Data storage and data security in Freshdesk

How can I be sure that my data is safe with Freshdesk? Where is the data hosted?

We take matters of data security very seriously at Freshdesk. We are hosted on the highly reliable Amazon AWS servers, that promise optimal uptime, and data security for all our customers and ticket data.

Our hosting partner is AWS and our servers are hosted in a world-class AWS data center, that is protected by biometric locks and 24-hour surveillance. We ensure that our application is always up to date with the latest security patches. All Freshdesk plans include SSL encryption to keep your data safe.

How is the data stored?

The product is built on multi-tenant cloud architecture and every customer's data is logically segregated with a unique tenant ID so that one customer cannot access another customer data.

What information security controls are available / deployed?

Data Segregation:

Freshworks uses a multi-tenant data model to host all its applications. Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in tenant. Per this design, no customer has access to another customer’s data.

Access control:

Freshworks has an in-built authentication module where it provides the ability for customers to define user names and assign access roles. Users can be authenticated either using the authentication module within Freshworks products or via the customer’s SSO. In case customers are using our own authentication module (SSO, AD, etc..), the password rules for authentication & password policy configured by them will be applied. In addition, customers can restrict support agents and customers who can log in to their support portal to certain IP addresses.

Encryption:

All data at rest is encrypted using AES-256-bit standards with the keys being managed using AWS Key Management Service. All data in transit is encrypted. We support only TLS 1.2 and lower versions are deprecated.

Logs:

All the events and activities are logged and monitored on a monthly basis. Application Audit Logs within the Admin console (Admin >Account > Audit Log) captures the user activities and configuration changes or all agents. These logs are read-only and also encrypted for protection.

Can the data hosting region be moved? How long will the process take?

The hosting region can only be selected at the time of account creation, and if the data center needs to be moved to a different , you can raise a support ticket to support@freshdesk.com. The duration of the migration process depends on the amount of data that needs to be transferred.

Where is the data backed up? Will we lose any data?

All data stored and handled in Freshdesk can be backed up in two ways:

1. A continuous backup is maintained in different data centers to support a system failover if it were to occur in the primary data center.

2. Data is backed up to persistent storage every day and retained for the last seven days.

Application logs are backed up and are maintained for a duration of one year.

All backups are encrypted using AES 256-bit encryption and keys being managed through AWS Key Management Services (KMS).

What is the encryption type used in FD?

All data at rest is encrypted using AES-256-bit standards with the keys being managed using AWS Key Management Service. All data in transit is encrypted using HTTPS with TLS 1.2 and above.

What data does Freshdesk have access to? What data of ours does Freshdesk Analyze?

By Default, Freshdesk does not have access to any of the customer's data. In case a customer wants a Freshdesk representative to work on their account, they have to add them as an occasional agent.

Freshdesk stores and processes customer data, where data refers to all electronic data, messages, or other material submitted to Freshdesk by the customer through the customer’s account in connection with the customer’s use of Freshdesk’s service(s). This data is processed in compliance with applicable laws and regulations for the purpose of providing services in the Freshworks product suite. As a data processor, Freshdesk performs operations or set of operations on this data in relation to services offered.

‘Data hosted’ means data stored for the delivery of services we provide as a data processor and includes data stored for backup. ‘Data’ stated hereby is with reference to definitions specified in the provided link.

How do I erase all the data in my helpdesk?

Data Deletion post account termination: Any data deleted will be erased 90 days post date of termination.

Do you process personal data/PII?

Being the data controller, the customer gets to decide what data to host/process in Freshdesk. Freshdesk processes data in accordance with your terms of service

What is Freshdesk’s Data Retention Policy

Data is retained as long as the customer is active and using our products. If any delete is performed by the users (agents, admin, etc…) - then the delete is immediate. However, logs will be retained. These logs would be retained for 3 months and then archived in a secure environment with no access unless explicitly approved by the senior management to comply with applicable laws. These archived logs would also be purged automatically after 21 days. The log will just contain only information about the action or event and associated details. Logs will not have any data including PII.

Upon Account Termination, all account data will be deleted after 90 days from the date of termination. Logs will be retained as mentioned above.

To know about Freshworks’ Data Retention Policies, refer these pages:

You can also refer to these links for more details: Third party data sharing, Freshworks Security, Freshworks Data Hosting and Freshworks on GDPR.

Why are we getting a 'connection insecure' error when we try to access our support URL?

