Security at 6sense follows a shared responsibility model. The platform includes built-in security capabilities designed to protect customer data, while customers are responsible for configuring these controls in alignment with their internal security policies and compliance requirements.
For organizations with more advanced security needs, 6sense offers Advanced Security as an add-on. This extends the core security foundation with additional capabilities designed for more complex and scaled environments.
To learn more about Advanced Security or to enable it, please contact your 6sense Account Team.
This guide is intended for IT and Security administrators responsible for securely configuring the 6sense platform. It provides recommended configurations to help align the platform with your organization’s security requirements.
Each recommendation includes:
What to configure: The recommended security setting or feature.
Why it matters: The associated security rationale and risk addressed.
How to implement it: Links to supporting documentation.
To get started, use the Security Overview Checklist to track your implementation progress. Then refer to the detailed recommendations throughout this guide for configuration guidance.
Security overview checklist
Use this checklist to confirm that security controls are enabled in your 6sense organization. Each item references the corresponding recommendation number for detailed guidance.
Configure identity and access controls
Enable Single Sign-On (SSO): see Recommendation 1.
Enable SCIM user provisioning and de-provisioning (advanced security required): see Recommendation 2.
Configure default role and group mapping (advanced security required): see Recommendation 3.
Configure custom user roles (advanced security required): see Recommendation 4.
Set strong password requirements and understand MFA behavior if SSO is not used: see Recommendations 5 and 6.
Assign roles using least privilege (RBAC): see Recommendation 7.
Use Just-in-Time (JIT) access for 6sense support: see Recommendation 8.
Configure inactivity session timeouts: see Recommendation 9.
Configure system notifications and contacts
Allowlist system-alert@6sense.com: see Recommendation 10.
Configure appropriate notification recipients: see Recommendation 10.
Monitor weekly privacy notifications: see Recommendation 10.
Update Security and Privacy Contact Email: see Recommendation 11.
Secure integrations and API access
Follow API token lifecycle best practices: see Recommendation 12.
Create domain allowlist for CI API: see Recommendation 13.
Use OAuth 2.0 where available: see Recommendation 15.
Periodically review connected applications: see Recommendation 15.
Enable monitoring and visibility
Periodically review WebTag domain coverage: see Recommendation 14.
Download and review platform audit logs: see Recommendation 16.
Set up scheduled audit log exports to S3 (advanced security required): see Recommendation 17.
6sense platform security and privacy best practices
Access control
Recommendation 1: Configure Single Sign-On (SSO)
SSO centralizes authentication through your Identity Provider (IdP) and removes reliance on locally managed passwords. When SSO is enabled, all users authenticate through your IdP, allowing you to enforce your organization's authentication policies, including MFA and conditional access.
Why it matters: Centralized authentication reduces the risk of credential compromise, simplifies access management, and aligns 6sense access with existing enterprise identity controls. SSO is strongly recommended and preferred over basic authentication.
Once SSO is selected as the default login mechanism, it cannot be bypassed.
Refer to Set Up and Manage SAML 2.0 SSO for 6sense via the SSO Portal for more information.
Recommendation 2: Enable SCIM for automated user provisioning and de-provisioning (advanced security required)
SCIM enables automated synchronization of user identities between your Identity Provider and the 6sense platform. When enabled, changes such as new hires, role changes, and offboarding in your IdP are reflected automatically in 6sense.
Why it matters: Automating the user lifecycle helps reduce stale and unused accounts, ensures timely access removal, and minimizes manual administrative effort. This is especially important for organizations with strict access governance or regulatory requirements.
Prerequisite: SSO must be configured before enabling SCIM.
Refer to the following for more information:
Recommendation 3: Configure default role and group mapping (advanced security required)
SAML SSO group-to-role mapping enables automatic role assignment in 6sense based on group attributes sent from your IdP during user login. This eliminates manual role assignment and ensures users receive appropriate permissions from their first login.
Prerequisite: SSO must be configured.
Refer to SAML SSO Default Role and Group Mapping for more information.
Recommendation 4: Configure custom user roles (advanced security required)
Administrators can create specific permission sets tailored to user responsibilities and security needs. Custom roles allow for granular control, ensuring users have only the necessary permissions, supporting enterprise-scale deployments, and adhering to least-privilege security policies.
Refer to Custom User Roles for more information.
Authentication controls for organizations not using SSO
If your organization does not use SSO, the following controls help mitigate risk when using username and password authentication.
