Bogdan Gagea
Joined May 13, 2021
·
Last activity Jun 07, 2024
Latest activity by Bogdan Gagea
Bogdan Gagea created an article,
This is the third, and final, installment of our Security Best Practices series. It provides a baseline product-level reference for how to successfully and securely manage your Zendesk Suite instance. As always, we strongly recommend that you consider implementing these product controls and recommendations at the onset of adoption and regularly review your settings and company best practices to ensure that they are both appropriate for your specific use case and correctly adhered to by your employees. Training agents and administrators on how to apply these product controls will help minimize risk exposure, in keeping with our Shared Responsibility Model.
For a high-level overview of our recommended security practices, see the General Security Best Practices document. If you need a more in-depth (but non-product specific) security resource, please take a look at our Zendesk Suite Actionable Security Guide.
This article contains the following sections on Zendesk Suite Product Controls:
Security Best Practices: Zendesk Suite Product Controls
Support
- Account assumption. Enable (or disable) temporary or permanent ‘assume’ privileges allowing Zendesk staff to enter an account for a specific amount of time, without impact to your license or the permitted number of agents. Please note that feature enablement may be overridden by specialized Zendesk staff in case of emergency or when account or application usage is in violation of the Main Services Agreement.
- Custom password configurations. Customize your own password security level to align with internal policies. Zendesk provides the following levels of password security: Recommended, High, Medium, and Low. See Setting the password security level for implementation steps. Note: When Zendesk authentication is enabled, you can set session expiration/inactivity timeout restrictions and/or password expiration at the agent/Admin level.
- Two-factor authentication (‘2FA’). Implement a second authentication security layer. 2FA is available natively in the product via SMS message or a two-factor authentication app installed on the user’s mobile device; alternatively, use your own 2FA solution if you couple it with Single Sign On within your environment.
- Single Sign On (‘SSO’) (for business and social end-user accounts). Reduce the number of attack surfaces by having users log in once, with a single set of credentials.
- Restrict IP addresses. Limit the agent interface to only those users coming from a specific range of approved IP addresses.
- Secure Attachment Access. Require users to log in to their account before accessing attachments by activating private attachments.
- Malware Scanning. Admins should follow company guidelines on how to manage attachments that have been flagged by our Malware Scanning.
- Redaction. Redact personal or sensitive data on demand in the agent workspace (with Admin/Agent access).
- Email
  - Archive customer communications for auditing/legal purposes.
  - Disable rich content in emails (i.e., non-plain text/HTML).
  - Decommission unused support email addresses.
  - Disable wildcard email address when not needed.
  - Enable email authentication with SPF, DKIM and DMARC to reduce email spoofing and Business Email Compromise.
  - Use DKIM for outbound email to verify the origin of emails (e.g., from within your organization).
  - Personalize emails to improve transparency and help build trust between customers and agents.
- SPAM. Ensure that tickets aren’t incorrectly marked as ‘SPAM’ via Suspended Ticket notifications.
- Device Tracking. Manage user devices and remove those no longer in use (with Agent/Admin access).
- Sandbox. We recommend using a sandbox environment for testing and launching code before it goes into your production environment. Please note that this is only available with Enterprise plans.
- Support Mobile app. Decide if you want to allow access for Agents via the Support Mobile app, and if not, remove the Mobile App access in Admin Center under “More Security Settings”. Please note that Password Access to the API needs to be allowed for Mobile Apps to work.
- Credit Card (PCI) data. Automatically redact credit card data information (limitations may apply) or add a PCI compliant credit card field.
- Log Management
  - Audit logs. Manage your audit logs to keep track of changes in your account. Export reports via the API or as CSV. Only available with Enterprise plans.
  - Ticket interaction/event logs. See all actions and notifications that have occurred in your account.
  - Integration logs. Track data syncing between your Support instance and your integration via this tool in the Admin Center.
- End user verification. Require end users to register and verify their email address.
- Least privilege. Restrict user access to ensure that users only have access to task dependent products. Learn more about Support user roles.
- Custom Roles. Delegate access by role/job description. Please note that this feature is only available for Enterprise plans.
