Skip to main content

How Customer Data Is Handled And Stored

Where it lives, who reaches it, and what happens to it.

Written by LucentLayer Support Team

Where It's Stored

Intercom (B2B and SaaS builds) offers regional data hosting, so EU and other regional requirements can be met at the workspace level.

Gorgias (ecommerce builds) hosts on Google Cloud Platform, with customer data held in regional clusters across the US, EU, and Australia. For ANZ businesses, the Australian cluster is usually the relevant one, and it's what supports local data residency obligations.


How It's Protected

Both platforms encrypt data at rest and in transit. Gorgias keeps continuous encrypted backups. Both support single sign-on, two-factor authentication, and role-based permissions with granular control over what each person on your team can see. Access on your side is yours to structure.


What Data The System Holds

Data

Where it comes from

Conversations

Every message between your customers, your agent, and your team

Customer records

Names, contact details, and whatever your CRM or store passes through

Order and account data

Pulled live from your store or CRM at the moment of the conversation

Knowledge base content

Your help articles and policies

Configuration and reporting

Your routing rules, automations, and performance data


Integrated Tools

Data from your connected systems — CRM, store, billing — surfaces inside conversations by querying those systems directly. Your Shopify order data lives in Shopify; the support system reads it when a conversation needs it.

Conversation data writes back where you've configured it: a new contact into your CRM, a bug report into your engineering tracker.


AI Processing

Your customer conversations are processed by the platform's AI agent to generate answers. Intercom has committed to not using customer conversation data to train shared AI models. Gorgias's AI Agent uses a mix of underlying models from providers including OpenAI and Anthropic.

If model training or data isolation is a specific concern for your compliance position, raise it during scoping. Both platforms document their approach, and we'll show you where the relevant settings and agreement terms sit.


Retention and Deletion

Retention is governed by your agreement with the platform, and you control it. Intercom processes GDPR data subject deletion requests immediately and automatically when you action them, including full workspace deletion.

Data subject requests from your customers — access, deletion, correction — are yours to fulfil, and both platforms provide the tooling. We'll configure the process during setup if you need it.


LucentLayer's handling

We access your data to build and manage your system. We don't copy it, hold it, or retain it after an engagement ends. It lives on your account throughout.


Data Processing Agreements

Your DPA is with the platform, directly. It sets out the processing terms, the standard contractual clauses for international transfers, subprocessors, and audit rights.

Gorgias's DPA provides for customer audits, with their SOC 2 Type II report accepted where it covers the controls being assessed. Intercom publishes its documentation through trust.intercom.com.


💬 Still Have Questions?

Need more help? Our team responds to every message within 24 hours. Start a conversation and we'll point you in the right direction.

Did this answer your question?