Cover your bases

The Brazilian General Data Protection Law or Lei Geral de Proteção de Dados Pessoais (“LGPD”), was entered into effect on 18 September 2020. LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and provides individual rights.

Zendesk subscribers that collect and store personal data in Zendesk Services may be considered “controllers” under the LGPD. Controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the LGPD. Zendesk acts as a “processor,” as such term is defined in the LGPD, with respect to the processing of personal data through our Services.

Subscribers can view our Product Guides and Service Data Deletion Policy for more detailed information on how to use Zendesk’s products to align with compliance initiatives.The National Authority for Protection Data (“ANPD”) may issue additional guidance for the LGPD in the future. Zendesk will continue to actively track the law and we will continue to keep our subscribers updated on features and functionality they can use to support their compliance efforts.

Zendesk’s LGPD Addendum has been incorporated into Zendesk’s Data Processing Agreement. If you would like to review and/or execute Zendesk’s Data Processing Agreement, please click here.

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”) is a U.S. law enacted in the State of California, which went into force on 1 January 2020. It expands upon the privacy rights available to certain California consumers, and requires certain companies to comply with various data protection requirements. Please also visit the final CCPA Regulations and the California Privacy Rights Act (“CPRA”). A few CPRA provisions went into effect on 16 December 2020, with the remaining provisions of the CPRA becoming operative on 1 January 2023.

Zendesk subscribers that collect and store personal information in Zendesk Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Zendesk acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Zendesk collects, accesses, maintains, uses, processes, and transfers the personal information of our subscribers and our subscriber’s end users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our subscribers; and for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.

We do not “sell” our subscriber’s personal information as defined under the CCPA. We may share aggregated and/or anonymised information regarding use of the Service(s), which is not considered personal information under the CCPA, with third parties to help us develop and improve the Services and provide our subscribers with more relevant content and service offerings as detailed in our subscriber agreements.

Zendesk’s CCPA Addendum has been incorporated into Zendesk’s Data Processing Agreement. If you would like to review and/or execute Zendesk’s Data Processing Agreement, please click here.

If you would like to review and/or execute Zendesk’s US State Addendum to the Main Services Agreement, please click here.

Canada’s Personal Information Protection and Electronic Documents Act went into effect in 2000 and is focused around ten fair information principles, which form the rules for collection, use, access, and disclosure of personal information. In October of 2021, the International Technology Association of Canada and Information Technology Industry Council suggested changes to PIPEDA to provide greater privacy and transparency rights for Canadian citizens.

You can review and/or execute Zendesk’s DPA here. The Zendesk DPA covers the specific processing activities and security measures applicable to our Services and incorporates the new EU Standard Contractual Clauses (“EU SCCs”).

Subscribers can read our Product Guides and Service Data Deletion Policy for detailed information on how to use Zendesk’s products to assist in compliance with data protection and privacy laws.

Since our inception, Zendesk’s approach has been anchored by a strong commitment to privacy, security, compliance, and transparency. This approach includes supporting our subscribers’ compliance with EU data protection requirements, such as those set out in the General Data Protection Regulation (“GDPR”).

If a subscriber collects, transmits, hosts, or analyses personal data of EU citizens, GDPR requires the subscriber to use third-party data processors who guarantee their ability to implement the technical and organisational requirements of the GDPR. To further earn our subscribers’ trust, our Data Processing Agreement (“DPA”) has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR.

Binding Corporate Rules (BCRs): Binding Corporate Rules (“BCRs”) are company-wide data protection policies approved by European data protection authorities to facilitate intra-group transfers of personal data from the European Economic Area (“EEA”) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Subscribers can find the full list of approved entities on the Binding Corporate Rules Approved List here. In 2017 Zendesk completed the EU approval process with the Irish Data Protection Commissioner (“DPC”) (peer reviewed by both the UK Information Commissioner’s Office and the Dutch Data Protection Authority) BCRs as processor and as a controller. This significant regulatory approval validated Zendesk’s implementation of the highest possible standards for protecting personal data globally, covering both the personal data of its customers and its employees. Zendesk is one of the first software companies in the world to have received approval for its BCRs; and was the second company ever to receive approval from the Irish DPC.

