Security at Help Scout

Help Scout is committed to keeping your data secure, your private information private, and being transparent about our practices as a business. We are happy to work with our customers to answer any questions or address any concerns regarding how we protect their personal data. Below you will find general information and answers to many of our frequently asked questions regarding our security. 

General Security and Privacy Information

The engineering team at Help Scout monitors ongoing security and performance 24 hours a day, 365 days a year. The application is tested on an ongoing basis for security vulnerabilities and should any be found, patches and fixes are deployed quickly after discovery.

We also use a third party service to do PCI scans each quarter and penetration testing at least once a year. We can provide our latest scan and attestation of compliance upon request. Our hosting provider (Amazon AWS) is SOC 2 compliant. We are happy to provide info on how to obtain AWS's SOC 2 report (which requires signing an NDA with them) upon request as well — just ask our support team for more information on those. 

All of our policies are publicly available: 

Frequently Asked Questions

Is Help Scout GDPR compliant?
We have a GDPR-specific section of our Policies and Procedures that takes an in-depth look at all of the changes we’ve made to be GDPR compliant, including our Data Processing Agreement (DPA). Help Scout’s Help Desk and Beacon features are GDPR compliant. However, Help Scout’s Docs knowledge base is not, when it comes to storing customer information. If you need more specific information regarding Docs and cookies, ask our support team!

Can you sign my DPA? 
We provide an executable version of our DPA but we are not able to sign custom DPAs. 

Where are Help Scout's servers located?
Help Scout is hosted on servers in the United States. We have customers all over the world. With the recent changes to the suitability of the Privacy Shield framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries we have updated our DPA to include Standard Contractual Clauses (SCCs).

Can you fill out my GDPR compliance form?
We're not able to fill out individual compliance questionnaires. However, we do have answers to common questions/concerns around Help Scout's obligations under US law as a data importer available to download here.  

Is Help Scout HIPAA compliant?
You can find full details about our HIPAA support at Help Scout and HIPAA.

How does someone else know I'm using Help Scout? 
Targeted marketing in the current world of technology is easier than ever! If your team received marketing outreach that indicates they know you're using Help Scout, they have gathered this information without access to our customer database. Data mining tools such as Built With are able to show the details about your website components and email services by scraping publicly available DNS records and your website's code. If you have created any DNS records — such as CNAME or SPF records — that point to Help Scout servers from your domain, you're linking to a Help Scout Docs site from your website, or you have added a Beacon to your website, they can see that you're using Help Scout. 

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.