Security
We protect your data
Infrastructure Security
Your data is hosted on Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud platform. AWS maintains an extensive set of third-party validated security certifications, including:
- SOC 1, SOC 2, and SOC 3 - Independent auditor reports validating security controls
- ISO 27001 - International standard for information security management
- ISO 27017 - Cloud-specific security controls
- ISO 27018 - Protection of personal data in the cloud
- PCI DSS Level 1 - Payment card industry data security standard
These certifications are assessed by independent third-party auditors and demonstrate AWS's commitment to maintaining the highest security standards.
Data Protection
Your data is stored on AWS's secure and redundant infrastructure. Files are stored on redundant EBS volumes with snapshot backups taken daily and stored in remote regions for an extra layer of protection. All data stored in the database is written to multiple availability zones in real time for high availability. Databases are also continuously backed up and capable of point-in-time recovery in addition to daily snapshots.
The network is protected by a firewall and uses a combination of AWS security tools and Cloudflare to protect against intrusion and DDoS attacks.
Encryption
Your data is always transmitted and stored using industry-standard encryption:
- In Transit - All data is encrypted using TLS 1.2 or higher
- At Rest - All stored data is encrypted using AES-256 encryption
Physical Security
AWS data centers feature multiple layers of physical security, including:
- 24/7 security staff and video surveillance
- Multi-factor access controls
- Unmarked facilities in nondescript locations
- Environmental controls for fire detection and suppression
Database servers are configured with real-time automatic failover in case of hardware failure. All backups are restricted to their respective regions (US or EU) to meet data residency requirements.
Software Updates
All servers are configured to automatically install the latest security updates and patches, ensuring protection against known vulnerabilities.
Microsoft Government Cloud Environments
HelpSpot supports Microsoft 365 government cloud environments via OAuth and the Microsoft Graph API. Supported environments include:
- Microsoft 365 U.S. Government GCC - Government Community Cloud for federal, state, and local agencies
- Microsoft 365 U.S. Government GCC High - Higher-impact environment meeting ITAR and DFARS requirements
- Microsoft 365 U.S. Government DoD - Department of Defense environment meeting DoD SRG IL5 requirements
Each environment uses distinct OAuth and Graph API endpoints. HelpSpot connects to the correct government-specific endpoints for your tenant, so your email integration works without routing traffic through commercial Microsoft services.
Billing Information
All credit card information is stored and processed by Stripe, a PCI DSS Level 1 certified payment processor. HelpSpot never stores or has access to your full credit card details.
Need complete control over your data?
Deploy HelpSpot on your own infrastructure for full data sovereignty. Run it behind your firewall, air-gapped from the internet, with complete control over backups, updates, and compliance.
- No external connections required
- Direct database access for reporting
- HIPAA, GDPR, and compliance-ready