Service Data is any information, including personal data, which is stored in or transmitted via the Zendesk services by, or on behalf of, our customers and their end-users.

From a privacy perspective, the customer is the controller of Service Data, and Zendesk is a processor. This means that throughout the time that a customer subscribes to services with Zendesk, the customer retains ownership of and control over Service Data in its account.

Zendesk may use sub-processors, including affiliates of Zendesk as well as third party companies, to provide, secure or improve the Services, and such sub-processors may have access to Service Data. Zendesk maintains an up-to-date list of the names and locations of all sub-processors, available at our Sub-Processor Policy. The list includes the ability for our customers to sign up for notifications of any changes. Zendesk shall be responsible for the acts and omissions of sub-processors to the same extent that Zendesk would be responsible if Zendesk was performing the services of each sub-processor directly.

We use Service Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communications related to the services.

Zendesk prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.

For example, Zendesk servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Support team is on call 24/7 to respond to security alerts and events.

For more information about security incident management and procedures for Enterprise Services, please visit How We Protect Your Service Data (Enterprise Services). For more information about security incident management and procedures for Innovation Services, please visit How We Protect Your Service Data (Innovation Services).

Zendesk uses data centers in three main regions — United States, Asia Pacific, and the European Union. Service Data may be stored in any region. Customers can select the region in which data centers that host certain of their Service Data are located by purchasing the Data Center Locality Add-On. Please see the Regional Data Hosting Policy for additional information.

Zendesk maintains a publicly available Data Deletion Policy that describes Zendesk’s data deletion processes upon termination or expiration of a Subscriber’s agreement with Zendesk.

Zendesk recognizes that privacy and data security issues are top priorities for customers.

• Zendesk does not disclose Service Data except as necessary to provide its services to its customers and comply with the law as detailed in our Privacy Policy found here.

• Zendesk has achieved a number of internationally-recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks as described on our Security site.

• Where we need to act publicly to protect customers, we do. Zendesk has voiced its support for the USA Liberty Act that seeks to reform the surveillance program under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe the same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Master Subscription Agreement, or as otherwise required by law.

The General Data Protection Regulation (“GDPR”) is the European privacy regulation which replaced the EU Data Protection Directive (“Directive 95/46/EC”). The GDPR addresses the processing of personal data and the free movement of such data. It aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Broadly, it sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.

The GDPR also established the European Data Protection Board (“EPDB”), which ensures that the data protection law is applied consistently across the EU and works to ensure effective cooperation amongst data protection authorities.

Zendesk customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR and uniquely determine what personal data is submitted to, and processed by, Zendesk in accordance with the Services.

One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.

If Zendesk receives a data subject request from a Subscriber’s End-User (i.e., a user of the Services to whom a Subscriber has provided our Services), Zendesk is the Processor, and Zendesk will, to the extent that applicable legislation does not prohibit Zendesk from doing so, promptly inform the End-User to contact our Subscriber (i.e. the Controller) directly about any request relating to his/her Personal Data such as access or deletion. Zendesk will not further respond to a data subject request without Subscriber’s prior consent.

Zendesk encourages customers to continually review their privacy and data security processes and policies to ensure compliance with the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:

• Geographical Application: The GDPR may apply to organizations that are established in the EU as well as certain organizations established outside the EU but which are processing the personal data of EU citizens, depending on their activities.

• Rights of End-Users: Organizations should be cognizant of End-Users whose personal data they may be processing. The GDPR establishes enhanced rights for End-Users, and organizations should be able to accommodate those rights.

• Data Breach Notifications: Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. Zendesk will notify affected customers without undue delay if we become aware of a data breach of our services.

• Appointment of Data Protection Officer (“DPO”): Customers may need to appoint DPOs to manage issues relating to the processing of personal data.

• Data Processing Agreement (“DPA”): Where personal data is transferred outside the EEA, a customer may need DPAs in place with its sub-processors to ensure an adequate level of protection for the transferred data.

• Data Protection Impact Assessment (“DPIA”): DPIAs usually describe organizations data processes and protective measures, particularly those that may be risky. For data processing activities, customers need to conduct and file with authorities a DPIA.

