// Trust & Security Report

    Intercom, Inc. (US) / Intercom R&D Unlimited Company (EU) logo

    Intercom, Inc. (US) / Intercom R&D Unlimited Company (EU)

    AI-powered customer service platform (omnichannel helpdesk + Fin AI Agent)

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Intercom undergoes yearly audits and maintains SOC 2 Type 2 compliance focusing on the Security and Availability trust service principles.

    Verify on intercom.com
    ISO 27001:2022
    HELD

    Intercom holds ISO/IEC 27001 and ISO/IEC 27018 certifications in line with the ISO/IEC 27002 implementation guidance.

    Verify on intercom.com
    ISO 27018
    HELD

    Intercom holds ISO/IEC 27001 and ISO/IEC 27018 certifications in line with the ISO/IEC 27002 implementation guidance. ISO 27001, 27018, 27701 Certificates listed as a downloadable resource in the Trust Center.

    Verify on intercom.com
    ISO 27701
    HELD

    Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT

    Verify on trust.intercom.com
    ISO/IEC 42001:2023
    HELD

    one of the first AI customer service platforms to have achieved ISO/IEC 42001:2023 certification

    Verify on intercom.com
    AIUC-1 (AI Agent certification)
    HELD

    Intercom is now among the first companies certified under AIUC-1, the new global benchmark for responsible AI. It confirms that Intercom's long-standing commitment to trust fully extends to Fin.

    Verify on trust.intercom.com
    HIPAA
    HELD

    Intercom has maintained a HIPAA attestation report since 2021, which covers the handling and safeguarding of protected health information (PHI).

    Verify on intercom.com
    HDS (Hebergeur de Donnees de Sante)
    HELD

    Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT

    Verify on trust.intercom.com
    GDPR
    HELD

    The DPA (incorporating the new SCCs issued by the European Commission on June 4, 2021, is incorporated into the Terms of Service. Fin participates in the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.

    Verify on intercom.com
    CCPA
    HELD

    Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT

    Verify on trust.intercom.com
    EU AI Act
    HELD

    Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT

    Verify on trust.intercom.com
    CSA STAR
    HELD

    Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT

    Verify on trust.intercom.com
    > Show 2 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    Fin is not in the business of storing or processing payments. All payments made to Fin go through our partner, Stripe. No PCI DSS certification claimed; not applicable to core service.

    source: intercom.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on any Intercom-domain page. Intercom is a commercial SaaS platform with no stated pursuit of FedRAMP.

    source: trust.intercom.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    USA (AWS us-east-1), EU/Ireland (AWS eu-west-1), Australia (Sydney) - EU and AU available via Regional Data Hosting Addendum

    Third-party LLM providers (including OpenAI, the primary AI subprocessor) are contractually prohibited from using customer conversation data to train or improve their models; Intercom states a zero data retention policy applies at the LLM layer. However, Intercom's own ToS permits use of anonymized, de-identified usage data ('Anonymized Data') to analyze, improve, support and operate services - which may include AI feature improvement. No personal data of end-users is used for model training. Fin learns within each customer's own workspace from their best human reps (per-tenant self-improvement), not cross-customer training.

    // Security controls

    Encryption in transit

    TLS v1.2 minimum; API and application endpoints TLS/SSL only; A+ rating on SSL Labs; HSTS and Perfect Forward Secrecy fully enabled

    intercom.com

    Encryption at rest

    AES-256 for all customer processor data

    intercom.com

    Penetration testing

    External penetration testing twice a year by dedicated external security partners; Penetration Test reports (2024, 2025) available in Trust Center

    trust.intercom.com

    Bug bounty

    Public bug bounty program via Bugcrowd

    intercom.com

    Access control

    Identity Provider with Zero Trust architecture; biometric authentication on company-managed devices; 2FA enforced; background checks on employees

    trust.intercom.com

    Infrastructure

    Hosted on Amazon Web Services; infrastructure managed as code with Terraform; auto scaling and backups in place; AWS CloudTrail and PantherLabs for audit trails

    intercom.com

    DoS protection

    Denial of Service (DoS) Protection listed as an infrastructure security control in the Trust Center

    trust.intercom.com

    Incident response

    Documented incident response plan; Incident Response Coverage and Incident Response Process listed as Trust Center controls

    trust.intercom.com

    Vulnerability assessments

    Vulnerability Assessments report available in Trust Center

    trust.intercom.com

    Cyber insurance

    Certificate of cyber insurance available in Trust Center

    trust.intercom.com

    // Products & data scope

    Intercom HelpdeskCustomer support / omnichannel inbox

    data: Customer PII, conversation history, behavioral data, custom attributes, company data; processes email, chat, phone, WhatsApp, social media messages

    Seat-based pricing at $29/seat/month. Full-featured helpdesk with ticketing, reporting, and omnichannel inbox. SOC 2, ISO 27001 and HIPAA coverage applies to this tier.

    Fin AI AgentAutonomous AI customer service agent

    data: Processes customer conversation data and knowledge base content; passes data to third-party LLMs (primarily OpenAI) for response generation; zero retention at LLM layer

    Usage-based pricing at $0.99/outcome. Uses OpenAI as primary LLM subprocessor (contractually prohibited from training on data). Covered by AIUC-1 and ISO/IEC 42001 certifications. Customers must opt-in to data sources for AI processing.

    CopilotAI assistant for human support agents

    data: Accesses conversation history, knowledge base, and past conversations to draft replies; same data access as Fin AI Agent

    Included in Intercom platform. Same AI subprocessor (OpenAI) and data handling policies as Fin AI Agent apply.

    // What to watch

    • AIUC-1 is a nascent standard (launched November 2025); the consortium includes Intercom as a founding member, which raises a minor independence question - however the certification process involves independent third-party audits and quarterly adversarial testing
    • CSA STAR appears to be Level 1 self-assessment (CAIQ v4) only, not independently audited Level 2 certification
    • Intercom ToS permits use of anonymized usage data to improve services - distinct from LLM training prohibition, but AI teams should review if this scope is acceptable
    • PCI DSS not applicable and not held - Stripe handles all payment processing
    • FedRAMP not held - not suitable for US federal government use cases requiring FedRAMP authorization
    • Trust center now branded 'Fin Trust Center' at trust.intercom.com reflecting product rebrand; legal entity remains Intercom, Inc.
    • OpenAI is a named AI subprocessor - customers with strict data locality or OpenAI restrictions should review the Subprocessor list; EU/AU data hosting regions exist but AI processing subprocessors (OpenAI) may process data in USA or EU depending on region

    // At a glance

    Pricing model

    Seat-based ($29/seat/month for helpdesk) plus usage-based ($0.99/outcome for Fin AI Agent); free trial available

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Intercom, Inc. (US) / Intercom R&D Unlimited Company (EU)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.intercom.com

    > Browse all vendor trust reports