Security, Privacy and Legal | Zendesk Trust Centre | Zendesk India (2024)

Secure Customer Service

Zendesk takes security very seriously—just ask the number of Fortune 100 and Fortune 500 companies that trust us with their data. We use a combination of enterprise-class security features and comprehensive audits of our applications, systems and networks to ensure that your data is always protected, which means every customer can rest easy—our own included.


Compliance Certifications and Memberships

We use best practice and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our customers meet their own compliance standards.


SOC 2 Type II

We undergo routine audits to receive updated SOC 2 Type II reports, available upon request and under NDA. Request the latest SOC 2 Type II report.

ISO 27001:2022

Zendesk is ISO 27001:2022 certified. Download the certificate.

ISO 27018:2019

Zendesk is ISO 27018:2019 certified. The certificate is available for download here.

ISO 27701:2019

Zendesk is ISO 27701:2019 certified. The certificate is available for download here.

ISO 27019:2015

Zendesk is ISO 27017:2014 certified. The certificate is available for download here.

FedRAMP LI-SaaS

Zendesk is FedRAMP authorised with Low Impact Software-as-a-Service (LI-SaaS) and is listed in the FedRAMP Marketplace. US Government agency subscribers can request access to the Zendesk FedRAMP Security Package by completing a Package Access Request Form or submitting a request to [email protected].

PCI-DSS

Zendesk Support offers a configurable PCI-compliant credit card field that redacts all but the last four digits. Learn about PCI Compliance at Zendesk.

  • Zendesk's Compliance with PCI DSS Standards
  • How to use Zendesk with PCI DSS Compliance

HIPAA

For more information on our HIPAA program and our BAA

HDS

For more information on our HDS program

McAfee Cloud Trust - McAfee Enterprise Ready

Zendesk received the McAfee CloudTrust Program. The program presents the McAfee Enterprise-Ready seal to only those services that have the highest CloudTrust™ rating possible. These are among the services that have earned McAfee's CloudTrust™ and a rating of McAfee Enterprise-Ready based on their attributes across the data, user and device, security, business and legal evaluation categories.

Cloud Security Alliance (CSA)

Zendesk is a member of the Cloud Security Alliance (CSA), a not-for-profit organisation with a mission to promote the use of best practice for providing security assurance within Cloud Computing. CSA has launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. Zendesk completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment.

The CSA CAIQ is available here.

IT-ISAC

Zendesk is a member of IT-ISAC, a group focused on bringing together a diverse set of private sector companies to leverage evolving technology and have a common commitment to security. IT-ISAC enables collaboration and sharing of relevant, actionable threat intelligence information and practices. They moderate special interest groups that focus on Intelligence, Insider Threat, Physical Security and other specific focus areas to help further our mission of securing Zendesk.

FIRST

Zendesk is a member of FIRST, an international confederation of incident response teams that cooperatively handles computer security incidents and promotes incident prevention programmes. FIRST members develop and share technical information, tools, methodologies, processes and best practice. As a member of FIRST, Zendesk Security works with other members to use their combined knowledge, skills and experience to promote a safer and more secure global electronic environment.

Financial Services Qualifications System (FSQS)

Zendesk has satisfied all requirements (Stage 1 and Stage 2) to become fully registered on the FSQS (Financial Services Qualification System) supplier qualification system, as set out by participating buying organisations. Request the latest FSQS Certificate here.

More details about FSQS: https://hellios.com/fsqs/

Artifacts

We can provide additional resources upon request.


ISO 27001:2022 certificates

ISO 27018:2019 certificate

ISO 27701:2019 certificate

ISO 27017:2015 certificate

SOC 3 Report

Datasheet / White Paper

PCI Attestation of Compliance (AoC) and Certificate of Compliance

Network Architecture Diagrams

  • Support/Guide

  • Chat

  • Talk

CSA CAIQ

Risk Ledger

FSQS (Financial Services Qualification System)

SIG Lite

VSA

HECVAT Lite

The following resources may require an NDA on file. Click the button to gain access.

