SEIF Zendesk Apps – Legal & Data Protection Notice

1. Purpose and scope

This page describes the legal terms and data protection practices applicable to the SEIF applications for Zendesk (the “Apps”).

It does not apply to the seif-consult.com website or to any processing related to browsing that website (cookies, web forms, newsletters, etc.).

The Apps are installed and used within the Customer’s Zendesk environment in order to help the Customer work with their own Zendesk data (tickets, users, organizations, custom objects, etc.).

2. Roles of the parties

  • The Customer, who owns the Zendesk account and installs the Apps, is the Data Controller with respect to the personal data stored in its Zendesk instance and used via the Apps.

  • SEIF acts as a Data Processor, to the extent it provides functionality that allows the Customer to process its own Zendesk data.

The Apps do not change this allocation of roles: the Customer remains responsible for the data it collects in Zendesk and for all configurations it defines (fields, forms, permissions, business rules, etc.).

3. Data processed by the Apps

The Apps only use and process data that is already present and stored in the Customer’s Zendesk instance. They access this data through:

  • the Zendesk Apps Framework (ZAF), via the ZAFClient provided by Zendesk; and

  • the Zendesk APIs (for example /api/v2/...).

Depending on the specific App and the Customer’s configuration, the following categories of data may be processed:

  • Ticket data

    • Ticket IDs

    • Subject, description, status, priority, type

    • Ticket system fields (e.g. brand, group, assignee, timestamps, etc.)

    • Ticket custom fields (including their values)

  • User data

    • User IDs

    • Name, email address, phone number (if stored in Zendesk)

    • Role (agent, admin, end‑user, etc.)

    • Related organization

    • User custom fields

  • Organization data

    • Organization IDs

    • Name

    • Organization custom fields

  • Custom Objects

    • Keys and fields of custom objects defined by the Customer

    • Custom object records linked to tickets or users (for example contracts, usage tracking, etc.)

  • App settings

    • Technical and functional settings used by the Apps, stored in the app installation settings or, in development mode, in a dedicated user field (e.g. currentUser.customField:appSettings).

The Apps do not access any data beyond what is exposed and authorized by the Customer’s own Zendesk configuration.

4. No external storage and no Zendesk API token input

The Apps run entirely within the Zendesk environment and:

  • do not create any external database at SEIF for storing the Customer’s Zendesk data;

  • do not use browser storage such as localStorage or sessionStorage to persist Zendesk data;

  • do not require the Customer to enter a Zendesk “API token” or API credentials into the Apps.

All storage and updates occur only:

  • in Zendesk app installation settings (/api/v2/apps/installations/...);

  • in Zendesk Custom Objects (/api/v2/custom_objects/...);

  • in Zendesk tickets, users, organizations and account settings, via standard Zendesk APIs.

Authentication to Zendesk APIs is handled by the agent/admin session within the Zendesk Apps Framework (ZAF). The Apps do not maintain any separate authentication database for Zendesk.

5. Purposes of processing

The Apps enable the Customer, among other things, to:

  • simplify or automate the management of tickets, users, organizations, and custom fields;

  • aggregate or format information from tickets, users, or organizations to display it in the Zendesk UI or copy it into other fields;

  • manage Custom Objects within Zendesk (for example contracts, consumed time, ticket–contract relationships, etc.);

  • store and reuse App configuration (display options, lists of fields to hide or use, etc.) within Zendesk.

All such purposes are determined by the Customer, through the selection and configuration of the Apps. SEIF does not use the data for any other purposes (such as external marketing, prospecting, or profiling).

6. Legal basis (for Customers in the EU / EEA / UK)

As Data Controller, the Customer is responsible for identifying and documenting the appropriate legal basis for its processing activities in Zendesk and via the Apps (for example: performance of a contract, legitimate interest, legal obligation, consent).

As Data Processor, SEIF processes the data:

  • based on the documented instructions of the Customer, and

  • in the context of performing the contract under which SEIF provides the Apps and related support.

