Intercom & GDPR: Is Intercom (and Fin AI) Compliant for EU Businesses?

Is Intercom GDPR compliant?

Intercom is GDPR-compliant and offers a DPA with Standard Contractual Clauses for international transfers. EU data residency on AWS Frankfurt is available from Business plan and above. Fin AI Agent creates additional obligations under GDPR Article 6, Article 22, and EU AI Act Article 50.

• Intercom provides a DPA covering Article 28 GDPR processor obligations — verify Fin AI Agent, AI Copilot, and AI Summaries are in scope.
• EU data hosting on AWS Frankfurt is available for Business plan customers — but does not eliminate extra-EEA processing via sub-processors or AI model calls.
• Fin AI Agent triggers Article 50 EU AI Act disclosure obligations — users must be told they are interacting with an AI system at session start.
• German deployments affecting employees require Betriebsrat consultation under Section 87(1) no. 6 BetrVG before rollout.

Is Intercom GDPR compliant? Yes — Intercom offers a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) for international data transfers, and EU data hosting on AWS Frankfurt for Business plan customers. Intercom’s role as a processor under Article 28 GDPR is documented in the DPA. That covers the compliance baseline. What requires active verification is whether your specific deployment — especially if you activate Fin AI Agent, AI Copilot, or AI Summaries — is fully covered by the DPA scope, sub-processor disclosures, and EU AI Act transparency obligations.

Short answer

Intercom is GDPR-compliant — but verify your deployment, not just the platform.

• Confirm the DPA covers Fin AI Agent and all activated AI features, not just base chat.
• Check EU data residency scope: available on Business plans and above, hosted on AWS Frankfurt.
• Plan Article 50 EU AI Act disclosures if Fin AI handles inbound customer queries.
• Review sub-processors — especially any LLM providers behind Fin AI model calls.

This page is general information, not legal advice for a specific implementation. For comparison with alternative platforms, see our guides on Zendesk and HubSpot. For the broader AI governance framework, see AI customer service compliance.

Does Intercom Have a Data Processing Agreement (DPA)?

Yes. Intercom publicly provides a Data Processing Agreement accessible through its online privacy portal. The DPA establishes Intercom’s role as a processor under Article 28 GDPR, covers obligations on sub-processors, security measures, deletion procedures, and audit support, and incorporates SCCs for data transfers to third countries.

For EU buyers, this matters because Article 28 GDPR requires a written contract before any processor handles personal data on your behalf. A supplier without a DPA creates an immediate compliance gap. Intercom clears this threshold.

Key issues to verify once the DPA is signed:

Issue	What to check
Processor role scope	Does the DPA cover all Intercom products you activate, including Fin AI Agent?
Sub-processor list	Who does Intercom rely on for cloud, AI model, and support infrastructure?
Transfer mechanism	Are SCCs current and signed between the correct legal entities?
Retention and deletion	What are default retention periods for chat, AI outputs, and derived data?
AI feature coverage	Are Fin AI, AI Copilot, and AI Summaries explicitly covered under processor terms?

One practical point: the DPA scope depends on which Intercom products are activated. Fin AI Agent processes data differently from a basic support widget. If your deployment includes Fin AI, AI Copilot, or AI Summaries, verify explicitly that those features are covered by the same processor terms, sub-processor disclosures, and transfer mechanism as the base platform.

Where Does Intercom Store Data? EU Data Residency

Intercom offers EU data hosting for Business plan customers and above. EU data is stored on AWS Frankfurt infrastructure, which provides a cleaner hosting narrative for German procurement teams.

Important caveats that must be confirmed in writing:

• EU hosting is not EU-only processing. Global support access, AI model calls, and sub-processor operations may still involve transfers to servers outside the European Economic Area (EEA).
• Fin AI model calls — if Fin AI uses external LLM providers whose infrastructure sits outside the EEA, even EU-hosted Intercom instances may trigger cross-border transfer requirements under Chapter V GDPR.
• EU data residency scope — confirm in the DPA or a supplemental agreement exactly which data categories, product features, and processing operations fall within the EU hosting commitment.

For German buyers: EU data residency reduces (but does not eliminate) the Standard Contractual Clauses requirement. Even with EU hosting, document the full transfer picture — particularly for AI feature processing paths — before rollout.

Is Intercom GDPR Compliant? Legal Basis and Data Flows

The core GDPR question for any Intercom deployment is not whether the platform is “certified” — it is whether your specific use case has a valid legal basis under Article 6 GDPR.

Legal basis for chat data processing

Most customer support deployments rely on Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) GDPR (legitimate interests). For standard inbound support chat, this is usually workable. The legal basis becomes more complex when:

• AI features analyse chat content to derive behavioral insights about customers
• special-category data (health information, financial situation) arrives through support channels
• Intercom is used for employee-facing support or HR channels

Identify and document the legal basis before rollout — not after.

