01
Application and acceptance
This Data Processing Addendum forms part of and is incorporated into the applicable Auditrak agreement. Customers accept it when they accept the Terms of Service, install or authorize the Zendesk app, connect Zendesk, authorize an audit, or sign an order form, subscription terms or other agreement that incorporates this DPA by reference. It applies when Auditrak processes Personal Data on behalf of a customer in connection with Zendesk Marketplace app installation, Zendesk connection, audit execution, product results, report generation, support, security and service operations.
02
Roles
For Zendesk data processed as part of an Auditrak audit or report workflow, the customer is generally the Controller and Auditrak is the Processor. For website inquiries, support conversations, account administration, billing and Auditrak business operations, Auditrak may act as an independent Controller.
03
Customer instructions
Auditrak processes customer Personal Data only to provide and secure the service, according to the customer's documented instructions in the agreement, app configuration, audit settings, support requests or written communications, or as required by law.
04
Customer responsibilities
Customers are responsible for Zendesk permissions, app installation approval, selecting the tickets and settings included in each audit, maintaining a valid legal basis, and avoiding unnecessary secrets, credentials, payment data, protected health information or other data that is not needed for the support audit.
05
Auditrak commitments
Auditrak will process customer Personal Data only for the agreed purposes, keep authorized personnel under confidentiality obligations, use appropriate technical and organizational measures, engage subprocessors under written data protection terms, and assist with privacy requests, security incidents and deletion workflows as required by applicable law.
06
PII-aware and AI processing
Auditrak is designed to preserve useful business evidence while reducing unnecessary sensitive detail in analyzed material and customer-facing reports. Certain workflows may use AI providers for analysis and report generation. Auditrak aims to send only the material reasonably needed for the selected workflow, subject to PII-aware preparation and redaction controls.
07
Security measures
Auditrak uses approved Zendesk authorization, HTTPS/TLS for data in transit, managed-provider encryption at rest where supported, internal access controls, sanitized logs and monitoring.
08
Subprocessors
The customer gives Auditrak general authorization to use the subprocessors listed on the Subprocessors page. Auditrak remains responsible for subprocessor performance to the extent required by applicable data protection law and will update the public list when material changes occur.
09
Data subject requests
Auditrak will reasonably assist customers with data subject requests relating to customer Personal Data. Requests relating to underlying Zendesk ticket data may need to be handled through the customer because the customer controls the Zendesk account and support relationship.
10
Deletion and return
After termination, offboarding or written request, Auditrak will delete or return customer Personal Data according to the agreement and applicable law, unless retention is required or permitted for legal, security, backup, dispute-resolution, accounting or compliance purposes.
11
Personal data breach
Auditrak will notify the customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting customer Personal Data and will provide available information reasonably needed for the customer to meet its own obligations.
12
Audits and information
Auditrak will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security and service constraints. The parties will first use available documentation, security summaries, provider attestations and written responses before any deeper audit.
13
International transfers
Auditrak and subprocessors may process data in countries where they operate. Where required for EEA, UK or Swiss Personal Data, the parties intend to rely on appropriate safeguards such as Standard Contractual Clauses, UK Addendum, transfer impact assessments or equivalent mechanisms.
14
Precedence
If there is a conflict between this DPA and the Terms regarding processing of customer Personal Data, this DPA controls to the extent of the conflict. Mandatory transfer clauses control for the relevant international transfer.
Annex 1
Processing details
Subject matter: Processing Zendesk data and related service data to provide Auditrak audits, product results, PII-aware report generation, support, security and service administration.
Nature: Access, retrieval, preparation, redaction, analysis, classification, summarization, report generation, storage, transmission, display, download, logging, deletion and support.
Purposes: Zendesk connection, Voice-of-Customer analysis, recurring demand detection, self-service and automation recommendations, report generation, reliability, security and support.
Data subjects: Zendesk ticket requesters, end users, support agents, administrators, customer contacts and individuals mentioned inside support conversations.
Data categories: Names, email addresses, Zendesk identifiers, organization information, ticket content, ticket details, tags, custom fields, timestamps, CSAT-related content where selected, generated findings, reports, support communications and service logs.
Sensitive data: Auditrak is not designed for secrets, payment card data, health data, government identifiers or special-category data. Customers should avoid including such data unless expressly agreed in writing.
Annex 2
Authorized subprocessors
The current public list of authorized subprocessors is maintained on the Subprocessors page. Auditrak may update that list as described in this DPA and the applicable customer agreement.