Add-on | Advanced Data Privacy and Protection (ADPP) |
Advanced Encryption enhances data security by allowing your company to encrypt Service Data using your own enterprise Key Management Service (KMS). This ensures that sensitive information stored in Zendesk remains secure and inaccessible to unauthorized parties. Maintaining your own encryption keys provides greater security and compliance while giving you complete control over access and usage.
You can turn on Advanced Encryption in your production or sandbox account. Zendesk recommends testing it on sandbox first. See Setting up Advanced Encryption to learn more.
Understanding how Advanced Encryption works
When using Advanced Encryption, you manage your own encryption keys outside of Zendesk. You can use any of the following supported Key Management Systems: AWS KMS, Azure Key Vault, Google Cloud KMS, or Thales CipherTrust Manager, which is an EU-based KMS managed and hosted by European companies.
Advanced Encryption relies on envelope encryption. On encryption, Zendesk generates a Data Encryption Key (DEK) for the data chunk and requests the KMS to encrypt this key. It then discards the plain key and keeps the encrypted key.
Whenever Zendesk needs to access encrypted data, it requests the KMS to decrypt the data key using the master key. Encryption happens in transit: data is encrypted when it comes into Zendesk, before our applications process it, and it stays encrypted until there's a use case that requires decryption.
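The envelope flow described above, as an added example that is not Zendesk's code: a fresh DEK encrypts each value, the KMS wraps the DEK, and only the wrapped DEK and ciphertext are stored, so disabling the key at the KMS makes stored data unreadable. `LocalKMS`, its `enabled` switch, `seal`, `unseal`, `encrypt_field` and `decrypt_field` are hypothetical names, and AES-256-GCM is an assumed cipher choice.

```ruby
require 'openssl'

# seal: AES-256-GCM; output is nonce(12) | tag(16) | ciphertext. plaintext must be non-empty.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv # fresh nonce for every message
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  nonce + c.auth_tag + ct
end

# unseal: reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or tampering.
def unseal(key, blob)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = ''
  d.update(blob.byteslice(28..-1)) + d.final
end

# Local stand-in for the customer-managed KMS (hypothetical; a real KMS is a remote service).
class LocalKMS
  attr_accessor :enabled # customer-side switch; false refuses every unwrap
  def initialize
    @master = OpenSSL::Random.random_bytes(32) # master key never leaves the KMS
    @enabled = true
  end

  def wrap(dek)
    seal(@master, dek)
  end

  def unwrap(wrapped)
    raise 'kms: key disabled' unless @enabled
    unseal(@master, wrapped)
  end
end

# Service side: fresh DEK per value; only the wrapped DEK and ciphertext are kept.
def encrypt_field(kms, value)
  dek = OpenSSL::Random.random_bytes(32)
  { wrapped_dek: kms.wrap(dek), ciphertext: seal(dek, value) }
end

def decrypt_field(kms, record)
  unseal(kms.unwrap(record[:wrapped_dek]), record[:ciphertext])
end
```

`decrypt_field` returns the value as a binary string; call `force_encoding('UTF-8')` on it before display.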
Data encryption doesn't impact the agent experience. Agents can continue to search and access the data they are permitted to see based on their role. However, there are a few limitations.
Data encrypted in Zendesk
Advanced Encryption supports backfilling and encrypting newly created and existing users in your Zendesk account.
Advanced Encryption encrypts the following user fields for end-user data in Zendesk Support, Guide, and Talk:
- Name
- Alias
- Signature
- Details
- Notes
The user fields listed above are encrypted in the following areas of Zendesk Support:
- End user management
- Team member management
- User data in the context of a ticket (requester, CC, followers, assignee)
- Group and organization memberships
- User placeholder resolution in ticket comments and emails
- User creation through single sign-on, Web Widget, and email
- Ticket views
- Support search
- Triggers and automations (business rules)
- Support users created through messaging conversations
- Side conversations
All features in Guide and Talk are covered, except @mentions in Gather and Guide, which will be turned off if encryption is activated.
Advanced encryption vs. standard encryption
Advanced Encryption complements standard encryption used by all Zendesk accounts.
State | Advanced encryption | Standard encryption |
---|---|---|
In transit | Data is encrypted with customer-managed keys as soon as possible at the HTTP proxy layer or equivalent entry point. | All communications with the Zendesk UI and APIs are encrypted through industry standard HTTPS and Transport Layer Security (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure during transit. For email, Zendesk leverages opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service subscribers that customers may choose to leverage at their discretion. |
At rest | Data in the database remains encrypted. If a third party or foreign government attempts to get access to a running database, the data will be returned in ciphertext. | Service Data is encrypted at rest in AWS using AES-256 key encryption. |
In use | The data remains encrypted while in use and is only decrypted if a use case requires it. Any decryption actions are logged and auditable when leveraging an external Security Information and Event Management (SIEM) integration. | Data fetched from the data stores is processed in plaintext. |
Advanced Encryption limitations
Advanced Encryption comes with some trade-offs that you should be aware of. When data is encrypted, you may encounter functionality limitations and unavailable features.
General limitations
- Any functionality outside of the scope described in Data encrypted in Zendesk, including but not limited to legacy Chat, Sell, QA, integrations, and mobile, might be broken or show encrypted data in the UI or API responses. For these reasons, Zendesk encourages you to activate and test Advanced Encryption in a sandbox account before activating it in production.
- Key rotation is not yet supported.
Support limitations
- Ticket sharing is not yet supported.
- Encrypted accounts will become ineligible for account region moves. If you wish to move your data to a different region, request the move before activating Advanced Encryption.
- Premium sandboxes created after activating Advanced Encryption will show encrypted copied data.
- Messaging triggers with conditions based on an end-user name won’t work.
- Snippet highlighting, wildcard search, phrase search, and non-space delimited languages (such as Chinese and Japanese) won’t work.
- Search match and ranking might be different.
- Searching for side conversations by user name won’t work. Instead, search by the subject line of the side conversation or parent ticket.
- Support views sorting by user name (requester and assignee) will be turned off for accounts with encryption activated.
- Support views grouped by user name (requester and assignee) will display user names that are out of order.
- CSV exports will display placeholders instead of user names.
Imports and exports degradation
- Users imported through the bulk actions importer will not be encrypted, but users added through the data importer will be encrypted.
- XML exports for users will not be supported, but CSV and JSON exports are supported.
Gather and Guide degradation
- @mentions will be turned off.
Data storage limitations
Advanced Encryption introduces a new way of encrypting sensitive data using Customer Managed Keys (CMK). To ensure Zendesk’s functionality is not compromised, Zendesk services decrypt sensitive data while processing requests originating from many channels, including browsers, REST APIs, and email. Zendesk guarantees that plaintext data is never stored in permanent storage and is only kept for the minimum amount of time necessary to fulfill the request.
The following items are current exceptions:
- Gateway (NGINX + Cloudflare) stores public help center pages, which might contain user profile data for up to three minutes.
- Outbound email temporarily stores email bodies before the email is delivered by Simple Mail Transfer Protocol (SMTP).
- The original email body of inbound email is maintained after the ticket or comment is created and powers additional collaboration features.
- Explore user datasets are stored in plaintext.
- Bulk import and export files are temporarily stored in plaintext for 30 days. The files are deleted after 30 days.
- User data in Sunshine Conversations datastores is stored in plaintext. (Support datastores are covered.)
- User data in real-time services (for example, agent presence and the Talk call console) is retained in plaintext for up to seven days to power the agent UI.
- Agent and admin user data will appear in plaintext for customer sales and support cases to assist customers.