- Allowlisting. Define who has access to your instance to reduce the exposure of sensitive data and unauthorized system access.
- Blocklisting. Suspend, reject or prevent users from accessing your instance if/when you perceive a threat to your security.
- Remove accounts/users. Regularly review the users on your account and suspend/demote users who no longer need access to your system.
- Custom Roles. Delegate access by role/job description. Please note that this feature is only available for Enterprise.
- CC and Follower Blocklisting. Prevent others from being tagged on tickets and notified of customer conversations to limit access to sensitive customer information and vulnerability to a data breach.
- Limit Team Member and End-User Inactive Session Length. Helps limit the window of time that a session can be utilized, before sign-in must occur again to reduce unauthorized access to systems and data.
- Disable Ability for Admins to Set Passwords for Users. Enforce least privilege and remove the ability to set a password without having a user apply 2FA and verify their email address through the normal password reset process. See this document for more information about setting password security levels.
- Webhooks. Use TLS/HTTPS to securely connect to third party endpoints such as applications or websites.
- Zendesk Marketplace. Only install Third Party Applications that you trust. To learn more, see here.
- API Access
  - Disable password access to your API to limit the exposure of protected information.
  - API Tokens. Have your Admin set up least privilege access to reduce the number of people who have access to your API and sensitive customer data (e.g., PII, PHI etc.). Please see the Security Configuration Requirements for HIPAA or HDS Enabled Accounts for related information about API token management.
- OAuth clients. Secure access to your API (and related data). Choose the right flow type for your use case and prefer Authorization Code Grant or Implicit Grant over Password Grant if possible. Visit OWASP for a detailed list of industry best practices.
- Self-Build Apps and Integrations. For app and integration best practices visit the Documentation portal.
Guide
- Moderate Content. Review Guide content to ensure that SPAM isn’t being posted to your Help Center.
- API. Disable password access to your API to minimize the exposure of sensitive data.
- API Tokens. Have your Admin set up least privilege access to reduce the number of people who have access to your API and opportunities for data compromise.
- Restrict Help Center Access. Apply IP address restrictions to limit user access based on authentication and segmentation.
- Article Interaction/event Logs. See all actions taken by agents on an article to ensure adherence to company best practices.
- Agent/Alias Display Name. Allow agents to personalize their signatures, increasing trust between agents and customers as well as the online safety of your agents.
- Unsafe Content. Prevent unsafe content from being displayed in your Help Center.
Chat
- Chat API. Have your Admin set up least privilege access to reduce the number of people who have access to sensitive data. Be sure to acknowledge the following restrictions.
- Native File Attachment Allow Listing. Restrict file sharing to only those extensions needed for specific job tasks.
- Gating via Support. Apply cascading security configurations across products (only applicable for Suite plans).
- Credit Card (PCI) data. Automatically redact credit card data information in chats and chat history (limitations may apply) to reduce data compromise.
- Agent/Alias Display Name. Allow agents to personalize their signatures, increasing trust between agents and customers as well as the online safety of your agents. (Chat standalone)
- Visitor Authentication. Enable visitor authentication via token or shared secret to ensure that only authorized users have access.
- Authentication controls. Send private chat attachments with authentication controls (only available with the Agent Workspace).
- Blocklisting. Suspend, reject or prevent users from accessing your account if/when they pose a risk to your security or violate company policy.
- Restrict Chat Widget by location (e.g., country or domain) to reduce your exposure to bad actors and/or malicious nation state actors.
- Custom Roles. Delegate access to Chat by role/job description. Please note that this feature is only available with Enterprise plans.
Talk
- Call Recording. Opt-in or opt-out of call recording based on the number, caller or end user.
- Delete Recordings. Enable automatic deletion of Talk recordings.
- Talk API Delete Recording Feature. Use this endpoint feature to programmatically delete recordings from tickets, where applicable. Manual deletion can also be applied for erasure obligation, right to be forgotten as well as industry privacy and compliance requirements. Note: Automatic Redaction is a separate feature that can’t currently be used to redact credit card information from Voicemail transcripts.
