We have updated this policy. If you are a new Subscriber, then this policy will be effective as of October 1, 2021. If you are an existing Subscriber, we are providing you with prior notice of these changes which will be effective as of November 30, 2021. For the previous version of this policy, please expand the section below.
What is a Sub-processor
A sub-processor is a third party data processor engaged by Zendesk, including entities from within the Zendesk Group, who has or potentially will have access to or process Service Data (which may contain Personal Data). Zendesk engages different types of sub-processors to perform various functions as explained in the tables below.
Due Diligence
Zendesk undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process Service Data.
Contractual Safeguards
Zendesk generally requires its sub-processors to satisfy equivalent obligations as those required from Zendesk (as a Data Processor) as set forth in Zendesk’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
- Process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions (as communicated in writing to the relevant sub-processor by Zendesk);
- In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
- Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
- Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Zendesk is contractually committed to adhere to insofar as they are equally relevant to the sub-processor’s processing of Personal Data on Zendesk’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Zendesk reserves the right to audit the sub-processor;
- Promptly inform Zendesk about any actual or potential security breach; and
- Cooperate with Zendesk in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
Third-party service providers which incidentally have access to Your Service Data in Innovation Services and are used to provide specific features or components of the product outside of the core hosting of Service Data (“Innovation Service Specific sub-processors”) are regularly reviewed by Zendesk to ensure they work towards implementing each of the standards described in this Section. However, Innovation Service Specific sub-processors may not currently meet all of the measures identified above.
This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Zendesk’s engagement process for sub-processors as well as to provide the actual list of third party sub-processors and content delivery networks used by Zendesk as of the date of this policy (which Zendesk may use in the delivery and support of its Services).
If you are a Zendesk Subscriber and wish to enter into our DPA, please email us at privacy@zendesk.com.
Process to Engage New Sub-processors:
For all Subscribers who have executed Zendesk’s standard DPA, Zendesk will provide notice via this policy of updates to the list of sub-processors that are utilized or which Zendesk proposes to utilize to deliver its Services. Zendesk undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the Zendesk Services. Zendesk Subscribers may subscribe to receive notifications of updates to this policy by clicking “Follow updates” at the top of this policy.
Pursuant to the DPA, a Subscriber may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days following the update of this policy and such objection shall describe Subscriber's legitimate reason(s) for objection. If Subscriber does not object during such time period the new sub-processor(s) shall be deemed accepted.
If a Subscriber objects to the use of a new sub-processor pursuant to the process provided under the DPA, Zendesk shall have the right to cure the objection through one of the following options (to be selected at Zendesk’s sole discretion):
(a) Zendesk will cease to use the new sub-processor with regard to Personal Data;
(b) Zendesk will take the corrective steps requested by Subscriber in its objection (which steps will be deemed to resolve Subscriber’s objection) and proceed to use the sub-processor to process Personal Data; or
(c) Zendesk may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of a Zendesk Service that would involve use of the sub-processor to process Personal Data.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
The following is an up-to-date list (as of the date of this policy) of the names and locations of Zendesk sub-processors and content delivery networks (including members of the Zendesk Group and third parties):
Infrastructure Sub-processors – Service Data Storage and Processing
Zendesk owns or controls access to the infrastructure that Zendesk uses to host and process Service Data submitted to the Services, other than as set forth herein. Currently, the Zendesk production systems used for hosting Service Data for the Services are located in co-location facilities in the United States and Europe and in the infrastructure sub-processors listed below. Subscriber accounts are typically established in one of these regions based on where the Subscriber is located, but may be shifted among locations to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged by Zendesk in the storage of Service Data. Zendesk also uses additional services provided by these sub-processors to process Service Data as needed to provide the Services.
| Entity Name | Entity Type | Entity Country |
| Amazon Web Services, Inc. | Cloud Service Provider | United States, Ireland, Germany, Japan |
| Google Inc. | Cloud Service Provider | United States |
Service Specific Sub-processors
Zendesk works with certain third parties to provide specific functionality within the Services. These providers are the sub-processors set forth below. In order to provide the relevant functionality these sub-processors access Service Data. Their use is limited to the indicated Services. If Subscriber has purchased the Zendesk Support Suite or Sales Suite, the sub-processors used for the Suites will be in accordance with the sub-processors listed for the underlying Services that make up the Zendesk Support Suite or Sales Suite as applicable and detailed in this policy. Definitions for the terms used to refer to the Applicable Services included below can be found in the Service-Specific Supplemental Terms found here: https://support.zendesk.com/hc/en-us/articles/360047508453-Supplemental-terms-Zendesk-s-service-specific-terms. For reference, such definitions are as follows:
- Ticketing System Functionality: means Zendesk Support and help desk functionality, email support functionality and agent workspace functionality available within Zendesk Suite.
- Voice Functionality: means Zendesk Talk and call center software available within Zendesk Suite.