Certificate of Insurance

SOC 2 Type II Report

Annual Penetration Test Summary

Cloud Security

Facilities

Zendesk hosts Service Data primarily in AWS data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about Compliance at AWS.

AWS infrastructure services include backup power, HVAC systems and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Centre Controls at AWS.

On-Site Security

AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology and other security measures. Learn about AWS physical security.

Data Hosting Location

Zendesk leverages AWS data centres in the United States, Europe and Asia Pacific. Learn about Data Hosting Locations for your Zendesk Service Data.

Zendesk offers multiple data locality choices including the United States (US), Australia (AU), Japan (JP) or European Economic Area (EEA). For more information on product, plan and regional offerings please see our Regional Data Hosting Policy.

Zendesk minimises risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or Service Data.

Dedicated Security Team

Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilised between the Internet and internally between the different zones of trust.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests

In addition to our extensive internal scanning and testing program, each year Zendesk employs third-party security experts to perform a broad penetration test across the Zendesk Production and Corporate Networks.

Security Incident Event Management

Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.

Intrusion Detection and Prevention

Service ingress and egress points are instrumented and monitored to detect abnormal behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Threat Intelligence Program

Zendesk participates in several threat intelligence sharing programmes. We monitor threats posted to these threat intelligence networks and take action based on risk.

DDoS Mitigation

Zendesk has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defences, while the use of AWS scaling and protection tools provides deeper protection along with our use of AWS DDoS-specific services.

Logical Access

Access to the Zendesk Production Network is restricted on an explicit need-to-know basis, utilises least privilege, is frequently audited and monitored and is controlled by our Operations Team. Employees accessing the Zendesk Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption in Transit

All communications with Zendesk UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration or service subscribers may choose to leverage at their own discretion.

Encryption at Rest

Service Data is encrypted at rest in AWS using AES-256 key encryption.

Uptime

Zendesk maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history and relevant security events.

Redundancy

Zendesk employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as service data is replicated across availability zones.

Disaster Recovery

Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster.

This is accomplished through building a robust technical environment, creating Disaster Recovery plans and testing activities.

Enhanced Disaster Recovery

Our Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritise operations of Enhanced Disaster Recovery customers during any declared disaster event.

Get more information on Disaster Recovery Guarantees.

Application Security

Framework Security Controls

Zendesk leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), amongst others.

Quality Assurance

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test and triage security vulnerabilities in code.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

Dynamic Vulnerability Scanning

We employ third-party security tooling to continuously and dynamically scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

Software Composition Analysis

We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.

Third-Party Penetration Testing

In addition to our extensive internal scanning and testing program, Zendesk employs third-party security experts to perform detailed penetration tests on different applications within our family of products.

Responsible Disclosure / Bug Bounty Program

Our Responsible Disclosure Program gives security researchers, as well as customers, an avenue for safely testing and notifying Zendesk of security vulnerabilities through our partnership with HackerOne.

Product Security

Authentication Options

Zendesk has several different authentication options: subscribers can enable native Zendesk authentication, social media Single sign-on (SSO) (Facebook, Twitter, Google), and/or Enterprise SSO (SAML, JWT) for end-user and/or agent authentication. Learn about user access.

Configurable Password Policy

Zendesk native authentication for products available through the Admin Centre provides the following levels of password security: low, medium and high, as well as the ability to set custom password rules for agents and admins. Zendesk also allows for different password security levels to apply to end users vs agents and admins. Only admins can change the password security level. Learn about configurable password policies.

2-Factor Authentication (2FA)

Zendesk native authentication for products available through the Admin Centre offers 2-factor (2FA) for agents and admins via SMS or an authenticator app. Learn about 2FA.

Service Credential Storage

Zendesk follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.

Advanced Data Privacy and Protection

For businesses that need a higher level of data privacy and security, Zendesk offers the Advanced Data Privacy and Protection add-on. The add-on includes capabilities for BYOK encryption, customisable data retention policies, data masking, PII redaction and access logs.

Role-Based Access Controls

Access to data within Zendesk applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Zendesk supports various permission levels for users (owner, admin, agent, end-user, etc.).