Sub-processor chain

Intercom uses sub-processors for cloud infrastructure, analytics, and AI model processing. German buyers should review the public sub-processor list and understand the objection rights before deployment.

AI features may rely on third-party model providers not covered by the base cloud infrastructure disclosure. Ask specifically: does Fin AI Agent use any external LLM providers, and if so, under what DPA and transfer terms?

Data residency options

Intercom offers EU data hosting for enterprise customers. EU data hosting is a useful starting point for a cleaner hosting narrative but is not equivalent to EU-only processing. Global support access, AI model calls, and sub-processor operations may still involve processing outside the EEA. Confirm the full scope in writing.

Intercom Fin AI and GDPR — Special Considerations

Fin AI Agent is Intercom’s autonomous conversational AI — it handles inbound customer queries end-to-end without a human agent in the loop. This creates specific GDPR obligations beyond those of a standard chat platform.

• Data processed: Fin AI accesses conversation history, knowledge base content, and potentially linked customer account data to generate responses.
• Article 22 GDPR — automated decision-making: Fin AI Agent makes autonomous decisions about how to resolve customer queries. If those decisions have significant effects on users — automated refusals, eligibility determinations, or account-level actions — an Article 22 GDPR analysis is required.
• Training data opt-out: Enterprise contracts typically include opt-out protections against customer data being used for AI model training. Verify this explicitly — do not assume.
• Transfer path for model calls: Confirm in the DPA whether Fin AI responses are generated through model infrastructure outside the EEA and whether the SCCs cover that specific processing path.

AI Copilot surfaces real-time suggestions to human support agents. The primary data concern is employee data, not customer data:

• If Copilot systematically tracks agent activity to generate performance insights, the Betriebsrat (works council) may have co-determination rights under Section 87(1) no. 6 BetrVG.
• AI-generated agent performance data should not be used for evaluation or monitoring without a valid legal basis and a works council agreement.

AI Summaries and conversation intelligence derive structured data from chat content. Verify whether AI-generated summaries are stored separately, for how long, and whether downstream uses (customer scoring, CRM enrichment) have their own legal basis.

GDPR Sub-processors and Third-Party Data Transfers

Intercom is headquartered in San Francisco, California. As a US company, any transfer of European personal data to Intercom’s infrastructure or US-based personnel requires a valid transfer mechanism under Chapter V GDPR.

Intercom’s DPA references Standard Contractual Clauses (SCCs) under the 2021 European Commission decision and the EU-U.S. Data Privacy Framework (DPF) where applicable. Both mechanisms are recognized under current GDPR guidance, provided they are properly implemented and the relevant data flows are covered.

Key steps for sub-processor due diligence:

1. Obtain the current sub-processor list from Intercom’s privacy portal or DPA annex.
2. Check notification rights — the DPA should give you the right to object to new sub-processors before they are added.
3. Verify transfer mechanisms for each material sub-processor, particularly those outside the EEA.
4. Ask specifically about Fin AI’s LLM providers — AI features may rely on third-party model providers not covered by the base cloud infrastructure disclosure.
5. Review the Zendesk/Salesforce integration chain — if Intercom data flows into integrated CRM or ticketing systems, each integration creates its own data transfer path requiring a separate DPA and transfer mechanism.

Verify that SCCs are executed between the correct legal entities — specifically the Intercom entity you contract with and your organization as the controller.

Data Retention and Deletion

Intercom data retention is configurable at the account level, but default settings may not align with your GDPR data minimization obligations.

What to check before deployment:

• Conversation transcripts: What is the default retention period for chat conversations? Can it be shortened to match your data minimization policy?
• AI-generated outputs: Are Fin AI responses and AI Summaries stored separately from raw transcripts? What is their default retention period?
• Derived data: Does Intercom retain derived behavioral data — topics, sentiment scores, routing signals — beyond the base conversation retention period?
• Contact deletion and right to erasure: When a customer exercises the right to erasure under Article 17 GDPR, does deleting a contact in Intercom also delete conversation data, AI outputs, and all derived records? Verify the full deletion scope in writing.
• DSAR support: Intercom provides tools for data subject access requests — review whether automated DSAR responses cover all data held under your contract, including AI feature data and derived analytics.

For German deployments: verify that Intercom’s deletion workflows align with the right to erasure and data minimization principles. If Intercom is integrated with Salesforce or Zendesk, the deletion chain must extend to integrated systems.

