Verified AI summary ◀▼
Data masking in the early access program helps protect sensitive data by hiding personally identifiable information (PII) from agents in custom roles. You can control which agents see end-user names, phone numbers, and email addresses, reducing unauthorized access. While data masking obscures data based on user permissions, it may limit agents' actions, such as managing end users or accessing certain features.
Customers with Enterprise plans and above can use data masking to protect sensitive data by masking personally identifiable information (PII) from agents in custom roles. When the EAP is complete, the data masking feature will require the Advanced Data Privacy and Protection add-on.
By utilizing data masking, you can ensure that only privileged users can access sensitive information. For example, a company collaborating with various popular artists or VIPs may want to protect their data and limit exposure to only agents who require access to the information.
With data masking, admins and agents with permission to manage custom roles can mask end-user names, phone numbers, and email addresses from selected agents. Team member data is not masked.
Understanding how data masking works
Data masking allows organizations to control which agents can view specific personal data. This means that agents will see only the information necessary for their roles, reducing the risk of unauthorized data access.
To mask PII, edit the custom role and select which end-user fields to hide: name, phone, or email address. See Turning on data masking for details.

Upon saving the role with the new masking settings selected, Zendesk checks whether the role's existing permissions allow for viewing restricted information based on those settings. For example, suppose a role has permission to view end-user profiles, but you'd like to mask end-user PII for the role. In this scenario, a modal (similar to the example below) displays all the permission changes that will be made automatically upon saving to fully hide sensitive information from agents in that role.

After turning on data masking for a role, agents with that role see a lock icon () in the ticketing interface next to the requester PII fields they aren’t permitted to view.

For the EAP, end-user PII is masked in the following areas of Zendesk Support:
- Views: PII is masked in system fields in views and exports when designated for custom roles, ensuring sensitive information is protected.
- Ticketing interface: PII is masked in system fields.
- Knowledge: PII is hidden from agents in custom roles with permission to manage Guide. This applies to user segments, user content, spam, and community moderation views when the custom role has data masking turned on. Note that end-user data that has been made public will be visible to agents, even with data masking in place. For example, if moderation is turned on in your account and an end user posts a comment, their name won't be masked because it can be seen in your help center.
As part of the EAP, data masking is out of scope for the following products: Chat, Talk, Explore, AI agents - Advanced, WFM, Zendesk QA, and Sell. See the Data masking production EAP community page for a list of disclosures, degradations, and limitations.
Understanding the differences between data redaction and data masking
Data redaction and data masking are both techniques used to protect sensitive information, but they serve different purposes.
Data redaction allows admins to permanently remove sensitive information from tickets, ensuring that deleted data can't be retrieved or viewed by any agents. Agents can redact ticket content manually, or with the Advanced Data Privacy and Protection add-on, admins can create triggers to automatically redact ticket data.
Data masking offers a more flexible approach to data protection. With data masking, you can configure your account to obscure sensitive user information, including end-user names, email addresses, or phone numbers, based on custom roles. This means that while the original data remains intact, it is hidden from view for agents without permission. This capability allows companies to maintain data integrity while safeguarding user privacy.
While data redaction permanently removes sensitive information, data masking provides a way to obscure it based on user permissions, allowing for a more nuanced approach to data security in Zendesk.
Understanding how data masking limits what an agent can do
Turning on data masking for a custom role may restrict the actions available to agents assigned to that role. For example, some features intended for reading user data, such as customer lists and profiles, will be inaccessible for agents in roles that mask data. This is because the feature becomes unusable without access to PII.
While the workflow for solving tickets through the Agent Workspace remains unaffected, agents may be unable to perform administrative tasks related to end users, such as updating their contact information or working with suspended tickets, which contain information from the end-user’s email.
Data masking production EAP product limitations
The data masking feature has limitations that affect the following areas of Zendesk. See Data masking production EAP product limitations on the EAP community site for details.
Support:
- Outbound emails
- User information related to Zendesk Talk
- API (excluding the Users API)
- Ticket comments
- Custom user fields
- Legacy CC
- Legacy agent dashboard
- Lookup relationship fields
Mobile: Notifications on the mobile app
Explore: Explore permissions
Guide: Guide user segments and moderator groups
Chat: Chat conversation form fields
Employee service: Approval email notifications
Data masking production EAP disclosures and degradations
Customers with the data masking feature turned on in their accounts will experience the known disclosures and degradations in the following areas of Zendesk. See Data masking production EAP disclosures and degradations on the EAP community site for details.
- Manage end users
- Search and view lists of end users
- Merge tickets
- Search end users in side conversations and ticket conversation CC
- Manage organizations
- Manage suspended tickets
- Conversation ticket subject
- Print ticket and View original email
- Placeholders
- Triggers and automations (business rules)
- Guide user segments