為客戶服務提供保護
Zendesk Security
More than 140,000 customers trust Zendesk with their data, and this responsibility is something we take very seriously! We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected. And our customers rest easy knowing their information is safe, their interactions are secure, and their businesses are protected.
檢視資料工作表
資料中心和網路安全
| 物理安全 | |
|---|---|
| 設施 | Zendesk hosts service data in AWS data centers that have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC II compliance. AWS infrastructure services includes back-up power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. |
| 現場安全 | AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security. |
| 監控 | All Production Network systems, networked devices, and circuits are constantly monitored and logically administered by Zendesk staff. Physical security, power, and internet connectivity are monitored by AWS. |
| 位置 | Zendesk leverages AWS data centers in the United States, Europe, and Asia Pacific. Customers can choose to locate their Service Data in the US-only or Europe-only* (Zendesk Chat is Europe-only at this time). Learn more about our regional data hosting options. *Only available with Data Center Location Add-on |
| 網路安全 | |
|---|---|
| 專門的安全團隊 | 我們遍布全球的安全團隊 24/7 隨叫隨到,以回應安全警報和事件。 |
| 防護 | Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies which monitor and/or block malicious traffic and network attacks. |
| 架構 | 我們的網路安全架構由多個安全域組成。而更敏感的系統,比如我們的資料庫伺服器,在我們最受信任的安全域中得到保護。其他系統根據其功能、資訊分類和風險,安置在與其敏感度相應的安全域中。根據安全域的不同,將套用額外的安全監控和存取控制。您可在網際網路之間,以及在您內部網路的不同受信任安全域之間設定 DMZ。 |
| 網路漏洞掃描 | 網路安全掃描使我們能夠深入瞭解並快速識別不符合要求或可能存在漏洞的系統。 |
| 協力廠商滲透測試 | In addition to our extensive internal scanning and testing program, each year, Zendesk employs third-party security experts to perform a broad penetration test across the Zendesk Production Network. |
| 安全事故事件管理(SIEM) | 我們的安全事故事件管理(SIEM)系統從重要的網路裝置和主機系統彙集全面的日誌。SIEM 可就根據相關事件通知安全團隊的觸發程式發出警示,以便於調查與回應。 |
| 入侵偵測與防禦 | Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring. |
| 威脅情報計劃 | Zendesk 參與了多項威脅情報共用計劃。我們監控發佈到這些威脅情報網絡中的威脅,並根據風險和受影響程度來採取行動。 |
| DDoS 攻擊安全防護功能 | Zendesk has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provide deeper protection along with our use of AWS DDoS specific services. |
| 邏輯存取 | 將對 Zendesk 生產網路的存取限制在明確「需要瞭解」的基礎上,使用最少的特權,定期進行審核和監控,並由我們的運營團隊進行控制。存取 Zendesk 生產網路的員工必須使用多因素驗證。 |
| 安全事故回應 | 如發生系統警報的情況,該事件將被上報給我們的 24/7 團隊,以保障運營、網路工程和安全。員工會進行安全事故回應流程方面的訓練,包括溝通管道和上報途徑。 |
| 加密 | |
|---|---|
| 傳輸時加密 | 您與 Zendesk Support 和 Chat 伺服器之間的通訊透過業內最佳實務 HTTPS 和傳輸層安全性(TLS)在公用網路上進行加密。TLS 亦支援電郵加密。 |
| 待用加密 | Customers of Zendesk benefit from the protections of encryption at rest for their data. Service Data is encrypted at rest in AWS using AES 256 key encryption. |
| 可用性和連續性 | |
|---|---|
| 運作時間 | Zendesk 維護一個公開的系統狀態網頁,其中包括系統可用性的詳細資訊、定期維護、服務事故記錄,以及相關的安全事件。 |
| 冗餘 | Zendesk employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver high level of service availability, as Service Data is replicated across availability zones. |
| 嚴重損壞修復 | Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities. |
| 增強嚴重損壞修復 | Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritize operations of Enhanced Disaster Recovery customers during any declared disaster event. *Only available with Advanced Security Add-on |
應用程式安全
| 安全發展(SDLC) | |
|---|---|
| 安全訓練 | At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Zendesk security controls. |
| Ruby on Rails 架構安全控制 | Most Zendesk products utilize Ruby on Rails framework security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others. |
| QA | Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code. |
