Skip to main content

Article 3 min read

EU-US data transfers after Schrems II

By Shanti Ariker, SVP, General Counsel and Maarten Van Horenbeeck, SVP & Chief Information Security Officer

Last updated November 10, 2022

Here at Zendesk, we believe that trust is at the core of all our interactions with our customers. We recognize the importance of customer trust and of customers’ privacy and the security of their data. Global privacy regulations are evolving at a rapid pace and we are focused on providing the tools our customers need to enable compliance. As a customer, it’s important to understand how vendors use and secure your data. That is why we strive to be transparent about Service Data processed by our products and services, whether there is an international transfer of data, and what risks are associated with the type of data or processing concerned. Since the Schrems II decision in July of 2020, regarding the legality of transatlantic data transfers, we have taken the following steps to enable cross-border transfers of personal data in accordance with EU privacy requirements:

Binding corporate rules and Standard contractual clauses

We provide EU Binding Corporate Rules (“BCR”) for both Controller and Processor, considered the “gold standard” for international data transfers. BCRs are company-wide data protection policies that have been approved for data transfers by our Data Protection Authority. We provide a Data Processing Agreement (DPA), which incorporates our EU BCRs and the new June 2021 Standard Contractual Clauses (SCCs). Our DPA also provides additional safeguards to Annex II of the new DPA/SCCs and provides details on our system access controls, data access controls, transmission controls, and network architecture and security.

Transfer impact assessment guide

We also provide a Transfer Impact Assessment Guide to assist you with knowing your transfers and enabling you to complete the required case-by-case privacy impact assessment and analysis (upon request).

Transparency Report

When it comes to government surveillance, we believe that law enforcement and national security agencies should engage customers first, rather than service providers. We have received very few law enforcement requests over the years, as detailed in our transparency report, which we update every six months. We have not and will not build any backdoors to allow government authorities to circumvent our security measures.

Certifications

We regularly undergo self-assessment and independent, external testing and certification. Our security certifications from third-party auditors include SOC 2 Type II, ISO 27001:2013, and ISO 27018:2014.

Regional data hosting options

We also offer a way to store your data on a regional basis. You have the option to have your service data for select covered functionality hosted in the United States, European Economic Area (EEA), Japan (JP), or Australia (AU). A full description of which services can be hosted in your chosen region is located in our regional data hosting policy page.

Looking ahead Zendesk’s roadmap for future trust features

In this rapidly changing regulatory environment, we are committing to building additional features to provide an enhanced level of protection for our customers. During 2022, Zendesk is working on the following privacy and data protection features to support customers:

  • Bring your own key (BYOK) encryption that will give customers the ability to encrypt their service data using their own enterprise key management system
  • Data Center Location support for all Agent Workspace features
  • Improved data deletion, access control and auditing features on customer data
  • An offering to provide EU-only based customer support, to limit the location of customer advocates with access to your service data

Zendesk is committed to supporting our customers in navigating new data protection and privacy regulations. We are encouraged by the ongoing discussions between the European Commission and the United States government to build a new framework for Europeans’ personal data that is transferred to the United States. Have questions? Please contact your Zendesk account executive or our privacy team at euprivacy@zendesk.com.
For more information on our privacy and security program, please see the below resources:
Schrems II – Frequently Asked Questions (FAQ) guide
Data processing addendum with new SCCs
Regional data hosting policy
Transparency report
How we protect your service data
Information on U.S. Privacy Safeguards White Paper by the U.S. Dept. of Commerce

Related stories

Article
8 min read

Workforce optimisation: The ultimate guide for 2024

Workforce optimisation makes processes more efficient and employees more productive – and gives more flexibility to your bottom line. Learn more about it below.

Article
3 min read

The AI-powered future of CX and EX is here – let us be your guide

The Zendesk Relate event is coming to Las Vegas from 16 to 18 April – you’ll see inspiring speakers, gain knowledge to take home and obtain best practice you can implement.

Article
5 min read

Tech for good: How AI is empowering survivors of domestic violence

The fear of speaking out and asking for help is immense, and real, especially for the…

Article
4 min read

The role of artificial intelligence in enhancing the festive season shopping experience in the UK

It’s no secret that the festive holidays are one of the busiest times for most retailers…