Privacy and Data Protection

To learn more about recent developments with the EU-U.S. Privacy Shield Framework, click here.

Overview

Zendesk prioritizes customer trust. We know that the security and integrity of customer data is important to our customers’ values and operations. That is why we keep it private and safe.

Zendesk supports thousands of customers in over 160 countries and territories. Our customers entrust us with large amounts of sensitive information, stemming from a wide range of industries including healthcare, financial services, government, and technology.

Zendesk helps customers maintain control of their privacy and data security in a myriad of ways:

Data Security: We provide our customers compliance with high security standards, such as encryption of data in motion over public networks, auditing standards (SOC 2, ISO 27001, ISO 27018), Distributed Denial of Service (“DDoS”) mitigations, and a Support team that is on-call 24/7.
Disclosure of Customer Service Data: Zendesk only discloses Service Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
Trust: Zendesk has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed Zendesk’s adherence to high industry standards.
Data Hosting Locality: Customers who purchase the Data Center Location Deployed Associated Service (“Data Center Location Add-on”) have the ability to select the region (from the available Zendesk regional options) where the data center which hosts their Service Data is located.
Access Management: Zendesk provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the Zendesk services and as otherwise required by law.

What is Service Data?

Service Data is any information, including personal data, which is stored in or transmitted via the Zendesk services by, or on behalf of, our customers and their end-users.

Who owns and controls Service Data?

From a privacy perspective, the customer is the controller of Service Data, and Zendesk is a processor. This means that throughout the time that a customer subscribes to services with Zendesk, the customer retains ownership of and control over Service Data in its account.

Who are Zendesk’s sub-processors?

Zendesk may use sub-processors, including affiliates of Zendesk as well as third party companies, to provide, secure or improve the Services, and such sub-processors may have access to Service Data. Zendesk maintains an up-to-date list of the names and locations of all sub-processors, available at our Sub-Processor Policy. The list includes the ability for our customers to sign up for notifications of any changes. Zendesk shall be responsible for the acts and omissions of sub-processors to the same extent that Zendesk would be responsible if Zendesk was performing the services of each sub-processor directly.

How does Zendesk use Service Data?

We use Service Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communications related to the services.

What steps does Zendesk take to secure Service Data?

Zendesk prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.

For example, Zendesk servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Support team is on call 24/7 to respond to security alerts and events.

How does Zendesk notify customers of a security incident?

For more information about security incident management and procedures for Enterprise Services, please visit How We Protect Your Service Data (Enterprise Services). For more information about security incident management and procedures for Innovation Services, please visit How We Protect Your Service Data (Innovation Services).

Where will Service Data be stored?

Zendesk uses data centers in three main regions — United States, Asia Pacific, and the European Union. Service Data may be stored in any region. Customers can select the region in which data centers that host certain of their Service Data are located by purchasing the Data Center Locality Add-On. Please see the Regional Data Hosting Policy for additional information.

What happens to Service Data upon termination or expiration of a customer’s agreement with Zendesk?

Zendesk maintains a publicly available Data Deletion Policy that describes Zendesk’s data deletion processes upon termination or expiration of a customer’s agreement with Zendesk.

How does Zendesk Respond to Information Requests?

Zendesk recognizes that privacy and data security issues are top priorities for customers.

Zendesk does not disclose Service Data except as necessary to provide its services to its customers and comply with the law as detailed in our Privacy Policy found here.
Zendesk has achieved a number of internationally-recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks as described on our Security site.
Where we need to act publicly to protect customers, we do. Zendesk has voiced its support for the USA Liberty Act that seeks to reform the surveillance program under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).

How does Zendesk respond to legal requests for Service Data?

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe the same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Master Subscription Agreement, or as otherwise required by law.

Since our inception, Zendesk’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which replaced the EU Data Protection Directive (also known as “Directive 95/46/EC“) and became enforceable on May 25, 2018.

If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our customers’ trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee that customers can:

Respond to requests from data subjects to export, correct, amend or delete personal data.
Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
Demonstrate their compliance with the GDPR as pertaining to Zendesk’s services.

Data Processing Agreement

Zendesk offers active customers of its paid and trial services the ability to enter into a Data Processing Agreement (“DPA”) to reflect the parties’ agreement with regard to the processing of personal data. If you would like to access the Zendesk DPA for review or signature, please click here. Customers who signed earlier versions of our DPA can sign our current DPA at any time.

What is a Data Processing Agreement (“DPA”)?