This error generally stems from improper SSL certificate configuration, leading to an unencrypted connection. To address this, ensure your SSL certificate is both up-to-date and correctly installed on your server. Additionally, verify that the URL begins with "https" instead of "http." If complications persist, consider engaging your IT team or hosting provider to rectify the SSL configuration.

This error may also arise due to an insecure custom/vanity URL. To rectify this, you can secure your custom URL by acquiring an SSL certificate from us. Connect with us at support@freshdesk.com to obtain the SSL certificate, thereby resolving the 'connection insecure' error associated with your custom URL.

Here are additional troubleshooting steps to troubleshoot SSL issues:

Verify CNAME Record Values: Ensure that the CNAME record values for your custom domain are correctly configured in both your DNS provider and Freshdesk. Use tools like MX Toolbox to cross-check the records and confirm they match.

Check Existing CNAME Values in Freshdesk: Navigate to your Freshdesk settings and confirm the existing CNAME values to which your custom domain should be pointed. If you can't locate these values, it might be necessary to remove and re-add your custom domain to regenerate accurate CNAME records.

Regenerate CNAME Records: In cases where CNAME records appear incorrect or mismatched, removing the custom domain from the portal and adding it back can generate fresh CNAME records. This step is especially useful if you suspect discrepancies in the records.

Align Domain with New CNAME Value: Once new CNAME records are generated, ensure your custom domain is correctly pointed to the newly provided CNAME value within Freshdesk settings.

Apply for SSL Certificate: With accurate CNAME records in place, reapply for an SSL certificate from within Freshdesk. This step should proceed without errors, and you'll likely see an "Awaiting Activation" message.

Activation Waiting Period: After applying for the SSL certificate, be patient as it may take up to 24 hours for the SSL certificate to activate. During this time, ensure your domain settings remain unchanged for successful activation.

By incorporating these additional troubleshooting steps, users will have a comprehensive guide to resolving SSL issues related to custom domains in Freshdesk.

What is the pricing for SSL certificates? Does it differ with respect to plan?

How do I request a new SSL certificate?

Can we use a wildcard SSL certificate with Freshdesk?

Why is the Feedback Form not loading on my website after I added an SSL certificate?

TLS 1.0 Support Deprecation

From 30th November 2016 (PST), Freshdesk will be moving away from the TLS 1.0 version and will disable the encryption protocol across all its services. The deprecation will have effects on all Freshdesk customers currently using TLS 1.0, and it is advised that you check if you're going to be affected. This solution article will walk you through steps on how you can check if this change affects your business.

Described below are the compatibilities across Desktop Browsers and Mobile Operating Systems.

Desktop browser compatibility

1. Internet Explorer: Desktop versions of IE 8,9 and 10 are TLS compatible if you are running Windows 7 or higher, but not by default. Future versions of Internet Explorer are compatible by default. Achieve compatibility by following the guide here.

2. Mozilla Firefox: Versions 23 through 26 are compatible, but not by default. Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1, or 3 for TLS 1.2. All future versions of Mozilla Firefox are TLS 1.0+ compatible by default.

3. Google Chrome: All versions of Google Chrome above version 38 are compatible by default.

4. Safari: Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher are, compatible with TLS 1.1 and higher, by default.

Verify your browser compatibility

To verify compatibility for TLS 1.1/TLS 1.2 for your browser, go to this link and if you are able to view a webpage shown below with the message TLS1.1/TLS1.2 Upgrade Test Passed, then your browser is compatible with Freshdesk. Internet Explorer users can achieve compatibility by following the guide here.

Mobile compatibility

Devices running Android OS versions lower than 4.1 are not compatible with TLS versions higher than 1.0. Therefore, the Freshdesk Android app will stop working on devices running these versions of the operating system. Users are advised to upgrade their operating systems to continue using the app.

Devices running Android 4.1 to 4.4 need to be on version 3.5 or higher of the Android app to continue using Freshdesk. Users running Android versions 5.0 or higher will not face any issues and can continue using the existing version of the app installed on their device or upgrade to version 3.5 of the app.

The iOS app will continue to work seamlessly on compatible iOS versions (iOS 8 and above).

