Intercom AI GDPR: Does Intercom Have a Data Processing Agreement?
Does Intercom have a Data Processing Agreement?
Yes. Intercom offers a Data Processing Agreement (DPA) for business plan customers. German companies must verify that the DPA covers their actual deployment, including Fin AI Agent data flows, subprocessor chains, EU data residency scope, and Article 50 EU AI Act transparency obligations.
- Intercom provides a DPA with SCCs for international transfers — review subprocessors, AI data flows, and retention settings before rollout.
- Fin AI Agent creates additional obligations under Article 50 EU AI Act — disclosure to users interacting with AI is required.
- German deployments involving employees trigger Betriebsrat co-determination rights under Section 87 BetrVG.
Intercom AI GDPR questions usually come from IT managers, legal counsel, and procurement teams asking a specific question: does Intercom have a Data Processing Agreement, and does it actually cover Fin AI? As of April 8, 2026, the answer is yes — Intercom offers a Data Processing Agreement (DPA) for eligible business plan customers. The DPA references Standard Contractual Clauses (SCCs) for international transfers and covers Intercom’s role as a processor under Article 28 GDPR. That is a necessary starting point. It is not a sufficient one. Whether your specific Intercom deployment is lawful depends on which products you activate, what customer data enters the system, and whether your contract and configuration address your actual data flows.
Short answer
Yes, Intercom has a DPA — but verify the scope before rollout.
- Confirm the DPA covers Fin AI Agent and other activated AI features, not just base chat.
- Check the subprocessor list, transfer mechanism, and EU data residency scope.
- Plan Article 50 EU AI Act disclosures if Fin AI handles inbound customer queries.
This page is general information, not legal advice for a specific implementation. If you are comparing AI-powered customer support platforms for Germany, also review our guides on AI customer service, Zendesk, and HubSpot.
Does Intercom Have a Data Processing Agreement?
Yes. Intercom publicly provides a Data Processing Agreement for business customers who process personal data through the platform. The DPA establishes Intercom’s role as a processor under Article 28 GDPR, sets out obligations on subprocessors, security measures, deletion, audit support, and references SCCs for data transfers to third countries.
For German buyers, this matters because Article 28 GDPR requires a written contract before any processor handles personal data on your behalf. A supplier without a DPA creates an immediate compliance gap. Intercom clears this threshold.
What legal teams should verify once the DPA exists:
| Issue | What to check |
|---|---|
| Processor role definition | Does the DPA cover all Intercom products you activate, including Fin AI Agent? |
| Subprocessor list | Who does Intercom rely on for cloud, AI, and support infrastructure? |
| Transfer mechanism | SCCs or DPF — are they current, and do they cover all processing paths? |
| Retention and deletion | What are default retention periods for chat, AI outputs, and derived data? |
| Article 28 clause quality | Do instructions, confidentiality, audit, and assistance clauses meet GDPR standards? |
One practical point for German procurement: the DPA’s scope depends on which Intercom products you activate. Fin AI Agent processes data differently from a basic support widget. If your deployment includes Fin AI, AI Copilot, or AI Summaries, verify explicitly that those features are covered by the same processor terms, subprocessor disclosures, and transfer mechanism as the base platform.
Is Intercom AI GDPR Compliant?
The better question for German buyers is not whether Intercom is “GDPR compliant” in the abstract. The real question is whether your Intercom deployment satisfies the GDPR.
Legal basis for processing customer data via chat
Most customer support deployments rely on Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) GDPR (legitimate interests) as the legal basis for processing names, contact details, and conversation content. For standard inbound support chat, this is often workable. It becomes more complex when:
- AI features analyse chat content to derive insights about customer behavior
- special-category data (health, financial situation) arrives through support channels
- employee data is processed for monitoring or performance purposes
Identify the legal basis before rollout, not after.
Sub-processor chain
Intercom uses subprocessors for cloud infrastructure, analytics, and AI model processing. German buyers should review the public subprocessor list, understand the objection rights, and confirm that each material subprocessor has an equivalent transfer and security setup to the primary DPA.