Learn about user roles:

  • Support Default Roles
  • Support Custom Roles *Enterprise only
  • Chat Default Roles
  • Chat Custom Roles *Enterprise only
  • Explore Default Roles
  • Guide Default Roles
  • Talk Default Roles
  • Session Time
Details on global security and user access

IP Restrictions

Any Zendesk account can restrict access to their Zendesk Support to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to your Zendesk account. You can allow subscribers (not agents or admins) to bypass this restriction. For more information, see Restricting access to Zendesk Support and your Help Centre using IP restrictions and Using IP Access Restriction in Chat.

Hosted Encryption Certificates for Help Centre (TLS)

Zendesk provides free TLS encryption for host-mapped Guide help centers. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.

You can also upload your own certificate, if you choose.

To learn more about setting up encryption certificates for a Guide help centre please see Setting up a hosted TLS encryption certificate.

File Restrictions in Chat

Zendesk Chat allows the ability to restrict what file types are sent to agents. Alternatively, you can choose to turn off file sending entirely in the Chat product. To learn about this feature, see Managing file sending in live chat.

Audit Logs

Zendesk offers Audit Logs to accounts with Enterprise/Enterprise Plus plans. These logs include account changes, user changes, app changes, business rules, ticket deletions and settings. The Audit Log is available in both the Admin Centre and Support API. To learn more about Audit Logs and see what information is available within the log please see Viewing the audit log for changes.

Private Attachments

Subscribers can configure their instance so that users are required to sign in to view ticket attachments. Learn about Private Attachments.

Redaction

Zendesk has two types of redaction for removing sensitive data: Manual redaction provides the ability to redact or remove sensitive data in Support ticket comments and securely delete attachments, so you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn about redaction via the UI or API.

Automatic redaction allows for automatic redaction of credit card numbers from subscriber-submitted tickets. When enabled, credit card numbers are partially replaced with blank boxes in the ticket. They are also redacted from logs and database entries. To learn more about how to enable this feature and how credit card numbers are identified, see Automatically redacting credit card numbers from tickets and from chats.

Spam Filter for Guide help centre

Zendesk’s spam filtering service can be used to prevent end-user spam posts from being published in your Help Centre. Learn about filtering spam in Guide.

Email Signing (DKIM/DMARC)

Zendesk offers DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting And Conformance) for signing outbound emails from Zendesk when you have set up an external email domain on your Zendesk. Using an email service that supports these features helps you stop email spoofing. Learn about digitally signing your email.

Device Tracking

Zendesk tracks the devices used to sign in to each user account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added and should follow up if the activity seems suspicious. Suspicious sessions can be terminated through the agent UI. Learn about device tracking.

HR Security

Policies

Zendesk has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Zendesk information assets.

Training

All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts and in presentations during internal events.

Background Checks

Zendesk performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education and employment verification. Cleaning crews are included.

Confidentiality Agreements

All new hires are required to sign Non-Disclosure and Confidentiality agreements.

Welcome to the Zendesk Global Privacy Program

Zendesk has a formal global privacy and data protection program, which includes cross-functional key stakeholders including Legal, Security, Product and Executive sectors of the company. As privacy advocates, we work diligently to ensure our Services and team members are dedicated to compliance with applicable regulatory and industry frameworks.

Compliance

The Australian Privacy Act of 1998 (as amended) provides several data subject rights and added mandatory notification of eligible data breaches. Unlike the GDPR, there are no concepts of data controller and data processor. https://www.zendesk.com/in/company/anz-privacy/

The Brazilian General Data Protection Law, or Lei Geral de Proteção de Dados Pessoais (“LGPD”), entered into effect on September 18, 2020. LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and provides individual rights.

Zendesk customers that collect and store personal data in Zendesk Services may be considered “controllers” under the LGPD. Controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the LGPD. Zendesk acts as a “processor,” as such term is defined in the current version of the LGPD, with respect to the processing of personal data through our Services.

