Legal Information and Resources
Last Modified: May 17 2018
Zendesk, Inc. (“Zendesk”) uses certain subprocessors (including members of the Zendesk Group and third parties, as listed below), subcontractors and content delivery networks to assist it in providing Zendesk Connect as described in the Subscription Service Agreement (“SSA”). Defined terms used herein shall have the same meaning as defined in the SSA. For all other Zendesk Services, please see the general Zendesk Subprocessor Policy.
What is a Subprocessor:
A subprocessor is a third party data processor engaged by Zendesk, including entities from within the Zendesk Group, who has or potentially will have access to or process Service Data (which may contain Personal Data). Zendesk engages different types of subprocessors to perform various functions as explained in the tables below.
Zendesk undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data.
Zendesk requires its subprocessors to satisfy equivalent obligations as those required from Zendesk (as a Data Processor) as set forth in Zendesk’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
- process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions (as communicated in writing to the relevant subprocessor by Zendesk);
- in connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
- promptly inform Zendesk about any actual or potential security breach; and
- cooperate with Zendesk in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Zendesk’s engagement process for subprocessors as well as to provide the actual list of third party subprocessors and content delivery networks used by Zendesk as of the date of this policy (which Zendesk may use in the delivery and support of its Services).
If you are a Zendesk Connect Subscriber and wish to enter into our DPA, please email us at email@example.com. In your email, please state that you are a Zendesk Connect Subscriber.
Process to Engage New Subprocessors:
For all Subscribers who have executed Zendesk’s standard DPA, Zendesk will provide notice via this policy of updates to the list of subprocessors that are utilized or which Zendesk proposes to utilize to deliver its Services. Zendesk undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of subprocessing associated with the Zendesk Services.
Pursuant to the DPA, a Subscriber can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days following the updating of this policy and shall describe its legitimate reasons to object. If Subscriber does not object during such time period the new subprocessor(s) shall be deemed accepted.
If a Subscriber objects to the use of a new subprocessor pursuant to the process provided under the DPA, Zendesk shall have the right to cure the objection through one of the following options (to be selected at Zendesk’s sole discretion):
(a) Zendesk will cease to use the new subprocessor with regard to Personal Data;
(b) Zendesk will take the corrective steps requested by Subscriber in its objection (which remove Subscriber’s objection) and proceed to use the subprocessor to process Personal Data; or
(c) Zendesk may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of Zendesk Connect that would involve use of the subprocessor to process Personal Data.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
The following is an up-to-date list (as of the date of this policy) of the names and locations of Zendesk Connect subprocessors and content delivery networks (including members of the Zendesk Group and third parties):
Infrastructure Subprocessors – Service Data Storage
Zendesk owns or controls access to the infrastructure that Zendesk uses to host Service Data submitted to the Services, other than as set forth below. Currently, the Zendesk production systems for Zendesk Connect are located in co-location facilities in the United States. Service Data may be shifted among data centers within a region to ensure performance and availability of Zendesk Connect. The following table describes the countries and legal entities engaged in the storage of Service Data by Zendesk.
|Entity Name||Entity Type||Entity Country|
|Google Inc.||Cloud Service Provider||United States|
Zendesk works with certain third parties to provide specific functionality within Zendesk Connect. These providers are the Subprocessors set forth below. In order to provide the relevant functionality these Subprocessors access Service Data.
|Entity Name||Purpose||Entity Country|
|Mailgun Technologies, Inc.||Mailgun Technologies, Inc. (“Mailgun”) is an email campaign service provider that Zendesk makes available to Subscriber’s within Zendesk Connect. Mailgun provides the default email campaign functionality with Zendesk Connect. Mailgun has access to the email addresses of the End-Users receiving the email campaign and the content of the email campaign itself.||United States|
|Mailup, Inc.||Mailup, Inc. (“Mailup”) provides the online email editor that is used within Zendesk Connect. Zendesk Connect Subscribers can use the email editor to create email campaign content. Mailup has access to all email campaign content that is created in the editor.||United States|
|Google, Inc.||Google, Inc. (“Google”) provides the ability to send web messages within Zendesk Connect. To perform this function, Google has access to the recipient contact information and the content of the web message.||Canada|
|MongoDB, Inc.||MongoDB, Inc. (“MongoDB”) provides log back ups for certain Connect Account metadata. The primary information that MongoDB has access to is Agent names, Agent email addresses and as
search query strings which may contain End-User and personal data.
|Pendo.io, Inc.||Pendo.io, Inc. (“Pendo”) is a third-party analytics provider that Zendesk uses to track how users interact with the Service. Zendesk uses this information to improve the Services. The primary information Pendo has access to is information in and associated with the Zendesk website URL that the Agent and End-User is interacting with, such as time spent on page, items clicked (including Service Data contained in those items), Agent emails, and End-User emails.||United States|
|Cloudflare, Inc.||Cloudflare, Inc. (“Cloudflare”) provides content distribution, security and DNS services for web traffic transmitted to and from the Services. This allows Zendesk to efficiently manage traffic and secure the Services. The primary information Cloudflare has access to is information in and associated with the Zendesk website URL that the End-User is interacting with (which includes End-User IP address). All information (including Service Data) contained in web traffic transmitted to and from the Services is transmitted through Cloudflare’s systems, but Cloudflare does not have access to this information.||United States|
|Metaverse Mod Squad||Metaverse Mod Squad (“Metaverse”) is a third-party service provider that assists Zendesk with the provision of customer support only and is not involved in technical operations which would include the prevention of and addressing technical or service issues. Metaverse has limited access to Subscribers’ information, including Service Data. This limited access is with the dependent on permission granted by Subscribers to Metaverse. Metaverse may have access to the following identifying information about Subscribers and End-Users for the sole purpose of dealing with Subscribers’ support requests: first and last name, email address and phone number. In addition and with Subscriber permission, this Metaverse may be provided access to Service Data for the purpose of dealing with support requests.||Ireland|
Zendesk Group Subprocessors
The following entities are members of the Zendesk Group. Accordingly, they function as subprocessors to provide Zendesk Connect.
|Zendesk, Inc.||United States|
|Zendesk International Ltd||Ireland|
|Zendesk Pty. Ltd||Australia|
|Zendesk UK Ltd||United Kingdom|
|Zendesk Singapore Pte. Ltd.||Singapore|
|Zendesk Brasil Software
|Kabushiki Kaisha Zendesk||Japan|
|We Are Cloud SAS||France|
Content Delivery Networks
As explained above, Zendesk Connect may use content delivery networks (“CDNs”) to provide Zendesk Connect, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by Zendesk Connect.
|CDN Provider||CDN Location||Description of CDN Services|
|Cloudflare||Global||Public website content served to website visitors may be stored with Cloudflare, and transmitted by Cloudflare to website visitors, to expedite transmission.|