If you contacted a company using Zendesk's support software, that company controls your personal data, not Zendesk. To delete or access your data, you need to contact the business, not Zendesk.
This analysis describes what Zendesk's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Millions of consumers interact with businesses through Zendesk-powered support tools without knowing it; this clause determines that those consumers must pursue their privacy rights through the business, not through Zendesk directly, which can significantly affect their practical ability to exercise rights.
If your personal data appears in a business's Zendesk help desk, Zendesk is not the entity responsible for responding to your access or deletion request. You must contact the business directly, which may make it harder to exercise rights if that business is unresponsive.
How other platforms handle this
When we provide the Service to our customers, we act as a data processor on behalf of those customers. Our customers are the data controllers, meaning that they determine the purposes and means of the processing of personal data that is submitted into the Service. If you are an end user of a custome...
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
Docusign may be a 'data controller' or a 'data processor' (or both) depending on the type of personal information and the context in which it is processed. When Docusign determines the purpose and means of processing personal information, we act as a data controller. When Docusign processes personal...
Monitoring
Zendesk has changed this document before.
"When Zendesk processes personal data on behalf of its customers, Zendesk acts as a data processor and the customer acts as the data controller. In those cases, the customer's privacy policy and data processing agreement with Zendesk govern the processing of that data, not this Privacy Notice. If you are an end user of a Zendesk customer and have questions about how your personal data is processed, please contact the Zendesk customer directly."
(Excerpt from Zendesk's Zendesk Privacy Policy)
(1) REGULATORY LANDSCAPE: This provision directly implicates GDPR Article 28 (processor obligations) and Article 4(7)-(8) (definitions of controller and processor), enforceable by EU supervisory authorities including the Irish Data Protection Commission as Zendesk's lead EU regulator. Under GDPR, the business customer as controller bears primary accountability for ensuring lawful processing and enabling data subject rights; Zendesk's obligations flow through the separate Data Processing Agreement. CCPA similarly distinguishes service providers from businesses, with analogous implications for California-resident rights.

(2) GOVERNANCE EXPOSURE: High. Enterprise customers relying on Zendesk must ensure their own privacy notices accurately disclose Zendesk as a service provider or processor, that their DPAs with Zendesk are current and compliant with GDPR Article 28, and that they have operational processes to receive and respond to data subject rights requests that may involve data held in Zendesk. Failure to maintain adequate DPAs could expose business customers to regulatory liability independent of Zendesk's own compliance posture.

(3) JURISDICTION FLAGS: EU and UK customers face the highest exposure given GDPR and UK GDPR Article 28 requirements. California customers must ensure Zendesk is contractually restricted as a CCPA service provider and that the contractual terms prohibit Zendesk from using service data for its own commercial purposes. Healthcare-adjacent customers should evaluate whether service data could constitute protected health information requiring a Business Associate Agreement under HIPAA.

(4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that their executed DPA with Zendesk reflects current GDPR requirements, incorporates updated Standard Contractual Clauses, and includes a current and complete subprocessor list. The provision shifts responsibility for data subject request fulfillment to the business customer, which may require internal operational investment. DPAs should be reviewed to confirm audit rights and breach notification timelines align with organizational requirements.

(5) COMPLIANCE CONSIDERATIONS: Business customers should update their own consumer-facing privacy notices to disclose Zendesk as a processor/service provider. Internal data subject rights workflows should route requests to the team with access to Zendesk data. Organizations subject to GDPR should maintain records of processing activities that include Zendesk as a processor. Annual vendor reviews should confirm Zendesk's DPA, subprocessor list, and transfer mechanism documentation remain current.
ConductAtlas has identified this type of provision across 1 platform.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zendesk.