// Trust & Security Report

    Zendesk, Inc. (formerly Ultimate.ai Oy, Helsinki - acquired by Zendesk, March 2024) logo

    Zendesk, Inc. (formerly Ultimate.ai Oy, Helsinki - acquired by Zendesk, March 2024)

    Ultimate.ai was a standalone conversational-AI / customer-service-automation platform founded in Helsinki in 2016. Zendesk acquired it in March 2024 and fully absorbed it into the Zendesk Suite; it is no longer sold as an independent product. It now operates as 'AI Agents - Advanced (Ultimate)', the top automation tier of Zendesk's AI Agents line (sitting above 'AI Agents - Essential').

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Product-in-scope list for SOC 2: 'Ticketing, Help Center, Community Forums, Messaging and live chat, Reporting and Analytics, Messaging platform (Sunshine Conversations), Voice, AI Agents, Mobile Apps, Mobile Software Development Kits, Automations & intelligence.'

    Verify on support.zendesk.com
    ISO 27001:2022
    HELD

    'The scope of the ISO/IEC 27001:2013 ... certifications are bounded by Zendesk, Inc.'s global network infrastructure' covering management of Zendesk's core services; AI Agents is separately listed as SOC 2/ISO/HIPAA in-scope on the compliance-scope page.

    Verify on support.zendesk.com
    ISO 27018:2019 (cloud PII)
    HELD

    'The scope of the ... ISO/IEC 27018:2014 ... certifications are bounded by Zendesk, Inc.'s global network infrastructure.'

    Verify on support.zendesk.com
    ISO 27701:2019 (privacy)
    HELD

    'The scope of the ... ISO/IEC 27701:2019 ... certifications are bounded by Zendesk, Inc.'s global network infrastructure.'

    Verify on support.zendesk.com
    ISO 42001:2023 (AI management system)
    HELD

    'The scope of the ... ISO/IEC 42001:2023 certifications are bounded by Zendesk, Inc.'s global network infrastructure.' Blog: 'Zendesk achieves ISO 42001 certification... scope includes Zendesk AI, Zendesk LMS, Zendesk QA, and Zendesk WFM.'

    Verify on support.zendesk.com
    GDPR posture
    HELD

    Zendesk is described in its own privacy documentation as 'a third-party data processor under the GDPR' and offers 'features to support GDPR compliance, including native notice options seamlessly embedded into our tools,' plus a public Data Processing Agreement incorporating EU SCCs.

    Verify on zendesk.com
    HIPAA (BAA available)
    HELD

    AI Agents is listed among the products in scope for the SOC 2 / ISO 27001 / HIPAA compliance table on Zendesk's own compliance-scope page; HIPAA support requires signing a BAA and the Advanced Data Privacy and Protection add-on.

    Verify on support.zendesk.com
    PCI DSS
    HELD

    'PCI-DSS - For more information on automatically redacting credit card numbers or adding a credit card identification field' (corporate/platform-level cert; not confirmed as AI-Agents-specific in the product compliance-scope table).

    Verify on zendesk.com
    CSA STAR AI Levels 1 & 2
    HELD

    'CSA STAR AI Levels 1 & 2 certify advanced cloud security and AI governance practices, with Zendesk proudly being the first in the industry to achieve this recognition.'

    Verify on zendesk.com
    Cyber Essentials Plus
    HELD

    UK government-backed certification 'that demonstrates an organization's commitment to strong cybersecurity through independent verification of key controls.'

    Verify on zendesk.com
    > Show 1 unconfirmed / not-held certifications
    FedRAMP LI-SaaS
    NOT CONFIRMED

    FedRAMP Li-SaaS Tailored product list: 'Ticketing, Help Center, Community Forums, Reporting and Analytics, Voice, Messaging, Agent Workspace, AI Agents - Essential.' Only the Essential (lower) tier is in scope; 'AI Agents - Advanced (Ultimate)' is NOT listed as FedRAMP in-scope.

    source: support.zendesk.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Customer-selectable data locality (US, EU/EEA, Australia, Japan) per Zendesk's Regional Data Hosting Policy; specific policy applying to the legacy Ultimate.ai workloads post-migration was not independently confirmed.

    Zendesk's own AI Data Use documentation names the acquired product explicitly: for 'AI Agents - Advanced (Ultimate),' 'if Service Data is needed for training, customers directly determine how to sanitize the training dataset' - i.e. training only happens on an opt-in, customer-controlled, account-scoped basis, not by default and not shared cross-customer. Generative AI features on third-party LLMs are separately stated to not be trained on Zendesk customer data at all. Set to null rather than false because Advanced/Ultimate-tier training is customer-instructed, not categorically absent.

    // Security controls

    Encryption in transit

    HTTPS/TLS 1.2+ (platform-wide Zendesk standard; not a distinct Ultimate.ai control)

    zendesk.com

    Encryption at rest

    AES-256 in AWS; BYOK available via Advanced Data Privacy and Protection add-on

    zendesk.com

    Hosting

    Data hosted within Zendesk's SOC 2-certified AWS cloud environment

    support.zendesk.com

    Bug bounty

    HackerOne-run responsible disclosure / bug bounty program (platform-wide)

    zendesk.com

    // Products & data scope

    AI Agents - Advanced (Ultimate)Enterprise conversational AI / multi-step workflow automation for customer service

    data: Processes end-customer conversation Service Data across web, mobile, email, and voice; can be trained on account-scoped Service Data only if the customer opts in and controls sanitization.

    This is the direct successor product to the standalone Ultimate.ai platform; NOT covered by Zendesk's FedRAMP LI-SaaS authorization (only 'AI Agents - Essential' is).

    AI Agents - EssentialEntry-tier AI customer service automation

    data: Lower-complexity automation bundled into standard Zendesk Suite plans.

    This tier, not the former Ultimate/Advanced tier, is the one covered by FedRAMP LI-SaaS.

    // What to watch

    • IDENTITY: 'Ultimate.ai' is not an operating, independently-assessable vendor as of this review. ultimate.ai 301-redirects to https://www.zendesk.com/service/ai/ai-agents.
    • All certifications listed here are Zendesk's corporate/platform certifications, not certifications independently earned by 'Ultimate.ai' as a company. They are attributed to the acquired product only because Zendesk's own compliance-scope documentation explicitly lists 'AI Agents' (SOC 2/ISO 27001/HIPAA) and by name 'AI Agents - Advanced (Ultimate)' (AI Data Use policy) as in-scope. Treat this as inherited-via-acquisition coverage, not organic Ultimate.ai certification history.
    • FedRAMP LI-SaaS explicitly does NOT cover the Advanced/Ultimate tier - only 'AI Agents - Essential.' Any AIFOXX listing implying FedRAMP coverage for 'Ultimate' would be an over-claim.
    • Recommend the two listings be reconciled (merge/redirect 'ultimate-ai' to 'zendesk-ai', or clearly label 'ultimate-ai' as a legacy/discontinued brand) rather than displaying them as two independent competing vendors.
    • trains_on_customer_data set to null (not false): the Advanced/Ultimate tier permits customer-instructed, account-scoped training, which differs from the platform-wide 'never trains on customer data' claim used for generative LLM features.

    // At a glance

    Pricing model

    No longer sold standalone. Available only as a paid add-on/tier ('Advanced') within Zendesk Suite subscriptions; legacy independent Ultimate.ai pricing/contracts no longer apply.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Zendesk, Inc. (formerly Ultimate.ai Oy, Helsinki - acquired by Zendesk, March 2024)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    zendesk.com

    > Browse all vendor trust reports