7. Subprocessors

SEIF may engage technical service providers as subprocessors in order to:

  • host, deploy, and operate the Apps;

  • monitor, log, and secure the platform;

  • provide support and diagnostics tools.

These providers may access the Apps (code and technical logs), but do not host or store the Customer’s Zendesk data in a separate SEIF-controlled database. The data remains in the Customer’s Zendesk environment.

Where a provider could access personal data in the context of support or incident handling, SEIF ensures that:

  • appropriate confidentiality and security commitments are in place; and

  • the provider acts only on SEIF’s instructions, and SEIF itself acts only on the Customer’s instructions.

An up‑to‑date list of significant technical subprocessors can be provided to the Customer upon request.

8. International data transfers

Because the Apps run inside Zendesk, the primary data flows are those of Zendesk itself.

Customers should therefore refer to Zendesk’s own commitments (Data Processing Agreement, transfer mechanisms, Data Privacy Framework certifications, Standard Contractual Clauses, etc.) for most cross‑border transfer aspects.

Where SEIF or its subprocessors process personal data originating from the EU / EEA / UK in a country without an adequate level of protection, SEIF will implement appropriate safeguards (such as the European Commission’s Standard Contractual Clauses or UK equivalents) in accordance with applicable data protection laws.

9. Security

SEIF implements reasonable technical and organizational measures to protect the Apps and, where access is required, any personal data involved, including:

  • controlled access to development and support environments;

  • internal security and confidentiality policies;

  • technical logging and monitoring of the Apps;

  • encryption mechanisms where appropriate and technically feasible for the tools used.

For the Customer’s Zendesk data, primary security is provided by Zendesk’s own mechanisms (user authentication, role‑based permissions, encryption by Zendesk, etc.). SEIF does not bypass these mechanisms and relies only on official Zendesk APIs and SDKs.

In the event of a security incident that materially involves personal data in connection with use of the Apps, SEIF will:

  • notify the affected Customer without undue delay; and

  • provide available information to help the Customer assess the incident and, where required, fulfill its notification obligations towards supervisory authorities and data subjects.

10. Retention and deletion

Because the Apps do not create any separate SEIF database for Zendesk data:

  • there is no standalone retention of Zendesk data by SEIF;

  • data retention periods are entirely determined and managed by the Customer within its Zendesk instance (retention rules, ticket lifecycle, deletion of users or organizations, deletion of custom objects, etc.).

In practice:

  • when an App is uninstalled, Zendesk stops invoking the App; app installation settings may be deleted or become inaccessible in line with Zendesk’s behavior;

  • if the Customer has created Custom Objects for the purposes of an App (for example “Contracts”), those objects and records are Zendesk resources. Deleting them is the Customer’s responsibility, via Zendesk administration or APIs.

Upon the Customer’s request, SEIF can provide reasonable assistance to help the Customer understand which data is used by a given App and how to delete that data in Zendesk.

11. Data subject rights

Data subjects’ rights (access, rectification, erasure, restriction, portability, objection, etc.) must be exercised directly with the Customer, who is the Data Controller.

As Data Processor, SEIF:

  • does not respond directly to data subject requests, unless instructed to do so by the Customer or required by law; and

  • will provide reasonable assistance to the Customer, where technically feasible and proportionate, to enable the Customer to handle such requests within Zendesk (for example by documenting which fields are used by an App).

12. Changes to this notice

SEIF may update this notice from time to time, for example if the Apps evolve, if legal requirements change, or if new technical subprocessors are added.

The “Last updated” date below reflects the latest version. By continuing to use the Apps after an update, the Customer is deemed to have taken note of the updated version.

13. Contact

For any questions related to SEIF’s Zendesk Apps or to data protection in this context, Customers may contact:

SEIF – Zendesk Apps & Data

Address: La Clémentinière, 44860 Pont Saint Martin, France

Phone: +33 2 57 48 00 86

Email: help@seif-consult.com

Last updated: March 12, 2026