Secure Customer Service
Cover your bases
Zendesk takes security very seriously—just ask the number of Fortune 100 and Fortune 500 companies that trust us with their data. We use a combination of enterprise-class security features and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected, which means every customer can rest easy—our own included.
Compliance Certifications and Memberships
We use best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our customers meet their own compliance standards.
SOC 2 Type II
We undergo routinized audits to receive updated SOC 2 Type II reports, available upon request and under NDA. The latest SOC 2 Type II report can be requested here.
Zendesk is ISO 27001:2013 certified. The certificate is available for download here.
Zendesk is ISO 27018:2014 certified. The certificate is available for download here.
Zendesk is FedRAMP authorized with Low Impact Software-as-a-Service (LI-SaaS) and is listed in the FedRAMP Marketplace. US Government agency customers can request access to the Zendesk FedRAMP Security Package by completing a Package Access Request Form here or by submitting a request to email@example.com.
We help customers address their HIPAA obligations by leveraging appropriate security configuration options in Zendesk products. Additionally, we make our Business Associate Agreement (BAA) available for execution by subscribers.
The HDS certification validates that Zendesk ensures data confidentiality, integrity, and availability to its customers and partners. Zendesk worked with an independent third-party auditor to achieve the certification. We help customers address their HDS obligations by leveraging appropriate security configuration options in certain Zendesk Products (special configuration requirements apply). Additionally, we have an HDS Exhibit for Subscribers to execute.
Zendesk has satisfied all requirements (Stage 1 and Stage 2) to become fully registered on the FSQS (Financial Services Qualification System) supplier qualification system, as set out by participating buying organisations. The latest FSQS Certificate can be requested here.
For more details about FSQS please see https://hellios.com/fsqs/.
Zendesk received the Skyhigh Enterprise-Ready™ seal, the highest rating in the CloudTrust™ program. It is bestowed on cloud services that fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
Cloud Security Alliance
Zendesk is a member of the Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CSA has launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. We've completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment.
The CSA CAIQ is available for download here.
Zendesk is a member of IT-ISAC, a group focused on bringing together a diverse set of private sector companies to leverage evolving technology and have a common commitment to security. IT-ISAC enables collaboration and sharing of relevant, actionable threat intelligence information and practices. They moderate special interest groups that focus on Intelligence, Insider Threat, Physical Security, and other specific focus areas to help further our mission of securing Zendesk.
Zendesk is a member of FIRST, an international confederation of incident response teams that cooperatively handles computer security incidents and promote incident prevention programs. FIRST members develop and share technical information, tools, methodologies, processes and best practices. As a member of FIRST, Zendesk Security works with other members to use their combined knowledge, skills and experience to promote a safer and more secure global electronic environment.
Privacy Certifications and Data Protection
For information on our legal and privacy terms, please visit:
- Customer/Partner legal terms on our webpage found here: https://www.zendesk.com/company/customers-partners/
- Policies/Procedures found here: https://www.zendesk.com/company/policies-procedures/
- Privacy/Data Protection found here: https://www.zendesk.com/company/privacy-and-data-protection/
We have a number of resources that we can provide upon request.
Direct Download Resources (non-NDA)
To gain access to the following downloadable resources, please click the button below:
ISO 27001:2013 certificate
ISO 27018:2014 Certificate
SOC 3 Report
PCI Attestation of Compliance (AoC) and Certificate of Compliance
Network Architecture Diagrams
- Support / Guide
The following resources may require an NDA on file. Please click on the button below to gain access.
Certificate of Insurance
SOC 2 Type II Report
Annual Penetration Test Summary
Business Continuity and Disaster Recovery Test Summary
Data Center Physical Security
Zendesk hosts Service Data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about Compliance at AWS.
AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Center Controls at AWS.
AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security.
Data Hosting Location
Zendesk leverages AWS data centers in the United States, Europe, and Asia Pacific. Learn more about Data Hosting Locations for your Zendesk Service Data.
Customers can choose to locate their Service Data in the US-only or EEA-only.* Learn more about our regional data hosting options and Service Data type restrictions.
*Only available with Data Center Location Add-on
Dedicated Security Team
Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.
Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet, and internally between the different zones of trust.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year, Zendesk employs third-party security experts to perform a broad penetration test across the Zendesk Production and Corporate Networks.
Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
Zendesk participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
Zendesk has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provide deeper protection along with our use of AWS DDoS specific services.
Access to the Zendesk Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Zendesk Production Network are required to use multiple factors of authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in Transit
All communications with Zendesk UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service subscribers may choose to leverage at their own discretion.
Encryption at Rest
Service Data is encrypted at rest in AWS using AES-256 key encryption.
Availability & Continuity
Zendesk maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
Zendesk employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Enhanced Disaster Recovery
Our Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritize operations of Enhanced Disaster Recovery customers during any declared disaster event.
*Only available with the purchase of the Enhanced Disaster Recovery Add-on.
Secure development (SDLC)
Secure Code Training
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Zendesk security controls.
Framework Security Controls
Zendesk leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Static Code Analysis
The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, Zendesk employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Customers can enable native Zendesk authentication, social media Single sign-on (SSO) (Facebook, Twitter, Google), and/or Enterprise SSO (SAML, JWT) for end-user and/or agent authentication. Learn more about user access.
Configurable Password Policy
Zendesk native authentication for products available through the Admin Center provides the following levels of password security: low, medium, and high, as well as set custom password rules for agents and admins. Zendesk also allows for different password security levels to apply to end users vs. agents and admins. Only admins can change the password security level. Learn more about configurable password policies.
2-Factor Authentication (2FA)
Service Credential Storage
Zendesk follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
Additional Product Security Features
Role-Based Access Controls
Access to data within Zendesk applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Zendesk has various permission levels for users (owner, admin, agent, end-user, etc.).
Learn more about user roles:
- Support Default Roles
- Support Custom Roles *Enterprise only
- Chat Default Roles
- Chat Custom Roles *Enterprise only
- Explore Default Roles
- Guide Default Roles
- Talk Default Roles
Details on global security and user access can be found here.
You can configure your instance so users are required to sign in to view ticket attachments. Learn more about Private Attachments.
Email Signing (DKIM/DMARC)
Zendesk offers DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails from Zendesk when you have to set up an external email domain on your Zendesk. Using an email service that supports these features allows you to stop email spoofing. Learn more about digitally signing your email.
Zendesk tracks the devices used to sign in to each user account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow-up if the activity seems suspicious. Suspicious sessions can be terminated from the agent UI. Learn more about device tracking.
Redacting Sensitive Data
Manual redaction provides the ability to redact, or remove sensitive data in Support ticket comments, and securely delete attachments so that you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn more about redaction via the UI or API.
Automatic redaction provides the ability to automatically redact strings of numbers that match a valid credit card primary account number (CC PAN), which match a Luhn check in both Support and Chat. Learn more about automatic redaction in Support and Chat.
Zendesk Support offers a configurable PCI-compliant credit card field which redacts all but the last four digits. Learn more about PCI Compliance at Zendesk.
Spam Filter for Help Center
Zendesk’s spam filtering service can be used to prevent end-user spam posts from being published in your Help Center. Learn more about filtering spam in Help Center.
Human Resources Security
Zendesk has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Zendesk information assets.
All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
Zendesk performs background checks on all new employees in accordance with local laws. These checks are also required to be completed for contractors. The background check includes criminal, education, and employment verification. Cleaning crews are included.
All new hires are required to sign Non-Disclosure and Confidentiality agreements.