Sub-processor Policy

 

Zendesk, Inc. (“Zendesk”) uses certain Sub-processors (including members of the Zendesk Group and third parties, as listed below) and content delivery networks to assist it in providing the Zendesk Services as described in the Main Services Agreement ("MSA”). Defined terms used herein shall have the same meaning as defined in the MSA.

What is a Sub-processor

A Sub-processor is a third-party data processor engaged by Zendesk, including entities from the Zendesk Group, who receives Service Data (which may contain Personal Data) from Zendesk for Processing on behalf of our Subscribers and in accordance with our Subscribers' instructions (as communicated by Zendesk) and the terms of its written subcontract. Zendesk engages different types of Sub-processors to perform various functions as explained in the tables below.

Due Diligence

Zendesk undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed Sub-processors.

Contractual Safeguards

Zendesk generally requires its Sub-processors to satisfy equivalent obligations as those required from Zendesk (as a Data Processor) as set forth in Zendesk’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:

• Process Personal Data in accordance with data controller’s (i.e., Subscriber’s) documented instructions (as communicated in writing to the relevant Sub-processor by Zendesk);
• In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
• Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
• Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Zendesk is contractually committed to adhere to insofar as they are equally relevant to the Sub-processor’s Processing of Personal Data on Zendesk’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Zendesk reserves the right to audit the Sub-processor;
• Promptly inform Zendesk about any actual or potential security breach; and
• Cooperate with Zendesk in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

Sub-processors which incidentally have access to Your Service Data in Innovation Services and are used to provide specific features or components of the product outside of the core hosting of Service Data (“Innovation Service Specific Sub-processors”) are regularly reviewed by Zendesk to ensure they work towards implementing each of the standards described in this Section. However, Innovation Service Specific Sub-processors may not currently meet all of the measures identified above.

This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Zendesk’s engagement process for Sub-processors as well as to provide the actual list of third party Sub-processors and content delivery networks used by Zendesk as of the date of this policy (which Zendesk may use in the delivery and support of its Services).

If you are a Zendesk Subscriber and wish to enter into our DPA, please see our Trust Center at https://www.zendesk.com/trust-center/.

Process to Engage New Sub-processors:

For all Subscribers who have executed Zendesk’s standard DPA, Zendesk will provide notice via this policy of updates to the list of Sub-processors that are utilized or which Zendesk proposes to utilize to deliver its Services. Zendesk undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the Zendesk Services. Zendesk Subscribers may subscribe to receive notifications of updates to this policy by clicking “Follow” at the top of this policy.

Pursuant to the DPA, a Subscriber may object in writing to the Processing of its Personal Data by a newly appointed Sub-processor within thirty (30) days following the update of this policy and such objection shall describe Subscriber's legitimate reason(s) for objection. If Subscriber does not object during such time period, the new Sub-processor(s) shall be deemed accepted.

If a Subscriber objects to the use of a newly appointed Sub-processor pursuant to the process provided under the DPA, Zendesk shall have the right to cure the objection through one of the following options (to be selected at Zendesk’s sole discretion) by either:

(a) instructing the Sub-processor to cease the Processing of Subscriber's Personal Data, in which event the DPA shall continue unaffected; or (b) allowing Subscriber to terminate their DPA and any related services agreement with Zendesk immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided, but not yet received by Subscriber as of the effective date of termination.

The following is an up-to-date list (as of the date of this policy) of the names, entity type, and locations of Zendesk Sub-processors and content delivery networks (including members of the Zendesk Group and third parties):

Infrastructure Sub-processors – Service Data Storage and Processing

Zendesk owns or controls access to the infrastructure that Zendesk uses to host and Process Service Data submitted to the Services, other than as set forth herein. Currently, the Zendesk production systems used for hosting Service Data for the Services are located in the infrastructure Sub-processors listed below. Subscriber accounts are typically established in one of these regions based on where the Subscriber is located, but may be shifted among locations to ensure performance and availability of the Services. The following table describes the legal entities engaged by Zendesk in the storage of Service Data. Zendesk also uses additional services provided by these Sub-processors to Process Service Data as needed to provide the Services.

