Security & Trust

Security & Trust

Built by Zendesk practitioners who understand the sensitivity of configuration data. We built the security foundations first — before adding features.

What We Store & What We Don’t

What Configly stores

  • Zendesk configuration metadata (trigger definitions, automation rules, macro actions, view conditions, field definitions, SLA policies)
  • Versioned snapshots of configuration state
  • Dependency mappings between configuration objects
  • Virtual changes from What-If simulation
  • User account information (email, name, auth tokens)

What Configly does NOT store

  • Ticket data
  • Customer PII (end-user names, emails, phone numbers)
  • Agent conversation content
  • Attachments or files
  • Help Centre article content
  • Payment or billing data from Zendesk

We recognise that configuration data may contain business-sensitive information — organisation names in trigger conditions, customer-identifying tags, agent names in metadata fields — and we treat all of it with the same encryption and isolation protections as if it were PII.

Infrastructure

Encryption & Infrastructure

Encryption in transit

TLS 1.2+ on all connections

Encryption at rest

AES-256 encryption for all stored data

Token storage

OAuth tokens encrypted with AES-256-GCM

Infrastructure

Digital Ocean, London (LON1) region

Database

PostgreSQL with encrypted connections

SSL/TLS

Nginx reverse proxy with Let’s Encrypt certificates

Error monitoring

Sentry (EU region, GDPR-compliant, DPA signed)

Access Control

Authentication & Access

  • Zendesk OAuth 2.0 — we never see or store your Zendesk password
  • Scoped access — OAuth tokens requested with minimum required permissions
  • Token refresh — tokens automatically refreshed, old tokens invalidated
  • User auth — social login via Google/Microsoft or email
  • Session management — JWT-based sessions with configurable expiry
  • SSO/SAML support (planned)
  • MFA enforcement (planned)
Transparency

Auditability & Transparency

Every API call Configly makes is visible in your Zendesk audit log.

You can independently verify exactly what Configly has accessed at any time. Our current OAuth scopes are read-only — Configly cannot modify your Zendesk configuration.

Data Lifecycle

Data Retention & Deletion

  • User-controlled deletion — delete connected Zendesk instances and all associated data at any time
  • Snapshot retention — configuration snapshots retained while your account is active
  • Automatic cascade — account deletion removes all stored configuration data, snapshots, dependencies, virtual changes, and authentication tokens automatically
  • Analytics cache — AI analysis cache data is purged within 30 days of account deletion
  • No lock-in — your configuration data belongs to you
Isolation

Tenant Isolation

Database isolation

Each customer’s data is logically isolated at the database level

No shared data

No shared configuration data between tenants

Scoped queries

API endpoints enforce tenant-scoped queries

Access Model

Read-Only by Design

Configly currently operates in read-only mode — we pull configuration data from your Zendesk instance but never modify it.

When we introduce write capabilities in the future, they will include dry-run preview, rollback support, approval workflows, and a full audit trail.

We built the read-only foundation deliberately so the trust model is solid before we add write capabilities.

Compliance

Compliance & Certifications

Current

  • Security best practices
  • Encryption at rest and in transit
  • Tenant isolation
  • UK-hosted infrastructure
  • UK DPA/GDPR compliant
  • Data Processing Agreement available

Planned

  • SOC 2 Type II certification (on roadmap as customer base grows)

Data residency: London (LON1) by default

Contact

Contact & Responsible Disclosure

Security questions

[email protected]

Responsible disclosure

Report vulnerabilities to [email protected]

General enquiries

[email protected]

security.txt Security Overview PDF Data Processing Agreement