Secure Customer Service
Cover your bases
Zendesk takes security very seriously—just ask the number of Fortune 100 and Fortune 500 companies that trust us with their data. We use a combination of enterprise-class security features and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected, which means every customer can rest easy—our own included.
Compliance Certifications and Memberships
Zendesk uses best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our subscribers meet their own compliance standards.
SOC 2 Type II
We undergo routine audits to receive updated SOC 2 Type II reports, available upon request and under NDA. Request the latest SOC 2 Type II report.
Zendesk is ISO 27001:2013 certified. Download the certificate.
Zendesk is ISO 27018:2014 certified. The certificate is available for download here.
Zendesk is ISO 27701:2019 certified. The certificate is available for download here.
Zendesk is FedRAMP authorized with Low Impact Software-as-a-Service (LI-SaaS) and is listed in the FedRAMP Marketplace. US Government agency subscribers can request access to the Zendesk FedRAMP Security Package by completing a Package Access Request Form or submitting a request to firstname.lastname@example.org.
Zendesk Support offers a configurable PCI-compliant credit card field that redacts all but the last four digits. Learn about PCI Compliance at Zendesk.
McAfee Cloud Trust - McAfee Enterprise Ready
Zendesk received the McAfee CloudTrust Program. The program presents the McAfee Enterprise-Ready seal to only those services that have the highest CloudTrust™ rating possible. These are among the services that have earned McAfee's CloudTrust™ and a rating of McAfee Enterprise-Ready based on their attributes across the data, user and device, security, business, and legal evaluation categories.
Cloud Security Alliance (CSA)
Zendesk is a member of the Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CSA has launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. Zendesk completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment.
The CSA CAIQ is available here.
Zendesk is a member of IT-ISAC, a group focused on bringing together a diverse set of private sector companies to leverage evolving technology and have a common commitment to security. IT-ISAC enables collaboration and sharing of relevant, actionable threat intelligence information and practices. They moderate special interest groups that focus on Intelligence, Insider Threat, Physical Security, and other specific areas to help further our mission of securing Zendesk.
Zendesk is a member of FIRST, an international confederation of incident response teams that cooperatively handles computer security incidents and promotes incident prevention programs. FIRST members develop and share technical information, tools, methodologies, processes and best practices. As a member of FIRST, Zendesk Security works with other members to use their combined knowledge, skills, and experience to promote a safer and more secure global electronic environment.
Financial Services Qualifications System (FSQS)
Zendesk has satisfied all requirements (Stage 1 and Stage 2) to become fully registered on the FSQS (Financial Services Qualification System) supplier qualification system, as set out by participating buying organisations. Request the latest FSQS Certificate here.
More details about FSQS https://hellios.com/fsqs/.
We can provide additional resources upon request.
Direct Download Resources (non-NDA)
ISO 27001:2013 certificates
ISO 27018:2014 certificate
ISO 27701:2019 certificate
SOC 3 Report
PCI Attestation of Compliance (AoC) and Certificate of Compliance
Network Architecture Diagrams
FSQS (Financial Services Qualification System)Get resources
The following resources may require an NDA on file. Click the button to gain access.
Certificate of Insurance
SOC 2 Type II Report
Annual Penetration Test Summary
Business Continuity and Disaster Recovery Test Summary
Data Center Physical Security
Zendesk hosts Service Data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about Compliance at AWS.
AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn about Data Center Controls at AWS.
AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.
Data Hosting Location
Zendesk leverages AWS data centers in the United States, Europe, and Asia Pacific. Learn about Data Hosting Locations for your Zendesk Service Data.
Zendesk offers multiple data locality choices including the United States (US), Australia (AU), Japan (JP), or European Economic Area (EEA). For more information on product, plan, and regional offerings please see our Regional Data Hosting Policy.
Zendesk minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or Service Data.
Dedicated Security Team
Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.
Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet, and internally between the different zones of trust.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year Zendesk employs third-party security experts to perform a broad penetration test across the Zendesk Production and Corporate Networks.
Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
Zendesk participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
Zendesk has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provides deeper protection along with our use of AWS DDoS specific services.
Access to the Zendesk Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Zendesk Production Network are required to use multiple factors of authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in Transit
All communications with Zendesk UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service subscribers may choose to leverage at their own discretion.
Encryption at Rest
Service Data is encrypted at rest in AWS using AES-256 key encryption.
