Zendesk data and privacy: A complete guide for 2026

Stevia Putri

Stanley Nicholas
Last edited March 3, 2026
Expert Verified
When you're handling customer support tickets, you're not just managing conversations. You're stewarding personal data: names, email addresses, payment information, and sometimes sensitive details customers share in moments of frustration or need. That is why understanding how your customer service platform handles data privacy is not optional. It is foundational.
Zendesk has built a reputation as an enterprise-grade customer service platform used by over 110,000 companies, including Fortune 100 and Fortune 500 organizations. But reputation is not the same as understanding exactly how they protect your data. This guide breaks down Zendesk's approach to data privacy, their security certifications, compliance frameworks, and the practical features available to keep customer information secure.
We will also look at how alternatives like eesel AI approach data privacy differently, because choosing the right platform depends on matching your specific compliance needs with the right tool.
What is Zendesk's approach to data privacy?
Zendesk operates on a shared responsibility model. This means they handle the security and privacy of the platform itself, while you (the customer) are responsible for how you configure and use that platform. Think of it like renting a safe deposit box: the bank secures the vault, but you decide what goes inside and who has the key.
In privacy terms, Zendesk acts as a data processor for the information your customers submit through tickets, while your business remains the data controller. This distinction matters because it determines who is accountable for what under regulations like GDPR.
Zendesk's privacy program is built on several core principles:
- Transparency: Clear documentation of what data is collected and how it is used, available in their Privacy Notice
- Data minimization: Collecting only what is necessary to provide the service
- Security by design: Building privacy protections into the platform architecture rather than bolting them on later
For data hosting, Zendesk primarily uses Amazon Web Services (AWS) and offers multiple region options. You can choose to host your data in the United States, Australia, Japan, or the European Economic Area. This matters for compliance with data localization requirements in certain jurisdictions.
Zendesk security certifications and compliance
Zendesk maintains an extensive list of security certifications. If you are evaluating them for enterprise use, this is where they demonstrate their credibility.
Security certifications
| Certification | What it means |
|---|---|
| SOC 2 Type II | Independent audit of security controls, with reports available under NDA |
| ISO 27001:2022 | Information security management system certification |
| ISO 27018:2019 | Specific protections for personally identifiable information in cloud environments |
| ISO 27701:2019 | Privacy information management certification |
| ISO 27017:2015 | Cloud services security best practices |
| ISO 42001 | AI management system certification (increasingly important as they expand AI features) |
| FedRAMP LI-SaaS | Authorization for use by US government agencies |
| Cyber Essentials Plus | UK government-backed cybersecurity certification |
| CSA STAR AI Levels 1 & 2 | Cloud security and AI governance (Zendesk was the first in the industry to achieve this) |
Source: Zendesk Trust Center
Privacy compliance frameworks
Beyond security certifications, Zendesk supports compliance with major privacy regulations worldwide:
| Regulation | Zendesk's compliance approach |
|---|---|
| GDPR (EU) | Data Processing Agreement available, Binding Corporate Rules approved in 2017 by the Irish Data Protection Commissioner |
| CCPA/CPRA (California) | CCPA Addendum incorporated into their Data Processing Agreement |
| HIPAA (US Healthcare) | Business Associate Agreement available with Advanced Compliance Add-on |
| PIPEDA (Canada) | Compliant with Canada's Personal Information Protection and Electronic Documents Act |
| LGPD (Brazil) | LGPD Addendum incorporated into Data Processing Agreement |
| HDS (France) | Health Data Hosting certification for healthcare providers |
Zendesk also participates in the Data Privacy Framework program, with active certifications for EU-U.S., UK Extension, and Swiss-U.S. frameworks. These certifications are current through December 2026.
Key Zendesk privacy features
Zendesk offers privacy features at two levels: standard features included in all plans, and advanced features available as an add-on for enterprise customers.
Standard privacy features
Every Zendesk customer gets access to these data protection capabilities:
- Encryption in transit and at rest: All communications use HTTPS/TLS 1.2 or higher, while stored data is encrypted using AES-256
- Role-based access controls: Define who can see what data based on their role in your organization
- Audit logs: Track who accessed what data and when
- Data retention policies: Configure how long different types of data are kept
- Redaction capabilities: Manually remove sensitive information from tickets
Advanced Data Privacy and Protection add-on
For businesses with higher compliance requirements, Zendesk offers the Advanced Data Privacy and Protection (ADPP) add-on. This is available on Suite and Support Enterprise plans and above.
| Feature | What it does |
|---|---|
| BYOK (Bring Your Own Key) | You control the encryption keys for your data |
| Advanced data retention | Create custom, conditional deletion schedules |
| Data masking | Limit what agents can see based on their role |
| AI-powered redaction | Automatically detect and suggest removal of sensitive data |
| Access logs | Detailed records of who searched for and accessed what data |
The automatic redaction feature is particularly useful for PCI compliance. It can detect and redact credit card numbers from tickets and call recordings in Zendesk Voice.
How Zendesk handles data subject requests
Under GDPR and similar regulations, individuals have rights regarding their personal data. Zendesk provides tools to help you comply with these requests:
| Right | How Zendesk supports it |
|---|---|
| Right of access | Export user data via the UI or API |
| Right to rectification | Update personal data through user profiles |
| Right to erasure | Delete user data and redact ticket content |
| Right to data portability | Export data in usable formats |
| Right to object | Manage consent and processing objections |
The workflow for handling erasure requests involves two steps: first deleting personal data from ticket comments, then deleting the user record itself. Zendesk replaces deleted user data with "Permanently Deleted User" placeholders to maintain ticket history without retaining personal information.
Source: Zendesk compliance guide
Zendesk AI and data privacy
With AI becoming central to customer service platforms, understanding how Zendesk handles data in their AI features is critical.
Zendesk AI uses a multi-LLM architecture, which means they are not locked into a single AI provider. They use OpenAI, Microsoft Azure, Amazon Bedrock, and Google Cloud Platform depending on the specific feature and use case. This approach reduces vendor lock-in and allows them to select the best model for each task.
Key privacy commitments for Zendesk AI:
- Zero data retention: When using OpenAI endpoints, Zendesk has negotiated zero data retention, meaning your data is not stored by OpenAI
- No training on customer data: Third-party LLM providers do not use Zendesk customer data to train their models
- Account-specific models: When Zendesk creates machine learning models for your account, they use only your data and do not share those models with other customers
- HIPAA eligible: Zendesk AI can be covered under their Business Associate Agreement for healthcare use cases
Source: Zendesk Trust Center AI section
eesel AI: An alternative approach to customer service data privacy
While Zendesk offers comprehensive privacy controls for enterprise compliance, it is worth understanding how other platforms approach data privacy. At eesel AI, we have taken a different approach that some businesses find better fits their needs.