Customers can use Zendesk’s third-party ISO certifications and SOC 2 audit reports to help conduct their risk assessments and determine whether appropriate technical and organizational measures are in place. For additional information, please see the Zendesk Security website.

Below are examples of specific Zendesk product features that customers can utilize to assist with the GDPR compliance program. Through our Advanced Security Deployed Associated Service, customers can choose to obtain enhanced features, including enhanced disaster recovery and encryption, as well as the ability to configure for the Health Insurance Portability and Accountability Act (“HIPAA”).

Currently available features for specific Zendesk products can be found in the questions/answers below.

Auditing Standards:

• ISO 27001:2013 certified

• ISO 27018:2014 certified

Scanning:

• Bug bounty

• Dynamic scanning of live applications

• Static scanning of code repositories

Encryption:

• Encryption of data in motion over public networks

• Encryption of certain data at rest with AES256

Yes, more detailed information on how to use Zendesk products to stay compliant with GDPR can be found via our Help Center here.

The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“Model Clauses”) which provide a data controller a compliant mechanism to transfer personal data to a data processor outside of the European Economic Area (“EEA”). The Model Clauses are appended to the Zendesk DPA to help provide adequate protection for data transfer outside of the EEA or Switzerland.

Zendesk periodically replicates data for purposes of archival, backup and audit logs. We use Amazon Web Services (AWS) to store some of the information that is backed up, such as database information and attachment files. Please see our Regional Data Hosting Policy for further details.

Zendesk customers who purchase the Data Center Location Add-on have the ability to select the region (from the available Zendesk regional options) where the data center which hosts their Service Data is located. Please see our Regional Data Hosting Policy for further details. Otherwise, Zendesk may utilize any of the global data centers it uses to host Service Data.

Irrespective of the outcome of the ongoing Brexit negotiations, Zendesk remains committed to the success of our Subscribers and employees in the UK and the rest of Europe. We are closely monitoring the negotiations between the UK government and the European Union regarding the details of their future relationship. As the details become clear, we will take appropriate measures to ensure that our Subscribers can continue to use our services in compliance with both EU and UK laws, and for Zendesk overall, business will continue as usual and will remain focused on our Subscribers’ success.

Zendesk offers customers a robust Data Processing Agreement governing the relationship between the customer (acting as a data controller) and Zendesk (acting as a data processor). The DPA facilitates Zendesk’s customers’ compliance with their obligations under EU data protection law and contains strong privacy commitments, and has been updated to confirm our compliance with the GDPR. The DPA also contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Zendesk outside of the European Union by relying on one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses.

Yes, Zendesk’s DPA includes provisions to assist Subscribers with their GDPR compliance.

Zendesk recommends that you consult with your legal counsel to assess the potential impact that your decision not to sign the DPA may have on your particular situation.

No. The Zendesk DPA is specific to Zendesk’s Services, privacy practices and representations made to regulators.

If you have additional questions, please contact your Zendesk Account Executive or alternatively, open a case with the Zendesk customer advocacy team by contacting support@zendesk.com.

Not directly, instead Zendesk offers a separate addendum to its Master Subscription Agreement to support a “Businesses” compliance efforts with CCPA, as such term is defined in the CCPA. For more information, please review the CCPA section of this webpage.

If you would like to review and/or execute Zendesk’s CCPA Addendum to the Master Subscription Agreement, please click here.

For information on our privacy practices and the functionality we provide to support our Subscribers’ compliance, please visit our Privacy and Data Protection Website, Data Deletion Policy, and Product Guides.

The CCPA grants California consumers new rights with respect to the collection of their personal information and requires companies to comply with certain obligations related to those rights, including:

1. An obligation on businesses to notify a consumer of its data collection practices, including the categories of personal information it has collected, the source of the information, the business’s use of the information, and to whom the business disclosed the information it has collected about the consumer;
2. The consumer’s right to receive a copy, in a readily usable format, of the specific personal information collected about them during the twelve (12) months prior to their request;
3. The consumer’s right to have such personal information deleted (with exceptions);
4. The consumer’s right to know the business’ data sale practices and to request that their personal information not be sold to third parties;
5. A prohibition on businesses on discrimination for exercising a consumer right; and
6. An obligation on businesses to notify a consumer of their rights.