AI features in particular may rely on third-party model providers that are not covered by the base cloud infrastructure disclosure. Ask specifically: does the Fin AI Agent use any external LLM providers, and if so, under what terms?
Data residency options
Intercom offers EU data hosting options for enterprise customers. For German procurement teams, this is a useful starting point for a cleaner hosting narrative. However, EU data hosting is not equivalent to EU-only processing. Global support access, AI model calls, and subprocessor operations may still involve processing outside the European Economic Area (EEA). Confirm the scope in writing.
Intercom’s AI Features and GDPR
Intercom’s AI portfolio has expanded significantly and each feature creates distinct data processing questions.
Fin AI Agent
Fin AI Agent is Intercom’s autonomous conversational AI — it handles inbound customer queries end-to-end without a human agent in the loop. For GDPR purposes, this raises the stakes:
- Data processed: Fin AI accesses conversation history, knowledge base content, and potentially linked customer account data to generate responses.
- Where processed: Fin AI outputs may be generated through model infrastructure outside the EEA. Verify the transfer path in the DPA or directly with Intercom.
- Retention: AI-generated conversation outputs can follow different retention schedules than raw chat transcripts. Check what is retained, where, and for how long.
- Model training: Enterprise contracts typically include opt-out protections against customer data being used for model training. Verify — do not assume.
AI Copilot
AI Copilot is the agent-assist feature — it surfaces suggestions to human support agents in real time. The primary data concern here is employee data, not customer data:
- Copilot monitors agent activity to generate suggestions, which may constitute employee behavioral monitoring under German law.
- If agents are systematically tracked through Copilot, the Betriebsrat (works council) may have co-determination rights under Section 87(1) no. 6 BetrVG.
- AI-generated agent performance insights should not be used for evaluation without a proper legal basis and works council agreement.
AI Summaries and conversation intelligence
Intercom’s AI Summaries, topic detection, and conversation intelligence features derive structured data from chat content. Key questions:
- Are AI-generated summaries stored separately from the original conversation, and for how long?
- If summaries feed into customer scoring, routing decisions, or CRM enrichment, do those downstream uses have a separate legal basis?
- Are summaries scoped as “controller-accessible data” or strictly processor-held data under the DPA?
International Data Transfers from Germany
Intercom is headquartered in San Francisco, California. As a US company, any transfer of European personal data to Intercom’s infrastructure or US-based personnel requires a valid transfer mechanism under Chapter V GDPR.
Intercom’s DPA references Standard Contractual Clauses (SCCs) under the 2021 European Commission decision and the EU-U.S. Data Privacy Framework (DPF) where applicable. Both mechanisms are recognized under current GDPR guidance as valid transfer instruments for US data flows, provided they are properly implemented and the relevant data flows are covered.
German buyers should still verify:
- Are SCCs executed between the correct legal entities (the specific Intercom entity and the German controller)?
- Does the DPF reference actually apply to the Intercom legal entity you are contracting with?
- Do the SCCs cover AI feature processing, not just base platform data storage?
- Does EU data hosting, where offered, fully eliminate the need for SCCs, or do residual processing paths outside the EEA still require transfer mechanisms?
The practical standard is: document the transfer basis in writing and confirm it covers all processing paths your deployment activates.
Works Council (Betriebsrat) Requirements
German deployments of Intercom that affect employees — directly or indirectly — trigger co-determination rights under Section 87(1) no. 6 BetrVG.
The Betriebsrat must be consulted when technical equipment is introduced that enables monitoring or evaluation of employee behavior or performance. For Intercom, the relevant scenarios are:
- AI Copilot surfaces real-time suggestions to support agents. If this data is also used to monitor response times, quality scores, or productivity, the works council likely has co-determination rights.
- Fin AI Agent replacing or supplementing human agents: if the deployment affects headcount, workload distribution, or performance benchmarking, the Betriebsrat should be involved.
- Internal IT helpdesk or HR support on Intercom: employee-facing support channels are held to a stricter standard under Section 26 BDSG (Federal Data Protection Act) for employee data.