| 獨立的環境 | Testing and staging environments are logically separated from the Production environment. No actual Service Data is used in the development or test environments. |
| 應用程式漏洞 | |
|---|---|
| 動態漏洞掃描 | We employ third-party, qualified security tooling to continuously dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues. |
| 靜態程式碼分析 | The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling. |
| 安全滲透測試 | 除了全面的內部掃描和測試計劃之外,每個季度 Zendesk 都會透過協力廠商安全專家來對我們整個產品系列的不同應用程式進行細緻的滲透測試。 |
| 負責任披露 / 漏洞懸賞計劃 | Our Responsible Disclosure Program gives security researchers, as well as customers, an avenue for safely testing and notifying Zendesk of security vulnerabilities through our partnership with HackerOne. |
產品安全功能
| 驗證安全 | |
|---|---|
| 驗證選項 |
For admins/agents in Support and Chat, we offer Zendesk sign-in. For Zendesk Support, you may also enable SSO, and Google Authentication. For end-users in Support and Chat, we support Zendesk sign-in. For Zendesk Support, you may also enable SSO and social media SSO (Facebook, Twitter, Google) for end-user authentication. |
| 單一登入(SSO) | Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Zendesk Support instance. Both JSON Web Token (JWT) and Security Assertion Markup Language (SAML) are supported. Learn more about security and sign-in settings. *SAML is only available for Professional and Enterprise accounts *JWT is only available for Team accounts and above |
| 可設定的密碼政策 | Zendesk Support/Guide provides the following levels of password security: low, medium, and high, as well as set custom password rules for agents and admins. Zendesk also allows for different password security levels to apply to end users vs. agents and admins. Only admins can change the password security level. *Applies to Professional and Enterprise accounts. |
| 雙因素驗證(2FA) | If you are using Zendesk sign-in on your Zendesk Support instance, you can turn on 2-factor authentication (2FA) for agents and admins. Zendesk supports SMS and numerous authenticator apps for generating passcodes. You may also choose to leverage 2FA in your own environment where coupling enterprise SSO as your authentication method for Zendesk. 2FA provides another layer of security to your Zendesk account, making it more challenging for somebody else to sign in as you. Learn more about 2FA. |
| 安全憑證儲存 | Zendesk 遵循安全憑證儲存的最佳實務,從不以人工可讀的格式儲存密碼,並僅經過雜湊演算法處理,安全、單向隨機產生。 |
| API 安全和驗證 | The Zendesk Support API is TLS-only. You can authorize against the API using either basic authentication with your username and password, or with a username and API token. OAuth authentication is also supported. Learn more about API security. |
| 其他產品安全功能 | |
|---|---|
| Role Based Access Controls | Access to data within Zendesk applications is governed by role based access control (RBAC), and can be configured to define granular access privileges. Zendesk has various permission levels for users (owner, admin, agent, end-user, etc.). Learn more about Support user roles and user access & security. |
| IP 限制 | Zendesk Support and Chat can be configured to only allow access from specific IP address ranges you define. These restrictions can be applied to all users or only to your agents. Learn more about using IP restrictions. *Only available for Enterprise Support accounts and Chat Enterprise |
| 私人附件 | In Zendesk Support, you can configure your instance so users are required to sign-in to view ticket attachments. If not configured, the attachments are accessible via a long and random token ticket ID. |