Availability & Continuity
Zendesk maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
Zendesk employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Enhanced Disaster Recovery
Our Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritize operations of Enhanced Disaster Recovery subscribers during any declared disaster event.
Security Development (SDLC)
Secure Code Training
Framework Security Controls
Zendesk leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Software Composition Analysis
We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, Zendesk employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Responsible Disclosure / Bug Bounty Program
Our Responsible Disclosure Program gives security researchers as well as subscribers an avenue for safely testing and notifying Zendesk of security vulnerabilities through our partnership with HackerOne.
Zendesk has several different authentication options: subscribers can enable native Zendesk authentication, social media Single sign-on (SSO) (Facebook, Twitter, Google), and/or Enterprise SSO (SAML, JWT) for end-user and/or agent authentication. Learn about user access.
Configurable Password Policy
Zendesk native authentication for products available through the Admin Center provides the following levels of password security: low, medium, and high, as well as set custom password rules for agents and admins. Zendesk also allows different password security levels to apply to end users vs. agents and admins. Only admins can change the password security level. Learn about configurable password policies.
2-Factor Authentication (2FA)
Zendesk native authentication for products available through the Admin Center offers 2-factor (2FA) for agents and admins via SMS or an authenticator app. Learn about 2FA.
Service Credential Storage
Zendesk follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.
Additional Product Security Features
Role-Based Access Controls
Access to data within Zendesk applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Zendesk supports various permission levels for users (owner, admin, agent, end-user, etc.).
Learn about user roles:
- Support Default Roles
- Support Custom Roles *Enterprise only
- Chat Default Roles
- Chat Custom Roles *Enterprise only
- Explore Default Roles
- Guide Default Roles
- Talk Default Roles
- Session Time
Any Zendesk account can restrict access to their Zendesk Support to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to your Zendesk account. You can allow subscribers (not agents or admins) to bypass this restriction. For more information, see Restricting access to Zendesk Support and your Help Center using IP restrictions and Using IP Access Restriction in Chat.
Hosted Encryption Certificates for Help Center (TLS)
Zendesk provides free TLS encryption for host-mapped Guide help centers. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.
You can also upload your own certificate, if you choose.
To learn more about setting up encryption certificates for a Guide help center please see Setting up a hosted TLS encryption certificate.
File Restrictions in Chat
Zendesk Chat allows the ability to restrict what file types are sent to agents. Alternatively, you can choose to turn off file sending entirely in the Chat product. To learn about this feature, see Managing file sending in live chat.
Zendesk offers Audit Logs to accounts with Enterprise/Enterprise Plus plans. These logs include account changes, user changes, app changes, business rules, ticket deletions, and settings. The Audit Log is available in both the Admin Center and Support API. To learn more about Audit Logs and see what information is available within the log please see Viewing the audit log for changes.
Subscribers can configure their instance so that users are required to sign in to view ticket attachments. Learn about Private Attachments.
Zendesk has two types of redaction for removing sensitive data: Manual redaction provides the ability to redact or remove sensitive data in Support ticket comments, and securely delete attachments, so you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn about redaction via the UI or API.
Automatic redaction allows for automatic redaction of credit card numbers from subscriber-submitted tickets. When enabled, credit card numbers are partially replaced with blank boxes in the ticket. They are also redacted from logs and database entries. To learn more about how to enable this feature and how credit card numbers are identified, see Automatically redacting credit card numbers from tickets and from chats.
Spam Filter for Guide help center
Zendesk’s spam filtering service can be used to prevent end-user spam posts from being published in your Guide help center. Learn about filtering spam in Guide.
Email Signing (DKIM/DMARC)
Zendesk offers DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, & Conformance) for signing outbound emails from Zendesk when you have to set up an external email domain on your Zendesk. Using an email service that supports these features helps you stop email spoofing. Learn about digitally signing your email.
Zendesk tracks the devices used to sign in to each user account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow up if the activity seems suspicious. Suspicious sessions can be terminated through the agent UI. Learn about device tracking.
Zendesk has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Zendesk information assets.
All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
Zendesk performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification. Cleaning crews are included.
All new hires are required to sign Non-Disclosure and Confidentiality agreements.
