Security Policy

Compliance

ISO 27001 – ISO 27001:2022 
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Certification shows that an organisation has put in place a system to identify and manage risks to the information it owns or handles on behalf of customers, and that this system meets the requirements and control objectives set out in the standard.

ISO 27018 – ISO 27018:2019 
ISO/IEC 27018 extends ISO/IEC 27001 and is the international code of practice for protecting personally identifiable information (PII) in public cloud services, aimed at cloud providers acting as PII processors.

ISO 27017 – ISO 27017:2015 
ISO/IEC 27017 extends ISO/IEC 27001 and is the international code of practice for information security controls specific to cloud services, covering both cloud service providers and cloud service customers.

ISO 27032 – ISO 27032 (2012 edition, revised 2023) 
ISO/IEC 27032 provides guidelines for cybersecurity and Internet security, with a focus on the controls and collaboration needed to protect information exchanged between organisations over the Internet.

Product security

SSO
SAML Single Sign-on (SSO) lets your users authenticate against your own identity provider and sign in to SHIFT without entering a separate set of login credentials.

Permissions
Permission levels can be set for each of your teammates within the app. Permissions cover access to app settings, billing, user data and the ability to send or edit messages.

Password and Credential Storage
SHIFT enforces a password complexity standard, and credentials are stored as salted hashes produced by a slow, password-based key derivation function (bcrypt), so that a leaked database does not expose plaintext passwords.
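The pattern described above (a complexity check, a salted hash with a tunable work factor, and a constant-time verification), shown as an added example rather than SHIFT's own code. The page names bcrypt; this example uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in so it runs without third-party packages, and the policy thresholds and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumed policy values (not SHIFT's actual settings).
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def check_policy(password: str) -> list[str]:
    """Return the list of complexity violations (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted hash (PBKDF2 stand-in for bcrypt) and encode the
    algorithm, work factor, salt and digest together, so parameters can be
    raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored parameters and compare in
    constant time; any malformed record is treated as a failed login."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the stored record uses an older algorithm or a weaker work
    factor than current policy; call after a successful login and re-hash
    the plaintext you just verified, so upgrades happen transparently."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations
```

The self-describing record format is what makes the work factor upgradeable: `verify_password` always uses the parameters stored with the hash, and `needs_rehash` tells the login path when to replace an old record with one derived under the current settings.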

Uptime
We maintain uptime of 99.9% or higher.

Network and application security

Regional Data Hosting and Storage
SHIFT services and data are hosted in Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1) and Sydney, Australia.

Failover and DR
SHIFT was built with disaster recovery in mind. All of our infrastructure and data are spread across three AWS availability zones, so the service continues to operate should any one of those data centres fail.

Virtual Private Cloud
All of our servers run inside our own virtual private cloud (VPC), with network access control lists (ACLs) that block unauthorised requests from reaching our internal network.

Back Ups and Monitoring
At the application level we produce audit logs for all activity, ship logs to Graylog for analysis and use S3 for archival. All actions taken on production consoles or in the SHIFT application are logged.

Permissions and Authentication
Access to customer data is limited to authorised employees who require it for their job. SHIFT is served 100% over HTTPS. SHIFT runs a zero-trust corporate network: being on the corporate network grants no access to corporate resources and no additional privileges. We use SAML Single Sign-on (SSO), two-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and SHIFT to protect access to cloud services.

Encryption
All data sent to or from SHIFT is encrypted in transit using TLS with 256-bit cipher suites. Our API and application endpoints are TLS only (plain HTTP is not served) and score an "A+" rating on Qualys SSL Labs' tests, which means we accept only strong cipher suites and have HSTS and Perfect Forward Secrecy fully enabled. Data at rest is encrypted with the industry-standard AES-256 algorithm.

Pentests, Vulnerability Scanning and Bug Bounty Program
SHIFT uses third-party security tools to scan continuously for vulnerabilities, and our dedicated security team responds to the issues raised. Twice yearly we engage third-party security experts to perform detailed penetration tests on the SHIFT application and infrastructure. SHIFT also runs a bug bounty program with Bugcrowd, which gives security researchers a platform for testing and submitting vulnerability reports.

Incident Response
SHIFT follows a defined protocol for handling security events, which includes escalation procedures, rapid mitigation and a post-mortem review. All employees are informed of our policies.

Additional Security features

Training
All employees complete Security and Awareness training annually.

Policies
SHIFT has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Confidentiality
All employee contracts include a confidentiality agreement.

* Completion of the standardization process November 2023