// Trust & Security Report

    Zendesk, Inc. logo

    Zendesk, Inc.

    Zendesk AI (AI-powered customer/employee service platform: AI Agents, Copilot, Voice, Contact Center, Advanced Data Privacy and Protection add-on)

    Certifications held

    13

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We undergo routine audits to receive updated SOC 2 Type II reports, available upon request and under NDA. Request the latest SOC 2 Type II report.

    Verify on zendesk.com
    ISO 27001:2022
    HELD

    Zendesk is ISO 27001:2022 certified. Download the certificate.

    Verify on zendesk.com
    ISO 27018:2019
    HELD

    Zendesk is ISO 27018:2019 certified. The certificate is available for download here.

    Verify on zendesk.com
    ISO 27701:2019
    HELD

    Zendesk is ISO 27701:2019 certified. The certificate is available for download here.

    Verify on zendesk.com
    ISO 27017:2015
    HELD

    Zendesk is ISO 27017:2015 certified. The certificate is available for download here.

    Verify on zendesk.com
    ISO 42001 (AI Management System)
    HELD

    ISO 42001 is the world's first international standard for managing artificial intelligence. Achieving certification means that Zendesk's AI practices - spanning design and development through deployment and ongoing monitoring - have been independently audited for conformance with a formal Artificial Intelligence Management System (AIMS).

    Verify on zendesk.com
    FedRAMP LI-SaaS
    HELD

    Zendesk is FedRAMP authorized with Low Impact Software-as-a-Service (LI-SaaS) and is listed in the FedRAMP Marketplace.

    Verify on zendesk.com
    Cyber Essentials Plus
    HELD

    Cyber Essentials Plus is a UK government-backed certification that demonstrates an organization's commitment to strong cybersecurity through independent verification of key controls.

    Verify on zendesk.com
    CSA STAR AI Levels 1 & 2
    HELD

    CSA STAR AI Levels 1 & 2 certify advanced cloud security and AI governance practices, with Zendesk proudly being the first in the industry to achieve this recognition.

    Verify on zendesk.com
    PCI-DSS
    HELD

    PCI-DSS - For more information on automatically redacting credit card numbers or adding a credit card identification field

    Verify on zendesk.com
    HIPAA (BAA available)
    HELD

    HIPAA - For more information on our HIPAA program and our BAA

    Verify on zendesk.com
    HDS (Health Data Hosting, France)
    HELD

    HDS - For more information on our HDS program

    Verify on zendesk.com
    CSA STAR (Cloud Security Alliance CAIQ)
    HELD

    Zendesk completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment. The CSA CAIQ is available here.

    Verify on zendesk.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer-selectable data locality: United States (US), Australia (AU), Japan (JP), or European Economic Area (EEA), per the Regional Data Hosting Policy. Hosted on AWS in US, Europe, and Asia Pacific.

    Generative AI features are powered by third-party LLMs but are NOT trained on Zendesk customer data; 'no third-party will use your inputs to train their models or otherwise improve their services' and 'these features are not trained on Zendesk customer data.' For LLMs hosted on Zendesk-controlled infrastructure (AWS Bedrock, Azure, GCP, Groq, Fireworks AI) the LLM provider never accesses Service Data and is not a sub-processor. Zendesk's own proprietary ML models are not generative; they may be trained on customer data ONLY to the extent the customer instructs (e.g. account-scoped intelligent triage/AI agent training within that customer's own instance), with data minimization and sanitization controls. Net: not trained on customer data by default; opt-in, account-scoped training only for the customer's own benefit.

    // Security controls

    Encryption in transit

    HTTPS/TLS 1.2 or higher over public networks; opportunistic TLS for email

    zendesk.com

    Encryption at rest

    AES-256 key encryption in AWS; BYOK available via Advanced Data Privacy and Protection add-on

    zendesk.com

    Bug bounty / responsible disclosure

    Responsible Disclosure / Bug Bounty Program via partnership with HackerOne

    zendesk.com

    Penetration testing

    Annual third-party penetration tests across Production and Corporate Networks, plus per-application pen tests on products

    zendesk.com

    Authentication / access

    SSO (SAML, OIDC), social SSO, 2FA (SMS or authenticator app), RBAC, IP restrictions, configurable password policies, MFA required for production access

    zendesk.com

    Hosting & resilience

    AWS data centers (ISO 27001 / PCI DSS L1 / SOC 2 certified), multi-AZ replication, Disaster Recovery program with optional contractual RTO/RPO via Enhanced DR

    zendesk.com

    Data protection add-on

    Advanced Data Privacy and Protection: BYOK encryption, custom data retention, data masking, PII redaction, access logs

    zendesk.com

    Self-serve artifacts

    Conveyor Trust Portal for on-demand certifications, audit reports, policies, and questionnaire answers

    zendesk.com

    // Products & data scope

    Zendesk AI Agents (customer service)Generative AI customer support automation

    data: Processes end-customer conversation/ticket Service Data; powered by third-party LLMs that do not train on customer data; account-scoped.

    Up to ~80% automation claim; learns within the customer's own account context only.

    Zendesk CopilotAgent-assist / generative AI for service teams

    data: Assists agents, admins, knowledge and analytics roles using account Service Data; LLM providers do not access or retain data when hosted on Zendesk-controlled infra.

    Role-specific copilots; real-time suggestions.

    Employee Service AI / internal serviceInternal helpdesk AI

    data: Permission-gated answers within the employee-service instance; same no-third-party-training posture.

    Targets internal IT/HR use cases.

    Voice / Contact Center (agentic AI)AI voice and omnichannel contact center

    data: Voice and digital channel Service Data; note SMS and some third-party integrations are encryption exceptions.

    Enterprise contact center without middleware.

    Advanced Data Privacy and Protection (add-on)Data governance add-on

    data: Adds BYOK, custom retention, masking, PII redaction, access logs over base Service Data.

    Paid add-on for higher data-sensitivity tiers (e.g. HIPAA, regulated industries).

    // What to watch

    • Trust center evidence is geo-redirected (zendesk.de in EU); content is identical across regions, certificates downloadable from the canonical trust center.
    • SOC 2 Type II report and ISO certificates require NDA / request via Conveyor Trust Portal, not openly downloadable.
    • Zendesk's own proprietary (non-generative) ML models CAN be trained on a customer's data when the customer instructs it (account-scoped, opt-in) - this is normal and not cross-customer, but procurement should note the distinction.
    • Encryption exceptions exist for in-product SMS and customer-chosen third-party integrations.

    // At a glance

    Pricing model

    Paid subscription, tiered plans (Suite/Support tiers from small business to Enterprise/Enterprise Plus) plus usage-based AI Agent automated resolutions; 14-day free trial. Add-ons (Advanced Data Privacy and Protection, Enhanced Disaster Recovery) priced separately.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Zendesk, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    zendesk.com

    > Browse all vendor trust reports