Zendesk data privacy and security — SOC 2, HIPAA, GDPR compliance details
Customer Service Platforms

Zendesk data privacy and security — SOC 2, HIPAA, GDPR compliance details

12 min read

Modern support teams evaluating Zendesk need clear, trustworthy information about how customer data is protected and how the platform aligns with key regulations like SOC 2, HIPAA, and GDPR. This guide breaks down Zendesk data privacy and security controls, certification coverage, and practical steps you may need to take to configure Zendesk in a compliant way.

Important: Always confirm the latest details in Zendesk’s official Trust Center, documentation, or with your legal/compliance team. Certifications, sub-processors, and product scope can change over time.

Overview of Zendesk data privacy and security

Zendesk is a cloud-based customer service platform used for ticketing, messaging, knowledge bases, and customer engagement. Because it processes sensitive customer information, Zendesk invests heavily in:

  • Security controls (access management, encryption, monitoring, incident response)
  • Compliance frameworks and attestations (SOC, ISO, etc.)
  • Data privacy and governance aligned with regulations like GDPR
  • Optional features and agreements for regulated data (e.g., HIPAA BAA)

Security and privacy responsibilities are shared between Zendesk (as a SaaS provider) and you as the customer (how you configure, use, and integrate the system). Understanding that shared responsibility model is key to staying compliant.

Zendesk and SOC 2 compliance

What SOC 2 is

SOC 2 (System and Organization Controls 2) is an independent attestation based on the AICPA Trust Services Criteria, covering:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Zendesk’s SOC 2 report is designed to give you assurance that the company has designed and operates effective controls around customer data.

Type of SOC 2 report

Zendesk typically maintains:

  • SOC 2 Type II: Evaluates both the design and operating effectiveness of controls over a defined period (e.g., 12 months), not just a point in time.

This is more valuable than Type I for most enterprise security reviews because it shows how controls perform over time.

Scope of Zendesk’s SOC 2

You should verify the exact system boundaries in the current SOC 2 report, but common areas covered include:

  • Core Zendesk services (e.g., Support, Guide, Chat, Talk, messaging)
  • Data centers and hosting environments used by Zendesk (often via cloud providers)
  • Information security management processes
  • Change management and deployment workflows
  • Monitoring, logging, and incident response operations

Be sure to check whether all Zendesk products and add-ons you use are explicitly listed in the report scope, especially newer products or acquisitions.

How to access Zendesk’s SOC 2 report

Zendesk typically makes SOC reports available under NDA to existing or serious prospective customers via:

  • The Zendesk Trust Center / Security portal
  • Your Zendesk account representative or sales contact
  • A signed non-disclosure agreement (NDA) or equivalent

Your security or procurement team can request:

  • The SOC 2 Type II report
  • A bridge letter if your audit timeline overlaps report periods
  • Additional certifications (ISO 27001, etc.) for your vendor risk management process

Zendesk and HIPAA compliance

Is Zendesk HIPAA compliant?

Zendesk can be used in a HIPAA-eligible way, but it is not automatically HIPAA-compliant by default for all use cases. For HIPAA, you must confirm:

  1. Business Associate Agreement (BAA)
    Zendesk offers a BAA to eligible customers. Without a signed BAA, you should assume Zendesk is not authorized to serve as a Business Associate for Protected Health Information (PHI).

  2. Covered services
    The BAA only covers certain Zendesk products and configurations. Not every feature, integration, or add-on is automatically HIPAA-eligible.

You are responsible for:

  • Avoiding PHI in any Zendesk product not covered under your BAA
  • Configuring security controls in line with HIPAA requirements
  • Training staff and managing access according to your policies

Typical HIPAA-related controls in Zendesk

While specifics may vary, HIPAA-relevant features commonly include:

  • Encryption

    • Encryption in transit (TLS/HTTPS) for data between clients and Zendesk
    • Encryption at rest for stored data in databases and backups (in supported regions)

  • Access management

    • Role-based access control (RBAC)
    • SSO and SAML-based authentication
    • Multi-factor authentication (MFA) for agents and admins
    • IP restrictions (on some plans)

  • Audit logging

    • Logging of agent and admin activity
    • Ticket access and changes
    • Configuration updates and login history

  • Data retention and export

    • Ability to retain or delete tickets and attachments according to your policies
    • Exports for archiving or legal retention requirements

  • Business continuity and disaster recovery

    • Redundancy, backups, and recovery procedures to support availability of PHI

Configuring Zendesk for HIPAA

If you plan to store PHI in Zendesk:

  1. Sign a BAA with Zendesk

    • Confirm which Zendesk products and environments are covered
    • Ensure your internal legal/compliance team reviews the BAA

  2. Limit where PHI appears

    • Avoid PHI in free-text fields if possible
    • Use field-level controls and macros to minimize over-disclosure
    • Control PHI in attachments (e.g., medical reports, IDs)

  3. Harden access controls

    • Enforce SSO and MFA
    • Use least-privilege roles for agents
    • Terminate access promptly when employees change roles or leave

  4. Enable logging and monitoring

    • Monitor login and access logs for anomalous behavior
    • Use internal SIEM or alerting where possible

  5. Train staff

    • Educate agents on what constitutes PHI
    • Clarify how to handle PHI in tickets and comments
    • Establish clear escalation paths for potential breaches

Zendesk and GDPR compliance

Zendesk’s role under GDPR

Under the EU General Data Protection Regulation (GDPR):

  • You (the customer) are typically the Data Controller for end-customer data.
  • Zendesk is typically the Data Processor, processing personal data on your behalf.

