Security at Intercom: How our InfoSec team protects our customers’ data and trust

​​At Intercom, we think deeply about how to deliver the safest, most secure experience possible for our customers and their customers. 

As a SaaS business, Intercom is a data processor: our customers entrust us with their data, which we store and process on their behalf. From the beginning, we’ve considered customer data to be one of Intercom’s most critical assets and focused our efforts on protecting it by building strong internal security foundations for our product and infrastructure. 

As we scale, we’re working with larger mid-market and enterprise customers with more complex needs and specifications. We’re committed to meeting the highest standards of security to protect our customers’ trust and love for our product. We do that by:

1. Investing in your trust through compliance with industry security and privacy ISO standards or frameworks such as SOC 2
2. Shipping quickly and securely
3. Continuous risk management
4. Hiring and cultivating incredible talent on our Information Security team

Investing significantly in safeguarding our customers’ trust

The mission of the Intercom Information Security (InfoSec) team is to foster and safeguard customer trust – and we think a lot about how we preserve Intercom’s agility while also recognizing and mitigating the highest-rated security risks. 

The team’s remit covers: security and abuse; governance risk and compliance; and IT. Each area is defined by a separate program of work and is supported by one or more specific teams. The overlap and synergies between these teams means we can use automation to efficiently solve problems at scale while remaining lean. 

“We’ve invested massively in compelling security assurance to foster and safeguard our customers’ trust in Intercom, evidenced by our SOC2 Type II and HIPAA attestation reports, and ISO27001 certification”

We’ve invested massively in compelling security assurance to foster and safeguard our customers’ trust in Intercom as a product, but also as a company, evidenced by our SOC2 Type II and HIPAA attestation reports, and ISO27001 certification.

Shipping quickly – and securely

Intercom’s success depends on being able to move fast through the implementation of robust, efficient, and secure business processes. Our InfoSec team members implement guardrails rather than gates by leveraging our skills to make balanced security risk management decisions. 

“Understanding the guardrails we need to build means closely tracking meaningful change across Intercom and making sure we’re on top of new initiatives”

Understanding the guardrails we need to build means closely tracking meaningful change across Intercom and making sure we’re on top of new initiatives. In most SaaS companies, R&D is the organization that innovates the most, and therefore introduces the highest level of potentially risky change. 

Intercom is no exception. “Shipping is our heartbeat” has been the motto of the Intercom R&D org from the very beginning and engineers ship code to our customer-facing production app dozens of times a day. This is where products are born, where they develop, and where they modify the company’s exposure to the internet and to web security threats in particular. 

“Being embedded within the R&D org means that Intercom’s InfoSec team is closer to this risk while retaining company wide visibility and impact”

This level of velocity is a delight for both our customers and engineers, but introduces the potential for risky changes. That’s why we embedded Intercom’s InfoSec team within the R&D org and why it reports directly to the CTO, meaning that we are closer to this risk while retaining company-wide visibility and impact. 

As engineers and Technical Program Managers (TPMs) ourselves, our team can more efficiently mitigate any risk by designing processes and security controls that preserve engineers’ ability to move fast – we are effectively able to build security into the product and culture from the inside.

Evolving our security program through a continuous process of risk management

Intercom’s security engineering program is designed to assist R&D in securing one of their most critical business activities: shipping secure products fast, early, and often. It is supported by two teams who focus on incident management and threat detection, the eradication of classes of vulnerabilities by building on the secure defaults of our Rails monolith, and role-based security education. 

“Intercom’s approach to security is fundamentally risk-based and relies heavily on our continuous internal security risk management process to evolve”

While some security programs rely primarily on compliance frameworks to guide their roadmaps, Intercom’s approach to security is fundamentally risk-based and relies heavily on our continuous internal security risk management process to evolve. 

External risk assessment activities such as attack surface monitoring, bi-annual pen-tests, and most importantly, Intercom’s public bug bounty program, ensure the effectiveness of our security controls is verified continuously and independently. All such controls and activities provide strong foundations for our compliance program to build on and deliver customer-facing security assurance to inform our Sales team’s deals. 

While all of that makes us confident, we remain humble, as stated in our company values. People, processes, and tools each introduce a degree of complexity – guaranteeing 100% security all the time, and therefore zero security incidents, is just unrealistic. 

“Everybody at Intercom is responsible for factoring security into our day-to-day decisions”

At Intercom, we expect incidents to occur, prepare for them, and when they materialize, embrace the opportunity to test and optimize our existing controls and processes. Our team knows we can’t succeed on our own; while we are accountable for driving a robust security program, we also educate, enable, and empower people across the company to protect Intercom’s ability to move fast, securely. Everybody at Intercom is responsible for factoring security into our day-to-day decisions. 

Like most Internet-facing web properties, we were hit by the log4j incident in December 2021, which we managed to contain and mitigate efficiently. We ran an incident review, drew important lessons, and took the opportunity to refine our security incident response process and improve our internal supply chain related security controls. 

Overcoming the InfoSec skills shortage by cultivating Intercom talent

Being part of Intercom’s R&D organization also has other advantages. We’ve all heard about the InfoSec industry skill shortage. The tech industry is constantly searching for its unicorn senior 10x developer and InfoSec is no different.

“To protect Intercom as a whole, understanding the product, its underlying infrastructure, and how our customers use or misuse it is key”

Intercom’s InfoSec team, while always on the lookout for great specialized talent, has taken the alternative approach of investing in internal transfers, early. To protect Intercom as a whole, understanding the product, its underlying infrastructure, and how our customers use or misuse it is key. As a result, the team has taken the approach of internally selecting and onboarding product, systems, and IT engineers, as well as security and compliance TPMs with extensive knowledge of Intercom that they can learn to apply to its security. 

With the help of experienced InfoSec leaders and managers, Intercom’s internal transfers leverage their expertise and growth mindsets to navigate the often daunting InfoSec learning curve. As a result, new team members drive impact quickly through cross-pollination and the strong relationships they maintain with their former teams.

Evolving security landscape

As we build the future of customer communications, grow the Intercom team and onboard larger and larger customers, Intercom’s risk tolerance and threat landscape continue to evolve. In recent months, we’ve ramped up our efforts to roll out a device trust infrastructure to further secure Intercomrades’ access to key systems, and built security and privacy building blocks within the product to enable a robust customer data lifecycle. 

There will be many more challenges ahead. As Intercom dreams big and delivers more value to customers, the InfoSec team will strive to continue fostering and safeguarding customers’ trust in how Intercom stores, processes, and manages their data.

Questions? Reach out to a member of our Sales team for more details, or take a look at our security page on the Intercom website.