Subscribers can view our Product Guides and Service Data Deletion Policy for more detailed information on how to use Zendesk’s products to align with compliance initiatives. The National Authority for Protection Data (“ANPD”) may issue additional guidance for the LGPD in the future. Zendesk will continue to actively track the law and we will continue to keep our subscribers updated on features and functionality they can use to support their compliance efforts.

Zendesk’s LGPD Addendum has been incorporated into Zendesk’s Data Processing Agreement. If you would like to review and/or execute Zendesk’s Data Processing Agreement, please click here.

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”) is a U.S. law enacted in the State of California, which went into force on January 1, 2020. It expands upon the privacy rights available to certain California consumers and requires certain companies to comply with various data protection requirements. Please also visit the final CCPA Regulations and the California Privacy Rights Act (“CPRA”). A few CPRA provisions went into effect on December 16, 2020, with the remaining provisions of the CPRA becoming operative on January 1, 2023.

Zendesk subscribers that collect and store personal information in Zendesk Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Zendesk acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Zendesk collects, accesses, maintains, uses, processes and transfers the personal information of our subscribers, and our subscriber’s end-users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our subscribers; and for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.

We do not “sell” our subscriber’s personal information as defined under the CCPA. We may share aggregated and/or anonymised information regarding use of the Service(s), which is not considered personal information under the CCPA, with third parties to help us develop and improve the Services and provide our subscribers with more relevant content and service offerings as detailed in our subscriber agreements.

Zendesk’s CCPA Addendum has been incorporated into Zendesk’s Data Processing Agreement. If you would like to review and/or execute Zendesk’s Data Processing Agreement, please click here.

If you would like to review and/or execute Zendesk’s US State Addendum to the Main Subscription Agreement, please click here.

Canada’s Personal Information Protection and Electronic Documents Act went into effect in 2000 and is focused around ten fair information principles, which form the rules for collection, use, access and disclosure of personal information. In October of 2021, the International Technology Association of Canada and Information Technology Industry Council suggested changes to PIPEDA to provide greater privacy and transparency rights for Canadian citizens.

You can review and/or execute Zendesk’s DPA here. The Zendesk DPA covers the specific processing activities and security measures applicable to our Services and incorporates the new EU Standard Contractual Clauses (“EU SCCs”).

Subscribers can read our Product Guides and Service Data Deletion Policy for detailed information on how to use Zendesk’s products to assist in compliance with data protection and privacy laws.

Since our inception, Zendesk’s approach has been anchored by a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our subscribers’ compliance with EU data protection requirements, such as those set out in the General Data Protection Regulation (“GDPR”).

If a subscriber collects, transmits, hosts, or analyses personal data of EU citizens, GDPR requires the subscriber to use third-party data processors who guarantee their ability to implement the technical and organisational requirements of the GDPR. To further earn our customers’ trust, our Data Processing Agreement (“DPA”) has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR.

Binding Corporate Rules (BCRs): Binding Corporate Rules (“BCRs”) are company-wide data protection policies approved by European data protection authorities to facilitate intra-group transfers of personal data from the European Economic Area (“EEA”) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Subscribers can find the full list of approved entities on the Binding Corporate Rules Approved List here. In 2017 Zendesk completed the EU approval process with the Irish Data Protection Commissioner (“DPC”) (peer reviewed by both the UK Information Commissioner’s Office and the Dutch Data Protection Authority) for its BCRs as a processor and as a controller. This significant regulatory approval validated Zendesk’s implementation of the highest possible standards for protecting personal data globally, covering both the personal data of its customers and its employees. Zendesk is one of the first software companies in the world to have received approval for its BCRs, and was the second company ever to receive approval from the Irish DPC.

To access Zendesk’s EU BCRs, please visit:

To access Zendesk’s UK BCRs, please visit:

Data Subject Requests: An individual who seeks to exercise their data protection rights in respect of personal data stored or processed by us on behalf of a Subscriber of ours within the Subscriber’s Service Data (including to seek access to, or to correct, amend, delete, port or restrict processing of such personal data) should direct his/her query to our Subscriber (the data controller). Upon receipt of a request from one of our Subscribers for us to remove the personal information, we will respond to their request within thirty (30) days. We will retain personal information that we process and store on behalf of our Subscribers for as long as needed to provide the Services to our Subscribers.

