Last revised and effective as of March 10, 2017
Keeping your company's data secure is a top priority at Help Scout. Our goal is to provide a secure environment, while also being mindful of application performance and the overall user experience.
With the exception of monitoring and logging services, Help Scout is hosted on Amazon Web Services (AWS), a highly scalable cloud computing platform with end-to-end security and privacy features built in. Our team takes additional pro-active measures to maintain a secure infrastructure and application environment.
For additional, more specific details regarding AWS security, please refer to https://aws.amazon.com/security/. We don't publicize exactly what features, services and data center regions/zones are used at Help Scout for security reasons, but we are able to provide a brief overview of our approach to securing your company's data.
Data Center Security
AWS maintains an impressive list of reports, certifications and independent assessments to ensure complete and ongoing state-of-the-art data center security. They have many years of experience in designing, constructing, and operating large-scale data centers.
AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. It is safe to say Amazon is much better at physical security than we are capable of being, so we leave it to them.
Help Scout infrastructure is hosted in a fully redundant, secured VPN environment, with access restricted to operations support staff only. This allows us to leverage complete firewall protection, private IP addresses and other security features.
Help Scout databases that contain PII, or PHI in the case of HIPAA-compliant customers, encrypt data in transit and at rest.
All Help Scout web application communications are encrypted over 256 bit SSL, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions.
In some cases, when viewing a conversation with a non-HTTPS embedded image, your browser may popup a security error. Please know that the image is the only insecure asset on the page, everything else remains securely encrypted. For this reason, embedded images are opt-in (must click to enable) in Help Scout.
Help Scout maintains ongoing Level 1 PCI compliance, adhering to stringent industry standards for storing, processing and transmitting credit card information online. In addition to encrypting customer payment information, the following types of information are also encrypted:
- User email addresses
- User passwords
- API keys, including 3rd party keys stored by Apps
Company-specific data is kept separate through logical separation at the data tier, based on application-level access permissions and roles.
Help Scout monitors ongoing security, performance and availability 24/7/365. We run automated security testing on an ongoing basis. We also contract a third party for annual penetration testing. In both cases, we prioritize, resolve and deploy discovered security issues quickly after discovery.
Help Scout supports TLS encryption on all inbound and outbound email. For a great overview of how email encryption works, we recommend this overview from Google.
Help Scout maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and is able to process, maintain and store protected health information for any entities restricted by these regulations. On request, Help Scout will sign a business associate agreement (BAA) with your organization. Due to the cost of maintaining compliance with HIPAA regulations, we require customers that sign a BAA to be on the Plus plan.
Access to customer data by Help Scout employees is only used to assist with support and resolve customer issues. Violation of this policy is a serious matter, requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.
Reporting Security Issues
We do not currently maintain a public bug bounty program, but do have plans to reinstate one in 2017. We will update this message when the bounty program is open to new submissions again.
These wonderful security researchers have helped us identify and resolve issues in the past: