Vendor compliance profile

Is Zendesk HIPAA compliant?

Zendesk may support some HIPAA-regulated support workflows when an eligible customer purchases Advanced Compliance or an included plan, executes Zendesk's Healthcare Agreement or BAA, uses covered services, and implements the required security configuration. Marketplace apps, social channels, AI features, attachments, exports, and integrations still need scope review.

Visit vendor site

Direct compliance answer

Zendesk HIPAA, BAA, PHI, and SOC 2 snapshot

Last checked: 2026-07-16 | Confidence: High

Direct answerZendesk may support some HIPAA-regulated support workflows when an eligible customer purchases Advanced Compliance or an included plan, executes Zendesk's Healthcare Agreement or BAA, uses covered services, and implements the required security configuration. Marketplace apps, social channels, AI features, attachments, exports, and integrations still need scope review.
BAA availabilityZendesk publishes a BAA path for eligible customers. The agreement applies only to stated covered services and does not automatically cover Marketplace apps, third-party services, social messaging integrations, or every AI and support workflow.
Can it handle PHI?Ticket subjects, email bodies, attachments, transcripts, internal notes, public profiles, notifications, exports, APIs, social messages, AI features, and Marketplace apps can move PHI beyond covered Zendesk services.
SOC 2 caveatZendesk references SOC 2 and ISO evidence in its healthcare and security materials. Request the current reports and confirm the covered system, period, exceptions, and services used by the account.
What to verifyThe current Zendesk plan, Advanced Compliance entitlement, executed BAA, Healthcare Enabled Account status, and covered-service list. Agent authentication, access restrictions, attachments, redaction, exports, notifications, retention, deletion, audit logs, and support access.

HIPAA status signal

Conditional

BAA public signal

Advanced Compliance BAA

SOC 2 evidence signal

Public evidence

PHI warning: Ticket subjects, email bodies, attachments, transcripts, internal notes, public profiles, notifications, exports, APIs, social messages, AI features, and Marketplace apps can move PHI beyond covered Zendesk services.

Search query answers

Is Zendesk HIPAA compliant?

Zendesk provides a conditional HIPAA path through eligible Healthcare Enabled Accounts, Advanced Compliance, and an executed Healthcare Agreement or BAA. Compliance still depends on covered services, plan, security configuration, user access, messaging channels, attachments, AI features, integrations, and the customer's workflow.

Does Zendesk offer a BAA?

Zendesk says eligible customers can execute its Healthcare Agreement, including a BAA for HIPAA-enabled accounts. Confirm the current plan or add-on, covered services, excluded features, configuration requirements, and any separate agreements needed for connected services.

Can Zendesk tickets contain PHI?

Only after the account is HIPAA enabled under the appropriate agreement and the exact ticketing, messaging, attachment, notification, AI, export, and integration workflow is covered and configured. Avoid PHI in public profiles, social channels, unsupported apps, email exports, and external systems.

HIPAA, BAA, and SOC 2 summary

HIPAAZendesk documents Healthcare Enabled Accounts and covered Support ticketing functionality for eligible plans under its Advanced Compliance and Healthcare Agreement framework.
BAAZendesk publishes a BAA path for eligible customers. The agreement applies only to stated covered services and does not automatically cover Marketplace apps, third-party services, social messaging integrations, or every AI and support workflow.
SOC 2Zendesk references SOC 2 and ISO evidence in its healthcare and security materials. Request the current reports and confirm the covered system, period, exceptions, and services used by the account.
PHI riskTicket subjects, email bodies, attachments, transcripts, internal notes, public profiles, notifications, exports, APIs, social messages, AI features, and Marketplace apps can move PHI beyond covered Zendesk services.
CategoryHIPAA-Compliant Help Desk and Ticketing Systems
Last checked2026-07-16
ConfidenceHigh

Public evidence and open questions

What public sources say

  • Zendesk says Advanced Compliance can enable eligible customers to enter into a Healthcare Agreement or BAA.
  • Zendesk lists covered services for eligible Healthcare Enabled Service Plans and publishes security configuration requirements for HIPAA-enabled accounts.
  • Zendesk identifies exclusions and special responsibilities for Marketplace apps, social channels, attachments, exports, APIs, AI, and integrated services.

What remains unconfirmed

  • Whether the buyer's exact Zendesk plan, Advanced Compliance entitlement, account, services, add-ons, AI features, and channels are covered by an executed agreement.
  • Whether email, Talk, messaging, attachments, APIs, exports, social channels, Marketplace apps, support access, and subprocessors fit the intended PHI workflow.

What it may be used for

  • HIPAA-regulated support ticketing after the eligible plan, Advanced Compliance, BAA, covered services, and security configuration are documented.
  • Healthcare help desk workflows with restricted agents, governed attachments, controlled messaging, and reviewed integrations.
  • Non-PHI customer support where sensitive clinical context is intentionally excluded.

What not to use it for

  • Introducing PHI before the Healthcare Agreement or BAA and eligible account configuration are complete.
  • Sending PHI through social messaging, uncovered Marketplace apps, public profiles, email exports, or third-party services without separate review.
  • Assuming Advanced Compliance covers every Zendesk product, AI feature, add-on, integration, or customer configuration.

What to verify with the vendor

  • The current Zendesk plan, Advanced Compliance entitlement, executed BAA, Healthcare Enabled Account status, and covered-service list.
  • Agent authentication, access restrictions, attachments, redaction, exports, notifications, retention, deletion, audit logs, and support access.
  • Whether messaging, Talk, Explore, AI agents, QA, APIs, social channels, Marketplace apps, and AWS integrations are covered or separately governed.
  • Whether PHI can appear in subject lines, email copies, public profiles, community posts, support screenshots, transcripts, or external analytics.

Safer alternatives and related profiles

Safer alternatives to consider

  • Help Scout Pro after its BAA, HIPAA activation, AI addendum, notifications, and integrations are verified.
  • Freshdesk only after Freshworks confirms the BAA scope and required account configuration for the exact suite products.
  • A healthcare-specific patient communication or support platform with explicit ticketing, attachment, messaging, and AI coverage.

FAQ

Is Zendesk HIPAA compliant?

Zendesk provides a conditional HIPAA path through eligible Healthcare Enabled Accounts, Advanced Compliance, and an executed Healthcare Agreement or BAA. Compliance still depends on covered services, plan, security configuration, user access, messaging channels, attachments, AI features, integrations, and the customer's workflow.

Does Zendesk offer a BAA?

Zendesk says eligible customers can execute its Healthcare Agreement, including a BAA for HIPAA-enabled accounts. Confirm the current plan or add-on, covered services, excluded features, configuration requirements, and any separate agreements needed for connected services.

Can Zendesk tickets contain PHI?

Only after the account is HIPAA enabled under the appropriate agreement and the exact ticketing, messaging, attachment, notification, AI, export, and integration workflow is covered and configured. Avoid PHI in public profiles, social channels, unsupported apps, email exports, and external systems.

Will Zendesk sign a BAA?

Zendesk publishes a BAA path for eligible customers. The agreement applies only to stated covered services and does not automatically cover Marketplace apps, third-party services, social messaging integrations, or every AI and support workflow.

Can Zendesk be used with PHI?

Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.

Does SOC 2 mean Zendesk is HIPAA compliant?

No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.

What should buyers verify before using Zendesk with PHI?

The current Zendesk plan, Advanced Compliance entitlement, executed BAA, Healthcare Enabled Account status, and covered-service list. Agent authentication, access restrictions, attachments, redaction, exports, notifications, retention, deletion, audit logs, and support access. Whether messaging, Talk, Explore, AI agents, QA, APIs, social channels, Marketplace apps, and AWS integrations are covered or separately governed. Whether PHI can appear in subject lines, email copies, public profiles, community posts, support screenshots, transcripts, or external analytics.

Last checked and source notes

Last checked
2026-07-16
Confidence
High
Dataset rows
271 vendors