Data Security and Compliance

Customer.io’s Ad Audience Sync allows you to use our segmentation to create ad audiences on Facebook and Google. Our segments are populated in real-time and synced on an hourly basis so that your audiences remain as accurate and true as possible – without the need for any manual work. Additionally, you can retarget customers based on Mobile Advertising ID (IDFA or AAID) or an email address.

Our Site Reliability team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Customer.io’s security, please get in touch by email at ctf@customer.io. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Customer.io’s Site Reliability team.

Learn more by reading our report a vulnerability page. 

We communicate service impacting outages to our customers via our status page at https://status.customerio.com.

Customer.io does not currently maintain active ISO 27001 compliance. Our compliance program and control environment is influenced by ISO 27001 principles and we have an ISMS policy and committee within the company. We will explore formal ISO 27001 compliance at a future date.

When you purchase a paid Customer.io subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe’s security information is available online.

Data transmitted to Customer.io, via our API, is encrypted in transit through the use of the HTTPS protocol.

Our system data is encrypted at rest using Cloud KMS services.

Absolutely, we provide the latest version of the Customer.io DPA for you to read or download on our legal page. You can find additional information regarding GDPR & Customer.io here, as well as more information about our security practices here.