Data Protection Officer: Zendesk’s Data Protection Officer (“DPO”) can be reached at [email protected].

HDS enables healthcare providers in France to use Zendesk’s customer service and engagement platform with confidence that our platform has appropriate technical and governance measures in place to secure and protect personal health information (PHI). Additional information is available here.

The New Zealand Privacy Act 2020 commenced on December 1, 2020. It applies to agencies and maintains the principle-based framework of the 1993 Act. The 2020 Act states that organisations are responsible for ensuring that personal information sent outside of New Zealand is adequately protected, and it added mandatory breach notification requirements. https://www.zendesk.com/company/anz-privacy/

The Personal Data Protection Act of Singapore establishes data protection laws that govern the collection, use, and disclosure of Personal Data as of July 2, 2014. Zendesk is a recognised Infocomm Development Authority of Singapore (IDA) Data Intermediary as a Software-as-a-Service (“SaaS”) Service Provider. Additional information is available here.

The United Kingdom withdrew from the European Union on 31 January 2020. On 28 June 2021, the European Commission adopted adequacy decisions for transfers of personal data to the United Kingdom under GDPR.

To achieve a HIPAA-Enabled Account, you will need to (1) purchase the Advanced Security Deployed Associated Service or Advanced Compliance Deployed Associated Service Add-On; (2) enable a set of security configurations as outlined by Zendesk; and (3) execute our Business Associate Agreement (“BAA”). For more details, including a list of which Services can be HIPAA-enabled, please see Advanced Compliance.

Subscriber Service Data Details

Service Data is any information, including personal data, which is stored in or transmitted via the Zendesk Services by, or on behalf of, our subscribers and their end-users. We use Service Data to operate and improve our Services, help customers access and use the Services, respond to subscriber inquiries and send communications related to the Services.

Access: Zendesk provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the Zendesk services, and as otherwise required by law. See here for additional information.

Data Hosting: Zendesk uses Amazon Web Services to host service data, as described here and in the Regional Data Hosting Policy. For additional information, please also see the security section.

Default Data Types Collected by the Service: Zendesk has created a list of data points, categorised by product. For the full picture of data types, subscribers can use this list in conjunction with their specific intended use case and resultant data types.

Legal or Government Requests: Privacy, data security, and subscriber trust are our top priorities. Zendesk does not disclose service data, except as necessary to provide our services and to comply with applicable laws, as detailed in our Privacy Policy. To assist our subscribers in performing compliance reviews, we have additional resources: Transparency Report and Government Request Policy.

Ownership: From a privacy perspective, the subscriber is the controller of Service Data and Zendesk is a processor. This means that throughout the time that you subscribe to services with Zendesk, you retain ownership of and control over Service Data in your Zendesk instance.

Replication: Zendesk periodically replicates data for purposes of archival, backup and audit logs. We use Amazon Web Services (AWS) to store some of the information that is backed up, such as database information and attachment files. Please see our Regional Data Hosting Policy for further details.

Security: Zendesk prioritises data security and combines enterprise-class security features with comprehensive audits of our applications, systems and networks to ensure subscriber and business data is protected. See additional information here.

Security Incidents: For more information about security incident management see our Security Incident Response.

Sub-processors: Zendesk may use sub-processors, including affiliates of Zendesk, as well as third-party companies, to provide, secure, or improve the Services and such sub-processors may have access to Service Data. Our Sub-processors policy provides an up-to-date list of the names and locations of all sub-processors.

Termination: Zendesk maintains a Service Data Deletion Policy that describes Zendesk’s data deletion processes upon subscriber’s termination or expiration of the Zendesk subscription.

Privacy Related Policies

Cookie Policy

Detailed information about how and when we use cookies on Zendesk websites.

In-Product Cookies Policy

Provides information about how and when Zendesk uses cookies within the Zendesk Services.

Service Data Deletion Policy

How our Subscribers’ Service Data is deleted in connection with the cancellation, termination, or migration of an Account within the Zendesk Services.

