Security at Customerly

Your data is not just an asset, it's a responsibility. Security is an integral part of how we build Customerly: encrypted everywhere, hosted in the EU, monitored around the clock, and designed so you can focus on your customers while we protect their data.

GDPR compliant

Customerly is built to meet EU Regulation 2016/679. A Data Processing Agreement is available to every customer, and product features support data export, deletion, and consent management.

EU data residency

All customer data is stored and processed in AWS data centers located within the European Union, meeting data sovereignty requirements out of the box.

Encrypted everywhere

Data is encrypted in transit with TLS and Perfect Forward Secrecy, and at rest with AES-256. Encryption keys are managed through AWS Key Management Service.

AWS infrastructure

Customerly runs entirely on Amazon Web Services, inheriting the physical security, certifications, and resilience of one of the world's most audited cloud platforms.

Our security controls

A multi-layered approach combining technical controls, regular reviews, and a culture of security awareness that extends to our partners and third-party vendors.

Data encryption

  • All traffic between your browser and our servers is encrypted over HTTPS (TLS)
  • Perfect Forward Secrecy and strong ciphers protect past sessions even if a key is compromised
  • Data at rest is encrypted with AES-256 on AWS
  • Cryptographic keys are managed with AWS Key Management Service (KMS)
  • Backups are encrypted both in transit and at rest

Infrastructure security

  • Servers and databases run inside an AWS Virtual Private Cloud, never exposed to the public internet
  • Multi-Availability-Zone redundancy for databases with automatic failover
  • Autoscaling groups automatically replace failed instances
  • The entire infrastructure is managed as code with Terraform for consistent, auditable changes
  • Docker images are automatically scanned against disclosed vulnerabilities

Access control

  • Two-factor authentication is required for all administrative and AWS Console access
  • Role-Based Access Control grants each team member the minimum permissions needed
  • IP whitelisting is required for any system accessing our servers
  • Access follows the principle of least privilege across all sensitive systems
  • Customer data is segregated and isolated to prevent cross-tenant access

Monitoring & logging

  • Real-time monitoring tools continuously oversee servers and databases
  • All access and modifications are recorded in audit logs reviewed by authorized personnel
  • Systems are kept up to date with the latest security patches through regular update cycles
  • AWS monitoring automatically alerts us on anomalies and backup failures

Backup & disaster recovery

  • Hourly backups of every critical resource: S3 buckets, RDS databases, and EC2 instances
  • Backup integrity and restore procedures are routinely tested
  • Data can be restored from the latest snapshot within minutes
  • Terraform lets us rebuild any lost infrastructure quickly and consistently
  • Backups remain redundantly stored across multiple locations within the EU

Incident response

  • Documented incident response plan covering security breaches, system failures, and disasters
  • Immediate containment and isolation of affected systems
  • Stakeholders and data controllers are notified per our Personal Data Breach & Incident Handling Procedure
  • Root causes are eradicated and systems restored from verified secure backups
  • Post-incident reviews feed back into our security policies

Organizational security

Technology alone isn't enough. These are the practices every Customerly team member follows.

Corporate password policy

Minimum 16 characters with mandatory uppercase, lowercase, numeric, and special characters, strictly enforced across the company.

Device security

Company devices lock automatically after one minute of inactivity, and no removable media is used in our operations.

Least privilege by default

Only authorized personnel with specific roles can access high-risk systems, reducing the chance of unauthorized access or data manipulation.

Continuous risk assessment

We continually identify, evaluate, and prioritize risks, from software vulnerabilities to data loss scenarios, and review the process periodically.

Your role in security

Security is a shared responsibility. Customerly gives you the tools to keep your workspace and your customers' data under control:

  • Manage teammate permissions with feature-level access controls
  • Review active sessions with creation date, last activity, IP address, and browser details
  • Audit access logs showing date, IP address, and login results
  • Export user data to meet data portability requests
  • Permanently delete all data referencing a single user
  • Rely on automatic opt-out handling in every campaign and automation

We recommend using strong, unique passwords for your Customerly account and reviewing teammate permissions regularly.

Resources & documentation

Everything you need for your compliance and vendor review process:

For security questionnaires, vulnerability reports, or any other security inquiry, contact us at legal@customerly.io.

Security

Security FAQ

The questions security and procurement teams ask most often.

All customer data is stored on Amazon Web Services infrastructure located within the European Union, satisfying EU data sovereignty requirements. Backups are also redundantly stored across multiple availability zones inside the EU.

Yes. Data in transit is protected with HTTPS/TLS and Perfect Forward Secrecy. Data at rest is encrypted with AES-256 through AWS encryption services, with keys managed via AWS Key Management Service. Backups are encrypted in transit and at rest as well.

Customerly does not currently hold a SOC 2 or ISO 27001 certification of its own. Our security program follows the same industry best practices those frameworks codify, and our infrastructure runs entirely on AWS, which maintains SOC 1/2/3, ISO 27001, and many other certifications. If your procurement process requires specific documentation, contact us at legal@customerly.io.

Access follows the principle of least privilege: only authorized personnel with a specific role can access production systems, and only through two-factor authentication and IP whitelisting. Every access and modification is recorded in audit logs.

We follow a documented incident response plan: identify and classify the incident, contain and isolate affected systems, notify affected customers and data controllers according to our Personal Data Breach & Incident Handling Procedure, eradicate the root cause, restore from verified backups, and run a post-incident review.

Every critical resource, including databases, file storage, and compute instances, is backed up hourly. Backups are encrypted, stored redundantly within the EU, and routinely tested so data can be restored from the latest snapshot within minutes.

If you believe you have found a security vulnerability in Customerly, email us at legal@customerly.io with the details. We investigate every report and appreciate responsible disclosure that gives us reasonable time to remediate before public release.

AI Support That Sets You Apart.
Start Leading Today.

AI Support Software

Join our community of 3,655 people
and get the most juicy content.