Skip to main content

Security Standards

Intercom and Gorgias certifications, and our own access practices.

Written by LucentLayer Support Team

Your system runs on Intercom or Gorgias, depending on your build. Both are enterprise platforms with independently audited security programs. This article covers what they hold, and where LucentLayer's own practices sit.


Intercom (B2B and SaaS builds)

Standard

What it means

SOC 2 Type II

Independently audited controls, tested over a sustained period rather than at a single point Intercom

ISO 27001:2022

Certified information security management system — the policies, procedures, and controls governing how critical data is managed and protected Intercom

ISO 27018

Code of practice for protecting personally identifiable information in public cloud environments Intercom

ISO 27701

Privacy information management

ISO/IEC 42001:2023

The international standard for AI management systems, covering AI governance and monitoring

GDPR and CCPA

GDPR compliance since it came into effect, with features enabling customers to meet their own obligations Intercom

HIPAA

Attestation report maintained since 2021, renewed annually, covering the handling of protected health information Intercom


Gorgias (E-Commerce Builds)

Standard

What it means

SOC 2 Type II

Independently audited security controls

GDPR

Data processing agreement covering EU and UK GDPR, with standard contractual clauses for international transfers Gorgias


LucentLayer's Own Practices

We hold administrator access to your workspace and scoped access to your connected tools. That access is:

  • Granted by you, visible in your settings, and revocable at any time

  • Limited to the permission level the work requires, and we tell you the reason for each

  • Held by named individuals rather than shared credentials

  • Removed immediately on offboarding


AI and Your Data

Both platforms process customer conversations through their AI agents. How that data is used, retained, and whether it contributes to model training is governed by the data processing agreement between the platform and you.

If this matters to your compliance position, raise it during scoping and we'll walk you through exactly where the settings sit and what the agreement says.


For Your Procurement Team

We can supply certification reports, data processing agreements, subprocessor lists, and completed security questionnaires. Intercom's trust center is self-serve if your team prefers to pull documents directly.


💬 Still Have Questions?

Need more help? Our team responds to every message within 24 hours. Start a conversation and we'll point you in the right direction.

Did this answer your question?