Secure Customer Service

Cover your bases

Zendesk takes security very seriously — just ask the number of Fortune 100 and Fortune 500 companies that trust us with their data. We use a combination of enterprise-class security features and comprehensive audits of our applications, systems and networks to ensure that your data is always protected, which means every customer can rest easy—our own included.

Compliance Certifications and Memberships

We use best practice and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our customers meet their own compliance standards.

Security Compliance
SOC 2 Type II

We undergo routinised audits to receive updated SOC 2 Type II reports, available upon request and under NDA. Request the latest SOC 2 Type II report.

ISO 27001:2013

Zendesk is ISO 27001:2013 certified. Download the certificate.

ISO 27018:2014

Zendesk is ISO 27018:2014 certified. The certificate is available for download here.

ISO 27701:2019

Zendesk is ISO 27701:2019 certified. The certificate is available for download here.

FedRAMP LI-SaaS

Zendesk is FedRAMP authorised with Low Impact Software-as-a-Service (LI-SaaS) and is listed in the FedRAMP Marketplace. US Government agency subscribers can request access to the Zendesk FedRAMP Security Package by completing a Package Access Request Form or submitting a request to fedramp@zendesk.com.

Industry-Based Compliance
PCI-DSS

Zendesk Support offers a configurable PCI-compliant credit card field that redacts all but the last four digits. Learn about PCI Compliance at Zendesk.

Memberships
McAfee Cloud Trust - McAfee Enterprise Ready

Zendesk received the McAfee CloudTrust Program. The program presents the McAfee Enterprise-Ready seal to only those services that have the highest CloudTrust™ rating possible. These are among the services that have earned McAfee's CloudTrust™ and a rating of McAfee Enterprise-Ready based on their attributes across the data, user and device, security, business and legal evaluation categories.

Cloud Security Alliance (CSA)

Zendesk is a member of the Cloud Security Alliance (CSA), a not-for-profit organisation with a mission to promote the use of best practice for providing security assurance within Cloud Computing. CSA has launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. Zendesk completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment.

The CSA CAIQ is available here.

IT-ISAC

Zendesk is a member of IT-ISAC, a group focused on bringing together a diverse set of private sector companies to leverage evolving technology and have a common commitment to security. IT-ISAC enables collaboration and sharing of relevant, actionable threat intelligence information and practices. They moderate special interest groups that focus on Intelligence, Insider Threat, Physical Security and other specific focus areas to help further our mission of securing Zendesk.

FIRST

Zendesk is a member of FIRST, an international confederation of incident response teams that cooperatively handles computer security incidents and promote incident prevention programmes. FIRST members develop and share technical information, tools, methodologies, processes and best practice. As a member of FIRST, Zendesk Security works with other members to use their combined knowledge, skills, and experience to promote a safer and more secure global electronic environment.

Financial Services Qualifications System (FSQS)

Zendesk has satisfied all requirements (Stage 1 and Stage 2) to become fully registered on the FSQS (Financial Services Qualification System) supplier qualification system, as set out by participating buying organisations. Request the latest FSQS Certificate here.

More details about FSQS https://hellios.com/fsqs/.

Artifacts

We can provide additional resources upon request.

Direct Download Resources (non-NDA)

ISO 27001:2013 Certification

ISO 27018:2014 Certification

ISO 27701:2019 certificate

SOC 3 Report

Datasheet / White Paper

PCI Attestation of Compliance (AoC) and Certificate of Compliance

Network Architecture Diagrams

  • Support/Guide
  • Chat
  • Talk

CSA CAIQ

Risk Ledger

FSQS (Financial Services Qualification System)

Get resources
NDA Resources

The following resources may require an NDA on file. Click the button to gain access.

Certificate of Insurance

SOC 2 Type II Report

Annual Penetration Test Summary

Business Continuity and Disaster Recovery Test Summary

SIG Lite

VSA

HECVAT Lite

Current subscribers can access these resources in the Admin UI:

Cloud Security

Data Centre Physical Security
Facilities

Zendesk hosts Service Data primarily in AWS data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about Compliance at AWS.

AWS infrastructure services include backup power, HVAC systems and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Centre Controls at AWS.

On-Site Security

AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology and other security measures. Learn about AWS physical security.

Data Hosting Location

Zendesk leverages AWS data centres in the United States, Europe and Asia Pacific. Learn about Data Hosting Locations for your Zendesk Service Data.

Zendesk offers multiple data locality choices including the United States (US), Australia (AU), Japan (JP) or European Economic Area (EEA). For more information on product, plan and regional offerings please see our Regional Data Hosting Policy.

