More than 4500 businesses trust Smooch with their customer communications, expecting their data to be protected and secure. That’s why we sweat the details. Through rigorous security checks, data encryption, employee screenings and compliance with industry regulations, we ensure your data is safe with us.

  • Data center and network security

    Smooch services are hosted on Amazon Web Services. As such, Smooch inherits the control environment which Amazon maintains and demonstrates via SSAE-16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers.

  • Access Controls

    Logical access to the Smooch production system is restricted on an explicit need-to-know basis and follows the principle of least privilege. It is frequently audited and monitored and is controlled by our production and security teams. Premises are monitored and access is logged.

  • Data Encryption

    Smooch supports encryption of customer data, both in transit and at rest. Communications between you and Smooch servers are encrypted via HTTPS and Transport Layer Security (TLS), following industry best practices.

Best practices and education

We implement industry best practices to ensure the confidentiality and integrity of your data.

  • Incident response plan

    We have implemented a formal procedure for security events and have educated all our staff on our policies.

  • Background checks

    All new employees on teams that have access to customer data (such as technical support and engineers) undergo criminal history and background checks prior to employment.

  • Confidentiality agreements

    All new hires are screened through the hiring process and required to sign non-disclosure and confidentiality agreements.

  • Security and privacy training

    All new employees attend a security training during the onboarding process. In addition, all employees must take the Smooch Security and Privacy training once a year, which covers the information security policies, security best practices, and privacy principles.

  • Privacy Shield Certification

    Smooch complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and from Switzerland.

  • Payment processing

    All payment instrument processing is outsourced to Stripe, making Smooch not subject to PCI compliance obligations.

  • Internal processes and audit

    Our Chief Privacy Officer works with our developers to make sure we comply with applicable international privacy laws.

  • Service data processing

    We primarily process personal data on behalf of our customers. Our privacy practices are outlined in the privacy statement for service data.

  • Data collection

    We collect a limited amount of personal data for our own internal purposes, which is governed by the privacy policy.