Here are the key AI security practices and measures in place by our supplier Intercom:

Intercom has implemented advanced security measures specifically for its AI features:

LLM Data Handling Restrictions: None of their third-party LLM providers store customer conversation data. Customer data is only temporarily used to generate responses before being deleted, and there is a mandated zero data retention policy for customer messages and responses.

Defensive Prompting: They include protective instructions when the LLM reads user input to safeguard against attempts to manipulate or override the system's core safety measures (e.g., prompt injection attacks).

Adversarial Testing: Intercom runs industry-standard LLM vulnerability scanning against the models in production to identify and mitigate potential evasion techniques.

Robust Prompt Design: Significant investment has been made to design prompts that are robust against manipulation to ensure Fin's outputs remain consistent and secure.

AIUC-1 Certification: Intercom is among the first companies certified under AIUC-1, a global benchmark for responsible AI, which required independent, enterprise-grade testing of their AI systems for safety, reliability, and protection against issues like hallucinations.

Secure API Design: APIs that integrate the LLM are designed with secure best practices, including secure proxies to LLM providers and complementary customer control implementations.

Granular Data Opt-in: Customers must explicitly opt-in to making data sources available for LLM processing, providing fine-grained control over the content fed to AI-backed features.

Data Leak Prevention by Design: They operate under the assumption that data going into an LLM prompt can potentially come out as part of the response, informing their data handling architecture.

These practices form the foundation of Intercom's security environment, which extends to its AI features:

Encryption: All data is encrypted in transit (TLS/SSL with an "A+" rating, strong cipher suites, HSTS, and Perfect Forward Secrecy) and at rest (using AES-256 encryption).

Auditing and Logging: Comprehensive logging and auditing mechanisms track data access and usage, helping to quickly identify anomalies. Prompts for LLMs are also logged in access-controlled repositories.

Security Testing: They conduct external penetration testing twice a year and run a public bug bounty program with Bugcrowd.

Secure Messenger Implementation: They strongly recommend using JSON Web Tokens (JWTs) for Secure Mode to cryptographically verify user identity, prevent user impersonation, and protect all user attributes sent to the Messenger.

Compliance: Intercom has achieved several compliance certifications, including SOC 2 Type II, ISO 27001 & ISO 27018, and HIPAA Attestation.

Anti-Abuse Controls: Sign-ups are fingerprinted, assessed for risk, and either blocked or allowed to continue. They also have controls like PAN redaction to automatically detect and redact payment card numbers from conversations.