The teammate model
Instead of treating privacy as a configuration challenge, we have built it into how you "hire" eesel as an AI teammate. Here is how it works:
- Onboard in minutes: Connect eesel to your help desk and it learns from your past tickets, help center, and connected docs. No manual training or uploads required.
- Start with guidance: Like any new hire, eesel begins with oversight. You can have it draft replies for review before sending, limit it to specific ticket types, or set business hours when it operates.
- Level up based on performance: As eesel proves itself, you expand its scope. You decide when to promote it from drafting to autonomous responses based on actual performance, not arbitrary timelines.
- Define escalation in plain English: Instead of complex configuration, you write natural language instructions like "Always escalate billing disputes to a human" or "For VIP customers, CC the account manager."
Data privacy at eesel
Our privacy approach follows the same teammate logic:
- Data isolation: Your data serves only your bots and is never used to train models for other customers
- Encryption: Data is encrypted in transit and at rest, isolated per customer
- Compliance: We support GDPR and CCPA programs
- Data residency: EU data residency is available on Business plans and above
- Subprocessors: We only work with SOC 2 Type II certified providers like OpenAI and Pinecone
For businesses that need additional control, we offer zero-retention options, self-hosted deployments, and custom security configurations on our Custom plan.
Pricing that scales with usage
Unlike platforms that charge per seat, eesel charges based on AI interactions (one interaction equals one AI reply or action). This means you are not penalized for having a large team.
| Plan | Monthly | Annual | Interactions | Key features |
|---|---|---|---|---|
| Team | $299 | $239/mo | 1,000 | Train on website/docs, Copilot, Slack, reports |
| Business | $799 | $639/mo | 3,000 | + Past tickets, MS Teams, AI Actions, EU data residency |
| Custom | Contact us | Custom | Unlimited | + Multi-agent orchestration, custom integrations, advanced security |
Source: eesel AI pricing

Choosing the right customer service platform for your privacy needs
Both Zendesk and eesel AI take data privacy seriously, but they serve different needs.
Choose Zendesk if:
- You need extensive compliance certifications for enterprise requirements
- You are in a heavily regulated industry like healthcare or government
- You want a traditional help desk platform with privacy add-ons
- You have the resources to manage complex configuration
Consider eesel AI if:
- You want privacy controls that are simpler to implement and manage
- You prefer a progressive rollout where you build confidence over time
- You are looking for an AI-first approach to customer service
- You want predictable pricing based on usage, not headcount
The key is matching the platform's approach to your actual needs. Enterprise-grade certifications matter if you are a Fortune 500 company. They matter less if you are a growing SaaS business that just needs solid privacy practices without the complexity.
Either way, do not treat data privacy as an afterthought. Ask hard questions about how your customer service platform handles data before you commit, because switching later is always more expensive than choosing right the first time.

Article by
Stevia Putri
Stevia Putri is a marketing generalist at eesel AI, where she helps turn powerful AI tools into stories that resonate. She’s driven by curiosity, clarity, and the human side of technology.