Vendor Security

Zendesk minimises risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or Service Data.

Network Security
Dedicated Security Team

Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilised between the Internet and internally between the different zones of trust.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests

In addition to our extensive internal scanning and testing program, each year Zendesk employs third-party security experts to perform a broad penetration test across the Zendesk Production and Corporate Networks.

Security Incident Event Management

Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.

Intrusion Detection and Prevention

Service ingress and egress points are instrumented and monitored to detect abnormal behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Threat Intelligence Program

Zendesk participates in several threat intelligence sharing programmes. We monitor threats posted to these threat intelligence networks and take action based on risk.

DDoS Mitigation

Zendesk has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defences, while the use of AWS scaling and protection tools provide deeper protection along with our use of AWS DDoS specific services.

Logical Access

Access to the Zendesk Production Network is restricted by an explicit need-to-know basis, utilises least privilege, is frequently audited and monitored and is controlled by our Operations Team. Employees accessing the Zendesk Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption
Encryption in Transit

All communications with Zendesk UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration or service subscribers may choose to leverage at their own discretion.

Encryption at Rest

Service Data is encrypted at rest in AWS using AES-256 key encryption.

Availability & Continuity
Uptime

Zendesk maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history and relevant security events.

Redundancy

Zendesk employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery

Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans and testing activities.

Enhanced Disaster Recovery

Our Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritise operations of Enhanced Disaster Recovery customers during any declared disaster vent.

Get more information on Disaster Recovery Guarantees.

Application Security

Security Development (SDLC)
Framework Security Controls

Zendesk leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), amongst others.

Quality Assurance

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test and triage security vulnerabilities in code.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

Vulnerability Management
Dynamic Vulnerability Scanning

We employ third-party security tooling to continuously and dynamically scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

Software Composition Analysis

We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.

Third-Party Penetration Testing

In addition to our extensive internal scanning and testing program, Zendesk employs third-party security experts to perform detailed penetration tests on different applications within our family of products.

Responsible Disclosure / Bug Bounty Program

Our Responsible Disclosure Programgives security researchers, as well as customers, an avenue for safely testing and notifying Zendesk of security vulnerabilities through our partnership with HackerOne.

Product Security

Authentication Security
Authentication Options

Zendesk has several different authentication options: subscribers can enable native Zendesk authentication, social media Single sign-on (SSO) (Facebook, Twitter, Google), and/or Enterprise SSO (SAML, JWT) for end-user and/or agent authentication. Learn about user access.

Configurable Password Policy

Zendesk native authentication for products available through the Admin Centre provides the following levels of password security: low, medium, and high, as well as set custom password rules for agents and admins. Zendesk also allows for different password security levels to apply to end users vs agents and admins. Only admins can change the password security level. Learn about configurable password policies.

2-Factor Authentication (2FA)

Zendesk native authentication for products available through the Admin Centre offers 2-factor (2FA) for agents and admins via SMS or an authenticator app. Learn about 2FA.

Service Credential Storage

Zendesk follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.

Additional Product Security Features
Role-Based Access Controls

Access to data within Zendesk applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Zendesk supports various permission levels for users (owner, admin, agent, end-user, etc.).

Learn about user roles:

Details on global security and user access

IP Restrictions

Any Zendesk account can restrict access to their Zendesk Support to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to your Zendesk account. You can allow subscribers (not agents or admins) to bypass this restriction. For more information, see Restricting access to Zendesk Support and your Help Centre using IP restrictions and Using IP Access Restriction in Chat.

Hosted Encryption Certificates for Help Centre (TLS)

Zendesk provides free TLS encryption for host-mapped Guide help centers. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.

You can also upload your own certificate, if you choose.

To learn more about setting up encryption certificates for a Guide help centre please see Setting up a hosted TLS encryption certificate.

File Restrictions in Chat

Zendesk Chat allows the ability to restrict what file types are sent to agents. Alternatively, you can choose to turn off file sending entirely in the Chat product. To learn about this feature, see Managing file sending in live chat.

Audit Logs

Zendesk offers Audit Logs to accounts with Enterprise/Enterprise Plus plans. These logs include account changes, user changes, app changes, business rules, ticket deletions and settings. The Audit Log is available in both the Admin Centre and Support API. To learn more about Audit Logs and see what information is available within the log please see Viewing the audit log for changes.

Private Attachments

Subscribers can configure their instance so that users are required to sign in to view ticket attachments. Learn about Private Attachments.

Redaction

Zendesk has two types of redaction for removing sensitive data: Manual redaction provides the ability to redact or remove sensitive data in Support ticket comments and securely delete attachments, so you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn about redaction via the UI or API.