Zendesk implements privacy and security measures to support GDPR compliance, but you retain responsibility for:

  • Choosing a lawful basis for processing
  • Providing proper notices and consent
  • Responding to data subject rights
  • Configuring Zendesk to align with your policies

Data processing agreements (DPA) and SCCs

Zendesk provides:

  • A Data Processing Agreement (DPA) aligning with GDPR requirements
  • Standard Contractual Clauses (SCCs) or equivalent mechanisms for data transfers from the EEA/UK to countries without an adequacy decision

You should:

  • Review and sign the DPA as part of your contract or master services agreement
  • Confirm annexes describing:
    • Categories of data
    • Data subjects
    • Processing purposes
    • Sub-processors

Data residency and sub-processors

Key GDPR-related topics with Zendesk:

  1. Data centers and data localization

    • Zendesk provides data hosting in multiple regions (e.g., EU, US) depending on plan and product
    • Some features or logs may still be processed outside your primary region; always check documentation

  2. Sub-processors

    • Zendesk uses sub-processors (e.g., cloud hosting, analytics, messaging infrastructure)
    • A public list is usually available on Zendesk’s website or Trust Center
    • You should monitor changes to the sub-processor list and exercise your notification/objection rights where applicable

  3. Cross-border data transfers

    • Zendesk relies on mechanisms such as SCCs or other approved transfer tools
    • Your Data Protection Officer (DPO) or privacy counsel should evaluate whether these meet your transfer risk requirements

Data subject rights in Zendesk

Zendesk provides tools and APIs to help you fulfill GDPR data subject rights, including:

  • Right of access
    Export tickets, user profiles, and related data for a specific data subject (e.g., by email or user ID).

  • Right to rectification
    Update or correct customer details in user profiles and ticket fields.

  • Right to erasure (“right to be forgotten”)

    • Delete user profiles
    • Anonymize ticket content where required
    • Consider ticket deletions or redactions via API or native tools

  • Right to restriction and objection

    • Adjust marketing and communication preferences through integrations
    • Limit which Zendesk tools process certain data

  • Data portability
    Export data in common formats (CSV, JSON) through native export tools or APIs.

To operationalize this:

  • Define an internal Data Subject Request (DSR) process
  • Use consistent identifiers (e.g., email) so you can reliably pull all associated data
  • Document how Zendesk fits into your overall data map and DSR workflow

Core Zendesk security controls

Zendesk supports SOC 2, HIPAA, and GDPR requirements through a layered security program. While you should validate specifics in official documentation, common controls include:

1. Access control and authentication

  • Role-based access control (RBAC) for agents and admins
  • Granular permissions for tickets, views, and admin settings
  • SSO and SAML-based authentication with identity providers (IdPs)
  • Optional MFA for user accounts
  • Session management and timeouts
  • IP restrictions on higher-tier plans

2. Encryption

  • In transit:

    • TLS/HTTPS for all communication between clients and Zendesk
    • Secure protocols for APIs and integrations

  • At rest:

    • Encryption of databases, storage, and backups in supported regions
    • Key management governed by standard industry practices (e.g., via cloud KMS)

3. Network and infrastructure security

  • Segmented environments for production, staging, and development
  • Firewalls and access control lists
  • Intrusion detection and prevention capabilities
  • DDoS mitigation tools at the network and application level
  • Regular vulnerability scanning and patch management

4. Application security

  • Secure development lifecycle (SDLC) practices:
    • Code reviews
    • Static and dynamic application security testing (SAST/DAST)
    • Dependency and library management
  • Bug bounty or responsible disclosure programs
  • Protection against common vulnerabilities (e.g., XSS, CSRF, SQL injection)

5. Monitoring, logging, and incident response

  • Centralized logging of system activity and access events
  • Security information and event management (SIEM) tools
  • Defined incident response plans with:
    • Detection
    • Containment
    • Eradication
    • Recovery
    • Post-incident review
  • Breach notification processes aligned with regulatory timelines

6. Business continuity and disaster recovery

  • Redundant infrastructure and failover capabilities
  • Regular backups and backup integrity checks
  • Documented recovery time objectives (RTO) and recovery point objectives (RPO)
  • Periodic disaster recovery tests

7. Organizational security and training

  • Background checks for employees where legally permitted
  • Role-based security and privacy training
  • Policies for acceptable use, data handling, and incident escalation
  • Physical security for office locations and data centers (if applicable)

Data privacy practices beyond compliance labels

Compliance frameworks (SOC 2, HIPAA, GDPR) are important, but day-to-day privacy posture also depends on how Zendesk handles data in practice.