What German Companies Should Check Before Deploying Intercom

A practical pre-deployment checklist for German legal and procurement teams:

DPA/AVV review:

• DPA signed with the correct Intercom legal entity
• Fin AI Agent, AI Copilot, and AI Summaries explicitly covered in the processor scope
• Sub-processor list reviewed and objection rights understood
• SCCs executed between correct entities and covering AI feature processing paths
• Retention and deletion terms verified against your data minimization obligations

Works council (Betriebsrat):

• Assessed whether Intercom features monitor or evaluate employee behavior (AI Copilot, productivity metrics)
• Works council consulted before rollout if monitoring is present
• Draft Betriebsvereinbarung prepared covering usage limits and monitoring prohibitions

EU AI Act:

• Article 50 EU AI Act disclosure implemented for all Fin AI-handled interactions
• Disclosure appears at the start of each interaction, not only in terms of service or privacy notices

Integration chain:

• Data transfer path reviewed for Intercom integrations with Salesforce and Zendesk
• Each integration has its own DPA and transfer mechanism in place

Works Council (Betriebsrat) Requirements

German deployments of Intercom that affect employees — directly or indirectly — trigger co-determination rights under Section 87(1) no. 6 BetrVG.

The Betriebsrat must be consulted when technical equipment is introduced that enables monitoring or evaluation of employee behavior or performance. For Intercom, the relevant scenarios are:

• AI Copilot surfaces real-time suggestions to support agents. If this data is also used to monitor response times, quality scores, or productivity, the works council likely has co-determination rights.
• Fin AI Agent replacing or supplementing human agents: if the deployment affects headcount, workload distribution, or performance benchmarking, the Betriebsrat should be involved before rollout.
• Internal IT helpdesk or HR support on Intercom: employee-facing support channels are held to a stricter standard under Section 26 BDSG for employee data processing.

Engage the Betriebsrat before rollout. Prepare a clear description of what data the tool collects about employees, directly or indirectly, and propose a Betriebsvereinbarung that sets usage limits and prohibits unauthorized performance monitoring.

EU AI Act: Fin AI Agent Transparency Obligations

Under Article 50(1) EU AI Act, AI systems designed to interact with natural persons must disclose that they are an AI, unless this is obvious from context or authorized by national law for specific purposes. Fin AI Agent — a fully automated conversational AI that handles inbound customer queries — falls squarely within this scope.

Practical implication: If your Intercom deployment uses Fin AI in customer-facing chat, you must ensure that users are informed they are interacting with an AI system, not a human agent. This disclosure must appear at the moment the user initiates the interaction — not only when AI involvement becomes apparent, and not satisfied by general privacy notices alone.

The EU AI Act transparency obligation is partially applicable since August 2024. Non-compliance creates regulatory risk, particularly for B2C deployments in Germany where consumer protection enforcement is active.

FAQ

Is Intercom GDPR compliant?

Yes. Intercom is GDPR-compliant at the platform level. It has a publicly available DPA, SCCs for US data transfers, and EU data hosting on AWS Frankfurt for Business plan customers. Whether your specific deployment is fully compliant depends on your legal basis, activated features, sub-processor chain, and retention configuration.

Does Intercom have a DPA?

Yes. Intercom provides a Data Processing Agreement covering its processor role under Article 28 GDPR, sub-processors, SCCs, deletion requirements, and audit support. German buyers should review whether the DPA terms match their specific deployment — especially AI feature coverage, EU data residency scope, and the specific Intercom legal entity signing the agreement.

Does Intercom store customer chat data in the EU?

Yes, for Business plan customers and above. Chat data is hosted on AWS Frankfurt. However, EU hosting does not eliminate all cross-border transfers — Fin AI model calls, global support access, and sub-processor infrastructure may still involve processing outside the EEA. Confirm the full transfer picture in writing before rollout.

Is Intercom Fin AI GDPR compliant?

Fin AI Agent can be used under the GDPR with proper setup: a DPA that explicitly covers Fin AI data flows and LLM sub-processors, a valid Article 6 legal basis, documented training data opt-out protections, and an Article 50 EU AI Act disclosure for end users at the start of each interaction.

Does Intercom have an AVV (Auftragsverarbeitungsvertrag)?

Yes. Intercom’s DPA is the functional equivalent of an Auftragsverarbeitungsvertrag (AVV) — it satisfies the Article 28 GDPR written processor contract requirement. German buyers should verify the AVV covers all activated Intercom products, including Fin AI Agent, AI Copilot, and AI Summaries.

Does Intercom Fin AI Agent comply with the EU AI Act?

Fin AI Agent is an AI system designed to interact with natural persons and falls within the scope of Article 50(1) EU AI Act transparency obligations. Companies deploying Fin AI in customer-facing chat must disclose to users that they are interacting with an AI system. This disclosure must appear at the start of the interaction — it is not satisfied by general privacy notices alone.

If your legal or procurement team is reviewing Intercom before deployment, Compound Law advises businesses in Germany on GDPR, AI procurement, DPA reviews, and EU AI Act compliance. Contact us for a DPA review or rollout checklist tailored to your specific Intercom configuration.