The GDPR is here.
The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which came into force on May 25, 2018. Simply put, EU residents will now have a greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data.
Data Collection – beyond compliance
At Zoho Desk, we believe that GDPR is a force for good. We have always honored our users' right to data privacy and collection. We have never relied on advertising as a revenue stream. We have never served ads to our users, and never will. This means that we have no necessity to collect and process users' personal information beyond what is required for the functioning of our product. It's been this way ever since we came into business – long before GDPR.
Zoho Desk's GDPR Readiness
Everything starts with setting a clear strategy and rules on how to process Personal Data. Here is how we're actively prepared for the GDPR.
Zoho Desk has security built into every layer of the product. In particular, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO 27001 and SOC 2 Type 2. We believe they offer customers the highest forms of independent assurance available concerning security compliance. Also, we recognize that the GDPR will help us move towards the highest standards of operations in protecting customer data.
Data Hosting (Locality)
Zoho servers are located in the most secure types of data centers in the US, EU, IN, AU and CN. The region in which we host your service data depends upon the domain on which you registered your Zoho Desk account.
The table below lists the different domains and their data hosting locations:
Account Registration Domain
Hosting Region (Data Center)
US (United States)
EU (European Union)
AU (Australia and New Zealand)
As part of our GDPR compliance journey, we can perform migration of service data between any of our data centers starting May 2018. This migration is carried out on customers' request and may take up to five (5) business days from the date of the commencement of such migration. Also, we do not expect any downtime to services during the data migration.
All data transmissions during backup and in-flight are encrypted using the Transport Layer Security (TLS) 1.2 protocol. We also use the latest secure ciphers, such as AES_CBC/AES_GCM with 256-bit/128-bit keys, for encryption. These ensure that your Zoho Desk data is protected from unauthorized access, disclosure, or modification.
By default, sensitive data such as passwords, auth tokens, ticket conversations, attachments, etc., are encrypted. Additionally, you can encrypt custom fields, which adds an extra layer of security for data like credit card numbers and personally identifiable information that your company might define as requiring additional protection. We believe our stringent physical controls at data centers and transit-level encryption ensure your data stays protected.
Zoho Desk provides options to access all the data collected.
The table below lists the different types of information and how users can access them:
Agents can view their profile information like email address, phone, etc., under Setup → Personal Settings → My Information.
End User Profile
End Users can view their personal information like name, email address, tickets, etc., under the My Information tab in Help Center.
Comments and Attachments
End Users can view their tickets' comments and attachments under the My Tickets tab in Help Center.
Customers can edit all of their personal information except the email address. We don't allow you to edit the email address since it is the unique identifier of the primary contact. However, we can assist you in replacing the email address associated with your Zoho Desk account. You can write to us to request a replacement.
We have appropriate methods in place to erase service data from within the interface. You can delete your data by exercising the Delete option. Additionally, you can anonymize a deleted agent, in adherence with the right to be forgotten that's outlined in GDPR. This means that there will be no trace of their personal data across the product.
Zoho Desk provides options to obtain your service data from the account. You can exercise the export option provided for each module. The exported data is presented in CSV format. We also offer a free one-time bulk export from the back end on request.
The data retention period in Zoho Desk is 60 days. When you delete files, they are moved to the Recycle Bin. The files stay there for 60 days after deletion, and you can restore them if you need to. After that, they will be deleted from the Recycle Bin and database.
Data disclosure defines the level of access so that only authorized users can access, alter, or delete service data. Profiles in Zoho Desk help you assign permissions for a set of users. Also, customers can set Data Sharing rules and set Field-level permissions to define the extent of access to the service data.
Data audits help you secure your system and monitor for unexpected changes or usage trends. We will soon be providing you with audit logs as part of our GDPR compliance-enabling feature. These audit logs will offer information about every add, update and delete made to your database records in a comprehensible and user-friendly format.
1. What is Service Data?
Any information (including personal data) used, stored or transmitted via Zoho Desk is referred to as Service Data.
2. Who is the owner and controller of the data I store in Zoho Desk?
The customer is the controller and the owner of data throughout the time they are subscribed to Zoho Desk. Customers are provided with tools necessary to exercise their right to be in control of their data. Zoho Desk is a processor that carries out all processing operations based on the Controller's instructions.