Engage the Betriebsrat before rollout. Prepare a clear description of what data the tool collects about employees, directly or indirectly, and propose a works council agreement (Betriebsvereinbarung) that sets usage limits and prohibits unauthorized performance monitoring.
EU AI Act Classification
Fin AI Agent: chatbot transparency obligations
Under Article 50(1) EU AI Act, AI systems designed to interact with natural persons must disclose that they are an AI, unless this is obvious from the context or the system has been authorized by national law for specific purposes. Fin AI Agent — a fully automated conversational AI that handles inbound customer queries — falls squarely within this scope.
Practical implication: If your Intercom deployment uses Fin AI in customer-facing chat, you must ensure that users are informed they are interacting with an AI, not a human agent. This applies at the start of the interaction, not just in the footer or terms of service.
Disclosure requirement
The disclosure obligation is not a branding decision. It is a legal requirement under the EU AI Act, which has been partially applicable since August 2024. Non-compliance creates regulatory risk, particularly for B2C deployments in Germany where consumer protection enforcement is active.
Review your Intercom chat widget configuration. If Fin AI handles first-response before escalating to a human agent, the AI disclosure must appear at the moment the user initiates the interaction, not only when AI involvement becomes apparent.
Our Assessment
Intercom is a deployable customer support platform for German companies, provided the procurement process is handled correctly. The DPA exists, the transfer mechanism is in place, and EU data hosting is available for enterprise customers. Those are meaningful foundations.
The risk areas that require active management are:
- Fin AI data flows — verify the AI feature DPA scope, LLM subprocessors, and retention terms explicitly.
- Article 50 EU AI Act — implement user-facing AI disclosure for all Fin AI-handled interactions before launch.
- Works council — engage the Betriebsrat if any Intercom feature directly or indirectly affects employees.
- Transfer documentation — confirm the SCC/DPF basis in writing, and verify EU data hosting scope does not leave gaps.
For a like-for-like comparison with an alternative customer support platform, see our guides on Zendesk and HubSpot. For a broader framework on AI customer service governance in Germany, see AI customer service compliance.
FAQ
Does Intercom have a DPA?
Yes. Intercom publicly provides a Data Processing Agreement for business plan customers. The DPA covers Intercom’s processor role under Article 28 GDPR, subprocessors, SCCs, and deletion requirements. German buyers should review whether the DPA terms match their specific deployment — especially AI feature coverage and EU data residency scope.
Is Intercom AI GDPR compliant?
Intercom AI can be used lawfully under the GDPR with the right setup. That requires a reviewed DPA, a valid legal basis for chat data processing, AI transparency disclosures where Fin AI is deployed, and a documented transfer mechanism. GDPR compliance is always deployment-specific, not vendor-specific.
Does Intercom have an AVV (Auftragsverarbeitungsvertrag)?
Yes. Intercom’s DPA is the functional equivalent of an Auftragsverarbeitungsvertrag (AVV) under German data protection practice — it satisfies the Article 28 GDPR requirement for a written processor contract. German buyers should verify the AVV terms cover all Intercom products activated in their deployment, including AI features.
Does Intercom Fin AI Agent comply with the EU AI Act?
Fin AI Agent is an AI system that interacts with natural persons and is therefore subject to the Article 50 EU AI Act transparency obligation. Companies must disclose to users that they are interacting with an AI system. This applies at the start of the interaction and is not satisfied by general privacy notices alone.
Where does Intercom process data?
Intercom is headquartered in San Francisco. EU data hosting options are available for enterprise customers, but EU hosting does not eliminate all processing outside the EEA. Global support access, Fin AI model calls, and subprocessor infrastructure may still involve extra-EEA processing. Document the full transfer picture in writing before rollout.
If your legal or procurement team is reviewing Intercom before deployment, Compound Law advises businesses in Germany on GDPR, AI procurement, DPA reviews, and EU AI Act compliance. Contact us for a DPA review or rollout checklist tailored to your specific Intercom configuration.
