EU-US data transfers after Schrems II

By Shanti Ariker, SVP, General Counsel and Maarten Van Horenbeeck, SVP & Chief Information Security Officer

Published February 1, 2022
Last updated February 1, 2022

Here at Zendesk, we believe that trust is at the core of all our interactions with our customers. We recognize the importance of customer trust and of customers’ privacy and the security of their data. Global privacy regulations are evolving at a rapid pace and we are focused on providing the tools our customers need to enable compliance. As a customer, it’s important to understand how vendors use and secure your data. That is why we strive to be transparent about Service Data processed by our products and services, whether there is an international transfer of data, and what risks are associated with the type of data or processing concerned. Since the Schrems II decision in July of 2020, regarding the legality of transatlantic data transfers, we have taken the following steps to enable cross-border transfers of personal data in accordance with EU privacy requirements:

Binding corporate rules and Standard contractual clauses

We provide EU Binding Corporate Rules (“BCR”) for both Controller and Processor, considered the “gold standard” for international data transfers. BCRs are company-wide data protection policies that have been approved for data transfers by our Data Protection Authority. We provide a Data Processing Agreement (DPA), which incorporates our EU BCRs and the new June 2021 Standard Contractual Clauses (SCCs). Our DPA also provides additional safeguards to Annex II of the new DPA/SCCs and provides details on our system access controls, data access controls, transmission controls, and network architecture and security.

Transfer impact assessment guide

We also provide a Transfer Impact Assessment Guide to help you understand your transfers and complete the required case-by-case privacy impact assessment and analysis (upon request).

Transparency Report

When it comes to government surveillance, we believe that law enforcement and national security agencies should engage customers first, rather than service providers. We have received very few law enforcement requests over the years, as detailed in our transparency report, which we update every six months. We have not and will not build any backdoors to allow government authorities to circumvent our security measures.

Certifications

We regularly undergo self-assessment and independent, external testing and certification. Our security certifications from third-party auditors include SOC 2 Type II, ISO 27001:2013, and ISO 27018:2014.

Regional data hosting options

We also offer a way to store your data on a regional basis. You have the option to have your service data for select covered functionality hosted in the United States, European Economic Area (EEA), Japan (JP), or Australia (AU). A full description of which services can be hosted in your chosen region is located in our regional data hosting policy page.

Looking ahead: Zendesk’s roadmap for future trust features

In this rapidly changing regulatory environment, we are committing to building additional features to provide an enhanced level of protection for our customers. During 2022, Zendesk is working on the following privacy and data protection features to support customers:

  • Bring your own key (BYOK) encryption that will give customers the ability to encrypt their service data using their own enterprise key management system
  • Data Center Location support for all Agent Workspace features
  • Improved data deletion, access control and auditing features on customer data
  • An offering to provide EU-only based customer support, to limit the location of customer advocates with access to your service data

Zendesk is committed to supporting our customers in navigating new data protection and privacy regulations. We are encouraged by the ongoing discussions between the European Commission and the United States government to build a new framework for Europeans’ personal data that is transferred to the United States.

Have questions? Please contact your Zendesk account executive or our privacy team at euprivacy@zendesk.com.

For more information on our privacy and security program, please see the below resources:

  • Schrems II - Frequently Asked Questions (FAQ) guide
  • Data processing addendum with new SCCs
  • Regional data hosting policy
  • Transparency report
  • How we protect your service data
  • Information on U.S. Privacy Safeguards White Paper by the U.S. Dept. of Commerce