# Intercom Hardening Guide

Customer messaging platform hardening for Intercom, covering SAML SSO, workspace security, and data protection.

## Overview
Intercom is a leading customer messaging platform serving thousands of businesses for support, marketing, and customer engagement. Because the platform handles customer conversations and PII, its security configuration directly affects customer privacy and data protection.
### Intended Audience

- Security engineers managing customer platforms
- IT administrators configuring Intercom
- Support operations managing messaging
- GRC professionals assessing communication security

### How to Use This Guide

- **L1 (Baseline)**: Essential controls for all organizations
- **L2 (Hardened)**: Enhanced controls for security-sensitive environments
- **L3 (Maximum Security)**: Strictest controls for regulated industries

### Scope

This guide covers Intercom security including SAML SSO, workspace access, conversation security, and data protection.

### Table of Contents

- Authentication & SSO
- Access Controls
- Data Protection
- Monitoring & Compliance
- Compliance Quick Reference
## 1. Authentication & SSO

### 1.1 Configure SAML Single Sign-On

**Profile Level:** L1 (Baseline)

| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |

#### Description

Configure SAML SSO to centralize authentication for Intercom teammates.

#### Prerequisites

- Intercom admin access
- Enterprise or Pro plan
- SAML 2.0 compatible IdP

#### ClickOps Implementation

**Step 1: Access Security Settings**

- Navigate to: Settings → Security
- Find the SAML/SSO section

**Step 2: Configure SAML**

- Enable SAML SSO
- Configure IdP settings:
  - SSO URL
  - Entity ID
  - Certificate
- Configure attribute mapping

**Step 3: Test and Enforce**

- Test SSO authentication
- Enable SSO enforcement
- Document the admin fallback login path

**Time to Complete:** ~1-2 hours
### 1.2 Enforce Two-Factor Authentication

**Profile Level:** L1 (Baseline)

| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |

#### Description

Require 2FA for all Intercom teammates.

#### ClickOps Implementation

**Step 1: Enable Workspace 2FA**

- Navigate to: Settings → Security
- Enable "Require two-factor authentication"
- All teammates must then configure 2FA

**Step 2: Verify Compliance**

- Review 2FA enrollment status
- Follow up with non-compliant users
- Document exceptions
### 1.3 Configure Session Security

**Profile Level:** L1 (Baseline)

| Framework | Control |
|---|---|
| CIS Controls | 6.2 |
| NIST 800-53 | AC-12 |

#### Description

Configure session timeout and related session security settings.

#### ClickOps Implementation

**Step 1: Configure Timeout**

- Navigate to: Settings → Security
- Configure the session timeout
- Choose a timeout short enough to limit exposure of unattended sessions while remaining workable for support staff
## 2. Access Controls

### 2.1 Configure Team Roles

**Profile Level:** L1 (Baseline)

| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |

#### Description

Implement least privilege using Intercom roles.

#### ClickOps Implementation

**Step 1: Review Roles**

- Navigate to: Settings → Teammates
- Review available roles:
  - Owner
  - Admin
  - Teammate
- Understand the capabilities of each role

**Step 2: Assign Appropriate Roles**

- Apply the least-privilege principle
- Limit admin access
- Conduct regular access reviews
### 2.2 Configure Inbox Access

**Profile Level:** L2 (Hardened)

| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |

#### Description

Control access to conversation inboxes.

#### ClickOps Implementation

**Step 1: Configure Inbox Permissions**

- Navigate to: Settings → Inbox
- Configure team inbox access
- Limit visibility by team

**Step 2: Configure Assignment Rules**

- Configure conversation routing
- Restrict reassignment permissions
- Audit conversation access
### 2.3 Limit Admin Access

**Profile Level:** L1 (Baseline)

| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |

#### Description

Minimize and protect administrator accounts.

#### ClickOps Implementation

**Step 1: Inventory Admin Users**

- Review all admin accounts
- Document admin access
- Identify unnecessary privileges

**Step 2: Apply Restrictions**

- Limit admin/owner to 2-3 users
- Require 2FA for admins
- Monitor admin activity
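
The inventory in Step 1 and the checks in Step 2 (at most 2-3 owners/admins, 2FA on every admin) are easier to repeat if they run over an exported teammate list, and the same pass covers the 2FA enrollment review in section 1.2. The script below is an added example, not Intercom code: Intercom does not document an export in this layout, so the CSV columns (`email`, `role`, `two_factor_enabled`, `last_seen_at`) are an assumption, every row is constructed, and the 90-day dormancy threshold is a review choice made here rather than an Intercom setting.

```python
"""Access review over a teammate export: counts owners/admins against the
guide's 2-3 limit, lists privileged accounts without 2FA, lists dormant
privileged accounts, and lists every teammate still missing 2FA (section 1.2).

Added example, not Intercom code. Intercom does not document this export
layout; the CSV columns are an assumption and every row is constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {"Owner", "Admin"}  # roles the guide says to cap at 2-3 people
MAX_PRIVILEGED = 3
DORMANT_AFTER = timedelta(days=90)     # review threshold chosen here, not an Intercom setting

# Constructed sample export (assumed columns; all values are made up).
SAMPLE_EXPORT = """email,role,two_factor_enabled,last_seen_at
owner@example.com,Owner,true,2026-02-01
alice@example.com,Admin,true,2026-01-28
bob@example.com,Admin,false,2025-09-15
carol@example.com,Admin,true,2026-02-03
dave@example.com,Teammate,false,2026-02-04
"""


def _parse_date(value):
    """'YYYY-MM-DD' -> timezone-aware datetime (UTC)."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _has_2fa(row):
    return row["two_factor_enabled"].strip().lower() == "true"


def review_teammates(csv_text, as_of):
    """Return the findings an access review of section 2.3 would record.

    as_of is the review date as 'YYYY-MM-DD', so results are reproducible.
    """
    now = _parse_date(as_of)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    privileged = [r for r in rows if r["role"] in PRIVILEGED_ROLES]
    return {
        "privileged_count": len(privileged),
        "over_limit": len(privileged) > MAX_PRIVILEGED,
        "privileged_without_2fa": [r["email"] for r in privileged if not _has_2fa(r)],
        "dormant_privileged": [
            r["email"] for r in privileged
            if now - _parse_date(r["last_seen_at"]) > DORMANT_AFTER
        ],
        "teammates_without_2fa": [r["email"] for r in rows if not _has_2fa(r)],
    }


if __name__ == "__main__":
    findings = review_teammates(SAMPLE_EXPORT, "2026-02-05")
    for key, value in findings.items():
        print("%s: %s" % (key, value))
```

With the constructed rows the review reports four privileged accounts (over the limit), one admin without 2FA who is also dormant, and two teammates overall still missing 2FA; each finding maps to a line item for the follow-up in section 1.2 Step 2 or a privilege reduction here.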
## 3. Data Protection

### 3.1 Configure Data Export Controls

**Profile Level:** L2 (Hardened)

| Framework | Control |
|---|---|
| CIS Controls | 3.3 |
| NIST 800-53 | AC-3 |

#### Description

Control who can export data from the workspace.

#### ClickOps Implementation

**Step 1: Review Export Permissions**

- Understand the export capabilities available in the workspace
- Limit export access to admins
- Audit export activity

**Step 2: Configure Data Policies**

- Define data handling policies
- Configure retention settings
- Document compliance requirements
### 3.2 Configure Conversation Security

**Profile Level:** L2 (Hardened)

| Framework | Control |
|---|---|
| CIS Controls | 3.3 |
| NIST 800-53 | AC-3 |

#### Description

Protect sensitive conversation data.

#### ClickOps Implementation

**Step 1: Configure Data Masking**

- Enable sensitive data masking
- Configure PII detection
- Apply masking rules

**Step 2: Configure Deletion Policies**

- Configure conversation retention
- Enable deletion workflows
- Support GDPR/CCPA requests
## 4. Monitoring & Compliance

### 4.1 Configure Activity Logs

**Profile Level:** L1 (Baseline)

| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | AU-2 |

#### Description

Enable and monitor activity logs.

#### ClickOps Implementation

**Step 1: Access Logs**

- Navigate to: Settings → Security → Activity Log
- Review logged events
- Configure monitoring

**Step 2: Monitor Key Events**

- Teammate authentication
- Role changes
- Data exports
- Configuration changes
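
Reviewing the activity log by hand does not scale, so the four event classes in Step 2 are worth sorting and alerting on automatically. The script below is an added example, not Intercom code. `SAMPLE_LOGS` is constructed in the shape of the Activity Logs API response as I understand it (`activity_type`, `created_at`, `performed_by`), and the `activity_type` names in `CATEGORIES` are assumed from Intercom's API documentation; verify both the field names and the event names against the current API reference before connecting this to real log data. It buckets records into the guide's four classes, raises an alert for a burst of failed logins by one teammate, and raises one for every export, role change and configuration change.

```python
"""Triage of Intercom activity log records against the four event classes
section 4.1 says to monitor: teammate authentication, role changes, data
exports and configuration changes.

Added example, not Intercom code. SAMPLE_LOGS is constructed in the shape of
the Activity Logs API response as I understand it; the activity_type names
are assumed from Intercom's API docs and must be checked against the current
reference before use on real data.
"""
from collections import defaultdict

# activity_type -> the guide's event category (assumed names, see above).
CATEGORIES = {
    "admin_login_success": "authentication",
    "admin_login_failure": "authentication",
    "admin_logout_success": "authentication",
    "app_admin_join": "role_change",
    "admin_deprovisioned": "role_change",
    "app_team_membership_modification": "role_change",
    "app_data_export": "data_export",
    "bulk_export": "data_export",
    "app_authentication_method_change": "config_change",
    "app_identity_verification_change": "config_change",
}
FAILURE_THRESHOLD = 3   # this many failed logins by one teammate ...
FAILURE_WINDOW = 600    # ... within this many seconds raise an alert


def _rec(activity_type, created_at, email, ip):
    """Build one constructed log record (sample data, not a real API response)."""
    return {"activity_type": activity_type, "created_at": created_at,
            "performed_by": {"type": "admin", "email": email, "ip": ip}}


T0 = 1738742400  # constructed epoch base for the sample
SAMPLE_LOGS = [
    _rec("admin_login_failure", T0, "bob@example.com", "203.0.113.5"),
    _rec("admin_login_failure", T0 + 60, "bob@example.com", "203.0.113.5"),
    _rec("admin_login_failure", T0 + 120, "bob@example.com", "203.0.113.5"),
    _rec("admin_login_success", T0 + 180, "bob@example.com", "203.0.113.5"),
    _rec("admin_login_success", T0 + 300, "carol@example.com", "198.51.100.7"),
    _rec("app_data_export", T0 + 900, "alice@example.com", "198.51.100.9"),
    _rec("app_team_membership_modification", T0 + 1200, "owner@example.com", "198.51.100.2"),
    _rec("admin_away_mode_change", T0 + 1300, "carol@example.com", "198.51.100.7"),
]


def triage(records):
    """Bucket records by category and return counts plus a list of alerts."""
    by_category = defaultdict(list)
    failures = defaultdict(list)  # email -> sorted failed-login timestamps
    for r in sorted(records, key=lambda r: r["created_at"]):
        by_category[CATEGORIES.get(r["activity_type"], "other")].append(r)
        if r["activity_type"] == "admin_login_failure":
            failures[r["performed_by"]["email"]].append(r["created_at"])
    counts = {k: len(v) for k, v in by_category.items()}

    alerts = []
    for email, times in failures.items():
        # sliding window over the sorted timestamps: any THRESHOLD failures within WINDOW
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            if times[i + FAILURE_THRESHOLD - 1] - times[i] <= FAILURE_WINDOW:
                alerts.append("%s: %d failed logins within %ds"
                              % (email, FAILURE_THRESHOLD, FAILURE_WINDOW))
                break
    for r in by_category.get("data_export", []):
        alerts.append("%s: data export (%s)" % (r["performed_by"]["email"], r["activity_type"]))
    for r in by_category.get("role_change", []) + by_category.get("config_change", []):
        alerts.append("%s: %s" % (r["performed_by"]["email"], r["activity_type"]))
    return {"counts": counts, "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print("counts:", result["counts"])
    for alert in result["alerts"]:
        print("ALERT", alert)
```

Records whose `activity_type` is not in `CATEGORIES` land in an `other` bucket rather than being dropped, so a new event type Intercom adds shows up in the counts and can be classified later; the export and role-change alerts are unconditional because section 3.1 limits exports to admins and section 2.3 caps the number of admins, so each such event should correspond to a known, approved action.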
## 5. Compliance Quick Reference

### SOC 2 Trust Services Criteria Mapping

| Control ID | Intercom Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/2FA | 1.1 |
| CC6.2 | Team roles | 2.1 |
| CC7.2 | Activity logs | 4.1 |

### NIST 800-53 Rev 5 Mapping

| Control | Intercom Control | Guide Section |
|---|---|---|
| IA-2 | SSO | 1.1 |
| IA-2(1) | 2FA | 1.2 |
| AC-6 | Team roles | 2.1 |
| AU-2 | Activity logs | 4.1 |
## Appendix A: References

**Official Intercom Documentation:**

- Trust Center
- Intercom Security
- Help Center
- Security & Privacy Collection
- SAML SSO Setup
- Team Management
- Security Policy

**API & Developer Tools:**

**Compliance Frameworks:**

- SOC 2 Type II, ISO 27001:2022, ISO 27018, ISO 27701, ISO/IEC 42001:2023 (AI), HIPAA, GDPR, CCPA – via Trust Center
- Accessing Security and Compliance Documents

**Security Incidents:**

- No major public security incidents identified as of February 2026.
## Changelog

| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO, roles, and data protection | Claude Code (Opus 4.5) |
## Contributing

Found an issue or want to improve this guide?

- Report outdated information: Open an issue with tag `content-outdated`
- Propose new controls: Open an issue with tag `new-control`
- Submit improvements: See Contributing Guide