Zendesk Security

More than 140,000 customers trust Zendesk with their data, and this responsibility is something we take very seriously! We combine enterprise-class security features with comprehensive audits of our applications, systems and networks to ensure customer and business data is always protected. And our customers rest easy knowing their information is safe, their interactions are secure, and their businesses are protected.

Data Centre & Network Security

Physical Security
Facilities Zendesk hosts Service Data in AWS data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1 and/or SOC 2 compliant.

AWS infrastructure services include back-up power, HVAC systems and fire suppression equipment to help protect servers and ultimately your data.
On-site Security AWS on-site security includes a number of features such as security guards, fencing, security video feeds, intrusion detection technology and other security measures. Learn more about AWS physical security.
Monitoring All Production Network systems, networked devices and circuits are constantly monitored and logically administered by Zendesk staff. Physical security, power and internet connectivity are monitored by AWS.
Location Zendesk leverages AWS data centres in the United States, Europe and Asia Pacific. Customers can choose to locate their Service Data in the US only or Europe only* (Zendesk Chat is Europe only at present). Learn more about our regional data hosting options.

*Only available with Data Centre Location Add-on
Network Security
Dedicated Security Team Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.
Protection Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies which monitor and/or block malicious traffic and network attacks.
Architecture Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are used between the Internet and internal systems, and internally between the different zones of trust.
Network Vulnerability Scanning Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests In addition to our extensive internal scanning and testing programme, each year Zendesk employs third-party security experts to perform a broad penetration test across the Zendesk Production Network.
Security Information and Event Management (SIEM) Our SIEM system gathers extensive logs from important network devices and host systems. The SIEM raises alerts based on correlated events, which notify the Security team for investigation and response.
Intrusion Detection and Prevention Service ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems are configured to generate alerts when incident counts or monitored values exceed predetermined thresholds, and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program Zendesk participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on our risk and exposure.
DDoS Mitigation Zendesk has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defences, while AWS scaling and protection tools, together with AWS DDoS-specific services, provide deeper protection.
Logical Access Access to the Zendesk Production Network is restricted on an explicit need-to-know basis, follows least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Zendesk Production Network are required to use multiple factors of authentication.
Security Incident Response In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption
Encryption in Transit Communications between you and Zendesk Support and Chat servers are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails.
Encryption at Rest Customers of Zendesk benefit from the protections of encryption at rest for their data. Service Data is encrypted at rest in AWS using AES-256 encryption.
Availability & Continuity
Uptime Zendesk maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history and relevant security events.
Redundancy Zendesk employs service clustering and network redundancies to eliminate single points of failure. Our strict back-up regime and/or our Enhanced Disaster Recovery service allow us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster Recovery Our Disaster Recovery (DR) programme ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Enhanced Disaster Recovery The Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritise operations of Enhanced Disaster Recovery customers during any declared disaster event.

*Only available with Advanced Security Add-on

Application Security

Secure Development (SDLC)
Security Training At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors and Zendesk security controls.
Ruby on Rails Framework Security Controls Most Zendesk products utilise Ruby on Rails framework security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
QA Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Separate Environments Testing and staging environments are logically separated from the Production environment. No actual Service Data is used in development or test environments.
Application Vulnerabilities
Dynamic Vulnerability Scanning We employ qualified third-party security tooling to continuously run dynamic scans of our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Static Code Analysis The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.
Security Penetration Testing In addition to our extensive internal scanning and testing programme, each quarter Zendesk employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Responsible Disclosure / Bug Bounty Programme Our Responsible Disclosure Programme gives security researchers, as well as customers, an avenue for safely testing and notifying Zendesk of security vulnerabilities through our partnership with HackerOne.

Product Security Features

Authentication Security
Authentication Options For admins/agents in Support and Chat, we offer Zendesk sign-in. For Zendesk Support, you may also enable SSO and Google Authentication. For end-users in Support and Chat, we support Zendesk sign-in. For Zendesk Support, you may also enable SSO and social media SSO (Facebook, Twitter, Google) for end-user authentication.
Single sign-on (SSO) Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional log-in credentials for your Zendesk Support instance. Both JSON Web Token (JWT) and Security Assertion Markup Language (SAML) are supported. Learn more about security and sign-in settings.