To access Zendesk's EU BCRs and UK addenda please visit:

• Zendesk's Data Processor and Data Controller Binding Corporate Rules

Data Subject Requests: An individual who seeks to exercise their data protection rights in respect of personal data stored or processed by us on behalf of a subscriber of ours within the subscriber’s Service Data (including to seek access to, or to correct, amend, delete, port, or restrict processing of such personal data) should direct such query to our subscriber (the data controller). Upon receipt of a request from one of our subscribers to remove personal data from Zendesk, we will respond to such request within thirty (30) days. We will retain personal data that we process and store on behalf of our subscribers for as long as needed to provide the Services to our subscribers.

Zendesk's data subject request platform is available at this webform: https://www.zendesk.com/datasubjectrequest/

HDS enables healthcare providers in France to use Zendesk’s customer service and engagement platform with confidence that our platform has appropriate technical and governance measures in place to secure and protect personal health information (PHI). Additional information is available here.

The New Zealand Privacy Act in 2020 commenced on 1 December 2020, applies to agencies and maintains the principle-based framework of the 1993 Act. The 2020 Act states that organisations are responsible for ensuring that personal information sent outside of New Zealand is adequately protected and added mandatory breach notification requirements. https://www.zendesk.com/company/anz-privacy/

The Personal Data Protection Act of Singapore establishes data protection laws that govern the collection, use, and disclosure of Personal Data as of July 2, 2014. Zendesk is a recognised Infocomm Development Authority of Singapore (IDA) Data Intermediary as a Software-as-a-Service (“SaaS”) Service Provider. Additional information is available here.

The United Kingdom withdrew from the European Union on 31 January 2020. On 28 June 2021, the European Commission adopted adequacy decisions for transfers of personal data to the United Kingdom under GDPR.

To achieve a HIPAA-Enabled Account, you will need to (1) purchase the Advanced Security Deployed Associated Service or Advanced Compliance Deployed Associated Service Add-On; (2) enable a set of security configurations as outlined by Zendesk; and (3) execute our Business Associate Agreement (“BAA”). For more details, including a list of which Services can be HIPAA-enabled, please see Advanced Compliance.

All models developed by Zendesk are classification models – this means they are trained to read and classify inputs into one of a set number of categories created by Zendesk. Because these models are not generative, no content is produced by the model, and it is not possible for data to be reproduced by the model.

Does Zendesk use customer Service Data to train machine learning models?

Zendesk offers three types of machine learning functionality:

1. Account-specific ML functionality: Zendesk creates machine learning models tailored to a customer’s account using only data existing in the account. Account-specific models will not be used by any other customer.

2. Generic ML functionality: Zendesk uses Service Data to train its generic, cross-account machine learning models to be predictive and useful to multiple Zendesk customers. These include global and industry models. These models will never disclose one customer’s Service Data to another customer, because they are not “generative” (i.e. they do not create text).

3. Generative ML functionality supported by OpenAI: OpenAI models are pre-trained and Zendesk customer data will never be used by OpenAI (or any other third party) to train their model(s).

How does Zendesk protect Service Data when used for model training? Before Service Data is used to train generic ML functionality, Zendesk applies aggregation and sanitation processes, as necessary. No fields designed to intake personal data or ticket attachments are used for model training. Zendesk is committed to ensuring that no Service Data will be reproduced by the model. There is no risk that one customer’s data will be exposed to another customer through the model’s output. See AI Data Use Information.

Hallucinations are an intrinsic risk for generative AI features. Zendesk does two things to mitigate this risk:

• Zendesk utilises the Retrieval Augmented Generation (RAG) technique to ensure that generated replies or search results are grounded in specific knowledge base content

• Zendesk development team regularly inspects replies with negative end user feedback for hallucinations to develop tools that can automatically detect and prevent such scenarios.

All Service Data is hosted in Zendesk’s existing AWS regions. For sub-processor hosting locations, please see the Zendesk Sub-processor Policy

Use of Zendesk AI does not impact any Subscriber data locality commitments, including those available in the Data Centre Location Add-on. Service Data of eligible Subscribers will continue to be hosted in the selected region.

Note: Zendesk WFM (Tymeshift), Zendesk QA (Klaus), and Ultimate Service Data are hosted in Google Cloud Platform in the regions provided below:

All Zendesk products and features are designed with privacy in-mind, and the Zendesk AI is no different.

Subscribers are able to comply with various privacy laws (including GDPR and CCPA) when using Zendesk, including Zendesk AI features.

The Zendesk AI is eligible for coverage under Zendesk’s Business Associate Agreement (BAA).

Subscribers interested in executing a BAA with Zendesk must have access to the Advanced Compliance Add-on.

Additional Zendesk policies are available here.