This article describes the following advanced security features: data at rest encryption, enhanced disaster recovery, and the ability to configure your environment in a HIPAA-compliant manner.
Data at rest encryption
Zendesk Support can encrypt customer data at rest stored in our infrastructure using AES-256. Data at rest refers to inactive data stored physically in any digital form. Encrypting it provides extra protection from unauthorized access. The encrypted data at rest includes:
- User, ticket and Help Center data
- Search data
Enhanced disaster recovery
Zendesk Support performs daily backups of all customers’ service data to provide basic disaster recovery. Customers can also have real-time data replication, dedicated capacity, and failover to a different data center within the same region in the event of a disaster.
All customers are assigned to a specific POD in one of our data centers. Customers with the Enhanced DR feature are also assigned a secondary (warm) POD which contains a real-time replication of their data and dedicated redundant capacity. The primary and secondary PODs are located in two separate geographically diverse data centers. In the event of a significant disaster, this allows Zendesk Support to failover from the primary POD to the secondary POD more seamlessly. To break this down a little further, here are some additional details:
- In addition to our standard data backup practices, the extra layer of real-time replication in a secondary location lessens the chance of any data loss as the result of a significant disaster. Because of this real-time replication we are able to maintain a targeted Recovery Point Objective (RPO) of 0 hours from the point of impact.
- The secondary POD has a full application stack and dedicated redundant capacity in place. This, combined with the data being readily available, allows for a straightforward failover from the primary POD within a small number of hours. For customers with the Enhanced DR feature there is a targeted Recovery Time Objective (RTO) of 8 hours after a disaster is declared.
- We have extensively tested both our US and EU Enhanced DR functionality. These exercises consisted of a full failover from each data center to its secondary site and a rollback to its original state. Each quarter we perform an exercise that touches either our US or EU Enhanced DR. The scenarios for these exercises vary and include different elements of our business continuity and disaster recovery plans.
- Our business continuity and disaster recovery plan and associated technical runbooks are detailed and have been vetted through each DR exercise.
Zendesk helps customers fulfill their HIPAA obligations by providing these covered entities or business associates with appropriate configuration options to help safeguard protected health information (PHI) from misuse and wrongful disclosure. Please note Zendesk is limited to the status of a business associate. The HIPAA requirements for a business associate are met through Zendesk's SOC2 and ISO27001/ISO27018 certifications and internal HIPAA audits. For more information on HIPAA please see below or email security if you would like more information regarding the specifics of Zendesk's HIPAA program.
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules and regulations passed by the U.S. Congress designed to protect the privacy and ensure the security of individuals’ protected health information (PHI) and electronic protected health information (ePHI).
It applies to health care providers, health plans, and health care clearinghouses. These entities are required to handle patient health information (PHI/ePHI) in a way that meets defined security standards. When they use third-party vendors or services (business associates) where that information might be stored, those business associates need to adhere to the standards as well. This obligation is contractually defined in a Business Associate Agreement (BAA).
Zendesk customers with HIPAA obligations can now sign Zendesk's BAA online; the customer's account executive requests the BAA from Zendesk Legal.
Zendesk's BAA covers the Zendesk infrastructure and the following products (special configurations apply):
For further information, or to obtain our required HIPAA configuration document, please contact firstname.lastname@example.org.
These advanced security features may not apply to the following services:
- Zendesk Net Promoter Score (NPS) Surveys
- Zendesk Insights
- Other services managed and hosted by third parties and the data you enter into these other services, as defined in our Terms of Service