Shared Responsibility Model

This framework clarifies which party is responsible for which controls related to the security and privacy of your data.

Application Features Related to Privacy

Zendesk has tools for each of its products to assist with user requests and other obligations under applicable privacy and data protection laws and regulations, such as data access, correction, portability, deletion and objection. To learn about the features and functionality in each Zendesk product, please see Complying with Privacy and Data Protection in Zendesk products.

Zendesk provides an advanced set of access and encryption features to help subscribers effectively protect their information. We do not access or use subscriber data for any purpose other than providing, maintaining and improving the Zendesk Services, and as otherwise required by applicable law. Additional information is available here.

Zendesk has achieved a number of internationally-recognised certifications and accreditations demonstrating compliance with third-party assurance frameworks as described on our Security site. Security certifications are described here.

Subscribers who purchase the Data Centre Location Deployed Associated Service (“Data Centre Location Add-on”), or have the Data Centre Location functionality in their Service Plan, have the ability to select the region that will host their Service Data from a list of Zendesk available regions.

Zendesk has a robust global privacy and data protection program, which takes a unified approach to privacy and information governance to give customers flexibility to manage personal data that lives within Zendesk’s systems. For details, see our product guides: Complying with Privacy and Data Protection in Zendesk Products.

Zendesk has two types of redaction for removing sensitive data:

Manual redaction provides the ability to redact or remove sensitive data in support ticket comments, and securely delete attachments so that you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn more about redaction via the UI or API.

Automatic redaction allows for automatic redaction of credit card numbers from Agent- or End-User-submitted tickets. When enabled, credit card numbers are partially replaced with blank boxes in the ticket. The numbers are also redacted from logs and database entries. Learn how to enable this feature and how the credit card numbers are identified.

Zendesk AI

Zendesk AI is built based on the core principles of privacy, security and compliance, by design. Our commitment to providing businesses with secure, trusted products and solutions is embedded in our DNA. As part of this, Zendesk leverages a set of design principles that not only set the standard for how we design, develop and build everything we do, but set a clear foundation for our use of AI for customer experiences (CX) and employee experience (EX).

Service Data processed by Zendesk AI is subject to all security standards and commitments, including compliance with Zendesk’s robust Enterprise Security Measures and storage within Zendesk’s SOC 2-compliant environment. Service Data will not be shared with any other customer.

Generative AI features are currently powered by OpenAI. OpenAI deletes all data after producing the output, without any storage. OpenAI data security practices are available here.

All models developed by Zendesk are classification models – this means they are trained to read and classify inputs into one of a set number of categories created by Zendesk. Because these models are not generative, no content is produced by the model and it is not possible for data to be reproduced by the model.

Does Zendesk use customer Service Data to train machine learning models?

Zendesk offers three types of machine learning functionality:

1. Account-specific ML functionality: Zendesk creates machine learning models tailored to a customer’s account using only data existing in the account. Account-specific models will not be used by any other customer.

2. Generic ML functionality: Zendesk uses Service Data to train its generic, cross-account machine learning models to be predictive and useful to multiple Zendesk customers. These include global and industry models. These models will never disclose one customer’s Service Data to another customer, because they are not “generative” (i.e., they do not create text).

3. Generative ML functionality supported by OpenAI: OpenAI models are pre-trained and Zendesk customer data will never be used by OpenAI (or any other third party) to train their model(s).

How does Zendesk protect Service Data when used for model training?

Before Service Data is used to train generic ML functionality, Zendesk applies aggregation and sanitation processes, as necessary. No fields designed to intake personal data or ticket attachments are used for model training. Zendesk is committed to ensuring that no service data will be reproduced by the model. There is no risk that one customer's data will be exposed to another customer through the model's output. See AI Data Use Information.

Hallucinations are an intrinsic risk for generative AI features. Zendesk does two things to mitigate this risk:

  • Zendesk utilises the Retrieval Augmented Generation (RAG) technique to ensure that generated replies or search results are grounded in specific knowledge base content.

