When Zendesk moves your data from Europe or the UK to the US, it says it uses approved legal mechanisms including Standard Contractual Clauses and the EU-US Data Privacy Framework to keep that transfer lawful.
This analysis describes what Zendesk's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The adequacy of international transfer mechanisms is a live regulatory issue; if Zendesk's reliance on the Data Privacy Framework or SCCs is found insufficient, EU and UK users' data could be transferred in ways that regulators consider unlawful, though the DPF is currently an operative adequacy mechanism.
Interpretive note: The ongoing legal and political stability of the EU-US Data Privacy Framework creates interpretive uncertainty regarding whether this transfer mechanism will remain operative, which affects the practical adequacy of protections described.
Your personal data may be transferred from the EU or UK to the United States under legal frameworks that are subject to ongoing regulatory and political scrutiny, meaning the protections associated with those transfers could change depending on future legal developments.
How other platforms handle this
Datadog complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Datadog has certified to the U.S. Department of Commerce that it adheres to the EU-...
In addition to the above rights, your local laws (including those in the EU, UK, Japan, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia, or Utah) may afford you f...
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
Monitoring
Zendesk has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Zendesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When Zendesk transfers personal data from the EU, UK, or Switzerland to the United States, it relies on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.— Excerpt from Zendesk's Zendesk Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR Chapter V (transfers to third countries), including Article 46 (transfer mechanisms) and Article 45 (adequacy decisions). The EU-U.S. Data Privacy Framework was adopted as an adequacy decision in July 2023, but remains subject to potential legal challenge before the Court of Justice of the European Union, as prior frameworks (Safe Harbor and Privacy Shield) were invalidated. The Irish Data Protection Commission and other EU supervisory authorities retain oversight. Standard Contractual Clauses adopted under GDPR Commission Implementing Decision 2021/914 are the fallback mechanism. UK adequacy and SCCs under UK GDPR are separately governed by the ICO and the UK Secretary of State. (2) GOVERNANCE EXPOSURE: Medium. Zendesk's reliance on the Data Privacy Framework provides a currently operative adequacy basis for EU-US transfers; however, organizations should monitor DPF stability given its political and legal vulnerabilities. SCC reliance requires transfer impact assessments for high-risk transfers under post-Schrems II guidance, and organizations should confirm Zendesk has conducted and documented these assessments. (3) JURISDICTION FLAGS: EU and UK data subjects carry the highest exposure. Swiss transfers are also covered by the Swiss-US DPF, though Swiss data protection law (nFADP) creates separate requirements. Organizations with operations in EU member states with historically strict DPA enforcement (Germany, France, Netherlands) should conduct additional due diligence. (4) CONTRACT AND VENDOR IMPLICATIONS: Business customers' DPAs with Zendesk should reference the specific transfer mechanisms Zendesk relies on and confirm that SCCs are executed in the correct module for the controller-processor relationship. If the DPF is invalidated, fallback SCC provisions must be operational without requiring new contract execution. Procurement teams should confirm transfer mechanism documentation is available and current. (5) COMPLIANCE CONSIDERATIONS: Organizations should track developments in DPF legal challenges and maintain contingency plans if the framework is invalidated. Transfer impact assessments should be documented for transfers relying on SCCs. Records of processing activities should identify Zendesk as a processor and document the transfer mechanism in use. Legal teams should evaluate whether supplementary measures are needed for high-risk data categories processed through Zendesk.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The adequacy of international transfer mechanisms is a live regulatory issue; if Zendesk's reliance on the Data Privacy Framework or SCCs is found insufficient, EU and UK users' data could be transferred in ways that regulators consider unlawful, though the DPF is currently an operative adequacy mechanism.
Your personal data may be transferred from the EU or UK to the United States under legal frameworks that are subject to ongoing regulatory and political scrutiny, meaning the protections associated with those transfers could change depending on future legal developments.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zendesk.