The article describes the following advanced security features: Data at rest encryption, enhanced disaster recovery, and the ability to configure your environment in a HIPAA compliant manner.
Data at rest encryption
Zendesk Support can encrypt customer Service Data at rest stored in our infrastructure using AES-256. Service Data at rest refers to inactive Service Data stored physically in any digital form. Encrypting it provides extra protection from unauthorized access. The encrypted Service Data at rest includes:
- Zendesk Support users, ticket content and attachments
- Zendesk Guide contents
- Search data
- Logs (local and offsite)
- Backups (Service Data and configurations)
Enhanced disaster recovery
Zendesk Support performs daily backups of customers’ Service Data to provide basic disaster recovery. Customers can also have real-time data replication as well as dedicated capacity and failover to a different data center in a secondary region in the event of a disaster.
All customers are assigned to a specific POD in one of our data centers. Customers with the Enhanced DR feature are also assigned a secondary (warm) POD which contains a real-time replication of their Service Data and dedicated redundant capacity. The primary and secondary PODs are located in two separate geographically diverse data centers. In the event of a significant disaster, this allows Zendesk Support to failover from the primary POD to the secondary POD more seamlessly. To break this down a little further, here are some additional details:
- In addition to our standard data backup practices, the extra layer of real-time replication in a secondary location lessens the chance of any Service Data loss as the result of a significant disaster. Because of this real-time replication we are able to maintain a targeted Recovery Point Objective (RPO) of 0 hours from the point of impact.
- The secondary POD has a full application stack and dedicated redundant capacity in place. This combined with the Service Data being readily available allows for a straight forward failover from the primary POD within a short number of hours. For customers with the Enhanced DR feature there is a targeted Recovery Time Objective (RTO) of 8 hours, after a declaration of a disaster.
- We have extensively tested both our US and EU Enhanced DR functionality. These exercises consisted of a full failover from each data center to its secondary site and a rollback to its original state. Each quarter we perform an exercise that touches either our US or EU Enhanced DR. The scenarios for these exercises vary and include different elements of our business continuity and disaster recovery plans.
- Our business continuity and disaster recovery plan and associated technical runbooks are detailed and have been vetted through each DR exercise.
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules and regulations passed by the U.S. Congress designed to protect the privacy and security of individuals’ personal health information (PHI) and electronic personal health information (ePHI).Ω
It applies to providers of health care, health plans, and health care clearinghouse services. These providers are required to handle patient personal health information (PHI/ePHI) in a way that meets defined security standards. When providers (known as covered entities) use third-party vendors or services (business associates) where personal health information might be stored, those business associates need to adhere to the standards as well. This agreement is contractually defined in a Business Associate Agreement (BAA).
Zendesk helps customers fulfill their HIPAA obligations by providing these covered entities or business associates with appropriate security configuration options to help safeguard protected health information (PHI) which may exist within Service Data from misuse and wrongful disclosure. Please note Zendesk is limited to the status of a business associate. Moreover, Zendesk is not a holder of the ‘Designated Record Set’. The HIPAA requirements for a business associate are met through Zendesk's SOC2 and ISO27001/ISO27018 certifications and internal HIPAA audits. For more information on HIPAA please see below or email security if you would like more information regarding the specifics of Zendesk's HIPAA program.
Zendesk's customers with HIPAA obligations can now sign Zendesk's BAA online by the customer's account executive requesting the BAA from Zendesk Legal.
Note that Zendesk's BAA only covers the following products (special configurations apply). Any other Zendesk products or third party services (including integrations or applications) cannot be HIPAA-enabled.
- Support Enterprise
- Support Elite
- Chat Premium
- Talk Enterprise
- Talk Professional
- Legacy Talk Advanced
- Guide Lite
- Guide Professional
- Guide Enterprise
To review our security configuration requirements for HIPAA Enabled Accounts, please visit https://help.zendesk.com/hc/en-us/articles/360001499747 (note that our security configurations may change from time to time due to changes in law and regulation and changes to the Zendesk Service, so it is always advised to ‘follow’ this article to be apprised of any changes). For further security information, please contact firstname.lastname@example.org. Please contact your Zendesk account executive if you would like to request the BAA or have any questions on how to set up a HIPAA-enabled account.
Exceptions to the Advanced Security Offering
The advanced security features detailed above may not apply to the following services:
- Zendesk Net Promoter Score (NPS) Surveys
- Zendesk Insights (note, however, that Insights can be HIPAA-enabled per the Zendesk BAA and required security configurations)
- Other services managed and hosted by third parties and the data you enter into these other services, as defined in our Master Subscription Agreement