The Zendesk Group is committed to providing a robust and comprehensive security program for Innovation Services, including the security measures set forth in these Supplemental Terms (“Innovation Security Measures”). During the Subscription Term, these Innovation Security Measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as We deem reasonably necessary. The Enterprise Security Measures and any security provisions negotiated prior to December 2, 2019 do not apply to Innovation Services.
Innovation Security Measures Utilized by Us
We will abide by these Innovation Security Measures to protect Service Data as is reasonably necessary to provide the Innovation Services:
1. Security Policies and Personnel. We have and will maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. We have, and will maintain, a full-time information security team responsible for safeguarding Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
2. Data Transmission. We will maintain commercially reasonable administrative, physical and technical safeguards to protect the availability, confidentiality and integrity of Service Data.
3. Incident Response. We have an incident management process for security events that may affect the confidentiality, integrity, or availability of Our systems or data that includes a response time under which Zendesk will contact its subscribers upon verification of a security incident that affects Your Service Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Unless ordered otherwise by law enforcement or government agency, You will be notified within seventy-two (72) hours of a Service Data Breach. “Service Data Breach” means an unauthorized access or improper disclosure that has been verified to have affected Your Service Data.
4. Access Control and Privilege Management. We restrict administrative access to production systems to approved personnel.
5. Network Management and Security. The data centers utilized by Us maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth. Our security team utilizes industry standard tools and methods to provide defense against known common unauthorized network activity and undertakes regular external vulnerability scans.
6. Data Center Environment and Physical Security. The data center environments which are utilized by Us in connection with Our provision of the Innovation Services employ the following security measures:
- A security organization responsible for physical security functions.
- Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.
Technical and Organizational Innovation Security Measures for Third-Party Service Providers
Zendesk may use third-party service providers during the provisioning of the Innovation Services, and may give those service providers access to Your Account and Service Data as is reasonably necessary to provide the Innovation Services. Zendesk maintains a vendor security review program which assesses and manages any potential risks involved in using these third-party service providers who have access to Service Data.
Third-party service providers which are used for long-term hosting of Service Data (identified as Infrastructure Sub-processors here) will be subject to, among the other requirements in the Master Subscription Agreement, their implementing and maintaining compliance with the following appropriate technical and organizational security measures:
1. Physical Access Controls. Third-party service providers shall take reasonable measures to prevent unauthorized persons from gaining physical access to data processing systems in which Service Data is Processed.
2. System Access Controls. Third-party service providers shall take reasonable measures to prevent data processing systems from being used without authorization.
3. Data Access Controls. Third-party service providers shall take reasonable measures to provide that Service Data is accessible and manageable only by properly authorized staff.
4. Transmission Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Service Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
5. Input Controls. Third-party service providers shall take reasonable measures designed to ensure that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed; and, any transfer of Service Data to a third-party service provider is made via a secure transmission.
6. Logical Separation. Third-party service providers shall logically segregate Service Data from the data of other parties on its systems to ensure that Service Data may be Processed separately.
Innovation Service Specific Sub-processors
Third-party service providers which incidentally have access to Your Service Data in Innovation Services, but are used to provide specific features or components of the product outside of the core hosting of Service Data (“Innovation Service Specific Sub-processors”) are regularly reviewed by Zendesk to ensure they work towards implementing each of the standards applicable to Infrastructure Sub-processors. A list of these third-party service providers can be found here and are the providers designated as Innovation Service Specific Sub-Processors.
These terms were last updated on June 2, 2020.