Explore
- Manage Explore Permissions. Enable Explore access based on least privilege access (with Admin access).
- Set up Dataset Permissions. Set dataset permissions using least privilege access (with Admin access).
Messaging (Native)
- End User Authentication. Enable end user authentication for Web Widget and Mobile SDK.
- Allowlisting. Only allow the Web Widget to be loaded on specific domains.
Edited Jun 12, 2024 · Bogdan Gagea
Bogdan Gagea created an article,
Talk is now under the scope of Zendesk’s FedRAMP Tailored ATO with a low risk designation (Li-SaaS), as defined by FedRAMP.gov.
Zendesk products currently in scope for FedRAMP ATO include:
- Support
- Guide
- Gather
- Explore
- Talk
- Sunshine Conversations
- Messaging Functionality (Generative AI functionality is not yet included in scope, and should not be turned on; additional limitations apply)
- Certain Product Add-Ons*
*As Zendesk's Add-Ons and FedRAMP program continue to evolve, please email fedramp@zendesk.com for the most up-to-date scoping information.
Talk Configurations
When using Talk, you must adhere to the following configurations in order to remain in scope with our FedRAMP Tailored ATO:
- Use US-based phone numbers
- Disable the Talk recording feature
- Disable voicemail (and transcripts)
Additional Considerations
The above configurations ensure that all data stays within our FedRAMP compliant environment. Failure to follow one or more of these configurations renders this obsolete (i.e., data is no longer contained within the compliant environment).
Supplemental Terms for Zendesk’s FedRAMP Tailored Certification
Disclaimer: The security configurations in this document may change from time to time due to changes in law, regulation or the Zendesk Service. This document contains Zendesk’s recommendations for the minimum effective security configurations when using the covered Services. It does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. Each Zendesk Subscriber should seek their own legal counsel with regard to their security compliance requirements and should make additional changes to their security configurations in accordance with their own independent analysis, so long as such changes do not counteract or degrade the security of the configurations outlined in this document.
Edited Aug 13, 2024 · Bogdan Gagea
Bogdan Gagea created an article,
Readtime: 7 minutes
This resource provides an overview of recommended security best practices for Zendesk Suite Subscribers to implement in their own instance. We recommend that you consider implementing these practices at the onset of adoption and routinely check your settings and company best practices to ensure that they are appropriate and correctly adhered to by employees.
Zendesk offers a wide range of controls to help you keep your information (and that of your customers) safe and secure. We strongly recommend training agents and administrators to apply these security best practices and minimize your risk exposure, in keeping with our Shared Responsibility Model. This framework outlines the responsibilities of each Zendesk Subscriber when it comes to ensuring the security of their instance. For more information about specific product controls and recommendations, see The Zendesk Suite Product Controls and Recommendations Guide.
This article contains the following sections on Best Practices for Zendesk Suite:
- General
- Access Control
- Systems Access, Networks and Domains
- Data Management
- API
- Monitoring
- Disaster Recovery
Security Best Practices for Zendesk Suite
General
- Use a sandbox for testing and development to keep your production instance clean.
- Restrict Mobile App usage for Agent workflows and/or use cases.
- Enable content moderation in your Guide Help Center and forum threads to prevent spam and/or unwanted content in your Gather community.
- Review any and all automated functions that send notifications to ensure that they are notifying the correct people.
Access Control
General
- When using Zendesk Native Authentication:
  - Customize the password security level to match your company’s internal policies.
  - Set the lowest session expiration necessary for your agents and admins.
  - Disable unnecessary social logins for end-users.
- When using Single Sign-On (SSO):
  - Utilize either native in-product SSO, or your existing enterprise Single Sign-On to centrally manage your configurations.
  - Couple any MFA you operate with your SSO to cover Zendesk logins.
  - If you still wish to allow password authentication via Zendesk Native Authentication because you are concerned about availability during an SSO outage, then do not disable password authentication. If, however, you wish to eliminate the ability for passwords to be used once SSO has been configured, then disable password use. Note that disabling password access will terminate all open sessions where passwords were used to authenticate.
- Keep Account Assumption disabled unless you require a Zendesk employee to enter your account (either when interacting with Zendesk’s Support, advocates, Professional Services, etc.).
