How does GDPR Compliance access and manage your Zendesk data

The GDPR Compliance plugin helps you comply with privacy standards while ensuring secure and transparent management of your Zendesk data. It only interacts with your data when needed, following strict security protocols.

Below, we'll answer key questions about how the plugin accesses, stores, and manages your data.

How does GDPR Compliance access your Zendesk instance?

The app interacts with the Zendesk API, using read/write permissions for authorized agents to perform necessary tasks such as data deletion or retrieval.

It operates on an on-demand basis, meaning it only accesses your data when specific processes are initiated. Once these tasks are complete, the plugin stops interacting with your Zendesk instance until it is needed again.

What data does GDPR Compliance access?

GDPR Compliance has access to various Zendesk API endpoints and data types, including:

• Users: IDs, emails, and associated details.
• Tickets: Fields, comments, events, and attachments.
• Organizations: Data related to organizations.
• Deleted Users: Information about users who have been removed.
• Custom Fields: Ticket and user fields with potential personal data.
• Other Zendesk API endpoints.

Although the plugin has broad access capabilities, it only requests and transfers the specific data needed for GDPR processes, ensuring that unnecessary information is not accessed or used.

What data does GDPR Compliance store?

GDPR Compliance securely stores a minimal amount of data to perform its required processes. The following data is stored on our servers during the processing tasks:

• Subdomain Name: Always stored for identification purposes.
• Agent User ID, Email, and Access Tokens: Continuously stored to maintain access for authorized agents.
• Archived User Data: Collected during the "Retrieve Data" process and may include personal details related to users or tickets.
• Process Targets: During specific processes, such as data retrieval or deletion, process targets like end-user IDs, ticket IDs, organization IDs, and soft-deleted user IDs are temporarily stored. This data is deleted immediately after the process ends.

The stored data is used solely for GDPR compliance purposes, ensuring that only necessary information is retained.

Where is the data stored?

All data processed by GDPR Compliance is securely stored on Amazon Web Services (AWS), S3 servers. These servers ensure high levels of security, with access tokens encrypted to protect your data. AWS is widely recognized for its security standards and robust data protection measures.

How long is the data stored?

GDPR Compliance follows strict retention policies to ensure data is not kept longer than necessary. The data retention periods are as follows:

• Archived Data: Files generated by the "Retrieve Data" process are stored for 48 hours and then automatically deleted.
• Unique IDs of Users, Tickets, and Organizations: This data is stored for the duration of the process and up to 7 days if the process is paused, canceled, or fails, and is deleted immediately after the successful completion of the process.

Additionally, agent details (such as user ID, email, and access tokens) will be deleted according to our Security Policy.

Once the necessary processes are completed, GDPR Compliance promptly deletes the data, ensuring that nothing is stored permanently unless explicitly required for ongoing operations.

If you have additional questions on this topic or need further clarification, please contact our support team for assistance.