Zendesk offers customers a robust Data Processing Agreement governing the relationship between the customer (acting as a data controller) and Zendesk (acting as a data processor). The DPA facilitates Zendesk’s customers’ compliance with their obligations under EU data protection law and contains strong privacy commitments, and has been updated to confirm our compliance with the GDPR. The DPA also contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Zendesk outside of the European Union by relying on one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses.

Does the DPA take GDPR into account?

Yes, Zendesk’s DPA includes provisions to assist customers with their GDPR compliance.

What happens if a customer does not sign the DPA?

Zendesk recommends that you consult with your legal counsel to assess the potential impact that your decision not to sign the DPA may have on your particular situation.

Can a customer use its own DPA?

No. The Zendesk DPA is specific to Zendesk’s Services, privacy practices and representations made to regulators.

What if I have additional questions about the DPA?

If you have additional questions, please contact your Zendesk Account Executive or alternatively, open a case with the Zendesk customer advocacy team by contacting support@zendesk.com.

Does the DPA take the California Consumer Privacy Act (CCPA) into account?

Not directly, instead Zendesk offers a separate addendum to its Master Subscription Agreement to support a “Businesses” compliance efforts with CCPA, as such term is defined in the CCPA. For more information, please review the CCPA section of this webpage.

CCPA

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) is a U.S. law enacted in the State of California with an effective date of January 1, 2020. Generally, it expands upon the privacy rights available to certain California consumers, and requires certain companies to comply with various data protection requirements.

Does Zendesk’s Master Subscription Agreement specifically address CCPA?

If you would like to review and/or execute Zendesk’s CCPA Addendum to the Master Subscription Agreement, please click here.

For information on our privacy practices and the functionality we provide to support our customers’ compliance, please visit our Privacy and Data Protection Website, Data Deletion Policy, and Product Guides.

What is the CCPA?

The CCPA grants California consumers new rights with respect to the collection of their personal information and requires companies to comply with certain obligations related to those rights, including:

An obligation on businesses to notify a consumer of its data collection practices, including the categories of personal information it has collected, the source of the information, the business’s use of the information, and to whom the business disclosed the information it has collected about the consumer;
The consumer’s right to receive a copy, in a readily usable format, of the specific personal information collected about them during the twelve (12) months prior to their request;
The consumer’s right to have such personal information deleted (with exceptions);
The consumer’s right to know the business’ data sale practices and to request that their personal information not be sold to third parties;
A prohibition on businesses on discrimination for exercising a consumer right; and
An obligation on businesses to notify a consumer of their rights.

How has Zendesk been preparing for the CCPA and how do Zendesk products support compliance with the CCPA?

Zendesk has been following the CCPA and preparing for compliance since the CCPA was first passed in 2018. Most recently, the California Office of the Attorney General has indicated that it may further amend regulations proposed for the CCPA. In light of such potential amendments, Zendesk is actively tracking the law and we will continue to keep our customers updated on features and functionality they can use to support their compliance efforts. Customers can also view our Product Guides for more detailed information on how to use Zendesk’s products to comply with data privacy laws, as well as our Data Deletion Policy for details on Service Data deletion.

How does the CCPA apply to Zendesk customers?

Zendesk customers that collect and store personal information in Zendesk Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Zendesk acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Zendesk collects, accesses, maintains, uses, processes and transfers the personal information of our customers and our customer’s end-users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our customers; and, for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.

Does Zendesk sell personal information?

We do not “sell” our customer’s personal information as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered personal information under the CCPA—with third parties to help us develop and improve the Services and provide our customers with more relevant content and service offerings as detailed in our customer agreements.

How can Zendesk customers ensure compliance with CCPA?

Subscribers are advised to consult their own legal counsel to evaluate how the CCPA specifically applies to them and determine how to achieve their own compliance with CCPA.

LGPD

The Brazilian General Data Protection Law, or Lei Geral de Proteção de Dados Pessoais, (LGPD) went into effect on August 16, 2020. It is the primary law in Brazil addressing the protection of personal data.

Does Zendesk’s Master Subscription Agreement specifically address LGPD?

If you would like to review and/or execute Zendesk’s LGPD Addendum to the Master Subscription Agreement, please click here.

In addition, Zendesk’s Master Subscription Agreement (MSA), other privacy and product documentation, as well as our internal practices are designed for global use and we update them as necessary to continue to deliver our Services to customers in Latin America and the Caribbean in accordance with legal requirements. We direct your attention to Exhibit A of our MSA (“Supplemental Terms: Region-Specific Terms”), the section entitled, “Brazil.” Zendesk’s MSA can be found at: https://www.zendesk.com/company/customers-partners/master-subscription-agreement/.

