with public status pages and incident communication.

Public status page providing real-time visibility into service availability and operational incidents. Target of 99.9% uptime on monthly basis with transparent incident reporting and historical uptime data.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

TLS Encryption in Transit

Transport Layer Security protocol implementing TLS 1.2 or higher for data in transit protection, ensuring secure communication channels and preventing unauthorized interception of customer data during transmission.

100% HTTPS enforcement with TLS/SSL encryption for all data in transit using 256-bit encryption. Achieves "A+" rating on Qualys SSL Labs tests with HSTS and Perfect Forward Secrecy enabled.

View Details

Jan 1, 2024

3rd Party Assessments

ResourceOrganizational Security

Vulnerability Management

Formal vulnerability management process including regular vulnerability assessments, patch management with documented SLAs, vulnerability prioritization and remediation based on severity levels, and continuous monitoring of security vulnerabilities.

Regular vulnerability assessments conducted with reports from 2023 and 2024 available through Trust Center. Periodic application vulnerability scans with risk-based remediation prioritization.

View Details

Jan 1, 2024

Penetration Tests

ResourceOrganizational Security

Third-Party Penetration Testing

Regular independent security assessments conducted by third-party experts to identify vulnerabilities and security weaknesses before exploitation, ensuring ongoing security validation.

Annual third-party penetration testing of application and infrastructure by external security experts. Test summaries from 2023 and 2024 available through Trust Center demonstrating proactive vulnerability identification.

View Details

Jan 1, 2024

Risk Signals (2)

Risk Signal

ResourceOrganizational Security

Data Training Privacy Risks

Risk of sensitive data being inadvertently included in model training datasets or exposed through model outputs, potentially violating privacy regulations and data protection requirements.

Fin AI processes customer service conversations through five third-party LLM providers: OpenAI, Anthropic, Microsoft Azure OpenAI, Google, and ElevenLabs. Customer and end-user data flows to these external AI services for processing. While Intercom's AI Products guide addresses data handling, customers should verify whether conversation data is excluded from LLM provider training datasets and review data processing agreements for each region's AI provider. ISO 42001 certification demonstrates AI governance, but inherent privacy risks exist when sensitive customer conversations transit multiple third-party AI platforms.

View Details

Jan 1, 2024

Risk Signal

ResourceOrganizational Security

AI Model Hallucination Risks

Risk of AI models generating false or misleading information that could lead to incorrect decisions, data integrity issues, or compliance violations in business-critical applications.

Fin AI Agent provides automated customer support responses using large language models, creating risk of AI-generated hallucinations where the system may provide confident but incorrect information to end-users. In customer service context, hallucinated responses could misguide customers, provide wrong product information, or create liability issues. While Intercom implements testing protocols per Fin AI Security documentation, LLM hallucinations remain an inherent limitation of current AI technology. Organizations should implement human review workflows for sensitive inquiries and monitor AI response accuracy.

View Details

Subprocessors & AI Models (12)

Infrastructure

United States

Amazon Web Services (AWS)

Primary cloud infrastructure provider hosting all application services, databases, and data storage. Critical infrastructure supporting 99.99% uptime requirements with global data residency controls.

Primary cloud infrastructure provider hosting Intercom services across multiple AWS regions (us-east-1, eu-west-1, Sydney). Provides compute, storage, and data processing infrastructure with multi-availability zone redundancy.

Security Documentation Intercom Subprocessor List Intercom Security Policy

N/A

Other

United States

OpenAI

AI language model services for content generation, analysis, and processing. Powers automated content creation, customer support responses, and data analysis features across the platform.

Provides large language model (LLM) processing via APIs for customers using Intercom's AI Products (Fin AI Chatbot, Fin AI Copilot). Processes customer and end-user data for AI-powered support features.

Security Documentation Intercom AI Products Guide

Other

United States

Anthropic

AI language model services for content generation and analysis. Powers automated content creation, customer support responses, and data analysis features with focus on AI safety and reliability.

Provides large language model processing via APIs for customers using Intercom's AI Products in USA region. Alternative LLM provider for Fin AI features with focus on AI safety.

Other

Vendor Region: European Union

Microsoft Openai

Provides EU-hosted AI Products utilizing Azure OpenAI Service for customers requiring EU data residency. Enables LLM processing within European Union infrastructure for compliance requirements.

Intercom AI Products Guide

N/A

Infrastructure

United States

Google Cloud Platform (GCP)

Cloud infrastructure provider hosting applications, databases, and data storage. Critical infrastructure supporting compute, storage, and AI/ML services with global data residency controls.

Provides AI processing capabilities. For customers in Intercom USA or Australian region, processing occurs in USA. For EU region customers, processing occurs in EU to meet data residency requirements.

Compliance & Security Intercom Subprocessor Information

Other

United States

ElevenLabs

AI-powered text-to-speech platform converting text into natural-sounding voice audio for accessibility features and voice-enabled applications.

Provides AI text-to-speech processing for Fin Voice AI Agent feature, enabling voice-based customer interactions powered by natural-sounding AI-generated speech.

Security Documentation Intercom AI Products Guide

N/A

Other

United States

Mailgun

Email delivery service for transactional email infrastructure. Provides email API services with sending, receiving, tracking, and analytics capabilities for application emails and notifications.

Email delivery services for individual emails and bulk email campaigns initiated from Intercom's platform. Handles transactional and marketing email infrastructure.

Security & Compliance Privacy Policy

Other

United States

SparkPost

Email delivery platform (owned by MessageBird) providing transactional and marketing email infrastructure. Processes email content, recipient data, and delivery analytics for high-volume email sending.

Email delivery services for individual emails and bulk campaigns with real-time monitoring of ISP responses, bounce rates, and spam trap detection. Provides email infrastructure redundancy.

Other

United States

Snowflake

Cloud data warehouse platform hosting structured and semi-structured data. Provides scalable data storage, analytics, and business intelligence for large-scale data processing and analysis.

Data warehouse services enabling data storage, processing, and analytics capabilities for Intercom's data infrastructure and customer analytics features.

Other

Vendor Region: United States

Planetscale

Fully-managed MySQL database platform powered by Vitess providing database storage and caching services for Intercom's application data with high scalability.

Intercom Subprocessor Information

N/A

Communications

United States

Twilio

Communication platform providing SMS, voice, and video APIs. Handles messaging, voice calls, and video conferencing for customer communication and engagement.

Cloud communications platform providing SMS and phone functionality for Intercom's voice and text messaging features, enabling multi-channel customer communication.

N/A

Infrastructure

United States

Cloudflare

Global CDN and security infrastructure providing DDoS protection, SSL/TLS termination, and content delivery. Critical infrastructure for website performance and security with global edge network.

Provides Transport Layer Security (TLS) protection for customers using custom domains to host Intercom Articles. CDN and security services for content delivery and DDoS protection.