*SAML is only available for Professional and Enterprise accounts
*JWT is only available for Team accounts and above
Configurable Password Policy Zendesk Support/Guide provides the following levels of password security: low, medium and high. You can also set customised password rules for agents and admins. Zendesk also allows different password security levels to apply to end users versus agents and admins. Only admins can change the password security level. *Applies to Professional and Enterprise accounts.
Two-factor authentication (2FA) If you are using Zendesk sign-in on your Zendesk Support instance, you can turn on two-factor authentication (2FA) for agents and admins. Zendesk supports SMS and numerous authenticator apps for generating passcodes. You may also choose to leverage 2FA in your own environment when using enterprise SSO as your authentication method for Zendesk. 2FA provides another layer of security to your Zendesk account, making it more challenging for somebody else to sign in as you. Learn more about 2FA.
Secure Credential Storage Zendesk follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
API Security & Authentication The Zendesk Support API is TLS only. You can authenticate to the API using either basic authentication with your username and password, or with a username and API token. OAuth authentication is also supported. Learn more about API security.
Additional Product Security Features
Role-Based Access Controls Access to data within Zendesk applications is governed by role-based access control (RBAC), and can be configured to define granular access privileges. Zendesk has various permission levels for users (owner, admin, agent, end user etc.). Learn more about Support user roles and user access and security.
IP Restrictions Zendesk Support and Chat can be configured to only allow access from specific IP address ranges you define. These restrictions can be applied to all users or only to your agents. Learn more about using IP restrictions.

*Only available for Enterprise Support accounts and Chat Enterprise
Private Attachments In Zendesk Support, you can configure your instance to require users to sign in to view ticket attachments. If not configured, the attachments are accessible via a URL containing a long and random token.
Transmission Security All communications with Zendesk UIs and APIs are encrypted using industry-standard HTTPS/TLS over public networks. This ensures that all traffic between you and Zendesk is secure during transit. For email, our product also uses opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
Email Signing (DKIM/DMARC) Zendesk Support offers DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails from Zendesk when you have set up an external email domain on your Zendesk. Using an email service that supports these features allows you to stop email spoofing. Learn more about digitally signing your email.
Device Tracking For added security, your Zendesk Support instance tracks the devices used to sign in to each user account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow up if the activity seems suspicious. Suspicious sessions can be terminated from the agent UI.
Redacting Sensitive Data Redaction for Zendesk Support and Chat provides the ability to redact or remove sensitive data in ticket comments, customised fields, and Chats so that you can protect confidential information. The data is redacted from tickets to prevent sensitive information from being stored in Zendesk. Learn more about securing sensitive data.

*Only available for Enterprise accounts
Spam Filter for Help Centre Zendesk Support offers a spam filtering service which prevents end-user spam posts from being published on your Help Centre or Web Portal. Learn more about filtering spam in Help Center.

Compliance Certifications and Memberships

Security Compliance
SOC 2 Type II We have a SOC 2 Type II report, available on request and under NDA. For more information contact security@zendesk.com.
ISO 27001:2013 Zendesk is ISO 27001:2013 certified. The certificate is available for download here.
ISO 27018:2014 Zendesk is ISO 27018:2014 certified. The certificate is available for download here.
Memberships
Skyhigh Enterprise-Ready Zendesk received the Skyhigh Enterprise-Ready™ seal, the highest rating in the CloudTrust™ programme. It is bestowed on cloud services that fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices and legal protection.
Cloud Security Alliance Zendesk is a member of the Cloud Security Alliance (CSA), a not-for-profit organisation with a mission to promote the use of best practices for providing security assurance within cloud computing. CSA has launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. We've completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment.
Privacy Certifications
TRUSTe® Privacy Certification Programmes Zendesk has demonstrated that our privacy programmes, policies and practices meet the requirements of the EU-US Privacy Shield and/or Swiss-US Privacy Shield. Zendesk has self-certified its participation in Privacy Shield with the US Department of Commerce at https://www.privacyshield.gov/list. TRUSTe verifies Privacy Shield compliance consistent with the requirements of the Privacy Shield Supplemental Principle on Verification.
EU-US and Swiss-US Privacy Shield Certification Zendesk has certified compliance with the EU-US and Swiss-US Privacy Shield frameworks to the US Department of Commerce and has been added to the Department of Commerce list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.
Privacy Policy Learn more about privacy at Zendesk
Industry-Based Compliance
HIPAA We help customers address their HIPAA obligations by leveraging appropriate security configuration options in Zendesk products. We also make our Business Associate Agreement (BAA) available for execution by subscribers.

*BAA is only available with the purchase of the Advanced Security Add-on and only applicable to certain Zendesk products (special configuration rules apply).
Using Zendesk in a PCI Environment View our white paper on PCI compliance or learn more about our PCI compliant field for Zendesk Support.

*Enterprise account required

Additional Security Methodologies

Security Awareness
Policies Zendesk has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Zendesk information assets.
Training All new employees attend a Security Awareness Training which is given on hiring and annually thereafter. All engineers receive annual Secure Coding Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
Employee Vetting
Background Checks Zendesk performs background checks on all new employees in accordance with local laws. These checks are also required to be completed for contractors, and cleaning crews are included. The background check includes criminal, education and employment verification.
Confidentiality Agreements All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.

Downloadable security resources

If you need access to our SOC 2 report, please email us at security@zendesk.com.