Where It's Stored
Intercom (B2B and SaaS builds) offers regional data hosting, so EU and other regional requirements can be met at the workspace level.
Gorgias (ecommerce builds) hosts on Google Cloud Platform, with customer data held in regional clusters across the US, EU, and Australia. For ANZ businesses, the Australian cluster is usually the relevant one, and it's what supports local data residency obligations.
How It's Protected
Both platforms encrypt data at rest and in transit. Gorgias keeps continuous encrypted backups. Both support single sign-on, two-factor authentication, and role-based permissions with granular control over what each person on your team can see. Access on your side is yours to structure.
What Data The System Holds
Data | Where it comes from |
Conversations | Every message between your customers, your agent, and your team |
Customer records | Names, contact details, and whatever your CRM or store passes through |
Order and account data | Pulled live from your store or CRM at the moment of the conversation |
Knowledge base content | Your help articles and policies |
Configuration and reporting | Your routing rules, automations, and performance data |
Integrated Tools
Data from your connected systems — CRM, store, billing — surfaces inside conversations by querying those systems directly. Your Shopify order data lives in Shopify; the support system reads it when a conversation needs it.
Conversation data writes back where you've configured it: a new contact into your CRM, a bug report into your engineering tracker.
AI Processing
Your customer conversations are processed by the platform's AI agent to generate answers. Intercom has committed to not using customer conversation data to train shared AI models. Gorgias's AI Agent uses a mix of underlying models from providers including OpenAI and Anthropic.
If model training or data isolation is a specific concern for your compliance position, raise it during scoping. Both platforms document their approach, and we'll show you where the relevant settings and agreement terms sit.
Retention and Deletion
Retention is governed by your agreement with the platform, and you control it. Intercom processes GDPR data subject deletion requests immediately and automatically when you action them, including full workspace deletion.
Data subject requests from your customers — access, deletion, correction — are yours to fulfil, and both platforms provide the tooling. We'll configure the process during setup if you need it.
LucentLayer's handling
We access your data to build and manage your system. We don't copy it, hold it, or retain it after an engagement ends. It lives on your account throughout.
Data Processing Agreements
Your DPA is with the platform, directly. It sets out the processing terms, the standard contractual clauses for international transfers, subprocessors, and audit rights.
Gorgias's DPA provides for customer audits, with their SOC 2 Type II report accepted where it covers the controls being assessed. Intercom publishes its documentation through trust.intercom.com.
💬 Still Have Questions?
Need more help? Our team responds to every message within 24 hours. Start a conversation and we'll point you in the right direction.
