Security Overview
Last updated: June 2026
Control Tower monitors Intercom conversations for risk signals, so we treat customer conversation data as sensitive. This overview describes the security measures used to protect data processed by Control Tower.
1. Infrastructure
- The Control Tower application runs on DigitalOcean infrastructure.
- Production PostgreSQL is hosted on DigitalOcean Managed PostgreSQL.
- Database access is restricted to production service infrastructure and administrative access paths.
- Production configuration is loaded from server-side environment files, not from browser-exposed code.
2. Encryption
- All public traffic uses HTTPS/TLS.
- Intercom OAuth access tokens and refresh tokens are encrypted before storage using AES-256-GCM.
- Conversation message bodies and raw Intercom webhook payloads are encrypted by the application before storage.
- Managed PostgreSQL and provider backups are protected by the database provider's storage security controls.
3. Authentication and Access Control
- Customers install Control Tower through Intercom OAuth.
- Production does not use static Intercom access tokens.
- Dashboard session cookies are set with the Secure, HttpOnly, and SameSite attributes.
- Admin access requires a configured administrator account whose password is stored as a bcrypt hash.
- Customer data is scoped by organization ID in both API handlers and database queries.
4. Intercom Access
Control Tower requests only the Intercom permissions needed to monitor conversations and perform customer-triggered workflows such as escalation. Control Tower does not modify unrelated Intercom settings such as secure mode, IP allowlists, articles, data connectors, or workspace security configuration.
5. Data Minimization and Retention
Control Tower stores the data needed to provide risk scoring, alerts, dashboard review, audit history, and billing enforcement. Message bodies and raw webhook payloads are encrypted before storage and are redacted after the configured retention period.
6. Monitoring and Audit
- Webhook processing status is tracked.
- Risk assessment, escalation, resolution, QA review, push alert, and billing actions are recorded as audit events.
- The admin console surfaces system health, failed webhook counts, billing state, and organization-level diagnostics.
7. Incident Response
If we become aware of a confirmed or suspected personal data breach affecting Control Tower customer data, we will notify affected customers without undue delay and, where required, within 72 hours of becoming aware of the breach. Where the breach involves Intercom data or the Intercom Developer Platform, we will notify Intercom within 72 hours as required by Intercom's developer terms.
8. Customer Responsibilities
- Use secure Intercom workspace authentication, such as SSO or two-factor authentication.
- Limit Control Tower access to authorized team members.
- Keep billing and support contacts current.
- Configure Slack webhooks only for channels appropriate for customer risk alerts.
9. Security Contact
Report security concerns to security@controltower.live. General support requests can still be sent to support@controltower.live.