Security Best Practices
From our side, we’re working hard to keep your data safe, but there are also a few measures you, as an admin, can take to make your Customer.io account security bulletproof.
1). Do not share login credentials
Add named accounts for all of the people in your team who will be collaborating on your messaging content and strategy. Customer.io allows you to add as many team members as you need - with different levels of access.
2). Give each employee only the access level they need.
Depending on the tasks your team members need to perform within Customer.io, you can choose between Admin, Workspace Manager, Author and Viewer. If you’re managing a large company account, you’ll likely want to have at least one other admin user, but otherwise, Workspace Manager or Author might be the best choice for most team members.
3). Ensure your login id is a valid email address.
If your Customer.io account still uses an old email address you no longer have access to, update it as soon as possible. Not only you run the risk of being locked out of your account in case of an attack, but you’re also missing out on important notifications sent by our team.
4). Use a secure password.
It’s crucial to use a strong password that cannot be easily guessed or cracked by malevolent individuals trying to retrieve your customer database. While remembering long, complicated password might be difficult to do on your own, a password manager can make this process painless.
5). Enable Single Sign-on (SSO)
If you are using G Suite or Okta to manage your employees, then you can enable SSO in your Customer.io account. Doing so adds an extra layer of protection to team members logging in to the account and removes the risk of managing another password.
6). Make sure you and your team members have 2FA enabled.
A green lock means 2FA is enabled and a red lock shows 2FA hasn’t been setup:
7). Notify other admins ASAP if you’ve lost access to your account.
If you lost your 2FA device and are worried someone else might use it to gain access to your company’s Customer.io account, ask another admin to remove your user and re-add it. The initial 2FA authentication method will become invalid and you can add a new one.
If you’re the only admin, our technical support team can verify your identity and reset your access.
8). Review the exports performed by your team members on a regular basis.
This will allow you to detect any suspicious activity early on and take action against the offender. If you need additional information regarding the downloads performed by a particular team member like the IP address and which exports they retrieved, reach out to our support team and we’ll be happy to help.
9). Remove team members when they leave your company.
To protect both your business and your ex-employees it is important to remove their access to Customer.io as they leave your employ. To do that, go to your Team Members page and press the Delete button next to that person’s email address:
10). What to do about compromised API credentials.
If you suspect your API credentials have been compromised or an unauthorized individual has gained access to your account, send us a message right away with a Subject that includes Security to ensure that your request is escalated. Our technical support team can generate a new site id and API key for you and keep the old ones active until you have made the required changes to your integration. This way, there is no downtime and you regain your peace of mind.
In case of an emergency where the unauthorized individual has locked out access to the account, please include your phone number so that we can call you and clarify next steps. We’ll also provide details regarding the actions performed by the intruder in the account.