What is the LGPD?

The LGPD is the primary law in Brazil addressing the protection of personal data, aiming to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” As such, controllers and processors (as defined under the LGPD) are required to adhere to certain principles when processing personal data, including but not limited to purpose, necessity, transparency, and security.

How has Zendesk prepared for the LGPD and how do Zendesk Services support compliance with the LGPD?

Zendesk has been following the LGPD and preparing for compliance since the LGPD was first passed in 2018. Additionally, the National Authority for Protection Data (ANPD) may issue additional guidance for the LGPD. In light of such guidance, Zendesk is actively tracking the law and we will continue to keep our customers updated on features and functionality they can use to support their compliance efforts. Customers can also view our Product Guides for more detailed information on how to use Zendesk’s Services to comply with data privacy laws, as well as our Data Deletion Policy for details on Service Data deletion.

How does the LGPD apply to Zendesk customers?

Zendesk customers that collect and store personal data in Zendesk Services may be considered “controllers” under the LGPD. Controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the LGPD. Zendesk acts as a “processor,” as such term is defined in the current version of the LGPD, with respect to the processing of personal data through our Services. Therefore, Zendesk processes the personal data of our customers and our customer’s end-users at the instruction of our customers.

How can Zendesk customers ensure compliance with the LGPD?

Customers are advised to consult their own legal counsel to evaluate how the LGPD specifically applies to them and determine how best to achieve their own compliance with LGPD.

Click on the Zendesk products below to see the features and functionality available in each of Zendesk’s products that can support compliance with privacy and data protection obligations.

Privacy frameworks from different regions may differ in the terminology they use to describe the roles and obligations of the respective parties. For consistency, Zendesk uses the following terms throughout these guides to apply globally. For the avoidance of doubt, these definitions do not replace any definitions in agreements that customers or individuals may have with Zendesk.

Data controller is the party that determines the purposes and means of processing the personal data;
Data processor is the party that processes personal data on behalf of the data controller;
Data subject is the identified or identifiable natural person whose personal data is at issue; and
Personal data is any information relating to the data subject.

To learn more about how Zendesk’s products align with global privacy rights, please click on the icons below

Click on the Zendesk products below to see the features and functionality available in each of Zendesk’s products that can support GDPR compliance. If you are a Zendesk Suite customer, the products referenced in the table below correspond to the following functionality that may be made available in your Service Plan (as defined in the Service-Specific terms found here: https://support.zendesk.com/hc/en-us/articles/360047508453-Supplemental-terms-Zendesk-s-service-specific-terms).

Product	Zendesk Suite Functionality
Support	Help Desk Functionality
Guide	Help Center Functionality
Chat	Live Chat Functionality
Talk	Voice Functionality
Explore	Analytics Functionality

Binding Corporate Rules

What are Binding Corporate Rules?

Binding Corporate Rules (“BCRs”) are company-wide data protection policies approved by European data protection authorities to facilitate intra-group transfers of personal data from the European Economic Area (“EEA”) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Customers can find the full list of approved entities on the Binding Corporate Rules Approved List, here.

Does Zendesk have approved BCRs in place?

Yes, Zendesk has completed the EU approval process with the Irish Data Protection Commissioner (“DPC”) (peer reviewed by both the UK Information Commissioner’s Office and the Dutch Data Protection Authority) for its global Binding Corporate Rules (“BCRs”) as data processor and controller. This significant regulatory approval validates Zendesk’s implementation of the highest possible standards for protecting personal data globally, covering both the personal data of its customers and its employees.

Zendesk is one of only a few software companies in the world to have received approval for its BCRs; and just the second company ever to receive approval from the Irish DPC.

To access Zendesk’s BCRs, please follow the relevant links below:

– Zendesk’s Processor Binding Corporate Rules (which apply when Zendesk’s processes personal data on behalf of its customers); and

– Zendesk’s Controller Global Binding Corporate Rules (which apply when Zendesk processes personal data for which it is a data controller).

Does Zendesk update its BCRs?

Zendesk has updated its Binding Corporate Rules to align them with the GDPR and to further enhance the robust privacy protections we offer to our customers. Zendesk notified the Irish data protection authority of these updates as part of our annual update.

Privacy Shield

What is the Privacy Shield?

The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) to provide companies with a mechanism to transfer personal data from the European Union to the United States in a manner that provides an adequate level of protection for the purpose of European data protection law.

Is Zendesk certified under the Privacy Shield?

Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.

How does the invalidation of Privacy Shield affect transfers of Zendesk Service Data from the EEA to the U.S.?