Users
- Review connected devices associated with your Agent profile and remove those that are no longer in use or look suspicious. Note that only Agents, Admins and Owners have access to this functionality.
- If creating a “closed” Zendesk instance, require end-users to register and verify their emails before they can submit tickets to cut down on potential spam.
- Apply custom roles for your agents to limit user access to only what is necessary for each job function.
- Consider user segment and/or brand-based privileged access when using Guide.
- Leverage the allowlist to define specific users, or groups of users, who have access to your account and/or the ability to submit requests / chats.
- Suspend, reject, and/or prevent users from interacting with Zendesk Services via the blocklist, when necessary.
- Review the users on your account and suspend/demote users who no longer need access to your system.
Passwords
- Zendesk provides the following levels of password security: Recommended, High, Medium, and Low. Zendesk suggests the Recommended password security level for both team members and end users. See Setting the password security level for implementation steps.
- Two-Factor Authentication (2FA) is the recommended standard for agent and Admin login to Zendesk.
- Where different populations have different security needs, consider setting one custom password security level for End Users and another for Agents and Admins when using Zendesk’s native authentication.
- Create a unique password for your Zendesk account (i.e., one not currently used to login to external systems or applications).
- Enable email alerts for logins from new devices so Agents can monitor their accounts for logins from new (and unauthorized) devices. See Checking devices and applications that accessed your account in the Zendesk Agent Guide.
System, Network Access and Domains
- Use Contextual Workspaces to optimize your workflows and show only applicable tools (e.g., macros, apps, forms, etc.) and ensure that Agents only have access to the system functions and workflows that are needed to complete a task.
- Restrict access based on IP addresses for the agents and/or end users.
- Suspend, reject, and/or prevent users from interacting with Zendesk Services via the blocklist, when necessary.
- Where requiring non-Zendesk URLs, generate your own SSL certificates or Zendesk-provisioned SSL certificates with host mapping and provide secure access to your help center. Where supplying your own SSL certificate, be sure to keep it up to date.
Data Management
- Data Usage
  - Capture only data that is needed to complete a given use case, minimizing the exposure of sensitive customer and/or internal data.
- Deletion/Redaction
  - Refer to the "Complying with privacy and data protection law" guides for deletion and redaction recommendations, in accordance with privacy regulations.
  - Consider not recording calls, and/or automatic deletion of recordings when using Talk functionality, where such recordings could be challenging for your compliance with industry or legal regulations.
  - Enable automatic redaction to protect sensitive customer data in tickets and chats. Note: This feature leverages a Luhn check which will redact most, but not all, credit card numbers.
  - Manually redact credit card information from the Zendesk Agent Workspace, where permissions allow. Note that even after deletion, data may still persist in logs for up to 30 days.
- Compliance
  - Should your use case involve Protected Health Information (“PHI”), enter into a Business Associate Agreement (BAA) with Zendesk and implement the required security configurations for Health Insurance Portability and Accountability Act (HIPAA) related Personal Health Information (PHI) and electronic personal health information (ePHI) data management, as necessary for you as a healthcare provider or healthcare data manager.
  - Should you use credit card numbers for identification purposes, add a credit card field to your ticket form to meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements (note this field does not store or surface the full credit card number and cannot be used for payments or transactions).
  - For those who need to be in scope for PHI, ePHI, HIPAA and/or PCI DSS compliance:
- Privacy
  - Consult the "Complying with privacy and data protection law" section of the Help Center for product-specific privacy considerations.
  - Access the Trust Center to learn how our Global Privacy Program helps you stay compliant, no matter where you’re located or who you do business with.
- Apply email archiving when there’s a business need to maintain archives of customer communications outside of Zendesk Services for policy, regulatory, or legal purposes.
- Disable Chat email piping unless required when using Chat.
- Use rich content in incoming emails only when necessary for your workflow.
- Enable email authentication with SPF, DKIM, and DMARC to reduce spoofed email and spam your account receives.
- Digitally sign outbound emails from Zendesk to verify that they originated within your organization.