Entity Name	Purpose	Data Hosting Location
Amazon Web Services, Inc.	Cloud Service Provider for all Zendesk features and functionality	United States, Ireland, Germany, United Kingdom, Japan, Australia
Google LLC	Cloud Service Provider for Zendesk WFM (Tymeshift)	United States, Germany
Google Cloud EMEA Limited	Cloud Service Provider for Zendesk QA (Klaus)	Germany
Google Cloud EMEA Limited	Cloud Service Provider for Ultimate Functionality	Belgium or United States

Service Specific Sub-processors

Zendesk works with certain third parties to provide specific functionality within the Services. These providers are the Sub-processors set forth below. In order to provide the relevant functionality, these Sub-processors access and Process Service Data. Their use is limited to the indicated Services.

If Subscriber has purchased the Zendesk Suite or Sales Suite, the Sub-processors used for the Suites will be in accordance with the Sub-processors listed for the underlying Services that make up the Zendesk Suite or Sales Suite as detailed in this policy. Definitions for the terms used to refer to the Applicable Services included below can be found in the Service-Specific Supplemental Terms found here: https://support.zendesk.com/hc/en-us/articles/4408831944730. For reference, such definitions are as follows:

• Ticketing System Functionality: means Zendesk Support and help desk functionality, email support functionality and Agent Workspace functionality available within Zendesk Suite.
• Voice Functionality: means Zendesk Talk and call center software available within Zendesk Suite.
• Analytics Functionality: means Zendesk Explore and reporting and analytics functionality available within Zendesk Suite.

