The article describes the following advanced security features: Data at rest encryption, enhanced disaster recovery, and HIPAA compliance.
Data at rest encryption
Zendesk Support can encrypt customer data at rest stored in our infrastructure using AES-256. Data at rest refers to inactive data stored physically in any digital form. Encrypting it provides extra protection from unauthorized access. The encrypted data at rest includes:
- User, ticket and Help Center data
- Search data
Enhanced disaster recovery
Zendesk Support performs daily backups of all customers’ service data to provide basic disaster recovery. Customers can also have real-time data replication as well as dedicated capacity and failover to a different data center within the same region in the case of a disaster.
All customers are assigned to a specific POD in one of our data centers. Customers with the Enhanced DR feature are also assigned a secondary (warm) POD which contains a real-time replication of their data and dedicated redundant capacity. The primary and secondary PODs are located in two separate geographically diverse data centers. In the event of a significant disaster, this allows Zendesk Support to failover from the primary POD to the secondary POD more seamlessly. To break this down a little further, here are some additional details:
- In addition to our standard data backup practices, the extra layer of real-time replication in a secondary location lessens the chance of any data loss as the result of a significant disaster. Because of this real-time replication we are able to maintain a targeted Recovery Point Objective (RPO) of 0 hours from the point of impact.
- The secondary POD has a full application stack and dedicated redundant capacity in place. This combined with the data being readily available allows for a straight forward failover from the primary POD within a short number of hours. For customers with the Enhanced DR feature there is a targeted Recovery Time Objective (RTO) of 8 hours, after a declaration of a disaster.
- We have extensively tested both our US and EU Enhanced DR functionality. These exercises consisted of a full failover from each data center to its secondary site and a rollback to its original state. Each quarter we perform an exercise that touches either our US or EU Enhanced DR. The scenarios for these exercises vary and include different elements of our business continuity and disaster recovery plans.
- Our business continuity and disaster recovery plan and associated technical runbooks are detailed and have been vetted through each DR exercise.
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules and regulations passed by the U.S. Congress designed to protect the privacy of individuals’ personal health information and ensure the security of electronic personal health information (ePHI).
It applies to providers of health care, health plans, and health care clearinghouse services. These providers are required to handle patient personal health information in a way that meets defined security standards. When providers use third-party vendors or services (business associates) where personal health information might be stored, those business associates need to adhere to the standards as well. This agreement is contractually defined in a Business Associate Agreement (BAA).
Zendesk will now sign BAA’s with healthcare customers who need to comply with HIPAA.
These advanced security features may not apply to the following services:
- Zendesk Net Promoter Score (NPS) Surveys
- Zendesk Insights
- Other services managed and hosted by third parties and the data you enter into these other services, as defined in our Terms of Service