Welcome to the Zendesk Global Privacy Program
Zendesk has a formal global privacy and data protection program, which includes cross-functional key stakeholders including Legal, Security, Product, and Executive sectors of the company. As privacy advocates, we work diligently to ensure our Services and team members are dedicated to compliance with applicable regulatory and industry frameworks.
Australian Privacy Act of 1988 and Privacy Principles
The Australian Privacy Act of 1998 (as amended) provides several data subject rights and added mandatory notification of eligible data breaches. Unlike the GDPR, there are no concepts of data controller and data processor. https://www.zendesk.com/company/anz-privacy/
Brazil Lei Geral de Proteção de Dados Pessoais (LGPD)
The Brazilian General Data Protection Law or Lei Geral de Proteção de Dados Pessoais (“LGPD”), was entered into effect on September 18, 2020. LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and provides individual rights.
Zendesk subscribers that collect and store personal data in Zendesk Services may be considered “controllers” under the LGPD. Controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the LGPD. Zendesk acts as a “processor,” as such term is defined in the LGPD, with respect to the processing of personal data through our Services.
Subscribers can view our Product Guides and Service Data Deletion Policy for more detailed information on how to use Zendesk’s products to align with compliance initiatives.The National Authority for Protection Data (“ANPD”) may issue additional guidance for the LGPD in the future. Zendesk will continue to actively track the law and we will continue to keep our subscribers updated on features and functionality they can use to support their compliance efforts.
Zendesk’s LGPD Addendum has been incorporated into Zendesk’s Data Processing Agreement. If you would like to review and/or execute Zendesk’s Data Processing Agreement, please click here.
California Consumer Privacy Act ("CCPA") & California Privacy Rights Act ("CPRA")
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”) is a U.S. law enacted in the State of California, which went into force on January 1, 2020. It expands upon the privacy rights available to certain California consumers, and requires certain companies to comply with various data protection requirements. Please also visit the final CCPA Regulations and the California Privacy Rights Act (“CPRA”). A few CPRA provisions went into effect on December 16, 2020, with the remaining provisions of the CPRA becoming operative on January 1, 2023.
Zendesk subscribers that collect and store personal information in Zendesk Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Zendesk acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Zendesk collects, accesses, maintains, uses, processes, and transfers the personal information of our subscribers and our subscriber’s end-users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our subscribers; and for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.
We do not “sell” our subscriber’s personal information as defined under the CCPA. We may share aggregated and/or anonymized information regarding use of the Service(s), which is not considered personal information under the CCPA, with third parties to help us develop and improve the Services and provide our subscribers with more relevant content and service offerings as detailed in our subscriber agreements.
Zendesk’s CCPA Addendum has been incorporated into Zendesk’s Data Processing Agreement. If you would like to review and/or execute Zendesk’s Data Processing Agreement, please click here.
If you would like to review and/or execute Zendesk’s US State Addendum to the Master Subscription Agreement, please click here.
Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada’s Personal Information Protection and Electronic Documents Act went into effect in 2000 and is focused around ten fair information principles, which form the rules for collection, use, access, and disclosure of personal information. In October of 2021, the International Technology Association of Canada and Information Technology Industry Council suggested changes to PIPEDA to provide greater privacy and transparency rights for Canadian citizens.
Data Processing Agreement (DPA)
You can review and/or execute Zendesk’s DPA here. The Zendesk DPA covers the specific processing activities and security measures applicable to our Services and incorporates the new EU Standard Contractual Clauses (“EU SCCs”).
If you require your existing Zendesk DPA be updated to incorporate the new EU SCCs and the UK Addendum, but do not wish to execute a new DPA, you can review and/or execute Zendesk’s Data Transfer Addendum here.
Subscribers can read our Product Guides and Service Data Deletion Policy for detailed information on how to use Zendesk’s products to assist in compliance with data protection and privacy laws.
Europe General Data Protection Regulation (GDPR)
Since our inception, Zendesk’s approach has been anchored by a strong commitment to privacy, security, compliance, and transparency. This approach includes supporting our subscribers’ compliance with EU data protection requirements, such as those set out in the General Data Protection Regulation (“GDPR”).
If a subscriber collects, transmits, hosts, or analyzes personal data of EU citizens, GDPR requires the subscriber to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our subscribers’ trust, our Data Processing Agreement (“DPA”) has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR.
