The Zendesk Group is committed to providing a robust and comprehensive security program for Enterprise Services, including the security measures set forth in these Supplemental Terms (“Enterprise Security Measures”). During the Subscription Term, these Enterprise Security Measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as We deem reasonably necessary.
Enterprise Security Measures Utilized by Us
We will abide by these Enterprise Security Measures to protect Service Data as is reasonably necessary to provide the Enterprise Services:
1. Security Policies and Personnel. We have and will maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is and will be reviewed on a regular basis to provide for continued effectiveness and accuracy. We have, and will maintain, a full-time information security team responsible for monitoring and reviewing security infrastructure for Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
2. Data Transmission. We will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of Service Data. These safeguards include encryption of Service Data at rest and in transmission with Our user interfaces or APIs (using TLS or similar technologies) over the internet, except for any Non-Zendesk Service that does not support encryption, which You may link to through the Enterprise Services at Your election.
3. Audits and Certifications. Upon Subscriber’s request, and subject to the confidentiality obligations set forth in this Agreement, Zendesk shall make available to Subscriber that is not a competitor of Zendesk (or Subscriber’s independent, third-party auditor that is not a competitor of Zendesk) information regarding Zendesk’s compliance with the obligations set forth in this Agreement in the form of the Zendesk’s ISO 27001 certification and/or SOC 2 (under appropriate non-disclosure protections), or SOC 3 reports.
4. Incident Response. We have an incident management process for security events that may affect the confidentiality, integrity, or availability of Our systems or data that includes a response time under which Zendesk will contact its subscribers upon verification of a security incident that affects Your Service Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes 24×7 centralized monitoring systems and on-call staffing to respond to service incidents. Unless ordered otherwise by law enforcement or government agency, You will be notified within seventy-two (72) hours of a Service Data Breach. “Service Data Breach” means an unauthorized access or improper disclosure that has been verified to have affected Your Service Data.
5. Access Control and Privilege Management. We restrict administrative access to production systems to approved personnel. We require such personnel to have unique IDs and associated cryptographic keys and/or use of complex ephemeral tokens. These keys and/or tokens are used to authenticate and identify each person’s activities on Our systems, including access to Service Data. Upon hire, Our approved personnel are assigned unique ID’s and credentials. Upon termination of personnel, or where compromise of such credentials is suspected, these credentials are revoked. Access rights and levels are based on Our employees’ job function and role, using the concepts of least-privilege and need-to-know basis to match access privileges to defined responsibilities.
6. Network Management and Security. The Sub-Processors utilized by Us for hosting services maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. Our security team utilizes industry standard utilities to provide defense against known common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular external vulnerability scans and audits.
7. Data Center Environment and Physical Security. The Sub-Processors’ environments which are utilized by Us for hosting services in connection with Our provision of the Enterprise Services employ the following security measures:
- A security organization responsible for physical security functions 24x7x365.
- Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.
- N+1 uninterruptible power supply and HVAC systems, backup power generator architecture and advanced fire suppression.
Technical and Organizational Enterprise Security Measures for Third-Party Service Providers Who Process Service Data
Any third-party service providers that are utilized by the Zendesk Group will only be given access to Your Account and Service Data as is reasonably necessary to provide the Enterprise Services. Zendesk maintains a vendor security review program which assesses and manages any potential risks involved in using these third-party service providers who have access to Service Data and such third-party service providers will be subject to, among the other requirements in the Master Subscription Agreement, their implementing and maintaining compliance with the following appropriate technical and organizational security measures:
1. Physical Access Controls. Third-party service providers shall take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to data processing systems in which Service Data is Processed.
2. System Access Controls. Third-party service providers shall take reasonable measures to prevent data processing systems from being used without authorization. These controls shall vary based on the nature of Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
3. Data Access Controls. Third-party service providers shall take reasonable measures to provide that Service Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access Service Data only have access to Service Data to which they have the privilege of access; and, that Service Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
4. Transmission Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Service Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
5. Input Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed; and, any transfer of Service Data to a third-party service provider is made via a secure transmission.
6. Data Protection. Third-party service providers shall take reasonable measures to provide that Service Data is secured to protect against accidental destruction or loss.
7. Logical Separation. Third-party service providers shall logically segregate Service Data from the data of other parties on its systems to ensure that Service Data may be Processed separately.
These terms were last updated on December 1, 2020.