EU-US data transfers after Schrems II
By Shanti Ariker, SVP, General Counsel and Maarten Van Horenbeeck, SVP & Chief Information Security Officer
Last updated November 8, 2022
Here at Zendesk, we believe that trust is at the core of all our interactions with our customers. We recognize the importance of customer trust and of customers’ privacy and the security of their data. Global privacy regulations are evolving at a rapid pace and we are focused on providing the tools our customers need to enable compliance.
As a customer, it’s important to understand how vendors use and secure your data. That is why we strive to be transparent about Service Data processed by our products and services, whether there is an international transfer of data, and what risks are associated with the type of data or processing concerned.
Since the Schrems II decision in July of 2020, regarding the legality of transatlantic data transfers, we have taken the following steps to enable cross-border transfers of personal data in accordance with EU privacy requirements:
Binding corporate rules and Standard contractual clauses
We provide EU Binding Corporate Rules (“BCR”) for both Controller and Processor, considered the “gold standard” for international data transfers. BCRs are company-wide data protection policies that have been approved for data transfers by our Data Protection Authority. We provide a Data Processing Agreement (DPA), which incorporates our EU BCRs and the new June 2021 Standard Contractual Clauses (SCCs). Our DPA also provides additional safeguards to Annex II of the new DPA/SCCs and provides details on our system access controls, data access controls, transmission controls, and network architecture and security.
Transfer impact assessment guide
We also provide, upon request, a Transfer Impact Assessment Guide to help you understand your transfers and complete the required case-by-case privacy impact assessment and analysis.
Transparency report
When it comes to government surveillance, we believe that law enforcement and national security agencies should engage customers first, rather than service providers. We have received very few law enforcement requests over the years, as detailed in our transparency report, which we update every six months. We have not built and will not build any backdoors to allow government authorities to circumvent our security measures.
Certifications
We regularly undergo self-assessment and independent, external testing and certification. Our security certifications from third-party auditors include SOC 2 Type II, ISO 27001:2013, and ISO 27018:2014.
Regional data hosting options
We also offer a way to store your data on a regional basis. You have the option to have your service data for select covered functionality hosted in the United States, European Economic Area (EEA), Japan (JP), or Australia (AU). A full description of which services can be hosted in your chosen region is located in our regional data hosting policy page.
Looking ahead: Zendesk’s roadmap for future trust features
In this rapidly changing regulatory environment, we are committing to building additional features to provide an enhanced level of protection for our customers.
During 2022, Zendesk is working on the following privacy and data protection features to support customers:
Bring your own key (BYOK) encryption that will give customers the ability to encrypt their service data using their own enterprise key management system
Data Center Location support for all Agent Workspace features
Improved data deletion, access control and auditing features on customer data
An offering to provide EU-only based customer support, to limit the location of customer advocates with access to your service data
Zendesk is committed to supporting our customers in navigating new data protection and privacy regulations. We are encouraged by the ongoing discussions between the European Commission and the United States government to build a new framework for Europeans’ personal data that is transferred to the United States.
Have questions? Please contact your Zendesk account executive or our privacy team at euprivacy@zendesk.com.
For more information on our privacy and security program, please see the resources below:
Schrems II – Frequently Asked Questions (FAQ) guide
Data processing addendum with new SCCs
Regional data hosting policy
Transparency report
How we protect your service data
Information on U.S. Privacy Safeguards White Paper by the U.S. Dept. of Commerce