
Zendesk SOC 2 Type II report and security documentation for vendor assessment
Organizations evaluating Zendesk as a vendor for customer support, CRM, or help desk operations often begin with a detailed security and compliance review. A key component of that process is obtaining the Zendesk SOC 2 Type II report and related security documentation to support your vendor assessment, third‑party risk review, or procurement process.
This guide explains what Zendesk offers from a security and compliance perspective, how to access the Zendesk SOC 2 Type II report, what other documents are available, and how to use them effectively in your vendor risk assessment.
Understanding Zendesk’s SOC 2 Type II Report
What a SOC 2 Type II report is
A SOC 2 Type II report is an independent, third‑party audit that evaluates whether a service organization’s controls are suitably designed and operated effectively over a defined period (commonly 6–12 months). Unlike a SOC 2 Type I report, which assesses control design at a single point in time, a Type II report tests operating effectiveness across the whole period. For Zendesk, this typically covers:
- Security (common criteria)
- Often additional Trust Services Criteria such as availability, confidentiality, and sometimes privacy or processing integrity depending on scope
The report includes:
- Management’s description of the system and services
- Controls in place (technical, administrative, physical)
- Auditor’s tests of those controls
- Results of testing, including any exceptions or findings
For vendor assessment teams, the SOC 2 Type II is one of the most critical documents to evaluate how Zendesk protects your data and whether its control environment meets your organization’s requirements.
How to Access Zendesk’s SOC 2 Type II Report
Zendesk treats its SOC 2 Type II report as confidential and typically provides it under NDA to existing or prospective customers. You won’t find the full report publicly indexed, but you can request it through the following channels:
1. Zendesk Security & Trust Center / Compliance Portal
Zendesk maintains a Trust & Security / Compliance portal (often called a Trust Center) where current and prospective customers can request documentation, including:
- SOC 2 Type II report
- ISO certificates
- Penetration testing summaries
- Security whitepapers
Typical steps:
- Visit Zendesk’s Trust or Security page and look for links such as “Security”, “Trust Center”, “Compliance”, or “Security Documentation”.
- Sign in or request access:
  - Existing customers may use their Zendesk credentials.
  - Prospective customers may need to submit a form with company and contact details.
- Accept NDA or confidentiality terms:
  - Some trust portals embed NDA language in the terms of use.
  - Others may send a separate NDA to sign before granting access.
- Download the SOC 2 Type II report:
  - Usually provided as a PDF.
  - Confirm the report period and issue date to ensure it is current for your assessment.
2. Request via Zendesk Account Manager or Sales
If you’re in an RFP/RFI or procurement process:
- Ask your Zendesk sales representative or account manager for:
- The latest SOC 2 Type II report
- A bridge letter (sometimes called a gap letter) if the report period ended before your assessment date; it is a management statement, not an audited document, that no material control changes occurred in the months since the period ended
- Your legal or procurement team might need to:
- Sign or confirm an NDA
- Identify who in your organization can receive and securely store the report
3. Support Ticket or Customer Success Channel
If you already have a Zendesk instance:
- Open a support ticket from your admin account and request:
- “SOC 2 Type II report for vendor assessment”
- “Security and compliance documentation for third‑party risk review”
- Provide:
- Your company name
- Your role (e.g., Security, Compliance, Procurement)
- Email address to receive secure links or documentation
Security Documentation Commonly Available from Zendesk
In addition to the SOC 2 Type II report, Zendesk typically provides a set of security and compliance documents your vendor assessment team will find useful.
1. Security Whitepaper / Security Overview
A high-level document that summarizes Zendesk’s security program, including:
- Governance and risk management
- Access control and authentication
- Data protection (encryption, key management, data segregation)
- Network and infrastructure security
- Incident response and security monitoring
- Business continuity and disaster recovery
This document is helpful as a first pass for stakeholders who don’t need the depth of the SOC report but want to understand the overall security posture.
2. Compliance Certificates and Attestations
Zendesk typically maintains various industry-standard certifications and attestations, such as:
- SOC 2 Type II (and sometimes SOC 3 for a public summary)
- ISO/IEC 27001 (information security management)
- Potentially ISO/IEC 27017 (cloud security) and ISO/IEC 27018 (protection of PII in the cloud)
- Regional or industry compliance statements (e.g., GDPR, CCPA readiness, or HIPAA for applicable products and configurations)
Ask specifically for:
- Latest ISO certificates (with issue and expiry dates)
- Scope statements showing which products, regions, and services are covered
3. Data Protection and Privacy Documentation
For legal and privacy teams, Zendesk usually provides:
- Data Processing Agreement (DPA) or Addendum:
  - Clarifies roles (controller/processor)
  - Defines subprocessors
  - Describes data handling, transfers, and retention
- Privacy Policy and product‑specific privacy documentation:
  - Details on what data is collected, how it is used, and how data subject rights are supported
- Subprocessor list:
  - Public or available via the Trust Center
  - Shows third parties Zendesk uses to process or host data, with locations
4. Penetration Testing and Vulnerability Management Summaries
Zendesk may share:
- Penetration test summary reports (performed by independent third parties)
- High-level vulnerability management processes:
- Scanning cadence
- Severity classification
- Patch timelines (e.g., SLAs for critical/high vulnerabilities)
These documents help your security team validate that Zendesk’s controls are actively tested and maintained.
5. Product‑Specific Security Documentation
Depending on which Zendesk products you use (e.g., Support, Guide, Chat, Sell, Sunshine, or Suite), you may need:
- Feature‑level security descriptions (e.g., for agent authentication, API access, SSO, OAuth)
- Encryption specifics (in transit and at rest)
- Logging and audit trail information
- Roles and permissions capabilities
Check the Zendesk Help Center and security pages for product‑specific security guides or FAQs.
What to Look for in the Zendesk SOC 2 Type II Report
Once you have the SOC 2 Type II report, your vendor assessment should focus on specific aspects relevant to your risk posture and regulatory environment.
1. Scope and Services Covered
Confirm:
- Which Zendesk services are within the audit scope:
  - Core support platform
  - Specific modules (e.g., Chat, Talk, Sell, Sunshine)
  - Infrastructure components (cloud providers, data centers)
- How subservice organizations (for example, the underlying cloud infrastructure provider) are treated: if they are carved out of the report rather than included, their controls were not tested, and you should review the subservice organization’s own SOC 2 report separately
- The time period (e.g., “January 1, 2024 to December 31, 2024”)
- The Trust Services Criteria covered:
  - Security (the common criteria, always included)
  - Availability, confidentiality, privacy, processing integrity (as applicable)
Align this scope with the Zendesk products and features your organization plans to use.
2. Control Environment and Governance
Review:
- Information security governance:
  - Security leadership roles
  - Policies and standards
  - Risk assessment processes
- Organizational structure:
  - Security team responsibilities
  - Separation of duties
Assess whether Zendesk’s governance practices align with your own policies and regulatory obligations.
3. Logical Access and Identity Management
Key areas include:
- User access provisioning and deprovisioning
- Multi‑factor authentication (MFA) for internal access
- Role‑based access and least privilege
- Periodic access reviews
- Password policies and SSO support for your users
These controls are essential to verify how Zendesk restricts access to your data internally and what capabilities you have for managing your own users within the platform.
4. Data Protection and Encryption
Review the controls that address:
- Encryption in transit (e.g., TLS for web/UI and API traffic)
- Encryption at rest (databases, backups, storage)
- Key management practices
- Data classification and handling procedures
Check whether the encryption standards meet your corporate security policy and any regulatory requirements you must follow.
5. Change Management and Software Development
Evaluate:
- Secure software development lifecycle (SSDLC) practices
- Change testing and approvals
- Separation of development, test, and production environments
- Release management processes
This will help you understand how Zendesk controls the risk associated with code changes and new features.
6. Operations, Monitoring, and Incident Response
Look for:
- Logging and monitoring of systems, networks, and applications
- Use of centralized logging / SIEM
- Incident detection and response processes
- Communication procedures and timelines in the event of an incident that affects customers
Make sure the incident response procedures align with your expectations for notification and collaboration during security events.
7. Availability, Business Continuity, and Disaster Recovery
If the report includes the availability criteria, review:
- Backup procedures
- Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)
- Data center or cloud region redundancy
- Business continuity and disaster recovery testing frequency
This helps your team assess resilience and service reliability for critical customer support operations.
8. Exceptions and Auditor’s Findings
Carefully read:
- Any control exceptions or failed tests
- Auditor commentary on impact and remediation
- Management’s response and remediation plan
- The complementary user entity controls (CUECs): the controls the report assumes you, the customer, operate on your side (such as administering your own agent accounts, authentication settings, and permissions); an exception in your own implementation of a CUEC is your risk, not Zendesk’s
Use this information to:
- Determine whether risks are acceptable
- Identify any compensating controls required on your side
- Clarify open issues with Zendesk’s security or account team
Using Zendesk’s Security Documentation in Vendor Assessment
1. Align with Your Vendor Risk Framework
Map Zendesk’s controls and documentation to your internal standards, such as:
- ISO 27001 control sets
- NIST CSF or NIST SP 800‑53
- Internal security policy requirements
- Regulatory obligations (e.g., GDPR, HIPAA, financial regulations)
You can use Zendesk’s SOC 2 control descriptions as primary evidence to satisfy many of your assessment questions.
2. Complete Security Questionnaires More Efficiently
Many organizations use:
- SIG (Standardized Information Gathering) questionnaires
- Custom vendor security questionnaires
- Cloud security questionnaires
You can streamline this process by:
- Pulling answers from Zendesk’s security whitepaper and Trust Center
- Mapping questionnaire items directly to SOC 2 controls and test results
- Referencing specific sections or pages of the SOC 2 report as evidence
3. Support Legal, Privacy, and DPA Reviews
Legal and privacy teams should use:
- SOC 2 sections on privacy and security
- The DPA, privacy policy, and subprocessor list
Key questions to answer:
- Where is data stored and processed?
- How is cross‑border data transfer handled?
- What subprocessors are involved and how are they vetted?
- How does Zendesk support data subject rights and deletion?
These details help ensure your use of Zendesk is consistent with your own privacy commitments.
4. Establish Ongoing Monitoring and Review
Vendor risk management doesn’t end at onboarding. As part of your ongoing monitoring:
- Track expiry and issuance dates for:
- SOC 2 Type II reports
- ISO certificates
- Schedule periodic reviews:
- Annually for new SOC 2 reports
- When major product changes or new features are adopted
- Subscribe to:
- Zendesk security or status notifications
- Updates to the subprocessor list
This ensures your assessment stays current as Zendesk’s environment evolves.
Common Questions About Zendesk’s SOC 2 Type II and Security Docs
Is Zendesk’s SOC 2 Type II report publicly available?
No. Due to the detailed and sensitive nature of SOC 2 reports, Zendesk restricts access to customers and serious prospects, usually under NDA. Public‑facing materials (like a SOC 3 or high-level security overview) may be available without NDA.
How current is the Zendesk SOC 2 report?
SOC 2 reports cover a specific historical period. When you receive the report:
- Check the period covered (e.g., 12‑month period ending on a certain date)
- Confirm whether a newer report is available or if a bridging letter can address gaps
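The period and bridge-letter check described in the ongoing-monitoring section and in this answer, written out as an added example; this is not part of the original page and not Zendesk’s own tooling. The report and bridge-letter dates are constructed sample values, and the 90-day bridge-letter limit and 12-month report-age limit are an assumed review policy rather than anything Zendesk publishes.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Period:
    """An attestation (report or bridge letter) and the dates (inclusive) it covers."""
    label: str
    start: date
    end: date


def covered_through(report: Period, bridges: list) -> date:
    """Return the last date covered by the report plus any bridge letters that
    chain on to it without a gap. A letter that starts more than one day after
    the previous coverage ended does not extend coverage, because the days in
    between would be covered by nothing."""
    end = report.end
    for letter in sorted(bridges, key=lambda p: p.start):
        if letter.start <= end + timedelta(days=1) and letter.end > end:
            end = letter.end
    return end


def assess_currency(report: Period, bridges: list, as_of: date,
                    max_bridge_days: int = 90, max_age_days: int = 365) -> dict:
    """Decide whether the evidence on file is current as of `as_of`.
    Thresholds are an assumed review policy: a bridge letter longer than
    `max_bridge_days` is flagged because it stands in for unaudited months, and
    a report whose period ended more than `max_age_days` ago means the next
    Type II report should already have been requested."""
    last = covered_through(report, bridges)
    gap_days = max(0, (as_of - last).days)
    findings = []
    if gap_days:
        findings.append(f"{gap_days} day(s) after {last} are covered by neither the "
                        "report nor a bridge letter; request a newer report or a bridge letter")
    long_letters = [b.label for b in bridges if (b.end - b.start).days + 1 > max_bridge_days]
    if long_letters:
        findings.append(f"bridge letter(s) exceed {max_bridge_days} days: " + ", ".join(long_letters))
    age_days = (as_of - report.end).days
    if age_days > max_age_days:
        findings.append(f"report period ended {age_days} days ago; next SOC 2 Type II report is due")
    return {"covered_through": last, "gap_days": gap_days,
            "findings": findings, "acceptable": not findings}


# Constructed sample values for illustration only (not Zendesk's actual report dates).
REPORT = Period("SOC 2 Type II FY2024", date(2024, 1, 1), date(2024, 12, 31))
BRIDGE = Period("Bridge letter Q1 2025", date(2025, 1, 1), date(2025, 3, 31))
# A letter that starts a month after the report ended leaves January uncovered.
LATE_BRIDGE = Period("Bridge letter Feb-Apr 2025", date(2025, 2, 1), date(2025, 4, 30))


def sample_assessments() -> dict:
    """Run the constructed sample against three review dates, keyed by ISO date."""
    return {as_of.isoformat(): assess_currency(REPORT, [BRIDGE], as_of)
            for as_of in (date(2025, 3, 15), date(2025, 5, 1), date(2026, 1, 15))}


if __name__ == "__main__":
    for when, result in sample_assessments().items():
        status = "OK" if result["acceptable"] else "ACTION"
        print(f"{when}: {status}; covered through {result['covered_through']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The chaining rule in covered_through is the part reviewers most often get wrong: a bridge letter only extends coverage if it picks up where the report (or the previous letter) left off, so the LATE_BRIDGE sample still leaves coverage ending at 31 December. Run the block as a script to see the three sample review dates: one current, one with a 31-day gap, and one where both a gap and an overdue report are reported.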
Can we share the SOC 2 report internally?
Typically, yes, but:
- Treat it as confidential and restricted within your organization
- Store it in a secure repository used for vendor risk documentation
- Do not redistribute it externally or post it publicly
Your NDA or terms of use for Zendesk’s Trust Center will define these rules explicitly.
What if our questionnaire asks for details not in the SOC report?
If you need additional clarity:
- Ask your Zendesk security or account contact if:
- There is a supplemental security FAQ
- They can complete specific sections of your questionnaire
- They can provide additional technical detail about certain controls
Often, Zendesk will either answer directly or point you to existing documentation that addresses your questions.
Practical Steps to Complete Your Vendor Assessment
To streamline your review of Zendesk as a vendor:
- Gather documentation:
  - SOC 2 Type II report
  - Security whitepaper or overview
  - ISO certificates and compliance statements
  - DPA and privacy documentation
  - Pen test summary (if available)
  - Product‑specific security docs for the Zendesk modules you will use
- Review the SOC 2 report:
  - Confirm scope and period
  - Validate key controls: access management, encryption, monitoring, incident response, availability
  - Note any exceptions and remediation plans
- Complete internal checklists and questionnaires:
  - Map Zendesk controls to your security framework
  - Document evidence references (SOC 2 section/page, whitepaper, or specific policy)
- Engage stakeholders:
  - Security and IT for technical controls
  - Privacy/legal for data processing and compliance
  - Procurement for contract clauses (e.g., audit rights, notification timelines)
- Define conditions of approval:
  - Any required compensating controls on your side
  - Any follow‑up questions or clarifications for Zendesk
  - Required review cadence (e.g., annual SOC 2 refresh)
By obtaining and carefully reviewing Zendesk’s SOC 2 Type II report and related security documentation, you can perform a thorough, defensible vendor assessment. These materials provide the evidence you need to evaluate Zendesk’s security posture, align controls with your internal requirements, and document your due diligence for auditors, regulators, and internal stakeholders.