Binding Corporate Rules (BCRs): Binding Corporate Rules (“BCRs”) are company-wide data protection policies approved by European data protection authorities to facilitate intra-group transfers of personal data from the European Economic Area (“EEA”) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Subscribers can find the full list of approved entities on the Binding Corporate Rules Approved List here. In 2017 Zendesk completed the EU approval process with the Irish Data Protection Commissioner (“DPC”) (peer reviewed by both the UK Information Commissioner’s Office and the Dutch Data Protection Authority) BCRs as processor and as a controller. This significant regulatory approval validated Zendesk’s implementation of the highest possible standards for protecting personal data globally, covering both the personal data of its customers and its employees. Zendesk is one of the first software companies in the world to have received approval for its BCRs; and was the second company ever to receive approval from the Irish DPC.
To access Zendesk’s BCRs, please visit:
Zendesk’s Processor Binding Corporate Rules which apply when Zendesk processes personal data on behalf of its customers
Zendesk’s Controller Binding Corporate Rules which apply when Zendesk processes personal data for which it is a data controller.
Data Subject Requests: An individual who seeks to exercise their data protection rights in respect of personal data stored or processed by us on behalf of a subscriber of ours within the subscriber’s Service Data (including to seek access to, or to correct, amend, delete, port, or restrict processing of such personal data) should direct such query to our subscriber (the data controller). Upon receipt of a request from one of our subscribers to remove personal data from Zendesk, we will respond to such request within thirty (30) days. We will retain personal data that we process and store on behalf of our subscribers for as long as needed to provide the Services to our subscribers.
Data Protection Officer: Zendesk’s Data Protection Officer (“DPO”) can be reached at email@example.com.
Privacy Shield: The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) to provide companies with a mechanism to transfer personal data from the European Union to the United States in a manner that provides an adequate level of protection for the purpose of European data protection law. Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued a ruling invalidating the EU-U.S. Privacy Shield program. We understand that you may have questions around the invalidation of the Privacy Shield and Zendesk’s position in relation to the same, so we have published this blog post to assist you with your queries.
France Hébergeur de Données de Santé (HDS or Health Data Hosting)
HDS enables healthcare providers in France to use Zendesk’s customer service and engagement platform with confidence that our platform has appropriate technical and governance measures in place to secure and protect personal health information (PHI). Additional information is available here.
New Zealand Privacy Act 2020 and its Information Privacy Principles
The New Zealand Privacy Act in 2020 commenced on December 1, 2020, applies to agencies and maintains the principle-based framework of the 1993 Act. The 2020 Act states that organisations are responsible for ensuring that personal information sent outside of New Zealand is adequately protected and added mandatory breach notification requirements. https://www.zendesk.com/company/anz-privacy/
Singapore Personal Data Protection Act (PDPA)
The Personal Data Protection Act of Singapore establishes data protection laws that govern the collection, use, and disclosure of Personal Data as of July 2, 2014. Zendesk is a recognized Infocomm Development Authority of Singapore (IDA) Data Intermediary as a Software-as-a-Service (“SaaS”) Service Provider. Additional information is available here.
United Kingdom GDPR and Brexit
The United Kingdom withdrew from the European Union on 31 January 2020. On 28 June 2021, the European Commission adopted adequacy decisions for transfers of personal data to the United Kingdom under GDPR.
United States Health Insurance Portability and Accountability Act (HIPAA) and Business Associate Agreement (BAA)
To achieve a HIPAA-Enabled Account, you will need to (1) purchase the Advanced Security Deployed Associated Service or Advanced Compliance Deployed Associated Service Add-On; (2) enable a set of security configurations as outlined by Zendesk; and (3) execute our Business Associate Agreement (“BAA”). For more details, including a list of which Services can be HIPAA-enabled, please see Advanced Compliance.
Subscriber Service Data Details
Service Data is any information, including personal data, which is stored in or transmitted via the Zendesk Services by, or on behalf of, our subscribers and their end-users. We use Service Data to operate and improve our Services, help customers access and use the Services, respond to subscriber inquiries, and send communications related to the Services.
Access: Zendesk provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining, and improving the Zendesk services and as otherwise required by law. See here for additional information.
Data Hosting: Zendesk uses Amazon Web Services to host Service Data as described here and in the Regional Data Hosting Policy. For additional information, please also see the Security section.
Default Data Types Collected by the Service: Zendesk has created a list of data points, categorized by product. For the full picture of data types, subscribers can use this list in conjunction with their specific intended use case and resultant data types.