Automatic redaction allows for automatic redaction of credit card numbers from subscriber-submitted tickets. When enabled, credit card numbers are partially replaced with blank boxes in the ticket. They are also redacted from logs and database entries. To learn more about how to enable this feature and how credit card numbers are identified, see Automatically redacting credit card numbers from tickets and from chats.

Spam Filter for Guide help centre

Zendesk’s spam filtering service can be used to prevent end-user spam posts from being published in your Help Centre. Learn about filtering spam in Guide.

Email Signing (DKIM/DMARC)

Zendesk offers DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting And Conformance) for signing outbound emails from Zendesk when you have to set up an external email domain on your Zendesk. Using an email service that supports these features helps you stop email spoofing. Learn about digitally signing your email.

Device Tracking

Zendesk tracks the devices used to sign in to each user account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow up if the activity seems suspicious. Suspicious sessions can be terminated through the agent UI. Learn about device tracking.

HR Security

Security Awareness
Policies

Zendesk has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Zendesk information assets.

Training

All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts and in presentations during internal events.

Employee Vetting
Background Checks

Zendesk performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education and employment verification. Cleaning crews are included.

Confidentiality Agreements

All new hires are required to sign Non-Disclosure and Confidentiality agreements.

Welcome to the Zendesk Global Privacy Program

Zendesk has a formal global privacy and data protection program, which includes cross-functional key stakeholders including Legal, Security, Product and Executive sectors of the company. As privacy advocates, we work diligently to ensure our Services and team members are dedicated to compliance with applicable regulatory and industry frameworks.

Compliance

Australian Privacy Act of 1988 and Privacy Principles

The Australian Privacy Act of 1998 (as amended) provides several data subject rights and added mandatory notification of eligible data breaches. Unlike the GDPR, there are no concepts of data controller and data processor. https://www.zendesk.com/company/anz-privacy/

Brazil Lei Geral de Proteção de Dados Pessoais (LGPD) Addendum

The Brazilian General Data Protection Law or Lei Geral de Proteção de Dados Pessoais (“LGPD”), was entered into effect on September 18, 2020. LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and provides individual rights.

Zendesk customers that collect and store personal data in Zendesk Services may be considered “controllers” under the LGPD. Controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the LGPD. Zendesk acts as a “processor,” as such term is defined in the current version of the LGPD, with respect to the processing of personal data through our Services.

Subscribers can view our Product Guides and Service Data Deletion Policy for more detailed information on how to use Zendesk’s products to align with compliance initiatives. The National Authority for Protection Data (“ANPD”) may issue additional guidance for the LGPD in the future. Zendesk will continue to actively track the law and we will continue to keep our subscribers updated on features and functionality they can use to support their compliance efforts.

If you would like to review and/or execute Zendesk’s LGPD Addendum to the Master Subscription Agreement, please click here. Our Zendesk’s Master Subscription Agreement includes “Region-Specific Terms”, specifically a Brazil section.

California Consumer Privacy Act (CCPA) Addendum.

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”) is a U.S. law enacted in the State of California, which went into force on January 1, 2020. It expands upon the privacy rights available to certain California consumers, and requires certain companies to comply with various data protection requirements. Please also visit the final CCPA Regulations and the California Privacy Rights Act (“CPRA”). A few CPRA provisions went into effect on December 16, 2020, with the remaining provisions of the CPRA becoming operative on January 1, 2023.

Zendesk subscribers that collect and store personal information in Zendesk Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Zendesk acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Zendesk collects, accesses, maintains, uses, processes, and transfers the personal information of our subscribers and our subscriber’s end-users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our subscribers; and for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.

We do not “sell” our subscriber’s personal information as defined under the CCPA. We may share aggregated and/or anonymised information regarding use of the Service(s), which is not considered personal information under the CCPA, with third parties to help us develop and improve the Services and provide our subscribers with more relevant content and service offerings as detailed in our subscriber agreements.

You can review and/or execute Zendesk’s CCPA Addendum to the Master Subscription Agreement here.

Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

Canada’s Personal Information Protection and Electronic Documents Act went into effect in 2000 and is focused around ten fair information principles, which form the rules for collection, use, access and disclosure of personal information. In October of 2021, the International Technology Association of Canada and Information Technology Industry Council suggested changes to PIPEDA to provide greater privacy and transparency rights for Canadian citizens.

Data Processing Agreement (DPA)

You can review and/or execute Zendesk’s DPA here. The Zendesk DPA covers the specific processing activities and security measures applicable to our Services and incorporates the new EU Standard Contractual Clauses (“EU SCCs”).

