Cover your bases

Zendesk hosts Service Data primarily in AWS data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about Compliance at AWS.

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Centre Controls at AWS.

AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.

Zendesk leverages AWS data centres in the United States, Europe, and Asia Pacific. Learn more about Data Hosting Locations for your Zendesk Service Data.

Zendesk offers multiple data locality choices including the United States (US), Australia (AU), Japan (JP), or European Economic Area (EEA). For more information on product, plan, and regional offerings please see our Regional Data Hosting Policy.

Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.

Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilised between the Internet, and internally between the different zones of trust.

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

In addition to our extensive internal scanning and testing programme, each year Zendesk employs third-party security experts to perform a broad penetration test across the Zendesk Production and Corporate Networks.

Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.

Service ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Zendesk participates in several threat intelligence sharing programmes. We monitor threats posted to these threat intelligence networks and take action based on risk.

Zendesk has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provides deeper protection along with our use of AWS DDoS specific services.

Access to the Zendesk Production Network is restricted on an explicit need-to-know basis, utilises least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Zendesk Production Network are required to use multiple factors of authentication.

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

All communications with Zendesk UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service subscribers may choose to leverage at their own discretion.

Service Data is encrypted at rest in AWS using AES-256 key encryption.

Zendesk maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history and relevant security events.

Zendesk employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allow us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Our Disaster Recovery (DR) programme ensures that our services remain available and are easily recoverable in the case of a disaster.

This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Our Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritise operations of Enhanced Disaster Recovery subscribers during any declared disaster event.

Zendesk leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

We employ third-party security tooling to continuously and dynamically scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.

In addition to our extensive internal scanning and testing programme, Zendesk employs third-party security experts to perform detailed penetration tests on different applications within our family of products.

Our Responsible Disclosure Programme gives security researchers, as well as customers, an avenue for safely testing and notifying Zendesk of security vulnerabilities through our partnership with HackerOne.

Zendesk has several different authentication options: subscribers can enable native Zendesk authentication, social media Single sign-on (SSO) (Facebook, Twitter, Google), and/or Enterprise SSO (SAML, JWT) for end user and/or agent authentication. Learn about user access.

Zendesk native authentication for products available through the Admin Centre provides the following levels of password security: low, medium and high, as well as set custom password rules for agents and admins. Zendesk also allows different password security levels to apply to end users vs. agents and admins. Only admins can change the password security level. Learn more about configurable password policies.

Zendesk native authentication for products available through the Admin Center offers 2-factor (2FA) for agents and admins via SMS or an authenticator app. Learn about 2FA.

Zendesk follows secure credential storage best practice by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.

For businesses that need a higher level of data privacy and security, Zendesk offers the Advanced Data Privacy and Protection add-on. The add-on includes capabilities for BYOK encryption, customisable data retention policies, data masking, PII redaction and access logs.

Access to data within Zendesk applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Zendesk supports various permission levels for users (owner, admin, agent, end user, etc.).

Learn about user roles:

• Support Default Roles
• Support Custom Roles *Enterprise only
• Chat Default Roles
• Chat Custom Roles *Enterprise only
• Explore Default Roles
• Guide Default Roles
• Talk Default Roles
• Session Time

Any Zendesk account can restrict access to their Zendesk Support to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to your Zendesk account. You can allow subscribers (not agents or admins) to bypass this restriction. For more information, see Restricting access to Zendesk Support and your Help Centre using IP restrictions and Using IP Access Restriction in Chat.

Zendesk provides free TLS encryption for host-mapped Guide help centres. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.

You can also upload your own certificate, if you choose.

To learn more about setting up encryption certificates for a Guide help centre please see Setting up a hosted TLS encryption certificate.

Zendesk Chat allows the ability to restrict what file types are sent to agents. Alternatively, you can choose to turn off file sending entirely in the Chat product. To learn about this feature, see Managing file sending in live chat.

Zendesk offers Audit Logs to accounts with Enterprise/Enterprise Plus plans. These logs include account changes, user changes, app changes, business rules, ticket deletions, and settings. The Audit Log is available in both the Admin Centre and Support API. To learn more about Audit Logs and see what information is available within the log please see Viewing the audit log for changes.

Subscribers can configure their instance so that users are required to sign in to view ticket attachments. Learn about Private Attachments.

Zendesk has two types of redaction for removing sensitive data: Manual redaction provides the ability to redact or remove sensitive data in Support ticket comments, and securely delete attachments, so you can protect confidential information. The data is redacted from tickets via the UI or API to prevent sensitive information from being stored in Zendesk. Learn about redaction via the UI or API.

Automatic redaction allows for automatic redaction of credit card numbers from subscriber-submitted tickets. When enabled, credit card numbers are partially replaced with blank boxes in the ticket. They are also redacted from logs and database entries. To learn more about how to enable this feature and how credit card numbers are identified, see Automatically redacting credit card numbers from tickets and from chats.

Zendesk’s spam filtering service can be used to prevent end user spam posts from being published in your Guide help centre. Learn about filtering spam in Guide.

Zendesk offers DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails from Zendesk when you have to set up an external email domain on your Zendesk. Using an email service that supports these features helps you stop email spoofing. Learn more about digitally signing your email.

Zendesk tracks the devices used to sign in to each user account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow up if the activity seems suspicious. Suspicious sessions can be terminated through the agent UI. Learn about device tracking.

Zendesk has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Zendesk information assets.

All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.

Zendesk performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification. Cleaning crews are included.

All new hires are required to sign Non-Disclosure and Confidentiality agreements.