This guide describes how certain features and functionality in Zendesk Sunshine Conversations can assist with your obligations under privacy law.
To learn about meeting your obligations in other Zendesk products, see Complying with Privacy and Data Protection Law in Zendesk products.
Meeting an access obligation
Individuals from certain regions have a right of access. On request, you may have an obligation to inform an end user or agent where their personal data is being held and for what purposes.
Sunshine Conversations authenticates callers to its API using JSON Web Tokens (JWTs) that allow access to be scoped to several different levels and can be set to expire at a specific date and time. Access to Sunshine Conversations data through JWTs can be limited to access to an individual user's conversation history and metadata, access to a single business account (app) and all of the user data contained within it, access to a group of business accounts (such as parent company and divisions) as well as global access for all business accounts provisioned on the software provider’s system.
With respect to audits and logs, all generated logs are transferred and stored in a secured and encrypted location. In the event of suspected or confirmed unauthorized data access, Sunshine Conversations can provide audit logs to help you investigate, respond to, and remediate the issue.
To export the data from Sunshine Conversations, please follow the steps described in Meeting a data portability obligation.
Meeting a correction obligation
Individuals from certain regions have a right to rectification, or the right to have inaccuracies in their personal data corrected. On request, you may have an obligation to provide the individual with their personal data and fix inaccuracies or add missing information.
To meet a correction obligation, Sunshine Conversations allows you to delete the existing information and re-create the personal data with the necessary fixes.
See Meeting an erasure obligation for more detail.
Meeting an erasure obligation
Individuals from certain regions have a right to erasure, or the right to be forgotten or deleted. On request, you may have an obligation to delete the personal data of an individual.
To delete a user's personal data, Sunshine Conversations gives you full control over app, user, and message deletion. You can easily delete a single user profile along with the conversation history attached to it. You can also delete single messages. Sunshine Conversations also supports deleting an app. This means you can delete a customer (a business) and immediately delete all associated data of the users of that business.
Meeting a data portability obligation
Individuals from certain regions have a right to data portability. On request, you may have an obligation to provide an individual with their personal data or to transmit the data to another organization.
Businesses can easily export data about users, including metadata and conversation history, to another system as required by privacy and data protection law. The feature exports data in a commonly used machine readable format (JSON), which can then be imported into another system. The Get App User API allows you to retrieve all of the metadata (including channel-specific metadata) Sunshine Conversations stores on a user. The Get Messages API retrieves all the messages exchanged between your software and a user, across any channel the user has used to communicate. If your software takes advantage of Sunshine Conversations’s built-in business system integrations, you can use the Get App User Business System IDs to find the business system entity (such as a ticket ID or Slack channel) associated with the user.
Meeting an objection obligation
Individuals from certain regions have a right of objection, or the right to object to direct marketing. You may have an obligation to stop processing personal data for direct marketing purposes when you receive an objection from an individual.
Since Sunshine Conversations as a platform does not actively offer direct marketing as a feature, it's up to the business to be aware of how the end user information is being used. With that, if the business wishes to meet this objection obligation within the platform, Sunshine Conversations allows you to delete the existing information and re-create the personal data with the necessary fixes. See Meeting an erasure obligation for more detail.
This document is for informational purposes only and does not constitute legal advice. Readers should always seek legal advice before taking any action with respect to the matters discussed herein.