The information below describes the policies and procedures Customer.io has in place for handling customer data.
Customer.io uses 128-bit SSL encryption for all authenticated sessions. This means that data sent to the Customer.io API, as well as data retrieved through the Customer.io management interface, is protected in transit.
Data stored in your Customer.io account is only available to you. Each request to retrieve data from Customer.io must be authenticated. Furthermore, requests are restricted to the currently logged-in account. Requests made to the Customer.io internal API require a logged-in account and will not return successfully otherwise.
When you purchase a paid Customer.io subscription, your credit card data is neither transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe’s security information is available online.
Access to servers is restricted to infrastructure engineers and maintenance staff. Each employee is provided access through a unique key that can be revoked if needed. Each employee also has their own login to our administrative web interface, which can likewise be revoked.
No Customer.io employee will access customer accounts unless required for support reasons.
If you see a hole in security or an area that we can improve, send an email to firstname.lastname@example.org. We’ll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to address any issues that arise ASAP.