The Zendesk Shared Responsibility Model
Zendesk provides a highly configurable, rapidly scalable customer service platform to many of the world’s leading companies across a wide swath of industry sectors. By helping our subscribers leverage our Cloud platform for their customer service needs, we allow them to reduce overhead, scale to meet demand, and provide beautifully simple interactions with their customers.
Moving business into the Cloud brings not only the benefits described above, but can include ambiguity regarding which party is in charge of which control. Not to worry, in order to keep this simple, below you’ll find our Shared Responsibility Model. This framework clarifies which party is responsible for which controls related to the security and privacy of your data. Whether you’re a conscientious admin, corporate security, compliance, or privacy official, or anyone else tasked with setting up appropriate controls for the use of Zendesk Services in your environment, this standard should clearly draw the lines you need to be aware of.
To encapsulate it in one sentence, “Zendesk is tasked with the security of the Service itself, while you are tasked with the security within your particular instances of the Service”.
- Access Controls and Hygiene
- Data, Privacy, Compliance, and Regulatory Considerations
- Security Incidents (Roles and Responsibilities)
- Helpful Links
- Change Log
Please note that capitalized terms shall have the meaning ascribed to them in the Zendesk Main Services Agreement (“MSA”).
I. Access Controls and Hygiene
Controlling access to sensitive systems and the data within them is core to security principles.
- The Subscriber is responsible for all access controls to their instances of the service including:
- Provisioning, modification, ongoing hygiene, maintaining privilege accuracy, and de-provisioning of all users including end users and agents (be they on-premise, remote, or third party workforce)
- Choosing and configuring the method of authentication into the service from supported offerings (may include passwords, MFA, SSO, etc)
- Configuring and monitoring aspects of session handling such as logouts, logged in devices, etc.
- Allowing or disallowing our support staff to enter your Support instance for assistance
- Configuring access to, and understanding the implications of use for Zendesk’s REST API services (where applicable, including integrations, use of the Zendesk Sunshine Service, etc.)
- Configuring any product supported IP restrictions where desired
- Considering other non-product related access controls such as which device types you permit agents to use when accessing your instances, as well as any applicable physical, logical, or policy controls for your users or permitted devices
- Zendesk is responsible for all access controls to the systems underpinning the service including:
- Maintaining policies and procedures for safely provisioning, modification, ongoing hygiene, maintaining privilege accuracy, and de-provisioning of all users (including on-premise, remote, and third party workforce)
- Enforcing Role Based Access Control “RBAC”, the Principle of Least Privilege “PLP”, appropriate credential security including Multi-Factor Authentication “MFA” for all employee and contractor access to critical systems and applications containing subscriber’s Service Data
- Performing periodic checks on the above
Leveraging third parties can greatly improve efficiency, but also introduces security considerations.
- The Subscriber is responsible for considering the security implications of leveraging all third party integrations it makes with the Service including:
- Integrations made via API and/or SDK
- Integrations made via installing Marketplace Apps or enabling third-party channels
- Integrations with any third party aiding subscriber by providing staff, tooling, code, or directly servicing Zendesk instances
- Zendesk is responsible for carefully integrating reputable third parties into the service, including:
- Vetting and exercising ongoing due diligence for all Sub Processors
- Integrating acquisitions into the Service in a safe manner
- Ensuring any product partnerships and/or Service integrations with third parties have the proper security considerations
III. Data, Privacy, Compliance, and Regulatory Considerations
Accounting for the data in use, its proper treatment, any relevant regulatory frameworks, and the importance of third party assurances is a must.
- The Subscriber is responsible for proper treatment of the data they take in and use, including:
- Understanding the data types involved in their particular use case
- Treating such data in accordance with the data classification and privacy policies of their company, applicable laws relevant to the data itself, the users providing it, subscriber’s industry, and any relevant jurisdictions
- Choosing which channels they allow for communication with their instances of the service
- Maintaining instances and Service Data in accordance with any applicable compliance, legal, or regulatory frameworks for which subscriber’s industry, users, or use case may be in scope
- Providing Zendesk with alternate TLS certificates where host mapping to a non-Zendesk parent domain is desired for the encryption of traffic to and from Zendesk UI’s or API’s
- Understanding where data may not be encrypted in transit and treating such channels or protocols accordingly (primarily email, SMS, or third party integrations made at subscriber’s sole discretion which do not support encryption)
- Ensuring the data types involved in subscriber’s instance do not violate the terms and conditions of Zendesk’s Main Services Agreement (please refer to Zendesk MSA)
- Ensuring the level of uptime and disaster recovery subscriber chooses is in accordance with any policies or regulations subscribers are beholden to
- Zendesk is responsible for:
- Properly protecting all Service Data from disclosure at a Service level (i.e. infrastructure or code)
- Encrypting data in transit to or from our UI’s or API’s over public networks
- Encrypting all Service Data at rest
- Providing subscribers with information on data collected by in-product cookies as well as default use of the services
- Accurately describing how we use Service Data, including Personal Data, in anonymized and non-anonymized manners to provide our Services or otherwise.
