// Trust & Security Report
Intercom, Inc. (US) / Intercom R&D Unlimited Company (EU)
AI-powered customer service platform (omnichannel helpdesk + Fin AI Agent)
Certifications held
12
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on intercom.com“Intercom undergoes yearly audits and maintains SOC 2 Type 2 compliance focusing on the Security and Availability trust service principles.”
Verify on intercom.com“Intercom holds ISO/IEC 27001 and ISO/IEC 27018 certifications in line with the ISO/IEC 27002 implementation guidance.”
Verify on intercom.com“Intercom holds ISO/IEC 27001 and ISO/IEC 27018 certifications in line with the ISO/IEC 27002 implementation guidance. ISO 27001, 27018, 27701 Certificates listed as a downloadable resource in the Trust Center.”
Verify on trust.intercom.com“Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT”
Verify on intercom.com“one of the first AI customer service platforms to have achieved ISO/IEC 42001:2023 certification”
Verify on trust.intercom.com“Intercom is now among the first companies certified under AIUC-1, the new global benchmark for responsible AI. It confirms that Intercom's long-standing commitment to trust fully extends to Fin.”
Verify on intercom.com“Intercom has maintained a HIPAA attestation report since 2021, which covers the handling and safeguarding of protected health information (PHI).”
Verify on trust.intercom.com“Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT”
Verify on intercom.com“The DPA (incorporating the new SCCs issued by the European Commission on June 4, 2021, is incorporated into the Terms of Service. Fin participates in the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.”
Verify on trust.intercom.com“Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT”
Verify on trust.intercom.com“Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT”
Verify on trust.intercom.com“Compliance SOC 2 ISO 27001:2022 ISO 27018 ISO 27701 ISO/IEC 42001:2023 GDPR CCPA COMPLIANT CCPA HIPAA HDS AIUC-1 CSA STAR EU AI ACT”
> Show 2 unconfirmed / not-held certifications
source: intercom.comFin is not in the business of storing or processing payments. All payments made to Fin go through our partner, Stripe. No PCI DSS certification claimed; not applicable to core service.
source: trust.intercom.comNo public evidence of FedRAMP authorization found on any Intercom-domain page. Intercom is a commercial SaaS platform with no stated pursuit of FedRAMP.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
USA (AWS us-east-1), EU/Ireland (AWS eu-west-1), Australia (Sydney) - EU and AU available via Regional Data Hosting Addendum
Third-party LLM providers (including OpenAI, the primary AI subprocessor) are contractually prohibited from using customer conversation data to train or improve their models; Intercom states a zero data retention policy applies at the LLM layer. However, Intercom's own ToS permits use of anonymized, de-identified usage data ('Anonymized Data') to analyze, improve, support and operate services - which may include AI feature improvement. No personal data of end-users is used for model training. Fin learns within each customer's own workspace from their best human reps (per-tenant self-improvement), not cross-customer training.
// Security controls
Encryption in transit
TLS v1.2 minimum; API and application endpoints TLS/SSL only; A+ rating on SSL Labs; HSTS and Perfect Forward Secrecy fully enabled
intercom.comPenetration testing
External penetration testing twice a year by dedicated external security partners; Penetration Test reports (2024, 2025) available in Trust Center
trust.intercom.comAccess control
Identity Provider with Zero Trust architecture; biometric authentication on company-managed devices; 2FA enforced; background checks on employees
trust.intercom.comInfrastructure
Hosted on Amazon Web Services; infrastructure managed as code with Terraform; auto scaling and backups in place; AWS CloudTrail and PantherLabs for audit trails
intercom.comDoS protection
Denial of Service (DoS) Protection listed as an infrastructure security control in the Trust Center
trust.intercom.comIncident response
Documented incident response plan; Incident Response Coverage and Incident Response Process listed as Trust Center controls
trust.intercom.comVulnerability assessments
Vulnerability Assessments report available in Trust Center
trust.intercom.com// Products & data scope
data: Customer PII, conversation history, behavioral data, custom attributes, company data; processes email, chat, phone, WhatsApp, social media messages
Seat-based pricing at $29/seat/month. Full-featured helpdesk with ticketing, reporting, and omnichannel inbox. SOC 2, ISO 27001 and HIPAA coverage applies to this tier.
data: Processes customer conversation data and knowledge base content; passes data to third-party LLMs (primarily OpenAI) for response generation; zero retention at LLM layer
Usage-based pricing at $0.99/outcome. Uses OpenAI as primary LLM subprocessor (contractually prohibited from training on data). Covered by AIUC-1 and ISO/IEC 42001 certifications. Customers must opt-in to data sources for AI processing.
data: Accesses conversation history, knowledge base, and past conversations to draft replies; same data access as Fin AI Agent
Included in Intercom platform. Same AI subprocessor (OpenAI) and data handling policies as Fin AI Agent apply.
// What to watch
- AIUC-1 is a nascent standard (launched November 2025); the consortium includes Intercom as a founding member, which raises a minor independence question - however the certification process involves independent third-party audits and quarterly adversarial testing
- CSA STAR appears to be Level 1 self-assessment (CAIQ v4) only, not independently audited Level 2 certification
- Intercom ToS permits use of anonymized usage data to improve services - distinct from LLM training prohibition, but AI teams should review if this scope is acceptable
- PCI DSS not applicable and not held - Stripe handles all payment processing
- FedRAMP not held - not suitable for US federal government use cases requiring FedRAMP authorization
- Trust center now branded 'Fin Trust Center' at trust.intercom.com reflecting product rebrand; legal entity remains Intercom, Inc.
- OpenAI is a named AI subprocessor - customers with strict data locality or OpenAI restrictions should review the Subprocessor list; EU/AU data hosting regions exist but AI processing subprocessors (OpenAI) may process data in USA or EU depending on region
// At a glance
Pricing model
Seat-based ($29/seat/month for helpdesk) plus usage-based ($0.99/outcome for Fin AI Agent); free trial available
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Intercom, Inc. (US) / Intercom R&D Unlimited Company (EU)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.intercom.com