- Leverage personalized email replies and agent aliases to provide transparency to end-users who are communicating with agents via ticketing.
- Decommission unused or unnecessary Support addresses to minimize spoofing risk.
API
- Make use of tokens instead of passwords to prevent unauthorized password access to the API.
- Deploy OAuth to authenticate and limit the amount of access granted to tokens in the API. Disable where unneeded.
- Safeguard API tokens in a secure location outside of the application. Where possible, OAuth tokens are recommended over API tokens.
Monitoring
- Regularly review and monitor account audit logs that show changes to your account. Helpful tip: Your API can also be leveraged to export audit logs as needed.
Disaster Recovery
Zendesk maintains a Global Business Resilience Program to ensure we have the ability to rapidly adapt and respond to business disruptions, safeguard people and assets, while maintaining continuous business operations. Outside of this, there are several steps that you can take to additionally secure the continuity of your business.
- Opt in to Enhanced Disaster Recovery for security redundancy that includes real-time data replication, traffic prioritization, zone availability redundancy and priority recovery planning.
- If using Voice functionality, enable a Talk failover number for business continuity purposes.
- If you desire to have password access in the event of external SSO system outages, consider not disabling Zendesk native authentication (SSO can be set up as strict, or allowing password bypass).
- Apply an incremental export API and/or bulk downloads of your Service Data if you require non-editable data stores to be preserved within your own environment.
- Enable automated email forwarding from your personal third-party email address to Zendesk Support to retain a copy of the email outside of Zendesk.
- Use the incremental export API to retrieve Zendesk Support items that have been changed since the last API call request. See the API Reference for more information.
If you suspect that a security incident within your Zendesk instance was directly caused by our Service itself, you should submit a ticket to security@zendesk.com. For clarification on when to contact Zendesk about security-related responsibilities, consult the Shared Responsibility Model.
Edited Sep 20, 2024 · Bogdan Gagea
Bogdan Gagea created an article,
Like you, we care about the data that we put into our tools and services. Whether you’re using this data to meet internal privacy policies, evaluate our offerings via vendor or privacy review or determine where your use case falls according to regulatory frameworks, we make it easy for you to find the information you need. The list below includes default data points captured (by product) regardless of use case. For a more comprehensive picture of your data types, use this resource in combination with your specific use case data and any resultant data types.
Please consider these points when using this list:
- Non-default, custom configurations, integrations or use of third party services may alter this list respectively.
- Your individual use case will largely determine the type, amount, and sensitivity of data you and/or your end users put into your instance(s) of the service.
- As a Data Processor for thousands of Data Controllers (i.e., Subscribers), we don’t always have insight into individual customer use cases, nor can we integrate individual tenant data policies into our service. You, as the Data Controller, are tasked with administering the data in your instance and using the tools that we provide you with to ensure your treatment of data maps to your own policies as well as regulatory frameworks within your industry.
- For more information on contractual requirements for data treatment, please see our Main Services Agreement (“MSA”). You should also refer to the Zendesk Shared Responsibility model for more information on responsibility boundaries.
This article covers the data points captured by the following Zendesk services:
- Support
- Guide
- Gather
- Chat
- Messaging
- Sell
- Talk
- Explore
- SunCo (Conversations)
- Sunshine
- Mobile Apps
- Software Development Kits (SDKs)
Default data points captured by the services (at minimum):
Support:
- Username (which may or may not be the individual's actual name).
- Salted hash of the user's password (where passwords are chosen as the authentication mechanism).
- IP address as perceived by our edge architecture (which may or may not be the actual user’s originating IP address).
- Selections made within drop down menus or radio boxes.
- Any text entered into free form text fields (e.g., titles, text boxes, ticket comment fields, satisfaction survey fields, search fields, etc.).
- Date and time of events as perceived by the app.
- Any data added to Agent or Admin profiles or signatures.
- Any data digested by incoming emails (where emails are allowed for ticket instantiation).
- Any data contained in attachments.
- Owner, Admin configuration choices.
- Contact information for the instance Owner and Agents.
- Email addresses of Users.
- Any communication, setup, or integration data entered into the Side Conversation feature.
