Data Security and Compliance

As a data company, we understand the importance of keeping your company’s data secure. Rest assured, your information is protected.

Trusted by:

Compliance

Service Organization Controls (SOC 2 Type II)

Health Insurance Portability and Accountability Act (HIPAA)

SOC 2 Compliance

Customer.io is SOC 2 Type II compliant. To learn more about our compliance or request a copy of our independent auditor report, please contact our sales team.

HIPAA Compliance

Customer.io fulfills the role of a Business Associate under HIPAA. As such, Customer.io can execute a Business Associate Addendum (BAA) with any customer that is a Covered Entity under HIPAA. To get more information, please contact our sales team.

Frequently Asked Questions

Do you host or store customer data in EU data centers?

Customer.io does not currently host or store customer data in EU centers. However, we are in the process of building an availability zone hosted in the EU, which will be online in Q1 2021.

If this is a requirement for your business, please contact gdpr@customer.io.

Do you have an EU Data Processing Addendum?

Yes, we provide the latest version of the Customer.io DPA for you to read or download on our legal page. You can find additional information regarding GDPR & Customer.io here, as well as more information about our security practices here.

How do I report a security vulnerability?

Our Site Reliability team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Customer.io’s security, please get in touch by email at ctf@customer.io. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Customer.io’s Site Reliability team.

Learn more by reading our report a vulnerability page. 

What is your PCI compliance status?

When you purchase a paid Customer.io subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe’s security information is available online.

What is your ISO 27001 compliance status?

Customer.io does not currently maintain active ISO 27001 compliance. Our compliance program and control environment is influenced by ISO 27001 principles and we have an ISMS policy and committee within the company. We will explore formal ISO 27001 compliance at a future date.

How do you communicate service outages?

We communicate service impacting outages to our customers via our status page at https://status.customerio.com.

What is your policy for encrypted data?

Data transmitted to Customer.io, via our API, is encrypted in transit through the use of the HTTPS protocol.

Our system data is encrypted at rest using Cloud KMS services.

If you’d like to know more about our privacy and security practices, please visit: https://customer.io/legal or contact our legal team at legal@customer.io.