If you require your existing Zendesk DPA be updated to incorporate the new EU SCCs and the UK Addendum, but do not wish to execute a new DPA, you can review and/or execute Zendesk’s Data Transfer Addendum here.

Subscribers can read our Product Guides and Service Data Deletion Policy for detailed information on how to use Zendesk’s products to assist in compliance with data protection and privacy laws.

Europe General Data Protection Regulation (GDPR)

Since our inception, Zendesk’s approach has been anchored by a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our subscribers’ compliance with EU data protection requirements, such as those set out in the General Data Protection Regulation (“GDPR”).

If a subscriber collects, transmits, hosts, or analyses personal data of EU citizens, GDPR requires the subscriber to use third-party data processors who guarantee their ability to implement the technical and organisational requirements of the GDPR. To further earn our customers’ trust, our Data Processing Agreement (“DPA”) has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR.

Binding Corporate Rules (BCRs): Binding Corporate Rules (“BCRs”) are company-wide data protection policies approved by European data protection authorities to facilitate intra-group transfers of personal data from the European Economic Area (“EEA”) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Subscribers can find the full list of approved entities on the Binding Corporate Rules Approved List here. In 2017 Zendesk completed the EU approval process with the Irish Data Protection Commissioner (“DPC”) (peer reviewed by both the UK Information Commissioner’s Office and the Dutch Data Protection Authority) BCRs as processor and as a controller. This significant regulatory approval validated Zendesk’s implementation of the highest possible standards for protecting personal data globally, covering both the personal data of its customers and its employees. Zendesk is one of the first software companies in the world to have received approval for its BCRs; and was the second company ever to receive approval from the Irish DPC.

To access Zendesk’s BCRs, please visit:
Zendesk’s Processor Binding Corporate Rules which apply when Zendesk processes personal data on behalf of its customers
and
Zendesk’s Controller Binding Corporate Rules which apply when Zendesk processes personal data for which it is a data controller.

Data Subject Requests: An individual who seeks to exercise their data protection rights in respect of personal data stored or processed by us on behalf of a Subscriber of ours within the Subscriber’s Service Data (including to seek access to, or to correct, amend, delete, port or restrict processing of such personal data) should direct his/her query to our Subscriber (the data controller). Upon receipt of a request from one of our Subscribers for us to remove the personal information, we will respond to their request within thirty (30) days. We will retain personal information that we process and store on behalf of our Subscribers for as long as needed to provide the Services to our Subscribers.

Data Protection Officer: Zendesk’s Data Protection Officer (“DPO”) can be reached at euprivacy@zendesk.com.

Privacy Shield: The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) to provide companies with a mechanism to transfer personal data from the European Union to the United States in a manner that provides an adequate level of protection for the purpose of European data protection law. Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued a ruling invalidating the EU-U.S. Privacy Shield program. We understand that you may have questions around the invalidation of the Privacy Shield and Zendesk’s position in relation to the same, so we have published this blog post to assist you with your queries.

France Hébergeur de Données de Santé (HDS or Health Data Hosting)

HDS enables healthcare providers in France to use Zendesk’s customer service and engagement platform with confidence that our platform has appropriate technical and governance measures in place to secure and protect personal health information (PHI). Additional information is available here.

New Zealand Privacy Act 2020 and its Information Privacy Principles

The New Zealand Privacy Act in 2020 commenced on December 1, 2020, applies to agencies and maintains the principle-based framework of the 1993 Act. The 2020 Act states that organisations are responsible for ensuring that personal information sent outside of New Zealand is adequately protected and added mandatory breach notification requirements. https://www.zendesk.com/company/anz-privacy/

Singapore Personal Data Protection Act (PDPA)

The Personal Data Protection Act of Singapore establishes data protection laws that govern the collection, use, and disclosure of Personal Data as of July 2, 2014. Zendesk is a recognised Infocomm Development Authority of Singapore (IDA) Data Intermediary as a Software-as-a-Service (“SaaS”) Service Provider. Additional information is available here.

United Kingdom GDPR and Brexit

The United Kingdom withdrew from the European Union on 31 January 2020. On 28 June 2021, the European Commission adopted adequacy decisions for transfers of personal data to the United Kingdom under GDPR.

United States Health Insurance Portability and Accountability Act (HIPAA) and Business Associate Agreement (BAA)

To achieve a HIPAA-Enabled Account, you will need to (1) purchase the Advanced Security Deployed Associated Service or Advanced Compliance Deployed Associated Service Add-On; (2) enable a set of security configurations as outlined by Zendesk; and (3) execute our Business Associate Agreement (“BAA”). For more details, including a list of which Services can be HIPAA-enabled, please see Advanced Compliance.