Zendesk has been following the CCPA and preparing for compliance since the CCPA was first passed in 2018. Most recently, the California Office of the Attorney General has indicated that it may further amend regulations proposed for the CCPA. In light of such potential amendments, Zendesk is actively tracking the law and we will continue to keep our customers updated on features and functionality they can use to support their compliance efforts. Customers can also view our Product Guides for more detailed information on how to use Zendesk’s products to comply with data privacy laws, as well as our Data Deletion Policy for details on Service Data deletion.

Zendesk customers that collect and store personal information in Zendesk Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Zendesk acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Zendesk collects, accesses, maintains, uses, processes and transfers the personal information of our customers and our customer’s end-users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our subscribers; and, for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.

We do not “sell” our customer’s personal information as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered personal information under the CCPA—with third parties to help us develop and improve the Services and provide our customers with more relevant content and service offerings as detailed in our customer agreements.

Subscribers are advised to consult their own legal counsel to evaluate how the CCPA specifically applies to them and determine how to achieve their own compliance with CCPA.

Binding Corporate Rules (“BCRs”) are company-wide data protection policies approved by European data protection authorities to facilitate intra-group transfers of personal data from the European Economic Area (“EEA”) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Customers can find the full list of approved entities on the Binding Corporate Rules Approved List, here.

Yes, Zendesk has completed the EU approval process with the Irish Data Protection Commissioner (“DPC”) (peer reviewed by both the UK Information Commissioner’s Office and the Dutch Data Protection Authority) for its global Binding Corporate Rules (“BCRs”) as data processor and controller. This significant regulatory approval validates Zendesk’s implementation of the highest possible standards for protecting personal data globally, covering both the personal data of its customers and its employees.

Zendesk is one of only a few software companies in the world to have received approval for its BCRs; and just the second company ever to receive approval from the Irish DPC.

To access Zendesk’s BCRs, please follow the relevant links below:

– Zendesk’s Processor Binding Corporate Rules (which apply when Zendesk’s processes personal data on behalf of its customers); and

– Zendesk’s Controller Global Binding Corporate Rules (which apply when Zendesk processes personal data for which it is a data controller).

Zendesk has updated its Binding Corporate Rules to align them with the GDPR and to further enhance the robust privacy protections we offer to our Subscribers. Zendesk notified the Irish data protection authority of these updates as part of our annual update.

The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) to provide companies with a mechanism to transfer personal data from the European Union to the United States in a manner that provides an adequate level of protection for the purpose of European data protection law.

Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a ruling invalidating the EU-U.S. Privacy Shield program. The U.S. Department of Commerce indicated that it will continue to administer the Privacy Shield program.

Zendesk customers can continue to use Zendesk services and transfer data in compliance with European law such as the GDPR, as we have both Binding Corporate Rules and Model Clauses (incorporated into our Data Processing Agreement) in place. If you would like to access the Zendesk DPA for review or signature, you can access it in your Customer Admin Console or click here.

• SOC 2 Type II Report

• SOC 3 Report

• ISO 27001:2013 Certification

• ISO 27018:2014 Certification

• Binding Corporate Rules Approved List

• Privacy Shield Approved List

• TrustArc Privacy Seal

• How Zendesk Protects Personal Data

• Zendesk Adheres To Highest Standards Of Data Protection With European BCR Approval

• Zendesk Privacy Policy

• Zendesk Data Deletion Policy

• Zendesk Security Page

• Zendesk Security Best Practices

• SOC 2 Report

• SOC 3 Report

• ISO 27001:2013 Certification

• ISO 27018:2014 Certification

• Zendesk Master Subscription Agreement

• U.S. Department of Commerce Privacy Shield Website: https://www.privacyshield.gov/welcome.

• Directive 95/46/EC: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM:l14012.

• General Data Protection Regulation (GDPR): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.

• The International Association of Privacy Professionals: https://iapp.org.

• United Kingdom Information Commissioner’s Office’s “Preparing for the GDPR”: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.