- Providing subscribers with tools and features which help them to meet their own obligations for the proper treatment of personal or regulated data.
- Complying with applicable laws and regulatory frameworks relevant to our service offerings and locations of business
- Obtaining and providing independent third party compliance assurances relevant to our service offerings
Proper security requires insight into processes and activity.
- The Subscriber is responsible for the monitoring of all activity within their instances of the service, including:
- Monitoring user activity (either via UI views or API logs)
- Exercising due diligence on communications with unknown individuals or untrusted content derived via the service
- Maintaining logs or data pulled from the Service in accordance with any applicable regulations
- Zendesk is responsible for monitoring processes and activity of the service itself, including:
- Privileged access and activities within the production network
- Incoming traffic to alert on or block known-bad submissions or IP addresses
- Service uptime
- Anomalous behavior within corporate or production network assets
- The security of code, infrastructure, traffic, and relevant employee or contractor personnel
Keeping systems and code up to date and patched can prevent many security issues.
- The Subscriber is responsible for maintaining and patching any systems or code beyond Zendesk architectural and/or contractual boundaries*, including:
- Its own infrastructure, including employee endpoints, networks, custom infrastructure, or third party middleware it uses to access the Zendesk Service(s) and/or to further process its Service Data prior to ingress, or upon egress from Zendesk systems
- Its own non-standard code leveraged to provide additional functionality to the Zendesk Service(s), including internally or third party developed code Subscriber has developed itself or purchased for use with Zendesk Service(s). This also includes any custom code developed by Zendesk Professional Services at Subscribers request, provided the responsibility of such code and maintenance thereof has been turned over to the Subscriber as part of the custom engagement.
- Zendesk is responsible for maintaining and patching all systems and code within its architectural and/or contractual boundaries, including:
- Its own logically managed infrastructure within hosting provider facilities used to provide the Service(s), including operating systems, security infrastructure and systems under its direct control, container and orchestration systems, etc.
- Its own physically and/or logically managed infrastructure used within the Zendesk corporate environment such as employee endpoints, corporate network infrastructure, etc.
- The proprietary code bases underpinning the Zendesk Service(s).
VI. Security Incidents
Despite best efforts, things can sometimes go wrong. How you recognise, respond, and recover from a security incident is key to successful mitigation and keeping customer trust. This section lays out the roles and responsibilities of each party during security incidents.
- The Subscriber is responsible for any security incident or breach within their particular instances, which was not caused by, or made via vulnerabilities or incidents within the service itself, including
- Investigating and remediating any any suspected or actual breach within their particular instance caused by (i) insufficient access control or hygiene (including use of weak or exploitable public credentials), (ii) insufficient monitoring of user activities, (iii) failure to perform due diligence on communications or untrusted content derived via interactions with users, or (iv) any incident or breach brought on via integration with any third party, where such integration was made at the subscriber’s sole discretion.
- Making any required notifications to government or law enforcement agencies, or end users related to breaches caused by Subscriber actions, integrated third parties, or related to Service Data Breach notifications received from Zendesk regarding Subscriber’s instance
- Zendesk is responsible for controls for investigating security incidents, as well as notifying affected subscribers for Service Data Breaches occurring via the service itself, including
- Having a documented Security Incident Response Policy as well as staff with relevant security roles and responsibilities
- Investigating anomalous activity
- Containing any confirmed Service Data Breach
- Notifying any affected subscribers or relevant government or law enforcement agencies where required by law.
- Ensuring robust backup and disaster recovery processes are in place and tested
VII. Helpful Links
Access Controls and Hygiene
Managing security and user access in Zendesk Support (aggregated links)
Data, Privacy, Compliance, and Regulatory Considerations
Support Ticket Events Audit Log API
Should you have any further questions, please contact us at firstname.lastname@example.org
VIII. Change Log
June 16th, 2023
- Addition of a change log
- Addition of Section V Maintenance
- Clarifying detail of incidents caused by use of weak or publicly exploitable credentials used by Subscribers and/or their End-users as the Subscriber's responsibility within section VI "Security Incidents"