Subscriber Service Data Details

Service Data is any information, including personal data, which is stored in or transmitted via the Zendesk Services by, or on behalf of, our subscribers and their end-users. We use Service Data to operate and improve our Services, help customers access and use the Services, respond to subscriber inquiries and send communications related to the Services.

Additional information

Access: Zendesk provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining, and improving the Zendesk services and as otherwise required by law. See here for additional information.

Data Hosting: Zendesk uses Amazon Web Services to host Service Data as described here and in the Regional Data Hosting Policy. For additional information, please also see the Security section.

Default Data Types Collected by the Service: Zendesk has created a list of data points, categorised by product. For the full picture of data types, subscribers can use this list in conjunction with their specific intended use case and resultant data types.

Legal or Government Requests: Privacy, data security, and subscriber trust are our top priorities. Zendesk does not disclose Service Data, except as necessary to provide our Services and to comply with applicable laws, as detailed in our Privacy Policy. To assist our subscribers in performing compliance reviews, we have additional resources: Transparency Report and Government Request Policy.

Ownership: From a privacy perspective, the subscriber is the controller of Service Data and Zendesk is a processor. This means that throughout the time that you subscribe to services with Zendesk, you retain ownership of and control over Service Data in your Zendesk instance.

Replication: Zendesk periodically replicates data for purposes of archival, backup and audit logs. We use Amazon Web Services (AWS) to store some of the information that is backed up, such as database information and attachment files. Please see our Regional Data Hosting Policy for further details.

Security: Zendesk prioritises data security and combines enterprise-class security features with comprehensive audits of our applications, systems and networks to ensure subscriber and business data is protected. See additional information here.

Security Incidents: For more information about security incident management see our Security Incident Response.

Sub-processors: Zendesk may use sub-processors, including affiliates of Zendesk, as well as third-party companies, to provide, secure, or improve the Services and such sub-processors may have access to Service Data. Our Sub-processors policy provides an up-to-date list of the names and locations of all sub-processors.

Termination: Zendesk maintains a Service Data Deletion Policy that describes Zendesk’s data deletion processes upon subscriber’s termination or expiration of the Zendesk subscription.

Privacy Related Policies

Policies

Detailed information about how and when we use cookies on Zendesk websites.

Provides information about how and when Zendesk uses cookies within the Zendesk Services.

How our Subscribers’ Service Data is deleted in connection with the cancellation, termination, or migration of an Account within the Zendesk Services.

This framework clarifies which party is responsible for which controls related to the security and privacy of your data.

Application Features Related to Privacy

Privacy and Data Protection Tools

Zendesk has tools for each of its products to assist with user requests and other obligations under applicable privacy and data protection laws and regulations, such as data access, correction, portability, deletion and objection. To learn about the features and functionality in each Zendesk product, please see Complying with Privacy and Data Protection in Zendesk products.

Access Management

Zendesk provides an advanced set of access and encryption features to help subscribers effectively protect their information. We do not access or use subscriber data for any purpose other than providing, maintaining, and improving the Zendesk Services and as otherwise required by applicable law. Additional information is available here.

Certifications

Zendesk has achieved a number of internationally-recognised certifications and accreditations demonstrating compliance with third-party assurance frameworks as described on our Security site. Security certifications are described here.

Data Hosting Locality:

Subscribers who purchase the Data Centre Location Deployed Associated Service (“Data Centre Location Add-on”), or have the Data Centre Location functionality in their Service Plan, have the ability to select the region that will host their Service Data from a list of Zendesk available regions.

Privacy by Design

Zendesk has a robust global privacy and data protection program, which takes a unified approach to privacy and information governance to give customers flexibility to manage personal data that lives within Zendesk’s systems. For details, see our product guides: Complying with Privacy and Data Protection in Zendesk Products.

Redaction / Data Minimisation

Zendesk has two types of redaction for removing sensitive data:

Manual redaction provides the ability to redact or remove sensitive data in Support ticket comments, and securely delete attachments so that you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn more about redaction via the UI or API.

Automatic redaction allows for automatic redaction of credit card numbers from Agent- or End-User-submitted tickets. When enabled, credit card numbers are partially replaced with blank boxes in the ticket. The numbers are also redacted from logs and database entries. Learn how to enable this feature and how the credit card numbers are identified.

Transparency Report

Disclosure of Service Data: Zendesk only discloses Service Data to third parties where disclosure is necessary to provide or improve the services or as required to respond to lawful requests from public authorities. Please see our Government Data Request Policy as well as the Zendesk Transparency Report.