- The chosen domain name of your instance (as well as any TLS certificate data you, or a third party TLS certificate service upload, where using host mapping)
Guide:
- Any data added to Guide help center articles.
- Any data added to Guide help center article comment sections (where comments are enabled).
- Any attachments or images uploaded to the Guide help center (e.g., comments, images, logos, article attachments, front page images, etc.).
- Any custom code added to the Guide help center.
Gather:
- Any topics or posts added to the Gather community
- Any attachments or images added to Gather topics or posts.
Chat:
- Username (which may or may not be the individual's actual name), or visitor number where unauthenticated End Users are allowed.
- Email of the End User (which may or may not be the actual email when unauthenticated Chats are allowed). Please note that unauthenticated (i.e., anonymous) Chats will begin even when no username or email is submitted by the End User.
- Salted hash of the user's password (where passwords are chosen as the authentication mechanism).
- IP address as perceived by our edge architecture (which may or may not be the actual originating IP address)
- Country and City associated with said IP address.
- Any text data added to the Chat window.
- Operating System (OS) and version used by Chat End User(s).
- End User's device type.
- Browser and version of the Chat End User.
- Date and time of events as perceived by the application.
- Any data in attachments, Owner or Admin configuration choices.
- Owner’s contact information.
- Any data collected by custom fields when created via Software Developer Kit (SDK).
Messaging (Workspace + Bot)
- Username (which may or may not be the individual's actual name).
- IP address of users as perceived by the edge architecture (which may or may not be the actual user’s originating IP address).
- Country and City associated with said IP address.
- Choices made within drop down menus or radio boxes.
- Any text entered into free form text fields (e.g., titles, text boxes, ticket comment fields, satisfaction survey fields, search fields, etc.).
- Date and time of events as perceived by the app.
- Any data digested by incorporated channels (e.g., email, chat, voip, Instagram, etc.).
- Any data contained in attachments.
- Email address of users.
- Operating System (OS) and version used by a user.
- User’s device type and model.
- Browser and version of a user.
- Any workflows or bot configurations created with Flow Builder.
- User unique identifier (this could be the user’s email address, or a business defined identifier not controlled by Zendesk). This is referred to internally as an external_id.
- Zendesk Software Development Kit (SDK) version number.
- App version and app code.
Sell:
- Username (which may or may not be the individual's actual name).
- Salted hash of the user's password (where passwords are chosen as the authentication mechanism).
- IP address of users as perceived by our edge architecture (which may or may not be the actual user’s originating IP address).
- Country and city associated with said IP address.
- Choices made within drop down menus or radio boxes.
- Any text entered into free form text fields (e.g., titles, text boxes, ticket comment fields, satisfaction survey fields, search fields, etc.).
- Date and time of events as perceived by the app.
- Any data added to a user profile or signature.
- Any data digested by incoming and outgoing emails (when email integration is enabled).
- Any data in calendar events.
- Any data contained in attachments.
- Owner and Admin configuration choices.
- Contact information for the instance owner and users.
- Email address of users.
- Operating System (OS) and version used by a user.
- User’s device type.
- Browser and version of a user.
- Call recordings (if enabled).
- Text messages (if enabled).
- Any data filled in for Leads, Contacts, Deals or any associated objects (e.g., Notes, Tags, Calls), including data entered in custom fields.
Talk:
- The choice of whether or not to retain call recordings is entirely yours as a Zendesk Talk subscriber. When choosing to record calls, the content of any calls will be captured and retained until either your decision to delete such calls, or your termination of account.
- Originating telephone number (caller)
- The destination number (call recipient)
- The country of origin for the call (as determined by number).
- The user name or ID of agent answering (which may or may not be the actual person's name).
- Duration of call.
- When choosing to record custom greeting messages or privacy warnings, the content of such recordings will be captured and retained until deleted by Subscriber, or upon termination of account.
Explore:
Use of the Explore product primarily entails the analytics of data already existing within a Subscriber’s Support instance. Additional data points include:
- Any new names and/or email addresses added as dashboard export recipients
- Any text used for custom dashboard titles or search queries
- Any images uploaded to dashboards.
