Security is one of the top concerns for businesses moving to a cloud-based solution. Entrusting your data to a third-party SaaS service provider requires rigorous security measures. More than 125,000 customers trust Zendesk with their data and Zendesk takes this responsibility seriously. To ensure customer and business data is always protected, Zendesk combines enterprise-class security features with comprehensive audits of our applications, systems, and networks. Our customers know their information is safe, their interactions are secure, and their businesses are protected.
Zendesk uses best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our subscribers meet their own compliance standards.
Zendesk leverages secure components, such as FIPS-140 certified encryption solutions, to protect customer data. Portions of the Zendesk solution can be configured to meet PCI and HIPAA/HITECH Attestation standards. Zendesk has also developed tools to allow our customers to meet their obligations under GDPR.
With secure-by-design, cloud-native architecture built on Amazon Web Services (AWS), Zendesk delivers value quickly and scales on-demand. Security is an important part of everything Zendesk designs.
Physical security
Zendesk ensures the confidentiality, availability and integrity of your data with industry best practices. In addition, Zendesk operates in data centers that have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and SOC II compliant.
Application security
Zendesk takes steps to securely develop and test against security threats to ensure the safety of your data. Zendesk maintains a Secure Development Lifecycle, in which training our developers and performing design and code reviews take a prime role. In addition, Zendesk employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Data security
Zendesk data security includes:
- Encryption In Transit: Communications between customer and Zendesk servers are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS) over public networks, ensuring yoursubdomain.zendesk.com and subdomains are accessed only over HTTPS. TLS is also supported for encryption of emails.
- Encryption At Rest: As a Zendesk customer, you benefit from the protections of encryption at rest for your primary and secondary DR data stores and storage of attachments.
Availability and business continuity
Zendesk maintains a Disaster Recovery program to ensure services remain available or are easily recoverable in the case of a disaster. This includes service clustering and network redundancies to eliminate single points of failure. You can remain up-to-date on availability issues through a publicly-available Status website that includes scheduled maintenance information and service incident history.
Network security
Zendesk maintains a globally-distributed Security team. The team is available 24/7 to respond to security alerts. Zendesk keeps a continuous watch on the security of our customers' data with network vulnerability scanning and the use of intrusion detection and prevention systems. Zendesk also participates in Threat Intelligence Programs.
Product security features
Zendesk makes it seamless for account administrators to manage access and sharing policies with authentication and single sign-on (SSO) options. Zendesk also provides for two-factor authentication and IP restrictions to enable administrators to determine who can access their service. All communications with the Zendesk user interface or APIs are encrypted using industry-standard HTTPS over public networks. Network traffic between our customers and Zendesk is secure.
Compliance certification and membership
Zendesk implements security best practices, in addition to what AWS provides, to meet not just industry-based compliance, but the most stringent requirements. Zendesk's CX products and solutions meet rigorous security, privacy, and compliance standards, including:
Access to data by Zendesk
To help troubleshoot problems within a Zendesk account, customers can allow Zendesk support to assume access to an account for a specific amount of time. By default, account assumption is deactivated and can only be activated by an account administrator. Access can be granted for a set period of time, or indefinitely, and can be turned off at any time. For more information, see Granting Zendesk temporary access to your account.
For more information about Zendesk security
- Download the Zendesk Secure by Design data sheet attached to this article.
- Refer to Zendesk's General security best practices for details on how you can help manage the safety of your Zendesk account.
- Send email to security@zendesk.com