Zendesk Apps: Technical information - Data, Security & Architecture


SweetHawk is a developer of Zendesk apps. We have created apps such as Tasks and Subtickets, Approve and Calendar. A full list of apps is available on the Zendesk Apps Marketplace or on our website. We take data privacy extremely seriously and are GDPR and CCPA compliant. We work to the best security and software development practices and are SOC 2 compliant.

While each app is very different in terms of how it is built, a reductionist would describe Zendesk apps as a bunch of iframes running some custom code. Should you wish to find out more about how a Zendesk app is built, please check out the documentation of the Zendesk Apps Framework (ZAF).


Where SweetHawk apps may differ from the majority of apps on the marketplace is that we operate a separate Software-as-a-Service (SaaS) that is accessed via the Zendesk app's iframe(s). It's important to understand in this context is that all iframes authenticate with our servers via a secure SSO-style mechanism using JWT tokens.

Some apps (Survey and Approvals) are accessed by users outside of Zendesk depending on the app's use and configuration. These users are assigned a secure authentication token which they will receive exclusively in their email. SweetHawk does not utilize passwords at all.

Offline access

Some of our apps also include some type of 'offline' function, something that can happen even when your support agents aren't online. For example a deadline hits, an approval gets granted, a survey response is left or a calendar event started. It's for these and other functions that we request an additional API authorization that our server may use.

What data is accessed via the server-side API?

Per our GDPR/CCPA compliance, we only transfer and store data that is absolutely needed for the apps to function. We do not collect personal data for the purposes of selling this information, but only for transactional needs of the apps themselves.

Below is data each app may access but apps may also synchronize basic information of your agents (employees): email address, first/last name and profile picture.

App Offline access Customer data stored
Approve Yes From ticket data as configured in-app
Calendar Yes From ticket data as configured in-app and calendar data from external calendars
Change Manager Yes  
Deadline Yes  
Due Time Yes  
Field Conditions    
Future Tickets Yes  
Hide Ticket Fields    
Liquid Placeholders Yes  
Notify Write only* Ticket data as configured in-app
Recurring Tickets Write only*  
Reminders Optional (used for in-app reminders)  
Super Suite    
Survey Yes None (survey responses are anonymously stored against ticket IDs)
Tasks and Subtickets Yes  
Timers Yes  

* Write only access means the scope of the access token cannot read any of your data


Data flow

SweetHawk also uses 3rd party providers as outlined on our GDPR/CCPA compliance page (DPA available). The diagram below shows how data flows between those providers. Since the apps work within Zendesk support, most of the data flows to and from it, the exact details depends on which apps you use and their configuration.


Data transfer and security

All data is encrypted using TLS 1.2 when transferred and this includes the app iframes that display the app UI inside Zendesk app locations, any data transferred to and from Zendesk APIs but also any external services such as Google Calendar.

Data storage and retention

Data created within apps is usually kept in perpetuity, as most apps offer a history of audit logs and past records.

All data is encrypted at rest using Amazon Elastic Block Store encryption.

After all apps are uninstalled, accounts will be marked for deletion after some time. If you wish to delete your data sooner, or you wish to retain your data longer, please contact us.

Please refer to our Privacy Policy for how we treat personal data.

Server technology stack

Our servers are running on AWS EC2 instances in the US East (us-east-1) region.

We use a PostgreSQL database server running on a server only accessible from our multi-tenanted Ruby on Rails application server, with a replication slave.

Our policy is to keep Operating Systems, web server software and application libraries up to date on the latest security patch versions.


I use an IP whitelist for my API access, what are your IP addresses? 

Please click here for information about managing IP Restrictions while using SweetHawk apps.


Was this article helpful?
10 out of 11 found this helpful



Please sign in to leave a comment.