Advanced Security: Data at Rest Encryption, Enhanced Disaster Recovery, and HIPAA Compliance (Enterprise Add-on) Follow

The article describes the following advanced security features: Data at rest encryption, enhanced disaster recovery, and HIPAA compliance.

Note: These features are part of the Advanced Security Add-on for Enterprise.
 

Data at rest encryption

Zendesk Support can encrypt customer data at rest stored in our infrastructure using AES-256. Data at rest refers to inactive data stored physically in any digital form. Encrypting it provides extra protection from unauthorized access. The encrypted data at rest includes:

  • User, ticket and Help Center data
  • Search data
  • Logs
  • Backups
  • Attachments

Enhanced disaster recovery

Zendesk Support performs daily backups of all customers’ service data to provide basic disaster recovery. Customers can also have real-time data replication as well as dedicated capacity and failover to a different data center within the same region in the case of a disaster.

All customers are assigned to a specific POD in one of our data centers. Customers with the Enhanced DR feature are also assigned a secondary (warm) POD which contains a real-time replication of their data and dedicated redundant capacity. The primary and secondary PODs are located in two separate geographically diverse data centers. In the event of a significant disaster, this allows Zendesk Support to failover from the primary POD to the secondary POD more seamlessly. To break this down a little further, here are some additional details:

  • In addition to our standard data backup practices, the extra layer of real-time replication in a secondary location lessens the chance of any data loss as the result of a significant disaster. Because of this real-time replication we are able to maintain a targeted Recovery Point Objective (RPO) of 0 hours from the point of impact.
  • The secondary POD has a full application stack and dedicated redundant capacity in place. This combined with the data being readily available allows for a straight forward failover from the primary POD within a short number of hours. For customers with the Enhanced DR feature there is a targeted Recovery Time Objective (RTO) of 8 hours, after a declaration of a disaster.
  • We have extensively tested both our US and EU Enhanced DR functionality. These exercises consisted of a full failover from each data center to its secondary site and a rollback to its original state. Each quarter we perform an exercise that touches either our US or EU Enhanced DR. The scenarios for these exercises vary and include different elements of our business continuity and disaster recovery plans.
  • Our business continuity and disaster recovery plan and associated technical runbooks are detailed and have been vetted through each DR exercise.

HIPAA compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules and regulations passed by the U.S. Congress designed to protect the privacy of individuals’ personal health information and ensure the security of electronic personal health information (ePHI).

It applies to providers of health care, health plans, and health care clearinghouse services. These providers are required to handle patient personal health information in a way that meets defined security standards. When providers use third-party vendors or services (business associates) where personal health information might be stored, those business associates need to adhere to the standards as well. This agreement is contractually defined in a Business Associate Agreement (BAA).

Zendesk will now sign BAA’s with healthcare customers who need to comply with HIPAA. 

Exceptions

These advanced security features may not apply to the following services:

  • Zendesk Net Promoter Score (NPS) Surveys
  • Zendesk Insights
  • Other services managed and hosted by third parties and the data you enter into these other services, as defined in our Terms of Service

Click here to learn more about security for Zendesk Chat. For the other services listed above click here to learn more about security.

 

Have more questions? Submit a request

Comments

  • 9

    Please lower the bar for this... 50 agent, $2,000 per month minimum is a high barrier of entry.

  • 0

    Ditto

  • 1

    Agreed. Would love to see this available on the Plus package and not forced to Enterprise. 

  • 0

    Agreed with @Mike

  • 0

    Is there a possibility this pricing can be reduced to a more reasonable level - we need HIPAA compliance but not 50 agents, and given this level of pricing, we are probably likely to use Atlassian ServiceDesk instead, which has a much better pricing model.

  • 0

    We could not afford it and after talking with support settled on a policy of leaving PHI out and using the Ticket Redaction App, which is free, should there be a mistake.

  • 0

    Hey Roger!

    I'd recommend getting in touch with our Sales team; they'd be able to let you know whether that's possible or not.

    @Brian, thanks for sharing your solution!

  • 1

    We finally get the BAA we've been requesting for years, but only if you spend a fortune for the Enterprise level service? I'm very disappointed. Zendesk will be an outlier in this field. Is there truly such a premium for HIPAA compliance?

  • 2

    There are many small healthcare startups that are starving for HIPAA-compliant integrations, but there's no way we'd need 50 agents or could afford $2000/month. Please know that it's not just giant hospital systems and insurers that need this functionality - help us little guys, too.

  • 0

    Does someone knows what iti is the standard SLA without this add-on? For SLA I mean when I've a issue(on zendesk side) that block my activity and I cannot meet my SLA with my internal customers. 

  • 2

    There should be a reasonable price for Security Add-On Feature!

    We are currently paying $600 for all of our Email Exchange servies per month, why should any small businesses pay $2000/Month just for 4 agents on ticketing system?

    HIPAA is very important for any healthcare businesses, but this price is way higher than any other HIPAA compliant services!

    This plan is not affordable at all, ZenDesk please give us a reasonable price!

  • 1

    Amazon Web Services, Dropbox, and more now offer this as part of their services. I encourage you folks to take a look at the market and reconsidered your current product offering and associated costs. There are a ton of SMBs and small medical providers who need to protect ePHI and receive BAAs from their vendors.

  • 0

    Wow, that's... still way too much. As a comparison, Help Scout offers a BAA starting at $10/month. Zendesk's minimum cost is 80 times as high.

  • 0

    Agreed, definitely still too high. And requiring the enterprise plan. There are users that are not on the enterprise plan that would love to have these features at a reasonable cost. This is not reasonable. 

Please sign in to leave a comment.

Powered by Zendesk