What's my plan?
All Suites Enterprise or Enterprise Plus
Support Enterprise

Verified AI summary ◀▼

Data masking in the early access program lets you hide personally identifiable information like names, emails, and phone numbers from agents in custom roles. This feature helps protect sensitive data and supports compliance with regulations like GDPR. While data remains unchanged in the database, agents see only what's necessary, reducing unauthorized access. Note that some features and actions may be limited.

Note: The features described in this article are currently available in an early access program (EAP). To learn more, see the Data masking EAP community page. You can sign up for the EAP here.

Customers on Enterprise plans and higher can use data masking to mask select fields containing personally identifiable information (PII). The fields available for masking include name, email, and phone number, and are masked from agents in custom roles. When the EAP is complete, this feature will require the Advanced Data Privacy and Protection add-on.

Data masking can help reduce unnecessary exposure to sensitive information by limiting what data agents are able to view. For example, a company collaborating with high-profile clients or VIPs may want to restrict access so that agents cannot see certain user data unless it's required for their role. This practice also supports compliance with regulations such as the General Data Protection Regulation (GDPR), which emphasizes data minimization and controlled access.

This article includes the following topics:
  • Understanding how data masking works
  • Understanding the differences between data redaction and data masking
  • Data masking EAP product limitations
  • Data masking EAP disclosures and degradations

Understanding how data masking works

Data masking allows admins and agents with permission to create and assign agents to custom roles to determine which data is masked from the agent.

When a role is configured with data masking, agents see only the information necessary for their responsibilities, reducing the risk of unauthorized access. Masking applies only at the presentation layer. Data in the database remains unchanged, and agents in roles without masking still see the full information. Upon saving a role with masking settings, Zendesk automatically adjusts permissions to hide restricted data. Agents assigned to the role will see a lock icon next to any PII fields they are not permitted to view.

Maskable system fields:
  • Name
  • Email
  • Phone

For the EAP, name, email, and phone number can be masked in the following areas of Zendesk Support:

  • Views: Selected PII is masked in system fields, including exports.
  • Ticketing interface: Selected PII is masked in system fields.
  • Knowledge: Selected PII is masked from agents with permission to manage Guide. This applies to user segments, user content, spam, and community moderation views when the custom role has data masking turned on. Note that end-user data that has been made public will be visible to agents, even with data masking in place. For example, if moderation is turned on and an end user posts a comment, their name won't be masked because it can be seen in the help center.

As part of the EAP, data masking is out of scope for the following products: Chat, Talk, Explore, AI agents - Advanced, WFM, Zendesk QA, and Sell. See the Data masking EAP community page for a list of disclosures, degradations, and limitations.

Understanding the differences between data redaction and data masking

Data redaction and data masking are both techniques used to protect sensitive information, but they serve different purposes.

Data redaction allows admins or agents in custom roles with permission to permanently remove sensitive information from tickets, ensuring that deleted data can't be retrieved or viewed by any agents. Agents can redact ticket content manually, or with the Advanced Data Privacy and Protection add-on, admins can create triggers to automatically redact ticket data.

Data masking offers an alternative approach to protecting sensitive information. It allows certain roles to have end-user names, email addresses, and phone numbers obscured based on custom role settings. This means that while the original data remains intact, it is hidden from view for agents without permission. This capability allows customers to maintain data integrity while safeguarding user privacy.

While data redaction permanently removes sensitive information, data masking provides a way to obscure it based on user permissions.

Data masking EAP product limitations

Agents with data masking enabled may have certain actions restricted. For example, features that require access to user data, such as customer lists and profiles, will be inaccessible to agents in roles that mask data because these features rely on PII. While workflows for solving tickets in the Agent Workspace remain unaffected, agents may be unable to perform administrative tasks related to end users, such as updating contact information or managing suspended tickets that include end-user email information.

Data masking feature has limitations that affect the following areas of Zendesk.

Support:

  • PII in ticket comments
  • Custom user fields
  • Legacy CC

Mobile: Notifications on the mobile app

Explore: Explore

Chat: Chat conversation form fields

Employee service: Approval email notifications

See Data masking production EAP product limitations on the EAP community site for more details.

Data masking EAP disclosures and degradations

Customers with the data masking feature turned on in their accounts will experience the known disclosures and degradations in the following areas of Zendesk. See Data masking EAP disclosures and degradations on the EAP community site for details.

  • Manage end users
  • Search and view lists of end users
  • Merge tickets
  • Search end users in side conversations and ticket conversation CC
  • Manage organizations
  • Manage suspended tickets
  • Conversation ticket subject
  • Print ticket and View original email
  • Placeholders
  • Triggers and automations (business rules)
Powered by Zendesk