Introduction
SweetHawk is a developer of Zendesk apps. We have created apps such as Tasks and Subtickets, Approve and Calendar. A full list of apps is available on the Zendesk Apps Marketplace or on our website. We take data privacy extremely seriously and are GDPR and CCPA compliant. We work to the best security and software development practices and are SOC 2 compliant.
While each app is very different in terms of how it is built, a reductionist would describe Zendesk apps as a bunch of iframes running some custom code. Should you wish to find out more about how a Zendesk app is built, please check out the documentation of the Zendesk Apps Framework (ZAF).
Authentication
Where SweetHawk apps may differ from the majority of apps on the marketplace is that we operate a separate Software-as-a-Service (SaaS) that is accessed via the Zendesk app's iframe(s). What is important to understand in this context is that all iframes authenticate with our servers via a secure SSO-style mechanism using JWT tokens.
Some apps (Survey and Approvals) are accessed by users outside of Zendesk depending on the app's use and configuration. These users are assigned a secure authentication token which they will receive exclusively in their email. SweetHawk does not utilize passwords at all.
Offline access
Some of our apps also include some type of 'offline' function, something that can happen even when your support agents aren't online. For example, a deadline hits, an approval gets granted, a survey response is left or a calendar event starts. It's for these and other functions that we request an additional API authorization that our server may use.
What data is accessed via the server-side API?
Per our GDPR/CCPA compliance, we only transfer and store data that is absolutely needed for the apps to function. We do not collect personal data for the purposes of selling this information, but only for the transactional needs of the apps themselves.
Below is the data each app may access. Apps may also synchronize basic information about your agents (employees): email address, first/last name and profile picture.
App | Offline access | Customer data stored |
Approve | Yes | From ticket data as configured in-app |
Calendar | Yes | From ticket data as configured in-app and calendar data from external calendars |
Change Manager | Yes | |
Deadline | Yes | |
Due Time | Yes | |
Field Conditions | | |
Future Tickets | Yes | |
Hide Ticket Fields | | |
Liquid Placeholders | Yes | |
Notify | Write only* | Ticket data as configured in-app |
Recurring Tickets | Write only* | |
Reminders | Optional (used for in-app reminders) | |
Super Suite | | |
Survey | Yes | None (survey responses are anonymously stored against ticket IDs) |
Tasks and Subtickets | Yes | |
Timers | Yes | |
Undo | | |
* Write only access means the scope of the access token cannot read any of your data.
Data flow
SweetHawk also uses 3rd party providers as outlined on our GDPR/CCPA compliance page (DPA available). The diagram below shows how data flows between those providers. Since the apps work within Zendesk Support, most of the data flows to and from it; the exact details depend on which apps you use and their configuration.
Data transfer and security
All data is encrypted using TLS 1.2 when transferred. This includes the app iframes that display the app UI inside Zendesk app locations, any data transferred to and from Zendesk APIs, and any external services such as Google Calendar.
Data storage and retention
Data created within apps is usually kept in perpetuity, as most apps offer a history of audit logs and past records.
All data is encrypted at rest using Amazon Elastic Block Store encryption.
After all apps are uninstalled, accounts will be marked for deletion after some time. If you wish to delete your data sooner, or you wish to retain your data longer, please contact us.
Please refer to our Privacy Policy for how we treat personal data.
Server technology stack
Our servers are running on AWS EC2 instances in the US East (us-east-1) region.
Our PostgreSQL database server, with a replication slave, runs on a server that is only accessible from our multi-tenanted Ruby on Rails application server.
Our policy is to keep operating systems, web server software and application libraries up to date on the latest security patch versions.
I use an IP whitelist for my API access, what are your IP addresses?
You must add all of our servers' IP addresses:
3.82.57.172
52.206.12.163
54.242.179.158
54.227.71.163
54.210.38.6
54.175.245.19
Note: using an IP whitelist is not recommended as our IP addresses change from time to time and this will stop the apps from functioning correctly. To be notified when our IP addresses change, please add yourself to this mailing list.