Zendesk Apps: Technical information - Data, Security & Architecture


SweetHawk specializes in Zendesk apps, integrations and business workflows. We have created apps such as Tasks and Subtickets, Approve and Calendar. A full list of apps is available on the Zendesk Apps Marketplace or on our website.

While each app is different in terms of what data it requires and what level of API access it needs, all apps basically are an an iframe. App iframes are securely hosted on our server.

Most of our apps include some type of 'offline' function, something that can happen even when your support agents aren't online. For example a deadline hits, an approval gets granted, a survey response is left or a calendar event started. It's for these and other functions that we require an additional API authorization that our server may use.

Access to your Zendesk data

When installing an app in your Zendesk instance, any app automatically gains access to your data via the Zendesk App Framework it needs via the user permissions of the person using Zendesk. If needed, access to the server side API needs to be explicitly granted by one of your Zendesk administrators and you will be prompted for this when required.

Note that when granting an app access to the server side API, you are not providing access to data not available via the app framework already, you are then granting access for the SweetHawk app server to access your Zendesk directly ('offline access').

This process of granting API access is very straight forward. The first time you use the app upon installing an app that requires server side API access, follow the prompts to enable it. This must be done by an admin because to initialize the apps securely we need server side access to modify the app's internal settings with a secure token.

Note that the API authorization needs to stay current. If the administrator that granted access is leaving the organization or is downgraded to a regular agent, the API needs to be re-authorized by another administrator for the app to continue to work. Follow in-app prompts to complete this process.

Once you granted our server access, the app is initialized by creating any essential triggers or webhooks if needed. Webhooks are configured with a unique unguessable token which identifies your account. Because the Webhook is created via the server side this token is never visible to anyone.

Why do apps need server side API access?

Each is app is subtly different. But the apps only read or write data where you would reasonably expect this. The main reasons the apps need server side access are:

  • Calendar: setting ticket fields and at the time of the event start and end, tagging the ticket. Also for sending notifications when other users update a calendar event. For a complete overview, please see which APIs are used by the Calendar app.

  • Tasks: setting fields on tickets, such as how many tasks are completed and what the parent ticket ID is. For a complete overview, please see which APIs are used by the Tasks app.

  • Due Time: tagging a ticket at the due date/time and sending an in-app notification. For a complete overview, please see which APIs are used by the Due Time app.

  • Deadline: updates a ticket with a special tag when the deadline hits. For a complete overview, please see which APIs are used by the Deadline app.

  • Approve: loads ticket data to send messages to approvers, tags tickets if required, sets a custom field called Approval Date when all approvals are granted, and creates webhooks for automatic approvals. (also applies to legacy Approvals app)

  • Survey: sets a value for the secure token Zendesk user field and creates Dynamic Content for the new customer satisfaction snippet for use in notifications. For a complete overview, please see which APIs are used by the Survey app. Please note that the Survey app does not store any personal data of your customers. The survey data is stored anonymously and is linked to the customer data in Zendesk via the ticket ID only.

  • Notify: to allow for quick editing of triggers and to send the notifications.

  • SLA Timers: to create webhooks and to tag your ticket when a timer ends

  • Change manager: to setup ticket fields in your account in relation to change management such as "Impact" and "Risk" and maintain the "Change Type" field as you add and remove change types.

  • Future Tickets: to copy tickets and create new ones

  • Recurring Tickets: to create new tickets

For the Reminders app, access to the API is not required for the app to function, it only needs to be enabled if in-app notifications for agents are desired.

The apps Field ConditionsHide Ticket Fields and Undo do not require access to the REST API.

Data flow

SweetHawk also uses 3rd party providers as outlined on our GDPR/CCPA compliance page (DPA available). The diagram below shows how data flows between those providers. Since the apps work within Zendesk support, most of the data flows to and from it, the exact details depends on which apps you use and their configuration.


Data transfer and security

All data is encrypted using TLS 1.2 when transferred and this includes the app iframes that display the app UI inside Zendesk app locations, any data transferred to and from Zendesk APIs but also any external services such as Google Calendar.

Data storage and retention

Data created within apps is usually kept in perpetuity, as most apps offer a history of audit logs and past records.

All data is encrypted at rest using Amazon Elastic Block Store encryption.

After all apps are uninstalled, accounts will be marked for deletion after some time. If you wish to delete your data sooner, or you wish to retain your data longer, please contact us.


Authentication happens via Single Sign-On with Zendesk Support as the app iframes get loaded by agents who have the app(s) enabled. Once authenticated, users are assigned an unguessable token to authenticate them for further requests with the SweetHawk application server where necessary.

Some apps (Survey and Approvals) are accessed by users outside of Zendesk depending on the app's use and configuration. These users are also assigned a secure authentication token which they will receive exclusively in their email.

Personal information

Apps will store personal information (names and email addresses) of agents using the apps as part of the advertised functionality but also so the key users may be notified of essential app updates, billing notifications and for any administrative actions that may be required.

Apps do not store personal data of your customers such as user records or text fields on tickets although we cannot necessarily exclude this data when securely transferred to us via a Zendesk APIs we require to call for other purposes, we only store data that was in fact needed. For example, if we need to access a specific ticket field value on a Zendesk ticket, the only API available to obtain this data also includes the subject, description and other custom text fields of that ticket, which may all include sensitive data.

Please refer to our Privacy Policy for how we treat personal data.

Server technology stack

Our servers are running on AWS EC2 instances in the US East (us-east-1) region.

We use a PostgreSQL database server running on a server only accessible from our multi-tenanted Ruby on Rails application server, with a replication slave.

Our policy is to keep Operating Systems, web server software and application libraries up to date on the latest security patch versions.


Do I have access to my data?

If you wish to obtain your data please contact us and we will kindly oblige.

I'm no longer using your app, can you delete my data?

Of course, just contact us and we'll dispose of your data responsibly.

I use an IP whitelist for my API access, what are your IP addresses? 

You must add all our server's IP addresses:

Note: using an IP whitelist is not recommended as our IP addresses change from time to time and this will stop the apps from functioning correctly. To be notified when our IP addresses change, please add yourself to this mailing list.


Was this article helpful?
1 out of 1 found this helpful



Please sign in to leave a comment.