Recommendation 5 (Non-SSO): Define and enforce a password standard
Establish an internal password standard that meets or exceeds 6sense platform requirements. Ensure users are trained on secure password creation and handling practices.
6sense platform password requirements:
Minimum 12 characters.
Must include at least one uppercase letter, one lowercase letter, one number, and one special character.
Cannot reuse the last 3 passwords.
Passwords expire based on your organization's configured policy.
Why it matters: Strong password standards reduce the risk of credential compromise in environments without centralized authentication.
Refer to 6sense Revenue AI Platform Password Requirements for more information.
Recommendation 6 (Non-SSO): Monitor login notifications for new locations
6sense sends login email notifications to the user’s account when access occurs from a new location. Users should review these notifications and report any unrecognized activity immediately.
Why it matters: Monitoring login notifications helps detect unauthorized access attempts and supports early response to potential credential misuse.
Refer to New Browser Log In – Security Note for more information.
Recommendation 6a (Non-SSO): Understand two-factor authentication and email-based verification codes
Two-factor authentication is required for non-SSO logins. Users should understand verification code delivery, validity, retry limits, and lockout behavior to avoid disruption and ensure secure access.
Why it matters: Security awareness around MFA behavior is an important control in password-based authentication models.
Email-based verification code details:
Each verification code is sent to the email address associated with the user's account and remains valid for 10 minutes.
Users can request a new verification code up to five times.
After five incorrect code entries, the account will be locked for 15 minutes.
Refer to Two-Factor Authentication for more information.
General access management
Recommendation 7: Manage user access using least privilege (RBAC)
Assign roles based on the principle of least privilege and limit the number of administrative users. Regularly review access to ensure permissions align with current job responsibilities and employment status.
Why it matters: Least-privilege access reduces the impact of compromised accounts and limits the risk of unauthorized actions.
Refer to User Management (RBAC) for more information.
Recommendation 8: Use just-in-time access for 6sense support
Just-in-time access allows customers to grant temporary access to 6sense support personnel when assistance is required. Access is time-bound and can be revoked when no longer needed.
Why it matters: This approach reduces standing privileged access and supports controlled, auditable support interactions.
Refer to 6sense Team Member Access for more information.
Recommendation 9: Configure inactivity session timeout
Session timeouts automatically sign users out after a period of inactivity. Configuring appropriate timeout values reduces the risk of unauthorized access from unattended sessions.
Recommended value: 6sense recommends configuring an inactivity timeout of 25 minutes, as longer inactivity periods may increase the risk of unauthorized access. Administrators can adjust timeout settings to balance security and user productivity based on organizational needs.
Refer to Inactivity Session Timeout for more information.
System notifications
Recommendation 10: Configure system notifications and recipients
System notifications provide visibility into security-relevant events such as expiring credentials, API limits, and data collection issues. Configure recipients so notifications reach the appropriate teams.
Allowlist system-alert@6sense.com in your email gateway to ensure delivery. Monitor weekly privacy notifications to support compliance with opt-out and data privacy obligations.
Refer to the following for more information:
Recommendation 11: Maintain designated security and privacy contacts
Ensure security and privacy contacts are kept up to date in the Security and Compliance Settings page within the 6sense application. Accurate contact information enables timely communication during security or privacy-related events.
Why it matters: If a security incident or privacy event occurs, 6sense will use these contacts to notify your organization. Outdated or missing contacts can delay critical communications.
Refer to Contacts and Compliance for more information.
API tokens
Recommendation 12: Follow API token best practices
Apply the following best practices to manage API tokens securely:
Give your API token a descriptive name to track where it is being used (typically the same name as the integration it supports).
Do not assign the same API token to more than one integration, unless absolutely necessary.
Rotate your API tokens every 90 days: create a new token, apply it to the integration, then deactivate the old token.
Migrate any "default_existing_token". Legacy organizations may have a system-generated token with this label. Replace it with a named, purpose-specific token and then deactivate the legacy token.
Deactivate tokens that are not in use and delete tokens you don't plan to use again. Before deleting, save a copy of any token-related historical match rates and usage graphs if needed.
API token settings (score and segments settings) are secure by default and do not return detailed information. Adjust these settings only as required for your specific use cases.
For Enrichment APIs, ensure the API token is never exposed on any public domain. These APIs are designed exclusively for server-to-server communication.
Refer to API Credits & API Tokens for more information.
Recommendation 13: Create domain allowlist for 6sense company identification (CI) API
Create an allowlist of approved domains to restrict usage of the CI API token(s) to only those domains.