Ownership: From a privacy perspective, the subscriber is the controller of Service Data and Zendesk is a processor. This means that throughout the time that you subscribe to services with Zendesk, you retain ownership of and control over Service Data in your Zendesk instance.
Replication: Zendesk periodically replicates data for purposes of archival, backup, and audit logs. We use Amazon Web Services (AWS) to store some of the information that is backed up, such as database information and attachment files. Please see our Regional Data Hosting Policy for further details.
Security: Zendesk prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure subscriber and business data is protected. See additional information here.
Security Incidents: For more information about security incident management see our Security Incident Response.
Sub-processors: Zendesk may use sub-processors, including affiliates of Zendesk, as well as third-party companies, to provide, secure, or improve the Services, and such sub-processors may have access to Service Data. Our Sub-processors policy provides an up-to-date list of the names and locations of all sub-processors.
Termination: Zendesk maintains a Service Data Deletion Policy that describes Zendesk’s data deletion processes upon subscriber’s termination or expiration of the Zendesk subscription.
Privacy Related Policies
How our Subscribers’ Service Data is deleted in connection with the cancellation, termination, or migration of an Account within the Zendesk Services.
This framework clarifies which party is responsible for which controls related to the security and privacy of your data.
Application Features Related to Privacy
Privacy and Data Protection Tools
Zendesk has tools for each of its products to assist with user requests and other obligations under applicable privacy and data protection laws and regulations, such as data access, correction, portability, deletion, and objection. To learn about the features and functionality in each Zendesk product, please see Complying with Privacy and Data Protection in Zendesk products.
Zendesk provides an advanced set of access and encryption features to help subscribers effectively protect their information. We do not access or use subscriber data for any purpose other than providing, maintaining, and improving the Zendesk Services and as otherwise required by applicable law. Additional information is available here.
Zendesk has achieved a number of internationally recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks. Security certifications are described here.
Data Hosting Locality
Subscribers who purchase the Data Center Location Deployed Associated Service (“Data Center Location Add-on”), or have the Data Center Location functionality in their Service Plan, have the ability to select the region that will host their Service Data from a list of Zendesk available regions.
Privacy by Design
Zendesk has a robust global privacy and data protection program, which takes a unified approach to privacy and information governance to give customers flexibility to manage personal data that lives within Zendesk’s systems. For details, see our product guides: Complying with Privacy and Data Protection in Zendesk Products.
Redaction / Data Minimisation
Zendesk has two types of redaction for removing sensitive data:
Manual redaction provides the ability to redact or remove sensitive data in Support ticket comments, and securely delete attachments so that you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn more about redaction via the UI or API.
Automatic redaction allows for automatic redaction of credit card numbers from Agent- or End-User-submitted tickets. When enabled, credit card numbers are partially replaced with blank boxes in the ticket. The numbers are also redacted from logs and database entries. Learn how to enable this feature and how the credit card numbers are identified.
Our agreements and policies provide our subscribers transparency and detailed information about Zendesk’s Services, which in turn support our subscribers in meeting their own legal and compliance standards.
Zendesk offers several data processing agreements and other addenda to support subscribers’ compliance with data privacy laws, available for execution here. These include:
Data Processing Agreement (DPA)
United States HIPAA Business Associate Agreement (BAA)
Master Subscription Agreement (MSA)
Subscribers can leverage our Voluntary Product Accessibility Template in making their preliminary assessments.
The minimum standards that we expect from our directors, officers, employees and contingent workers in the conduct of our business.
How Zendesk handles notifications of infringement.
How our Subscribers’ Service Data is deleted in connection with the cancellation, termination, or migration of an Account within the Zendesk Services.
Addresses Zendesk’s procedure for responding to a request received from a law enforcement or other government authority.
Describes how Zendesk collects, uses, shares, and secures personal data.
Where Zendesk Service Data can be hosted if a Subscriber purchases or enables the Data Center Location Add-On.
Programs for security researchers to report discoveries of security vulnerability in the Zendesk Services.
Additional Zendesk policies are available here.
Disclosure of Service Data: Zendesk only discloses Service Data to third parties where disclosure is necessary to provide or improve the services or as required to respond to lawful requests from public authorities. Please see our Government Data Request Policy as well as the Zendesk Transparency Report.