| 傳輸安全 | All communications with Zendesk UI’s and API’s are encrypted using industry standard HTTPS/TLS over public networks. This ensures that all traffic between you and Zendesk is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. |
| 電郵簽章(DKIM/DMARC) | 當您在 Zendesk 中已設定外部電郵網域時,Zendesk Support 提供 DKIM(網域金鑰識別郵件)和 DMARC(網域型訊息驗證、報告和一致性),用於簽署從 Zendesk 寄出的電郵。使用支援這些功能的電郵服務可使您避免電郵欺騙。瞭解更多關於電郵數位簽章的資訊。 |
| 裝置追蹤 | For added security, your Zendesk Support instance tracks the devices used to sign in to each user account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow-up if the activity seems suspicious. Suspicious sessions can be terminated from the agent UI. |
| Redacting Sensitive Data | Redaction for Zendesk Support and Chat provides the ability to redact, or remove sensitive data in ticket comments, custom fields, and Chats so that you can protect confidential information. The data is redacted from tickets to prevent sensitive information from being stored in Zendesk. Learn more about securing sensitive data. *Only available for Enterprise accounts |
| Spam Filter for Help Center | Zendesk Support offers a spam filtering service which prevents end-user spam posts from being published on your Help Center or Web Portal. Learn more about filtering spam in Help Center. |
法規遵循認證和會員資格
| 安全法規遵循 | |
|---|---|
| SOC 2 II 型 | 我們有一個 SOC 2 II 型報告,可根據需要和保密協定提供。如需更多資訊請聯絡 security@zendesk.com。 |
| ISO 27001:2013 | Zendesk is ISO 27001:2013 certified. The certificate is available for download here |
| ISO 27018:2014 | Zendesk is ISO 27018:2014 certified. The certificate is available for download here |
| 會員資格 | |
|---|---|
| Skyhigh Enterprise-Ready | Zendesk 已獲得 Skyhigh Enterprise-Ready™ 印章,這是 CloudTrust™ 計劃的最高評級。此印章被授予完全滿足針對資料保護、驗證、服務安全、商業慣例和法律保護最嚴格要求的雲端服務。 |
| 雲端安全聯盟 | Zendesk 是雲端安全聯盟(CSA)成員,這是一個非營利組織,其使命是推廣最佳實務的使用,以便在雲端運算中提供安全保證。CSA 已推出安全、信任和保證註冊(STAR),這是一項可公開存取的註冊,記錄了各種雲端運算產品所提供的安全控制。我們已根據審查評鑑自我評估的結果,完成一項公開的自我評估(CAI)問卷調查。 |
| 隱私認證 | |
|---|---|
| TRUSTe® 隱私認證計劃 | Zendesk has demonstrated that our privacy programs, policies, and practices meet the requirements of EU-U.S. Privacy Shield and/or Swiss-U.S. Privacy Shield. These companies have self-certified their participation in Privacy Shield with the U.S. Department of Commerce at https://www.privacyshield.gov/list. TRUSTe verifies Privacy Shield compliance consistent with the requirements of the Privacy Shield Supplemental Principle on Verification. |
| EU - U.S. and Swiss - U.S. Privacy Shield Certification | Zendesk has certified compliance with the U.S.-EU and Swiss - U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States. |
| 隱私政策 | 瞭解更多關於 Zendesk 隱私的資訊 |
| 行業法規遵循 | |
|---|---|
| HIPAA | We help customers address their HIPAA obligations by leveraging appropriate security configuration options in Zendesk products. Additionally, we make our Business Associate Agreement (BAA) available for execution by subscribers. *BAA is only available with the purchase of the Advanced Security Add-on and only applicable to certain Zendesk products (special configuration rules apply). |
| 在 PCI 環境中使用 Zendesk | View our whitepaper on PCI compliance or learn more about our PCI compliant field for Zendesk Support. *Enterprise account required |
其他安全方法
| 安全意識 | |
|---|---|
| 政策 | Zendesk has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Zendesk information assets. |
| 訓練 | 所有新員工均需參加安全意識訓練,此訓練在入職時提供,且之後每年提供一次。所有工程師均需每年參加安全編碼訓練。安全團隊也會透過電郵、部落格貼文,以及在內部活動示範中提供關於安全意識的更多最新訊息。 |
| 員工審查 | |
|---|---|
| 背景調查 | Zendesk 根據當地法律,對所有新員工進行背景調查。承包商也需要完成這些調查。背景調查包括刑事、教育和就業核查。清潔工也包括在內。 |
| 保密協議 | 所有新員工都會透過招聘程序進行審查,並需要簽署保密協定。 |
若您需存取我們的 SOC 2 報告,請傳送電郵至 security@zendesk.com。