Navigate to Settings > API Tokens in the 6sense platform. Select the relevant CI API token and configure the domain allowlist.
Why it matters: Without a domain allowlist, CI API tokens can potentially be used from any domain, increasing the risk of unauthorized data access or token misuse. Restricting token usage to known, approved domains is a critical API security control.
Refer to API Credits & API Tokens for more information.
WebTag
Recommendation 14: Review WebTag domains annually
Review the domains covered by your WebTags at minimum annually and remove any domains that are no longer valid.
What to look for during a review:
Decommissioned or retired domains that should no longer have tags.
Staging, development, or test domains that may have been added temporarily.
Domains belonging to divested business units or discontinued products.
Any domains you do not recognize or did not authorize.
Why it matters: Stale or unauthorized WebTag coverage can result in unintended data collection from domains you no longer control, creating privacy and compliance risk.
Refer to FAQ: Domain Inclusion List for 6sense JavaScript WebTag for more information.
Connecting 6sense with external platforms (CRM and MAP)
Recommendation 15: Implement OAuth 2.0 where available
When connecting 6sense to external platforms, apply the following security practices:
Implement OAuth 2.0 where available instead of static credentials or API keys.
Regularly refresh OAuth 2.0 tokens to maintain secure and uninterrupted access between integrated systems.
Ensure token expiration and refresh intervals are configured according to your organization's security policies.
Periodically review and reauthorize connected applications to confirm that access scopes remain appropriate and that no unused or outdated tokens persist.
Integration-specific hardening: When integrating 6sense with another system, adhere to the security and configuration guidelines for both platforms. Refer to the following resources for common integrations:
Monitoring your 6sense rgoanization
Recommendation 16: Review audit logs regularly
Audit logs for your organization are available directly within the 6sense platform and can be downloaded in CSV format for offline analysis. Use these logs to regularly monitor user activity and system events within your organization.
Refer to Audit Logs for more information.
Recommendation 17: Scheduled audit log export to Amazon S3 (advanced security required)
Configure scheduled export of 6sense audit logs to your organization's AWS S3 bucket to enable secure, long-term storage under your control.
Ingest these logs into your SIEM to support centralized monitoring, correlation with other security telemetry, and integration into existing detection and response workflows.
Refer to the following for more information:
Recommendation Summary Table
# | Recommendation | Advanced Security Required |
1 | Configure Single Sign-On (SSO) | No |
2 | Enable SCIM Provisioning/De-provisioning | Yes |
3 | Configure Default Role and Group Mapping | Yes |
4 | Configure Custom User Roles | Yes |
5 | Define and Enforce a Password Standard (Non-SSO) | No |
6 | Monitor Login Notifications (Non-SSO) | No |
6a | Understand Two-Factor Authentication Behavior (Non-SSO) | No |
7 | Manage User Access Using Least Privilege (RBAC) | No |
8 | Use Just-in-Time Access for 6sense Support | No |
9 | Configure Inactivity Session Timeout | No |
10 | Configure System Notifications and Recipients | No |
11 | Maintain Designated Security and Privacy Contacts | No |
12 | Follow API Token Best Practices | No |
13 | Create Domain Allowlist for CI API | No |
14 | Review WebTag Domains Annually | No |
15 | Implement OAuth 2.0 Where Available | No |
16 | Review Audit Logs | No |
17 | Scheduled Audit Log Export to S3 | Yes |
Next steps and ongoing maintenance
Hardening is not a one-time activity. To maintain a strong security posture, the 6sense Security Team recommends incorporating the following into your ongoing operations:
Quarterly access reviews: Review user roles, permissions, and employment status to ensure alignment with least-privilege principles (Recommendation 7).
90-day API token rotation: Rotate all active API tokens on a 90-day cycle (Recommendation 12).
Annual WebTag domain audit: Review and clean up WebTag domain coverage at least once per year (Recommendation 14).
Ongoing SIEM integration: If using advanced security, confirm audit log exports to S3 are flowing and being ingested by your SIEM (Recommendation 17).
Contact validation: Verify that security and privacy contacts are current at least semi-annually, or whenever key personnel change (Recommendation 11).
Connected application review: Periodically reauthorize OAuth integrations and remove unused connections (Recommendation 15).
6sense builds the platform with security and privacy by design. Customers play a critical role by enabling and maintaining appropriate security controls to further protect their organization.
If you have a security concern, report it to security@6sense.com.
To learn more about 6sense’s security and privacy practices, visit our trust center at https://6sense.com/trust/.