Entity Name	Purpose and Data Processed	Applicable Services	Data Hosting Location
Twilio, Inc.	Zendesk Talk’s cloud center software is built on Twilio, Inc.’s (“Twilio”) development platform. Twilio’s development platform provides the APIs from which Zendesk Talk accesses the telecommunications infrastructure, including phone numbers, voice minutes, web client, and phone call recording and transcription. Twilio has access to Subscribers’ and End-Users’ information as needed to deliver the Talk and Text messages between Subscribers and End-Users. This includes Service Data contained in the messages and the Personal Data of Subscribers’ Agents and End-Users as needed to send and deliver the messages.	Voice Functionality, Zendesk Sell	Voice Functionality: United States, Ireland, Australia Zendesk Sell: United States
GoodData Corporation	GoodData Corporation (“GoodData”) is the analytics provider that Zendesk uses in Insights reporting, our legacy analytics feature. Insights is a legacy Service that is not available to new Subscribers and GoodData is only an applicable Sub-processor for a limited number of existing Subscribers using Insights. Where Insights is used, GoodData may Process Service Data from all of the Services used by the relevant Subscriber.	Insights (Legacy Service)	United States
SendGrid, Inc.	SendGrid, Inc. (“SendGrid”) is an email campaign service provider used to send notification emails and dashboards to Agents and End-Users. The primary information SendGrid has access to is the email addresses of recipients of the emails and the content of the emails themselves. The content of the emails may include the dashboards Subscriber has chosen to include in the email campaign, chat analytics reports, and chat transcripts that have been exported via email.	Analytics Functionality, Zendesk Sell, Live Chat Functionality, Zendesk QA (Klaus)	United States
Cloudflare, Inc.	Cloudflare, Inc. (“Cloudflare”) provides content distribution, security, abuse prevention and DNS services for web traffic transmitted to and from the Services. This allows Zendesk to efficiently manage traffic and secure the Services. The primary information Cloudflare has access to is information in and associated with the Zendesk website URL with which the End-User or Agent is interacting (including End-User or Agent IP address). All information (including Service Data) contained in web traffic transmitted to and from the Services is transmitted through Cloudflare’s systems. Cloudflare also Processes a limited amount of Personal Data (specifically Agent and End-User IP addresses, browser and operating system related information) for logging, security, and abuse prevention purposes.	All	Local (Cloudflare routes traffic to worldwide data centers closest to the user's location. Logging by Cloudflare is performed in the United States.)
Pendo.io, Inc.	Pendo.io, Inc. (“Pendo”) is a third-party analytics provider that Zendesk uses to capture how users interact with the Service. Zendesk uses this information to analyze and improve the Services. The primary information Pendo has access to is information in and associated with the Zendesk website URL that the Agent and End-User are interacting with, such as time spent on page, items clicked (including Service Data contained in those items), Agent email addresses, End-User email addresses, etc.	All	United States
Datadog, Inc.	Datadog, Inc. (“Datadog”) is a third-party logging platform that Zendesk uses for ingesting, parsing, querying and performing analytics on Service application and infrastructure logs (“Logs”). These Logs are then used for debugging, troubleshooting, auditing, reporting, and detecting and alerting on unexpected application behavior. Incidental to the purpose of the Log Processing, Service Data and Personal Data may be Processed by Datadog. Examples of the data that may be in the Logs includes: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data.	All	United States, Germany
MongoDB, Inc.	MongoDB, Inc. (“MongoDB”) provides scalable database services used to host select Service Data related to messaging integrations. The primary data MongoDB has access to includes messages exchanged through Sunshine Conversations and other messaging integrations, profile metadata supplied by messaging channels, metadata supplied by SDK integrator/APIs, messaging channel identities and credentials, push notification certificates and API keys, and webhook information.	Sunshine Conversations, Zendesk messaging, WhatsApp Integration and Social Messaging Add-Ons	United States, Ireland, Germany, Japan, Australia
Functional Software, Inc.	Functional Software, Inc. ("Sentry") is a cross-platform error monitoring tool with a focus on error reporting. Zendesk uses Sentry to capture errors thrown within the Service to better understand and resolve issues in real-time. Incidental to the purpose of the error monitoring, Service Data and Personal Data may be Processed by Sentry. Examples of the data that may be in the logs include: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data.	All	United States, Germany
Google LLC	Google LLC ("Google") supports the translation functionality that is available to Agents within Agent Workspace. If the translation functionality is used by Agents, Google will Process all Service Data that is translated within Agent Workspace.	Translation Functionality within Agent Workspace, Live Chat Functionality	No hosting of Service Data
OpenAI, L.L.C.	OpenAI, L.L.C. ("OpenAI") provides generative artificial intelligence ("AI") and natural language processing services to Zendesk to support Zendesk Services within (a) the Advanced AI Add-On, including, without limitation, automated summarization of correspondence, text revision, and text completion, (b) AI agents, (c) Zendesk QA (Klaus), (d) Ultimate Functionality, and (e) other generative AI features enabled by Subscriber.	Advanced AI Add-On, AI agents, Zendesk QA (Klaus), Ultimate Functionality, and other generative AI features enabled by Subscriber	No hosting of Service Data
Snowflake Inc.	Snowflake Inc. ("Snowflake") provides data warehouse services underlying the Zendesk platform, allowing for efficient provision and trend analysis of the Services and day to day business operations, as well as supporting advanced Analytics Functionality available to Subscribers. Snowflake may access a copy of all Service Data for the above-referenced purposes.	All	United States, Germany
Confluent, Inc.	Confluent, Inc. (“Confluent”) provides the infrastructure for Kafka clusters where all tickets and agent activity data flow through. Data Processed through Confluence includes ticket data and user activities, such as type of task, timestamp and agent ID. The use of Zendesk WFM (Tymeshift), and the applicability of Confluent as a Sub-processor, is optional and may be enabled by Subscribers.	Zendesk WFM (Tymeshift)	United States
The Rocket Science Group LLC	The Rocket Science Group LLC (“Mailchimp") is used to send emails to End-Users and Agents (e.g., notifications and CSAT surveys) within Zendesk QA (Klaus). The primary Service Data Processed by Mailchimp includes recipients' names and email addresses. The use of Zendesk QA (Klaus), and the applicability of Mailchimp as a Sub-processor, is optional and may be enabled by Subscribers.	Zendesk QA (Klaus)	United States
Microsoft Corporation	Microsoft Corporation ("Microsoft") hosts large language models used to provide machine learning/artificial intelligence automated features within Zendesk QA (Klaus). Microsoft Processes the Service Data contained in customer conversations. The use of Zendesk QA (Klaus), and the applicability of Microsoft as a Sub-processor, is optional and may be enabled by Subscribers.	Zendesk QA (Klaus)	United States, France, Netherlands, Sweden
Google Cloud EMEA Limited	Google Cloud EMEA Limited ("Google EMEA") hosts large language models used to provide machine learning/artificial intelligence automated features within Zendesk QA (Klaus). Google EMEA Processes the Service Data contained in customer conversations. The use of Zendesk QA (Klaus), and the use of Google EMEA as a Sub-processor, is optional and may be enabled by Subscribers.	Zendesk QA (Klaus)	No hosting of Service Data
Deepgram Inc.	Deepgram Inc. ("Deepgram") provides services that support voice-related features within Zendesk QA (Klaus) and Voice Functionality, including generating transcripts and providing analysis and data redaction functionality for such recordings and transcripts. Deepgram Processes the Service Data contained in voice recordings.	Zendesk QA (Klaus), Voice Functionality	United States
MongoDB, Inc.	MongoDB, Inc. (“MongoDB”) provides scalable database services used to host select Service Data related to messaging within Ultimate Functionality. The primary data MongoDB has access to includes data within chat messages exchanged through Ultimate Functionality, which may include names, email addresses, phone numbers, and order numbers. The use of Ultimate Functionality, and the applicability of MongoDB as a Sub-processor for this functionality, is optional and may be enabled by Subscribers.	Ultimate Functionality	Belgium or United States
Microsoft Ireland Operations Limited	Microsoft Ireland Operations Limited ("Microsoft") hosts large language models used to provide machine learning/artificial intelligence automated features within Ultimate Functionality. Microsoft Processes the Service Data contained in chat logs. The use of Ultimate Functionality, and the applicability of Microsoft as a Sub-processor for this functionality, is optional and may be enabled by Subscribers.	Ultimate Functionality	No hosting of Service Data
Aiven Oy	Aiven Oy ("Aiven" provides search and data analytics functionality within Ultimate Functionality. The primary Service Data that Aiven may access includes End-User messages. The use of Ultimate Functionality, and the applicability of Aiven as a Sub-processor for this functionality, is optional and may be enabled by Subscribers.	Ultimate Functionality	Belgium or United States
Functional Software, Inc.	Functional Software, Inc. ("Sentry") is a cross-platform error monitoring tool used to capture errors thrown within Ultimate Functionality and provide error reporting to better understand and resolve issues in real-time. Incidental to the purpose of the error monitoring, Service Data and Personal Data may be Processed by Sentry within logs, including, for example, IP addresses and User IDs. The use of Ultimate Functionality, and the applicability of Sentry as a Sub-processor for this functionality, is optional and may be enabled by Subscribers.	Ultimate Functionality	United States
Raintank, Inc.	Raintain, Inc. ("Grafana Labs") provides logging and observability functionality within Ultimate Functionality. Incidental to the purpose of the logging functionality, Service Data may be Processed by Grafana Labs. Examples of the data that may be included in the logs are user names, email addresses, bot configuration, and system events. The use of Ultimate Functionality, and the applicability of Grafana Labs as a Sub-processor for this functionality, is optional and may be enabled by Subscribers.	Ultimate Functionality	Belgium or United States