Once you have ensured that your Browser/OS will not be affected by the eventual deprecation of TLS, you can follow the steps below to run a compatibility test on your Integrations/API clients (if applicable)

Steps to check for API compatibility

Set up an API client in a test environment. This could be any software that you are using to integrate to Freshdesk or any custom integration code that you have written.
In that test environment, change the API client's endpoint hostname from yourdomain.freshdesk.com to tlstest.freshdesk.com.
If you see a '401 Unauthorized' error, then this test passed. This response means that the underlying TLS connection was successful, despite the '401 Unauthorized' error.
If you instead see an error message that involves TLS or https, then the test has failed. Your API client will require adjustments or upgrades. Please check with your client's documentation on how to upgrade to TLS 1.1 or TLS 1.2 support.

Example using cURL

This is how the output would look when connected from cURL.

(The following test cases were run on cURL version 7.50.0)

Failure case

curl -v -XGET https://tlstest.freshdesk.com/api/v2/tickets --tlsv1.0

Output

* Server aborted the SSL handshake

* Closing connection 0

curl: (35) Server aborted the SSL handshake

Successful case

curl -v -XGET https://tlstest.freshdesk.com/api/v2/tickets --tlsv1.1

Output

HTTP/1.1 401 Unauthorized

….

* Connection #0 to host tlstest.freshdesk.com left intact

{"code":"invalid_credentials","message":"You have to be logged in to perform this action."}

If you've got any additional queries, just drop a mail to support@freshdesk.com

Enabling TLS 1.2 in Internet Explorer

Third-party data sharing in Freshdesk

Signing DPA, NDA, and data compliance with Freshdesk:

Does a DPA have to be signed?

If you have agreed to freshworks terms of service, which is available online on our website, it also covers the data processing addendum and does not require to be signed additionally. You can find the documentation on the Freshworks security page.

Do I need to execute a signed copy of the DPA for legal/audit records?

In case you want an e-version (instead of online terms) to be executed, contact us at support@freshdesk.com

Need to sign an NDA, details?

If you are an existing customer of Freshworks, by using our products, Freshworks terms of service available online on our website applies by default. In case you want a physical signed copy with special terms included from your side, contact us at support@freshdesk.com

What is the audit and compliance process in Freshdesk?

Freshdesk is audited annually by independent audit firms for ISO 27001, ISO 27701, SOC 2 Type 2, and VAPT. One of the objectives of getting these certifications or attestations is to be able to provide the necessary information to our customers through the audits reports by reputed and independent auditors.

Therefore, we will only be able to support security evaluations by means of Security questionnaires, 3rd party audit reports, certification requests, and evaluation calls.

Further, On a case to case basis where it's mandated by the law/regulations, audits and assessments shall be discussed and agreed in the contract

Is Freshdesk PCI Compliant?

Yes, Freshdesk is PCI Compliant. Freshworks has data security controls in line with the ISO 27001 standards and is audited as per the SOC 2 Type II framework covering the security, confidentiality, and availability of trust service principles.

Further, for running PCI compliant workloads, we work with our customers to satisfy specific use cases where we obfuscate card data that is structured in nature. Examples such as a card data on an email title( using card data masker integration), or providing encrypted fields over a form.

What is CCPA Compliance? Is Freshdesk CCPA Compliant?

To an extent, Freshdesk account holders are ‘consumers’ as defined under the California Consumer Privacy Act of 2018 (“CCPA”) and Freshdesk is a ‘business’ as defined under CCPA. Thus, the following applies to every Freshdesk account holder:

Subject to the provisions of the CCPA, you have the right to request in the manner provided herein, for the following:

a. Right to request for information about the:

- Categories of Personal Data Freshworks has collected about you.

- Specific pieces of Personal Data Freshworks has collected about you.

- Categories of sources from which the Personal Data is collected.

- Business or commercial purpose for collecting Personal Data.

- Categories of third parties with whom the business shares Personal Data.

b. Right to request for deletion of any Personal Data collected about you by Freshdesk.

If you seek to exercise the foregoing rights to access or delete Personal Data which constitutes ‘personal information’ as defined in CCPA, please contact us at privacy@freshworks.com or write to us here. We respond to all requests we receive from you wishing to exercise your data protection rights within a reasonable timeframe in accordance with applicable data protection laws.

By writing to us, you agree to receive communication from us seeking information from you in order to verify you to be the consumer from whom we have collected the Personal Data from and such other information as reasonably required to enable us to honor your request.

The list of categories of Personal Data collected and disclosed about consumers are enlisted under the head ‘What Personal Data does Freshworks collect and why?’ and the list of categories of third parties to whom the Personal Data was or maybe made disclosed are enlisted under the head ‘Sharing of Personal Data’. Separately, Freshworks does not sell your Personal Data

How do I delete user data?