  • The Zendesk development team regularly inspects replies with negative end user feedback for hallucinations to develop tools that can automatically detect and prevent such scenarios.

All service data is hosted in Zendesk’s existing AWS regions.

Use of Zendesk AI does not impact any Subscriber data locality commitments, including those available in the Data Centre Location Add-on. Service data of eligible subscribers will continue to be hosted in the selected region.

Note: Zendesk WFM (Tymeshift), Zendesk QA (Klaus) and Ultimate Service Data are hosted in Google Cloud Platform in the regions provided below:

| Product | Service Data Hosting Location(s) |
| --- | --- |
| Zendesk WFM (Tymeshift) | US, Germany |
| Zendesk QA (Klaus) | Germany |
| Ultimate | Belgium |

All Zendesk products and features are designed with privacy in mind, and Zendesk AI is no different.

Subscribers are able to comply with various privacy laws (including GDPR and CCPA) when using Zendesk, including Zendesk AI features.

Zendesk AI is eligible for coverage under Zendesk’s Business Associate Agreement (BAA).

Subscribers interested in executing a BAA with Zendesk must have access to the Advanced Compliance Add-on.

Data Security

OpenAI data security practices are available here.

Model Security

Zendesk uses pre-trained OpenAI models, and service data will never be used by OpenAI for any purpose other than to provide and secure its service to the subscriber. Once the output is delivered, the service data is deleted.

Model Training

OpenAI will never use service data for model training or any other form of service improvement.

Data Hosting and Locality

OpenAI currently processes service data in the United States. However, OpenAI does not store or host service data because it is promptly deleted after providing the output.

Data Privacy

Zendesk uses OpenAI’s ‘Zero Data Retention’ policy so that no service data is stored or hosted by OpenAI after the output has been delivered. As a result, using OpenAI does not affect subscribers’ ability to comply with various privacy laws (including GDPR and CCPA) when using Zendesk.

All OpenAI features within Zendesk are optional. Subscribers who do not wish to use these features do not have to turn them on and are always able to disable the features through the Admin Centre.

HIPAA

Select OpenAI-powered features are available for use with HIPAA-enabled accounts. Please see the Advanced Compliance page for more information.

You can learn more about Ultimate’s AI agent Security and Privacy here.

Legal

Our agreements and policies provide our subscribers transparency and detailed information about Zendesk’s Services, which in turn support our subscribers in meeting their own legal and compliance standards.

Zendesk offers several data processing agreements and other addenda to support subscribers’ compliance with data privacy laws, available for execution here. These include:

Data Processing Agreement (DPA)

United States HIPAA Business Associate Agreement (BAA)

Main Services Agreement (MSA)

US State Addendum

Accessibility Policy

Subscribers can leverage our Voluntary Product Accessibility Template in making their preliminary assessments.

Code of Business Conduct and Ethics

The minimum standards that we expect from our directors, officers, employees and contingent workers in the conduct of our business.

Cookie Policy

Detailed information about how and when we use cookies on Zendesk websites.

In-Product Cookies Policy

Provides information about how and when Zendesk uses cookies within the Zendesk Services.

How Zendesk handles notifications of infringement.

Data Deletion Policy

How our Subscribers’ Service Data is deleted in connection with the cancellation, termination, or migration of an Account within the Zendesk Services.

Legal or Government Request Policy

Addresses Zendesk’s procedure for responding to a request received from a law enforcement or other government authority.

Privacy Policy

Describes how Zendesk collects, uses, shares and secures personal data.

Regional Data Hosting Policy

Where Zendesk Service Data can be hosted if a Subscriber purchases or enables the Data Centre Location Add-On.

Responsible Disclosure Policy

Programs for security researchers to report discoveries of security vulnerabilities in the Zendesk Services.

Additional Zendesk policies are available here.

Transparency Report

Disclosure of service data: Zendesk only discloses Service Data to third parties where disclosure is necessary to provide or improve the services or as required to respond to lawful requests from public authorities. Please see our Government Data Request Policy as well as the Zendesk Transparency Report.

Article information

Author: Domingo Moore
