Zendesk Security

Protect your Zendesk community and business

Customer data is one of the most valuable assets a company has. That’s why our top priority is delivering a comprehensive, high-performance solution with a focus on keeping our customers’ data safe, their interactions secure, and their businesses protected.

Memberships and Certifications

Customer perspective

At Box, we pride ourselves on our product’s simplicity, security, and performance. When looking for a solution to meet the support needs of thousands of customers, we required the same.

Jon Herstein, Vice President of Customer Success

Highlights

  • Methodology

    At Zendesk, we achieve the highest level of security by performing full security audits of our product and infrastructure regularly, including quarterly third-party audits. Our security practices have been evaluated as part of our SOC 2 Type I attestation. We are ISO 27001:2013 certified.

    Zendesk is a member of the Cloud Security Alliance (CSA). CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CSA has launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. We have completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment. We have also received the Skyhigh Enterprise-Ready™ seal, the highest rating in the CloudTrust™ program, which is a comprehensive evaluation of security controls and enterprise readiness developed in conjunction with the CSA.

    Physical security

    Zendesk servers are hosted at Tier III, SSAE-16, or ISO 27001 compliant facilities. Our facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant power, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored by both Zendesk and the co-location providers.

  • Network security

    Our network is protected by redundant layer 7 firewalls, best-in-class router technology, regular audits, and network intrusion detection that monitors for malicious traffic and network attacks. Network security scanning gives us deep insight for quick identification of out-of-compliance systems. A security information and event management (SIEM) system gathers logs from all network systems and creates triggers based on correlated events. We also contract with on-demand scrubbing providers to help mitigate Distributed Denial of Service (DDoS) attacks.

    Transmission security

    All communications with Zendesk servers are encrypted using industry-standard SSL. For email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.

    Access control

    All access to data within Zendesk is governed by access rights, authenticated by username and password. Zendesk supports multiple forms of authentication (including SAML) and your Zendesk instance administrator can define granular access privileges.

    Our security architecture ensures segregation of customer data. Additional access controls include network IP restrictions as well as stricter access restrictions for Zendesk mobile apps.

  • Application security

    Zendesk maintains a robust application audit log that includes security events such as user logins or configuration changes. Additionally, Zendesk follows secure credential storage best practices by storing passwords using the salted bcrypt hash function.

    Vulnerability management

    The Zendesk application and its supporting infrastructure are frequently reviewed for potentially harmful vulnerabilities.

    We use industry-recognized, third-party security specialists, enterprise-class security solutions, and custom in-house tools to identify, analyze, and swiftly mitigate any potential vulnerabilities. We employ a number of third-party, qualified security tools to regularly scan our application and perform continuous static analysis of our codebase. Our Responsible Disclosure Policy gives researchers an avenue for safely testing and notifying Zendesk of security vulnerabilities. We maintain a dedicated application security team in-house to test and remediate any discovered issues.

    Privacy

    Zendesk is certified under E.U.-U.S. and Swiss-U.S. Safe Harbor Programs and is registered with the U.S. Department of Commerce’s Safe Harbor Program.