Zendesk Particulars: Information Security Measures
- End of Life Notice. PolyAI will provide you with at least three (3) months advance notice of any feature end of life or deprecation.
- PolyAI warrants and represents that it shall use commercially reasonable efforts to implement and maintain the security measures detailed below to keep all content, materials, data (including personal data) and non-public information provided or made available by you (collectively, "Data") secure and protect Data against unauthorized or unlawful processing, accidental loss, destruction or damage, as further set forth below. In doing so, PolyAI will act in good faith and diligence, using reasonable care and skill.
A. Definitions:
- "Process" means any operation in relation to Data irrespective of the purposes and means applied, including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
- "Breach" means any (a) unauthorized Processing of Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by PolyAI regarding Processing Data or otherwise put in place to comply with these requirements. For the avoidance of doubt, "unauthorized Processing" includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
- "Incident" means any impairment to the security of Data including any (i) act that violates any law or any PolyAI security policy, (ii) unplanned service disruption that prevents the normal operation of the Services, or (iii) Breach.
3. Measures: Technical and organizational measures for the storage, handling, and disposal of Data.
- PolyAI will utilize industry standard encryption algorithms and key strengths to encrypt the following:
- Encrypt all Data that is in electronic form while in transit over all public wired networks (i.e. Internet) and all wireless networks.
- Encrypt all Data while in storage. "In Storage" means information stored in databases, in file systems, and on various forms of online and offline media (Mobile devices, laptops, DASD, tape, etc.) and is also commonly referred to as "at rest."
- Except where prohibited by law, PolyAI will promptly remove Data upon (a) completion of the Services; or (b) request by you (or Zendesk, as applicable) to be removed from PolyAI's environment, and destroy it within a reasonable timeframe, but in no case longer than twenty-one (21) days after the date of request or cessation of services. PolyAI will provide you (or Zendesk, as applicable) with a written certification regarding such removal, destruction, and/or cleaning within thirty (30) days of such occurrence.
4. Measures: Malicious Code Protection.
- All workstations and servers (virtual or physical) will run the current version of industry standard anti-virus and/or anti-malware software with the most recent updates available on any workstation or server. Virus definitions must be updated promptly upon release by the anti-virus software provider. PolyAI will configure equipment and have supporting policies to prohibit users from disabling antivirus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Data or PolyAI's computing environment.
- PolyAI will scan incoming and outgoing content for malicious code on all gateways to public networks including email and proxy servers.
- PolyAI will quarantine or remove files that have been identified as infected and will log the event.
5. Measures: Technical and organizational measures for access control, especially to control the legitimacy of authorized entrants to the facilities and systems where Data may be accessed:
- PolyAI ensures measures are taken to secure the premises (for example, securing entries and exits) as well as measures within its building through the use of the following procedures:
- security and encryption of all personal computers or other mobile devices that may access Data;
- limited access to employees and contractors except for authorized visitors;
- identification of the persons having access authority;
- restriction on keys;
- visitors books (including timekeeping); and
- security alarm system or other appropriate security measures.
PolyAI will revoke access to physical locations, systems, and applications that contain or process Data within twenty-four (24) hours of the cessation of such Authorized Agent's need to access the system(s) or application(s).
6. Measures: Technical (password / password protection) and organizational (user master record) measures concerning user identification and authentication:
PolyAI shall inform you, upon your reasonable request, which authorized persons are entrusted with access to Data.
User control shall include the following measures:
- restricted VPN profile;
- implementation of 2-factor authentication.
Access control to Data shall include the following measures:
- effective and measured disciplinary action against individuals who access data without authorization.
7. Measures: Technical and organizational measures concerning the security of networks (including wireless networks) utilized by PolyAI.
All network controls shall include the following measures:
- On a regular basis, PolyAI will run internal and external network vulnerability scans. Vulnerabilities identified will be remediated in a commercially reasonable manner and timeframe based on severity.
PolyAI will deploy reasonably appropriate firewall technology in operation of its networks.
- At a minimum, PolyAI will review firewall rule sets quarterly to ensure that legacy rules are removed and active rules are configured correctly.
- PolyAI will deploy intrusion detection or prevention systems in order to monitor networks for inappropriate activity.
- PolyAI shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.
Wireless network controls shall include the following additional measures:
- Network access to wireless networks should be restricted only to those authorized.
- Access points shall be segmented from an internal, wired LAN using a gateway device.
- The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value.
- Encryption of all wireless connections will be enabled using industry standard encryption algorithms. Encryption protocols will be based on "Wi-Fi Protected Access" (WPA2) or stronger.
8. Measures: PolyAI will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, PolyAI will (i) promptly take all necessary steps to prevent any further compromise of Data or any future Incidents; (ii) notify you within twenty-four (24) hours of the Incident being identified and provide a written report within three (3) days thereafter; and (iii) respond promptly to any reasonable request from you for detailed information pertaining to the Incident. Vendor's notice and report will contain a description of the nature of the Incident, its impact, and any investigative, corrective, or remedial actions taken or planned.
9. Measures: Business Continuity & Disaster Recovery. PolyAI has provided you a commercially reasonable and industry standard business continuity plan to maintain availability of the Service (the "Continuity Plan"). The Continuity Plan does and shall include, but is not limited to, elements such as (a) crisis management, plan and team activation, event & communication process documentation; (b) event management, business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, and system(s) details, recovery activities, and identification of the people / teams required for such recovery. PolyAI shall maintain such Continuity Plan throughout the term of all subscriptions; provided that Vendor shall have the right to modify or amend the Continuity Plan provided such modification or amendment does not have a material adverse effect on PolyAI's ability to maintain availability of the Service.
10. At your request, PolyAI shall make commercially reasonable modifications to its information security program or to the procedures and practices thereunder to conform to your baseline security requirements as outlined in all applicable exhibits to the Agreement and as they exist from time to time. You shall provide PolyAI with documentation of such baselines, which shall be part of your confidential information under the Agreement. PolyAI shall develop a written information security plan for you containing, at a minimum, the topics called for in this Agreement.