-
Analytics Functionality: means Zendesk Explore and reporting and analytics functionality available within Zendesk Suite.
| Entity Name | Purpose | Applicable Services | Entity Country | |
| Twilio, Inc. | Zendesk Talk’s cloud center software is built on Twilio, Inc.’s (“Twilio”) development platform. Twilio’s development platform provides the APIs from which Zendesk Talk accesses the telecommunications infrastructure, including phone numbers, voice minutes, web client, and phone call recording and transcription. Twilio has access to Subscribers’ and End-Users’ information as needed to deliver the Talk and Text messages between Subscribers and End-Users. This includes Service Data contained in the messages and the Personal Data of Subscribers’ Agents and End-Users as needed to send and deliver the messages. Zendesk Support also uses Twilio for two-factor authentication of End-Users. The only information Twilio has access to for this purpose is End-User phone number. | Voice Functionality, Ticketing System Functionality, Zendesk Sell | United States | |
| GoodData Corporation | GoodData Corporation (“GoodData”) is the analytics provider that Zendesk uses to provide Insights and Analytics within the Services. | All | United States | |
| Sendgrid, Inc. | Sendgrid, Inc. (“Sendgrid”) is an email campaign service provider used within Zendesk Explore to send notification emails and dashboards to Agents and End-Users. The primary information Sendgrid has access to is the email addresses of recipients of the emails and the content of the emails themselves. The content of the emails may include the dashboards Subscriber has chosen to include in the email campaign. | Analytics Functionality, Zendesk Sell | United States | |
| Cloudflare, Inc. | Cloudflare, Inc. (“Cloudflare”) provides content distribution, security, abuse prevention and DNS services for web traffic transmitted to and from the Services. This allows Zendesk to efficiently manage traffic and secure the Services. The primary information Cloudflare has access to is information in and associated with the Zendesk website URL that the End-User or Agent is interacting with (which includes End-User or Agent IP address). All information (including Service Data) contained in web traffic transmitted to and from the Services is transmitted through Cloudflare’s systems. Cloudflare also processes a limited amount of Personal Data (specifically Agent and End-User IP addresses, browser and operating system related information) for logging and abuse prevention purposes. | All | United States | |
| Pendo.io, Inc. | Pendo.io, Inc. (“Pendo”) is a third-party analytics provider that Zendesk uses to capture how users interact with the Service. Zendesk uses this information to analyze and improve the Services. The primary information Pendo has access to is information in and associated with the Zendesk website URL that the Agent and End-User is interacting with, such as time spent on page, items clicked (including Service Data contained in those items), Agent email addresses, End-User email addresses, etc. | All | United States | |
| Datadog, Inc. | Datadog, Inc. (“Datadog”) is a third party logging platform that Zendesk uses for ingesting, parsing, querying and performing analytics on Service application and infrastructure logs (“Logs”). These Logs are then used for debugging, troubleshooting, auditing, reporting, and detecting and alerting on unexpected application behavior. Incidental to the purpose of the Log Processing, Service Data and Personal Data may be Processed by Datadog. Examples of the data that may be in the Logs includes: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data. | All | United States | |
| Accenture International Limited |
|
All | Ireland | |
| MongoDB | MongoDB Inc. (“MongoDB”) provides scalable database services used to host select Service Data related to messaging integrations. The primary data MongoDB has access to includes messages exchanged through Sunshine Conversations and other messaging integrations, profile metadata supplied by messaging channels, metadata supplied by SDK integrator/APIs, messaging channel identities and credentials, push notification certificates and API keys, and webhook information. | All | United States | |
| 84Codes | 84 Codes AB (“84 Codes”) provides scalable RabbitMQ as a service. This serves as the queuing mechanism used for processing Service Data in messaging integrations. The primary data 84 Codes has access to is messages exchanged through Sunshine Conversations and other messaging integrations, profile metadata supplied by integrated messaging channels, metadata supplied by the SDK integrator/API, messaging channel identities, and webhook information. | All | Sweden |
Innovation Service Specific Sub-processors
| Entity Name | Purpose | Applicable Services | Entity Country |
| Clearbit | APIHub, Inc. ("Clearbit") is a third party marketing data engine that Zendesk uses within the Reach functionality available in Zendesk Sell. Reach is optional and must be enabled by Subscribers. The primary Service Data processed by Clearbit includes lead name, lead email address, lead company name, lead company website, contact name, contact email address, contact company name, and contact company address. | Zendesk Sell | United States |
Zendesk Group Sub-processors
The following entities are members of the Zendesk Group. Accordingly, they function as sub-processors to provide the Services.
| Entity Name | Country |
| Zendesk, Inc. | United States |
| Zendesk International Ltd | Ireland |
| Zendesk Pty. Ltd | Australia |
| Zendesk UK Ltd | United Kingdom |
| Zendesk, Inc. | Philippines |
| Zendesk Singapore Pte. Ltd. | Singapore |
| Zendesk Brasil Software Corporativo LTDA | Brazil |
| Kabushiki Kaisha Zendesk | Japan |
| We Are Cloud SAS | France |
| Smooch Technologies ULC | Canada |
Content Delivery Networks
As explained above, Zendesk’s Services may use content delivery networks (“CDNs”) to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by Zendesk’s Services.
| CDN Provider | Services Using CDN | CDN Location | Description of CDN Services |
| Akamai | All Zendesk Services | Global | Public website content served to website visitors may be stored with Akamai, and transmitted by Akamai to website visitors, to expedite transmission. |
| Amazon Web Services, Inc. | All Zendesk Services | Global | Public website content served to website visitors may be stored with Amazon Web Services, Inc., and transmitted by Amazon Web Services, Inc., to website visitors, to expedite transmission. |
| Verizon Digital Media Services, Inc. | All Zendesk Services | Global | Public website content served to website visitors may be stored with Verizon Digital Media Services, and transmitted by Verizon Digital Media Services to website visitors, to expedite transmission. |
3 Comments
February 1, 2021 - Sub-processor Policy updated to revise select "Applicable Services" terminology. No sub-processors were added or removed as part of this update.
June 1, 2021 - Sub-processor Policy updated to revise the "Ticketing System Functionality" definition. No sub-processors were added or removed as part of this update.
October 1, 2021 - Sub-processor Policy updated to modify MongoDB and 84Codes applicability and purpose descriptions. No new sub-processors were added or removed as part of this update.
Article is closed for comments.