Security

What we're doing to keep your data and our infrastructure safe

Keeping your company's data secure is a top priority at Help Scout. Our goal is to provide a secure environment, while also being mindful of application performance and the overall user experience.

With the exception of off-site backup and redundancy infrastructure, Help Scout is hosted on Amazon Web Services (AWS), a highly scalable cloud computing platform with end-to-end security and privacy features built in. Our team takes additional pro-active measures to maintain a secure infrastructure and application environment.

For additional, more specific details regarding AWS security, please refer to https://aws.amazon.com/security/. We don't publicize exactly what features, services and data center regions/zones are used at Help Scout for security reasons, but we are able to provide a brief overview of our approach to securing your company's data.

Data Center Security

AWS maintains an impressive list of reports, certifications and independent assessments to ensure complete and ongoing state-of-the-art data center security. They have many years of experience in designing, constructing, and operating large-scale data centers.

AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. It is safe to say Amazon is much better at physical security than we are capable of being, so we leave it to them.

Infrastructure Security

Help Scout infrastructure is hosted in a fully redundant, secured VPN environment, with access restricted to operations support staff only. This allows us to leverage complete firewall protection, private IP addresses and other security features.

Application Security

All Help Scout web application communications are encrypted over 256 bit SSL, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions.

In some cases, when viewing a conversation with a non-HTTPS embedded image, your browser may popup a security error. Please know that the image is the only insecure asset on the page, everything else remains securely encrypted. For this reason, embedded images are opt-in (must click to enable) in Help Scout.

Help Scout maintains ongoing Level 1 PCI compliance, adhering to stringent industry standards for storing, processing and transmitting credit card information online. In addition to encrypting customer payment information, the following types of information are also encrypted:

  • User email addresses
  • User passwords
  • API keys, including 3rd party keys stored by Apps


Company-specific data is kept separate through logical separation at the data tier, based on application-level access permissions and roles.

The in-house engineering team at Help Scout monitors ongoing security, performance and availability 24/7/365. The application is tested on an ongoing basis for security vulnerabilities, which are patched and deployed quickly after discovery.

Email Security

Help Scout supports TLS encryption on all inbound and outbound email. For a great overview of how email encryption works, we recommend this overview from Google.

HIPAA Compliance

Help Scout maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and is able to process, maintain and store protected health information for any entities restricted by these regulations. On request, Help Scout will sign a business associate agreement (BAA) with your organization.

HIPAA Compliant badge

Privacy

Our Privacy Policy outlines specific details about how we safeguard information. Help Scout complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce.

Safe Harbor

Access to customer data by Help Scout employees is only used to assist with support and resolve customer issues. Violation of this policy is a serious matter, requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.

Reporting Security Issues

We have decided to temporarily suspend the bug bounty program to catch up on the backlog of reports and prioritize other improvements on our roadmap. We will update this message when the bounty program is open to new submissions again.

Thank You

These wonderful researchers have helped us identify and resolve issues in 2014 and 2015:

Free training & 24-hour support

99.98% uptime the last 12 months

Serious about security & privacy