Innovation Services Sub-processors

Zendesk Sell is supported by additional Innovation Services Sub-processors, which can be viewed by expanding below.

Zendesk Group Sub-processors

The following entities are members of the Zendesk Group. Accordingly, they may function as Sub-processors to provide the Services.

Entity Name	Country
Zendesk, Inc. FutureSimple Inc. ZD Sub Holdings Smooch Technologies US Inc. Tymeshift, Inc.	United States
Zendesk International Limited	Ireland
Zendesk ApS	Denmark
Zendesk GmbH Ultimate.ai GmbH	Germany
Zendesk Pty., Ltd	Australia
Zendesk UK Limited Ultimate.ai Ltd	United Kingdom
Zendesk Incorporated	Philippines
Zendesk Singapore Pte. Ltd.	Singapore
Zendesk Brasil Software Corporativo LTDA	Brazil
Kabushiki Kaisha Zendesk	Japan
Zendesk France SAS	France
Base sp. z o. o. (Base spółka z ograniczoną odpowiedzialnością)	Poland
Smooch Technologies ULC	Canada
Zendesk Technologies Private Limited	India
Zendesk Korea LLC	South Korea
Cleverly, Unipessoal, LDA Tymeshift Portugal, Unipessoal Lda	Portugal
Zendesk Technologies Spain S.L.	Spain
Zendesk, S. de R.L. de C.V.	Mexico
Zendesk Sweden AB	Sweden
Zendesk Netherlands B.V.	Netherlands
Zendesk Italy S.r.l.	Italy
Tymeshift doo Novi Sad	Serbia
Qualitista OÜ	Estonia
Ultimate Enterprises Oy	Finland

Content Delivery Networks

As explained above, Zendesk’s Services may use content delivery networks (“CDNs”) to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes the use of CDNs by Zendesk’s Services.