// Trust & Security Report
Zendesk, Inc.
Zendesk AI (AI-powered customer/employee service platform: AI Agents, Copilot, Voice, Contact Center, Advanced Data Privacy and Protection add-on)
Certifications held
13
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on zendesk.com“We undergo routine audits to receive updated SOC 2 Type II reports, available upon request and under NDA. Request the latest SOC 2 Type II report.”
Verify on zendesk.com“Zendesk is ISO 27001:2022 certified. Download the certificate.”
Verify on zendesk.com“Zendesk is ISO 27018:2019 certified. The certificate is available for download here.”
Verify on zendesk.com“Zendesk is ISO 27701:2019 certified. The certificate is available for download here.”
Verify on zendesk.com“Zendesk is ISO 27017:2015 certified. The certificate is available for download here.”
Verify on zendesk.com“ISO 42001 is the world's first international standard for managing artificial intelligence. Achieving certification means that Zendesk's AI practices - spanning design and development through deployment and ongoing monitoring - have been independently audited for conformance with a formal Artificial Intelligence Management System (AIMS).”
Verify on zendesk.com“Zendesk is FedRAMP authorized with Low Impact Software-as-a-Service (LI-SaaS) and is listed in the FedRAMP Marketplace.”
Verify on zendesk.com“Cyber Essentials Plus is a UK government-backed certification that demonstrates an organization's commitment to strong cybersecurity through independent verification of key controls.”
Verify on zendesk.com“CSA STAR AI Levels 1 & 2 certify advanced cloud security and AI governance practices, with Zendesk proudly being the first in the industry to achieve this recognition.”
Verify on zendesk.com“PCI-DSS - For more information on automatically redacting credit card numbers or adding a credit card identification field”
Verify on zendesk.com“HIPAA - For more information on our HIPAA program and our BAA”
Verify on zendesk.com“HDS - For more information on our HDS program”
Verify on zendesk.com“Zendesk completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment. The CSA CAIQ is available here.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer-selectable data locality: United States (US), Australia (AU), Japan (JP), or European Economic Area (EEA), per the Regional Data Hosting Policy. Hosted on AWS in US, Europe, and Asia Pacific.
Generative AI features are powered by third-party LLMs but are NOT trained on Zendesk customer data; 'no third-party will use your inputs to train their models or otherwise improve their services' and 'these features are not trained on Zendesk customer data.' For LLMs hosted on Zendesk-controlled infrastructure (AWS Bedrock, Azure, GCP, Groq, Fireworks AI) the LLM provider never accesses Service Data and is not a sub-processor. Zendesk's own proprietary ML models are not generative; they may be trained on customer data ONLY to the extent the customer instructs (e.g. account-scoped intelligent triage/AI agent training within that customer's own instance), with data minimization and sanitization controls. Net: not trained on customer data by default; opt-in, account-scoped training only for the customer's own benefit.
// Security controls
Encryption in transit
HTTPS/TLS 1.2 or higher over public networks; opportunistic TLS for email
zendesk.comEncryption at rest
AES-256 key encryption in AWS; BYOK available via Advanced Data Privacy and Protection add-on
zendesk.comBug bounty / responsible disclosure
Responsible Disclosure / Bug Bounty Program via partnership with HackerOne
zendesk.comPenetration testing
Annual third-party penetration tests across Production and Corporate Networks, plus per-application pen tests on products
zendesk.comAuthentication / access
SSO (SAML, OIDC), social SSO, 2FA (SMS or authenticator app), RBAC, IP restrictions, configurable password policies, MFA required for production access
zendesk.comHosting & resilience
AWS data centers (ISO 27001 / PCI DSS L1 / SOC 2 certified), multi-AZ replication, Disaster Recovery program with optional contractual RTO/RPO via Enhanced DR
zendesk.comData protection add-on
Advanced Data Privacy and Protection: BYOK encryption, custom data retention, data masking, PII redaction, access logs
zendesk.comSelf-serve artifacts
Conveyor Trust Portal for on-demand certifications, audit reports, policies, and questionnaire answers
zendesk.com// Products & data scope
data: Processes end-customer conversation/ticket Service Data; powered by third-party LLMs that do not train on customer data; account-scoped.
Up to ~80% automation claim; learns within the customer's own account context only.
data: Assists agents, admins, knowledge and analytics roles using account Service Data; LLM providers do not access or retain data when hosted on Zendesk-controlled infra.
Role-specific copilots; real-time suggestions.
data: Permission-gated answers within the employee-service instance; same no-third-party-training posture.
Targets internal IT/HR use cases.
data: Voice and digital channel Service Data; note SMS and some third-party integrations are encryption exceptions.
Enterprise contact center without middleware.
data: Adds BYOK, custom retention, masking, PII redaction, access logs over base Service Data.
Paid add-on for higher data-sensitivity tiers (e.g. HIPAA, regulated industries).
// What to watch
- Trust center evidence is geo-redirected (zendesk.de in EU); content is identical across regions, certificates downloadable from the canonical trust center.
- SOC 2 Type II report and ISO certificates require NDA / request via Conveyor Trust Portal, not openly downloadable.
- Zendesk's own proprietary (non-generative) ML models CAN be trained on a customer's data when the customer instructs it (account-scoped, opt-in) - this is normal and not cross-customer, but procurement should note the distinction.
- Encryption exceptions exist for in-product SMS and customer-chosen third-party integrations.
// At a glance
Pricing model
Paid subscription, tiered plans (Suite/Support tiers from small business to Enterprise/Enterprise Plus) plus usage-based AI Agent automated resolutions; 14-day free trial. Add-ons (Advanced Data Privacy and Protection, Enhanced Disaster Recovery) priced separately.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Zendesk, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
zendesk.com