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a ruling invalidating the EU-U.S. Privacy Shield program. Zendesk customers can continue to use Zendesk services and transfer data in compliance with European law such as the GDPR, as we have both Binding Corporate Rules and Model Clauses (incorporated into our Data Processing Agreement) in place.

We understand that you may have questions around the invalidation of the Privacy Shield and Zendesk’s position in relation to the same, so we have published this blog post to assist you with your queries.

If you would like to access the Zendesk DPA for review or signature, you can access it in your Customer Admin Console or click here.

Zendesk Transparency Report

Current as of: February 22, 2021.

ABOUT OUR TRANSPARENCY REPORT

Zendesk, like most technology companies, occasionally receives requests from law enforcement agencies in the United States and elsewhere, seeking information about Zendesk customers. Such requests may take the form of a subpoena, court order, search warrant, National Security Letter, and orders issued under the Foreign Intelligence Surveillance Act. Zendesk must comply with valid governmental requests for customer data.

At the same time, Zendesk cares deeply about maintaining the trust of our customers. One way to maintain that trust is to inform Zendesk customers and the public about valid governmental requests. To do so, we have prepared this transparency report.

When Zendesk receives a request for data, where possible we ask law enforcement to serve our customers directly with requests for their data. When that is not possible, we carefully review the request for data, work to narrow that request, consult with outside counsel when appropriate, provide notice to customers when not prohibited from doing so, and produce responsive data only as required.

This transparency report provides information relating to law enforcement requests for user data that we processed from January 1, 2021 to the date of this report.

Zendesk will provide updated reports approximately every 6 months for the prior 6-month period. Zendesk’s next report will cover the period from January 2021-June 2021.

REPORT

Requests from United States Law Enforcement

Type of Request	Number of Requests	Content Data Disclosed	Non-Content Data Disclosed
Subpoena	1	0	1
Court Order	1	0	1
Search Warrant	0	N/A	N/A
National Security Letters or FISA orders	0	N/A	N/A

Requests from Non-U.S. Law Enforcement

Although Zendesk is located in the United States, we have a corporate presence in several other countries. When we receive requests from non-US governments we work with U.S. and non-U.S. counsel to determine the validity of the request and our ability to respond under United States and other applicable laws.

Type of Request	Number of Requests	Number of Times Data Provided
Informal requests	5	0
Non-U.S. requests pursuant to an MLAT	0	N/A

Definitions

Content Data: Includes the contents of End-Users’ communications with an Account such as the contents of Zendesk Support Tickets and Zendesk Chats. Content data is generally considered Service Data as defined in Zendesk’s Master Subscription Agreement.
Non-Content Data: All data that is not Content Data. It can include Account Information as defined in Zendesk’s Privacy Policy (such as Account Owner name and contact information, Account billing information, length of Service, types of Services utilized, and account login information). Additionally, if Zendesk receives a court order, then Non-Content Data can also include Non-Content metadata related to End-Users’ communications with an Account, which is Service Data.
Subpoena: A compulsory demand issued by a governmental entity for the production of documents in a criminal case (such as grand jury subpoenas).
Court Order: An order issued by a judge upon a finding that there are reasonable grounds to believe that the information sought is relevant and material to an ongoing criminal investigation.
Search Warrant: An order issued by a judge upon a finding of probable cause by law enforcement. A search warrant is required to obtain Content Data.
MLAT: Stands for “mutual legal assistance treaty.” Zendesk requires that non-U.S. government entities use appropriate international law processes, such as through an MLAT, to obtain customer data.
National Security Letters: A national security letter issued under 18 U.S.C. § 2709.
FISA Orders: An order or request issued under the Foreign Intelligence Surveillance Act for user information issued in the U.S.

For More Information

For more information regarding Zendesk’s approach to responding to requests for information from law enforcement, please see here.

Recursos adicionales

Zendesk Reports/Certificates:

SOC 2 Type II Report
SOC 3 Report
ISO 27001:2013 Certification
ISO 27018:2014 Certification
Binding Corporate Rules Approved List
Privacy Shield Approved List
TrustArc Privacy Seal

Zendesk Resources:

Third-Party Resources:

U.S. Department of Commerce Privacy Shield Website: https://www.privacyshield.gov/welcome.
Directive 95/46/EC: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM:l14012.
General Data Protection Regulation (GDPR): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
The International Association of Privacy Professionals: https://iapp.org.
United Kingdom Information Commissioner’s Office’s “Preparing for the GDPR”: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.

Last updated December 1, 2020