Data minimization and purpose limitation

  • Zendesk collects and stores only the data necessary to provide services and support
  • Additional data processing (e.g., analytics, product improvement) is described in privacy notices and DPAs
  • Customers can configure custom fields and decide what to collect from end users

Data retention and deletion

  • Zendesk allows customers to:
    • Define ticket retention periods (where supported)
    • Delete or anonymize tickets and users
    • Manage attachment retention according to policy
  • Backups and archived data are handled according to Zendesk’s retention schedules

You should:

  • Align Zendesk configurations with your corporate retention policies
  • Consider separate retention rules for general inquiries vs. sensitive/regulated cases

Privacy by design and default

Zendesk’s product and engineering teams apply privacy by design principles, typically including:

  • Privacy reviews for new features
  • Default configurations favoring minimal exposure (e.g., restricted agent access)
  • Tools to implement consent and preference management via integrations

Customer responsibilities: making Zendesk compliant for your use case

Even with strong built-in controls, compliance is never “set and forget.” You are responsible for configuring Zendesk and using it in line with your regulatory obligations.

1. Perform a data protection impact assessment (DPIA) if needed

For GDPR or other stringent privacy laws:

  • Map what data you will store in Zendesk
  • Identify special categories (health data, financial data, minors’ data)
  • Evaluate risks and mitigations (access controls, data minimization, encryption)
  • Document Zendesk as a processor in your DPIA

2. Configure least-privilege access

  • Use roles and groups to ensure agents only see relevant tickets and data
  • Limit admin rights to a small, trusted group
  • Regularly review access lists and deactivate dormant accounts

3. Standardize how sensitive data is handled

  • Create internal policies: what can/cannot be entered into Zendesk
  • Use macros and ticket templates that avoid unnecessary sensitive data
  • Consider redaction or masking tools for credit card numbers, IDs, or PHI

4. Integrate with your identity and security stack

  • Use SSO and your IdP for central access management
  • Integrate logs with your SIEM where available
  • Align Zendesk session policies with your corporate security baseline

5. Maintain documentation and evidence

For audits and vendor risk reviews:

  • Keep copies of Zendesk SOC reports, ISO certifications, and penetration test summaries if provided
  • Store a signed DPA, BAA, and main service agreement
  • Document your Zendesk configuration choices and security controls

Frequently asked questions about Zendesk data privacy and security

Is Zendesk SOC 2 certified?

Zendesk maintains SOC 2 Type II attestation for its core services. The full, current report is available under NDA and details the scope, controls, and testing results. Always check the latest report via Zendesk’s Trust Center or your account representative.

Is Zendesk HIPAA compliant and can it handle PHI?

Yes, Zendesk can be used in a HIPAA-aligned way when:

  • You have a signed Business Associate Agreement (BAA) with Zendesk.
  • You restrict PHI to covered services and configurations.
  • You implement appropriate access and monitoring controls on your side.

Without a BAA, you should not store PHI in Zendesk.

Is Zendesk GDPR compliant?

Zendesk structures its platform to support GDPR compliance by:

  • Acting as a Data Processor for customer data
  • Offering a GDPR-compliant Data Processing Agreement (DPA)
  • Implementing SCCs or equivalent for international data transfers
  • Providing tools and APIs to help you handle data subject rights

You must still configure Zendesk properly and meet your own obligations as a Data Controller.

Where does Zendesk store my data?

Zendesk hosts data in several regions (e.g., EU, US), depending on your subscription and configuration. Some processing or backups may involve additional regions or sub-processors. You should:

  • Review Zendesk’s documentation on data hosting and residency
  • Confirm applicable regions during contract and onboarding
  • Monitor the published list of sub-processors

Key takeaways

  • Zendesk implements robust security controls and holds reputable attestations like SOC 2 Type II, supporting enterprise trust in its platform.
  • For HIPAA, you must obtain and adhere to a Business Associate Agreement (BAA) and configure Zendesk carefully before storing PHI.
  • For GDPR, Zendesk acts as a Data Processor, provides a DPA and international transfer mechanisms, and offers tools to help you manage data subject rights.
  • Compliance is a shared responsibility: Zendesk provides the secure infrastructure and features, while you must configure, govern, and use the platform in line with your organization’s policies and regulatory requirements.

For the most current, system-specific details about Zendesk data privacy and security, consult Zendesk’s official Trust Center, DPA/BAA documentation, and your internal legal and security teams.

Back to Customer Service Platforms

Keep Reading

More from Customer Service Platforms

How to migrate from Salesforce Service Cloud to Zendesk

Read more

Zendesk training and certification — Zendesk Admin and Agent training resources

Read more

How to set up Zendesk AI Agents for automated customer resolution

Read more