How can I be sure that my data is safe with Freshdesk? Where is the data hosted?
We take matters of data security very seriously at Freshdesk. We are hosted on highly reliable Amazon AWS servers, which promise optimal uptime and data security for all our customers and ticket data.
Our hosting partner is AWS and our servers are hosted in a world-class AWS data center that is protected by biometric locks and 24-hour surveillance. We ensure that our application is always up to date with the latest security patches. All Freshdesk plans include SSL encryption to keep your data safe.
How is the data stored?
The product is built on a multi-tenant cloud architecture, and every customer's data is logically segregated with a unique tenant ID so that one customer cannot access another customer's data.
What information security controls are available / deployed?
Data Segregation:
Freshworks uses a multi-tenant data model to host all its applications. Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in tenant. Per this design, no customer has access to another customer’s data.
Access control:
Freshworks has a built-in authentication module that lets customers define user names and assign access roles. Users can be authenticated either using the authentication module within Freshworks products or via the customer’s SSO. In case customers are using their own authentication module (SSO, AD, etc.), the password rules for authentication and the password policy configured by them will be applied. In addition, customers can restrict the support agents and customers who can log in to their support portal to certain IP addresses.
Encryption:
All data at rest is encrypted using AES-256-bit standards with the keys being managed using AWS Key Management Service. All data in transit is encrypted. We support only TLS 1.2; lower versions are deprecated.
Logs:
All events and activities are logged and monitored on a monthly basis. Application Audit Logs within the Admin console (Admin > Account > Audit Log) capture the user activities and configuration changes of all agents. These logs are read-only and also encrypted for protection.
Can the data hosting region be moved? How long will the process take?
The hosting region can only be selected at the time of account creation. If the data center needs to be moved to a different region, you can raise a support ticket to support@freshdesk.com. The duration of the migration process depends on the amount of data that needs to be transferred.
Where is the data backed up? Will we lose any data?
All data stored and handled in Freshdesk can be backed up in two ways:
1. A continuous backup is maintained in different data centers to support a system failover if it were to occur in the primary data center.
2. Data is backed up to persistent storage every day and retained for the last seven days.
Application logs are backed up and are maintained for a duration of one year.
All backups are encrypted using AES 256-bit encryption, with keys managed through AWS Key Management Service (KMS).
What is the encryption type used in Freshdesk?
All data at rest is encrypted using AES-256-bit standards with the keys being managed using AWS Key Management Service. All data in transit is encrypted using HTTPS with TLS 1.2 and above.
What data does Freshdesk have access to? What data of ours does Freshdesk Analyze?
By default, Freshdesk does not have access to any of the customer's data. In case a customer wants a Freshdesk representative to work on their account, they have to add them as an occasional agent.
Freshdesk stores and processes customer data, where data refers to all electronic data, messages, or other material submitted to Freshdesk by the customer through the customer’s account in connection with the customer’s use of Freshdesk’s service(s). This data is processed in compliance with applicable laws and regulations for the purpose of providing services in the Freshworks product suite. As a data processor, Freshdesk performs operations or set of operations on this data in relation to services offered.
‘Data hosted’ means data stored for the delivery of services we provide as a data processor and includes data stored for backup. ‘Data’ stated hereby is with reference to definitions specified in the provided link.
How do I erase all the data in my helpdesk?
Data Deletion post account termination: Any data deleted will be erased 90 days post date of termination.
Do you process personal data/PII?
Being the data controller, the customer gets to decide what data to host/process in Freshdesk. Freshdesk processes data in accordance with your terms of service.
What is Freshdesk’s Data Retention Policy?
Data is retained as long as the customer is active and using our products. If any delete is performed by the users (agents, admin, etc.), then the delete is immediate. However, logs will be retained. These logs are retained for 3 months and then archived in a secure environment with no access unless explicitly approved by the senior management to comply with applicable laws. These archived logs are also purged automatically after 21 days. The logs contain only information about the action or event and associated details. Logs will not have any data, including PII.
Upon Account Termination, all account data will be deleted after 90 days from the date of termination. Logs will be retained as mentioned above.
To learn about Freshworks’ Data Retention Policies, refer to these pages:
You can also refer to these links for more details: Third party data sharing, Freshworks Security, Freshworks Data Hosting and Freshworks on GDPR.
This error generally stems from improper SSL certificate configuration, leading to an unencrypted connection. To address this, ensure your SSL certificate is both up-to-date and correctly installed on your server. Additionally, verify that the URL begins with "https" instead of "http." If complications persist, consider engaging your IT team or hosting provider to rectify the SSL configuration.
This error may also arise due to an insecure custom/vanity URL. To rectify this, you can secure your custom URL by acquiring an SSL certificate from us. Connect with us at support@freshdesk.com to obtain the SSL certificate, thereby resolving the 'connection insecure' error associated with your custom URL.
Here are additional steps to troubleshoot SSL issues:
By incorporating these additional troubleshooting steps, users will have a comprehensive guide to resolving SSL issues related to custom domains in Freshdesk.
SSL certificates are free for all Freshdesk accounts, across all applicable plans.
SSL is a form of encryption protocol that secures data between browsers and servers. SSL certificates are issued to websites & web portals to ensure a safer experience for businesses & customers.
When you sign up for a Freshdesk account, the default account URL, which is usually in the format yourcompanyname.freshdesk.com, is enabled with a default SSL certificate provided by Freshdesk.
When do you need an SSL Certificate?
Any custom portal URL that you create for your helpdesk needs an SSL certificate to load securely (in HTTPS).
How do you get an SSL certificate?
Before SSL Certificate is enabled:
After SSL Certificate is enabled:
No, Freshdesk only supports SSL certificates provided by Let's Encrypt, specific to your custom URL. Wildcard SSL certificates are not supported. This is because all Freshdesk accounts use the Freshdesk domain, so we will not be able to share the public and private keys for the domain.
When HTTPS is not used for the Feedback widget, its content will not load in a portal/website where an SSL certificate is enabled. To overcome this, navigate to Admin > Channels > Feedback Form and toggle on the option to "Use HTTPS".
You would have to then replace the widget code on your website with the updated widget code.
From 30th November 2016 (PST), Freshdesk will be moving away from the TLS 1.0 version and will disable the encryption protocol across all its services. The deprecation will have effects on all Freshdesk customers currently using TLS 1.0, and it is advised that you check if you're going to be affected. This solution article will walk you through steps on how you can check if this change affects your business.
Described below are the compatibilities across Desktop Browsers and Mobile Operating Systems.
1. Internet Explorer: Desktop versions of IE 8, 9 and 10 are TLS compatible if you are running Windows 7 or higher, but not by default. Future versions of Internet Explorer are compatible by default. Achieve compatibility by following the guide here.
2. Mozilla Firefox: Versions 23 through 26 are compatible, but not by default. Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1, or 3 for TLS 1.2. All future versions of Mozilla Firefox are TLS 1.0+ compatible by default.
3. Google Chrome: All versions of Google Chrome above version 38 are compatible by default.
4. Safari: Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher are compatible with TLS 1.1 and higher by default.
Verify your browser compatibility
To verify compatibility for TLS 1.1/TLS 1.2 for your browser, go to this link and if you are able to view a webpage shown below with the message TLS1.1/TLS1.2 Upgrade Test Passed, then your browser is compatible with Freshdesk. Internet Explorer users can achieve compatibility by following the guide here.
Mobile compatibility
Devices running Android OS versions lower than 4.1 are not compatible with TLS versions higher than 1.0. Therefore, the Freshdesk Android app will stop working on devices running these versions of the operating system. Users are advised to upgrade their operating systems to continue using the app.
Devices running Android 4.1 to 4.4 need to be on version 3.5 or higher of the Android app to continue using Freshdesk. Users running Android versions 5.0 or higher will not face any issues and can continue using the existing version of the app installed on their device or upgrade to version 3.5 of the app.
The iOS app will continue to work seamlessly on compatible iOS versions (iOS 8 and above).
Once you have ensured that your Browser/OS will not be affected by the eventual deprecation of TLS 1.0, you can follow the steps below to run a compatibility test on your Integrations/API clients (if applicable).
Set up an API client in a test environment. This could be any software that you are using to integrate to Freshdesk or any custom integration code that you have written.
In that test environment, change the API client's endpoint hostname from yourdomain.freshdesk.com to tlstest.freshdesk.com.
If you see a '401 Unauthorized' error, then this test passed. This response means that the underlying TLS connection was successful, despite the '401 Unauthorized' error.
If you instead see an error message that involves TLS or https, then the test has failed. Your API client will require adjustments or upgrades. Please check with your client's documentation on how to upgrade to TLS 1.1 or TLS 1.2 support.
This is how the output would look when connected from cURL.
(The following test cases were run on cURL version 7.50.0)
curl -v -XGET https://tlstest.freshdesk.com/api/v2/tickets --tlsv1.0
Output
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
curl -v -XGET https://tlstest.freshdesk.com/api/v2/tickets --tlsv1.1
Output
HTTP/1.1 401 Unauthorized
…. ….
* Connection #0 to host tlstest.freshdesk.com left intact
{"code":"invalid_credentials","message":"You have to be logged in to perform this action."}
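The client-side check from the steps above, as an added Python example (not Freshdesk's code): it pins one protocol version per attempt and applies the page's pass rule, a 401 response after a completed handshake. The host and path are the ones given on this page; the function names and verdict labels are invented for the example.

```python
import socket
import ssl

# Test endpoint and path are the ones named on this page.
TEST_HOST = "tlstest.freshdesk.com"
TEST_PATH = "/api/v2/tickets"

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = version       # set the floor first, then the ceiling
    ctx.maximum_version = version
    return ctx


def interpret_status_line(status_line):
    """Any HTTP reply proves the handshake worked; 401 is the expected one."""
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        code = int(parts[1])
        if code == 401:
            return ("pass", "handshake completed, 401 Unauthorized as expected")
        return ("tls-ok", f"handshake completed, unexpected HTTP status {code}")
    return ("inconclusive", f"no HTTP status line: {status_line!r}")


def probe(host, version, path=TEST_PATH, port=443, timeout=10.0):
    """Return (verdict, detail) for one pinned protocol version."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("inconclusive", f"TCP connect failed before TLS started: {exc}")
    try:
        tls = pinned_context(version).wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError) as exc:  # handshake rejected or aborted
        raw.close()
        return ("fail", f"TLS handshake failed: {exc}")
    with tls:
        try:
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            status_line = tls.makefile("rb").readline().decode("latin-1").strip()
        except OSError as exc:
            return ("inconclusive", f"handshake completed, request failed: {exc}")
    return interpret_status_line(status_line)


if __name__ == "__main__":
    for label, version in VERSIONS.items():
        verdict, detail = probe(TEST_HOST, version)
        print(f"{label}: {verdict} ({detail})")
```

A "fail" for TLS 1.0 or 1.1 can also come from the local OpenSSL build refusing those versions, which means the client cannot use them regardless of the server.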
If you've got any additional queries, just drop a mail to support@freshdesk.com
If you use Internet Explorer to access Freshdesk, then you can use the following steps to make your browser compatible with TLS 1.2. To change the settings in IE 8, 9 or 10:
Apart from Freshworks, are there any other parties involved in data storage or processing?
Freshdesk partners with organizations that adhere to global standards and regulations. These organizations include sub-processors or third-parties that Freshworks utilizes to assist in providing its products.
The list of sub-processors, along with their role in processing and their processing location, is disclosed in the following link.
Do third party platforms have access to our data?
Third parties only have access to data that is absolutely necessary for them to deliver their services. Further, depending on the services they avail from us, the customers have the option to opt-out of availing services from certain sub-processors. Details of the same can be discussed and mutually agreed upon.
Does a DPA have to be signed?
If you have agreed to the Freshworks terms of service, which are available online on our website, they also cover the data processing addendum, which does not need to be signed additionally. You can find the documentation on the Freshworks security page.
Do I need to execute a signed copy of the DPA for legal/audit records?
In case you want an e-version (instead of online terms) to be executed, contact us at support@freshdesk.com
Need to sign an NDA, details?
If you are an existing customer of Freshworks, by using our products, the Freshworks terms of service available online on our website apply by default. In case you want a physical signed copy with special terms included from your side, contact us at support@freshdesk.com.
What is the audit and compliance process in Freshdesk?
Freshdesk is audited annually by independent audit firms for ISO 27001, ISO 27701, SOC 2 Type 2, and VAPT. One of the objectives of getting these certifications or attestations is to be able to provide the necessary information to our customers through the audit reports by reputed and independent auditors.
Therefore, we will only be able to support security evaluations by means of Security questionnaires, 3rd party audit reports, certification requests, and evaluation calls.
Further, on a case-by-case basis where it is mandated by law or regulation, audits and assessments shall be discussed and agreed in the contract.
Is Freshdesk PCI Compliant?
Yes, Freshdesk is PCI Compliant. Freshworks has data security controls in line with the ISO 27001 standards and is audited as per the SOC 2 Type II framework covering the security, confidentiality, and availability of trust service principles.
Further, for running PCI compliant workloads, we work with our customers to satisfy specific use cases where we obfuscate card data that is structured in nature. Examples include card data in an email title (using the card data masker integration) or providing encrypted fields on a form.
What is CCPA Compliance? Is Freshdesk CCPA Compliant?
To an extent, Freshdesk account holders are ‘consumers’ as defined under the California Consumer Privacy Act of 2018 (“CCPA”) and Freshdesk is a ‘business’ as defined under CCPA. Thus, the following applies to every Freshdesk account holder:
Subject to the provisions of the CCPA, you have the right to request in the manner provided herein, for the following:
a. Right to request for information about the:
- Categories of Personal Data Freshworks has collected about you.
- Specific pieces of Personal Data Freshworks has collected about you.
- Categories of sources from which the Personal Data is collected.
- Business or commercial purpose for collecting Personal Data.
- Categories of third parties with whom the business shares Personal Data.
b. Right to request for deletion of any Personal Data collected about you by Freshdesk.
If you seek to exercise the foregoing rights to access or delete Personal Data which constitutes ‘personal information’ as defined in CCPA, please contact us at privacy@freshworks.com or write to us here. We respond to all requests we receive from you wishing to exercise your data protection rights within a reasonable timeframe in accordance with applicable data protection laws.
By writing to us, you agree to receive communication from us seeking information from you in order to verify you to be the consumer from whom we have collected the Personal Data, and such other information as reasonably required to enable us to honor your request.
The categories of Personal Data collected and disclosed about consumers are listed under the head ‘What Personal Data does Freshworks collect and why?’ and the categories of third parties to whom the Personal Data was or may be disclosed are listed under the head ‘Sharing of Personal Data’. Separately, Freshworks does not sell your Personal Data.
In Freshdesk, a ‘delete’ or ‘export’ request from a customer must be routed via the admin, who validates if the requestor is genuine.
As an administrator of your helpdesk account, you can
To soft delete a contact in Freshdesk,
Navigate to the left Menu bar, click on the People icon and select the Contacts tab.
Select one or more Contacts you wish to delete by clicking on the checkboxes adjacent to their name.
Click on the Delete button on the top bar.
Click Confirm on the prompt that appears.
To permanently delete contacts data - tickets, forums, calls & profiles from Freshdesk,
Navigate to the left Menu bar, click on the People icon and select the Contacts tab.
Click on the Filter icon on the All Contacts page and select the Deleted Contacts view.
Click on the Contact’s name you wish to delete permanently.
Click the Delete forever button from the top bar.
Click DELETE FOREVER on the prompt that appears.
If the deleted contact was previously an agent with the account, Freshdesk permanently deletes their PII (Personally Identifiable Information) such that the individual is not identifiable thereafter.
For business continuity, Freshdesk retains their contributions to the business, such as ticket responses, notes, knowledge base articles, forum topics/comments, support calls, surveys, automation rules, ticket templates, contacts, companies, tags, etc.
For any further information or clarifications, please reach out to support@freshdesk.com.
In Freshdesk, a ‘delete’ or ‘export’ request from a customer must be routed via the admin, who validates if the requestor is genuine.
As an administrator of your Freshdesk account, here’s how you can export customer data:
Navigate to the People icon and click on Contacts.
Select the Export button towards your right.
Click on the required fields to extract customer data.
Select the Export button to receive an email with the export.
Additionally, you may use the Freshdesk API call to pull all the customers’ profile information.
Customer ticket export
Navigate to Tickets tab from the menu.
Navigate to the Filters panel on the right, and choose the required option from the Contacts dropdown.
Now click on Apply button to filter tickets.
Click on Export button above the Filter page.
Select the export format, time interval, and click on the required fields to extract customer data.
Select the Export button to receive an email with the export.
Alternatively, you can also use the Freshdesk API call to export all the tickets of a customer.
As a data controller, you need to assess the data you’re collecting in ticket fields or contact fields - you must ensure this is kept to a minimum just enough to provide the necessary service or support.
As a data processor, Freshworks performs operations or a set of functions on this data only on your authorization and in compliance with applicable regulations. If you use ‘consent’ as the basis for processing personal data and you’d like to make it more explicit, you can add a checkbox-type mandatory field to your ‘New ticket’ form.
For those on plans other than Estate and Forest, manually display the checkbox: I consent to ABC collecting my email id, phone number, location, and IP.
If you are on Estate or Forest plans, you can use the Portal Customization feature to state ‘I consent to such data being shared with third parties’ and link it to your Terms of Service.
GDPR mandates that personal data should not be retained for periods longer than necessary for the purposes it was collected. Additionally, we must comply if a customer decides to exercise their right to be forgotten/erased. Freshdesk provides the following options to delete customer data:
As an administrator of your Freshdesk account, you can use the ‘Delete forever’ option under a contact’s profile to delete the contact once you receive a request for data erasure. This action will permanently delete customer information in the system and tickets/chats/calls they were part of.
Based on your data retention policies, if you wish to automate the deletion of tickets in the system, please use our ‘Delete ticket’ API. This API moves tickets to Trash, and Freshdesk will permanently delete the tickets after 30 days. You can also periodically go to the ticket list view, filter by date, and perform a bulk-delete action.
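A retention job built on the 'Delete ticket' API could look like the following added Python example (not Freshdesk's code); it trashes tickets early enough that the 30-day Trash period stated above still ends inside the retention window, and it defaults to a dry run. Assumptions not taken from this page: the `DELETE /api/v2/tickets/{id}` path, Basic auth with the API key as user name, the `id`/`status`/`updated_at` ticket fields, and status 5 meaning Closed; the sample tickets and domain are constructed.

```python
import base64
import urllib.request
from datetime import datetime, timedelta, timezone

TRASH_DAYS = 30  # from the page: trashed tickets are permanently deleted after 30 days
CLOSED = 5       # assumption: API status code for "Closed"


def due_for_trash(tickets, retention_days, now):
    """IDs of closed tickets that must be trashed now to be gone by the deadline."""
    if retention_days < TRASH_DAYS:
        raise ValueError("retention window is shorter than the Trash period")
    cutoff = now - timedelta(days=retention_days - TRASH_DAYS)
    due = []
    for ticket in tickets:
        updated = datetime.fromisoformat(ticket["updated_at"].replace("Z", "+00:00"))
        if ticket["status"] == CLOSED and updated <= cutoff:
            due.append(ticket["id"])
    return sorted(due)


def delete_request(domain, ticket_id, api_key):
    """Build (not send) the DELETE call; the key travels only over HTTPS."""
    token = base64.b64encode(f"{api_key}:X".encode()).decode()
    return urllib.request.Request(
        # int() keeps anything but a numeric ID out of the URL path
        f"https://{domain}/api/v2/tickets/{int(ticket_id)}",
        method="DELETE",
        headers={"Authorization": f"Basic {token}"},
    )


def purge(tickets, retention_days, domain, api_key, now=None, dry_run=True):
    """Return the IDs selected; send the deletes only when dry_run is False."""
    now = now or datetime.now(timezone.utc)
    ids = due_for_trash(tickets, retention_days, now)
    if not dry_run:
        for ticket_id in ids:
            request = delete_request(domain, ticket_id, api_key)
            with urllib.request.urlopen(request, timeout=30):
                pass  # a successful call moves the ticket to Trash
    return ids


# Constructed sample records, not real tickets.
SAMPLE_TICKETS = [
    {"id": 101, "status": 5, "updated_at": "2023-01-10T09:00:00Z"},
    {"id": 102, "status": 5, "updated_at": "2024-05-01T12:30:00Z"},
    {"id": 103, "status": 2, "updated_at": "2022-01-01T00:00:00Z"},
    {"id": 104, "status": 5, "updated_at": "2023-03-15T18:45:00Z"},
]

if __name__ == "__main__":
    # Dry run against the constructed sample with a one-year retention window.
    print(purge(SAMPLE_TICKETS, 365, "yourdomain.freshdesk.com", "PLACEHOLDER_KEY"))
```

Keep the API key in a secret store rather than in the script, and record the returned ID list so each run leaves an audit trail of what was deleted.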