Sunshine Conversations (SunCo):
- Name, Email, Creation Date of Sunshine Conversations Administrator
- Name, Creation Date of all created Service Accounts
- Name, Creation Date, Channel Integrations, Webhooks and API Keys of all created Apps
- External ID, Sign-Up Date and, when applicable, Given Name, Last Name, Email, Avatar URL, Locale and all elected custom user properties of all End Users using the services
- Unread Count and Read Timestamps of all Conversations
- Conversation ID, Author ID, Name, Avatar, Received Date, Channel Source, Attachment and Content of all Messages in a Conversation
- Channel Name, Conversation Title, SDK Version, User Agent, External ID, Display Name and Personally Identifiable Information of all Clients automatically generated for Users when they send Messages
- Third-party credentials and IDs, configuration and other integration metadata of all Integrations created via the Dashboard
- Triggers, Target URL and Secrets of all Webhooks
- Template Name and Message Content of Templates created for all structured Messages.
Sunshine:
In addition to what is captured in Support:
Custom Objects (if used)
- Object Types (definitions of objects) as defined here.
- Object Records (objects created based on Object Types).
- Relationship Types (definition of relationship between objects) as defined here.
- Relationship records (relationships created based on Relationship Types).
- Custom Objects Events (early access only) as defined here.
- Metadata of Custom Object Jobs as defined here.
Profiles (if used)
- Custom Profiles assigned to users as defined here.
Events (if used)
- Custom Events associated with profiles as defined here.
Mobile Apps:
Support Mobile Application
- Username (which may or may not be the individual's actual name).
- Salted hash of the user's password (where passwords are chosen as the authentication mechanism).
- IP as perceived by the edge architecture (which may or may not be the actual user’s originating IP address).
- Choices made within drop down menus or radio boxes.
- Any text entered into free form text fields (titles, text boxes, ticket comment fields, satisfaction survey fields, search fields, etc.).
- Date and time of events as perceived by the app.
- Any data added to agent or admin profiles or signatures.
- Any data digested by incoming emails (where emails are allowed for ticket instantiation).
- Any data contained in attachments.
- Owner, admin configuration choices.
- Contact information for the instance owner and Agents.
- Email address of Users.
- Operating System and version used by a user.
- User’s device type.
Sell Mobile Application
- Username (which may or may not be the individual's actual name).
- Salted hash of the user's password (where passwords are chosen as the authentication mechanism).
- IP of users as perceived by the edge architecture (which may or may not be the actual user’s originating IP address).
- Country and city associated with said IP.
- Choices made within drop down menus or radio boxes.
- Any text entered into free form text fields (titles, text boxes, ticket comment fields, satisfaction survey fields, search fields, etc.).
- Date and time of events as perceived by the app.
- Any data added to a user profile or signature.
- Any data digested by incoming and outgoing emails (when email integration is enabled).
- Any data in calendar events.
- Any data contained in attachments.
- Owner, admin configuration choices.
- Contact information for the instance owner and users.
- Email address of users.
- Operating System and version used by a user.
- User’s device type.
- Browser and version of a user.
- Call recordings (if enabled).
- Text messages (if enabled).
- Any data filled in for Leads, Contacts, Deals or any associated objects (e.g. Notes, Tags, Calls), including data entered in custom fields.
Chat Mobile Application
- Username (which may or may not be the individual's actual name).
- Salted hash of the user's password (where passwords are chosen as the authentication mechanism).
- IP as perceived by the edge architecture (which may or may not be the actual originating IP address).
- Country and City associated with said IP.
- Any text data added to a Chat conversation.
- Operating System and version used by Chat end users.
- End user's device type.
- Browser and version of the Chat end user.
- Date and time of events as perceived by the app.
- Any data in attachments.
Software Development Kits (SDKs)
See here for a comprehensive list of default data types captured when using our Software Development Kits (SDKs).
Other Resources:
For concerns around data privacy within Zendesk services, refer to our Security page, Trust Center, In-Product Cookie Policy, and our Main Services Agreement.
Edited Apr 16, 2024 · Bogdan Gagea