Security Policy

App Security Statement

Last update: August 2, 2023

Overview

Lovestock & Leaf develops Zendesk Apps, such as Quickie, Lovely Views, Sticky Notes and Tickler, that Zendesk customers use to extend the functionality of their Zendesk instance. A full list of our apps is available in the Zendesk Marketplace directory. Our apps are built using the Zendesk Application Framework (ZAF v2). They are browser based JavaScript apps that are hosted and served from Zendesk, in Zendesk's domain, and authenticated by Zendesk. Each app fetches data over SSL from Zendesk, using the Zendesk API, and displays it securely in the browser. API authentication is provided by the host Zendesk app.

Zendesk Data Access

The majority of our apps have no server side integration and are therefore hosted purely on the Zendesk platform itself. This means that these apps pose a low security and privacy risk to customers, as there is no access to or processing of Zendesk client or customer data outside Zendesk. The apps also do not store any data outside of Zendesk.

App Specific Data Access

Quickie

Quickie is a browser based JS app that is hosted and served from Zendesk, in Zendesk's domain, and authenticated by Zendesk. The app pulls data over SSL from Zendesk, using the Zendesk API, and displays it in the browser. No customer data is stored by the app; it stores only user preferences such as bookmarks, searches and the "home" view, which are written to Zendesk using the Zendesk API. The app does not have access to agent login passwords or any API tokens. We do not have access to the data, and the app does not send the data to us or to any 3rd party server.

Lovely Views

Lovely Views is a browser based JS app that is mostly hosted and served from Zendesk, in Zendesk's domain, and authenticated by Zendesk. Standard JS libraries are fetched from jsDelivr. The app fetches data over SSL from Zendesk, using the Zendesk API, and displays it in the browser.

No customer data is stored by the app; it stores only user preferences such as bookmarks, searches and the "home" view, which are written to Zendesk using the Zendesk API. Local browser storage is used only for non-sensitive data (ticket IDs and view counts). The app only sends data to Zendesk. No data is sent to or processed on external servers.

Tickler

The customer can configure their checklists to appear based upon values within particular ticket fields. In this case, the app reads the specified ticket fields to determine whether to show the checklists. No data is sent to us by the app, and the app does not store any data outside of Zendesk. The only data it does store is the state (not-done, waiting, done, skipped) of each item within the checklists that the customer creates in Tickler. Agents can also write comments on checklist items; these are also stored in Zendesk.

Sticky Notes

The app is hosted by Zendesk and only runs in the browser. The app stores the notes data in Zendesk ticket, user and organization fields, and these are stored and hosted by Zendesk only. We do not have access to that data, and the app does not send the data to any 3rd party server.

Escalator (Fork Server component)

For those customers that require automatic creation of sub-tickets, Escalator currently has some automation capabilities built into it. If a client requires the sub-tickets to be created immediately when a ticket first arrives in Zendesk from a customer, the Escalator add-on named Fork is required. Fork has a server side component that runs on our secure platform named CloudMetro, which is hosted on Amazon Web Services.

As mentioned above, Fork requires a server side component. To allow your administrator to configure Fork, Zendesk server side API access must be granted to the configuration app named "Lovely". This app does nothing on its own, but agents with the administrator role can use it to configure server side apps such as Fork.

Alternatively, if the automatic creation of the sub-tickets can wait until an agent first opens the ticket (or until an agent classifies a ticket by setting a field or adding a tag), then only Escalator is needed and there is no requirement for the server side component.

When an app is installed in your Zendesk instance, it automatically gains access, via the Zendesk App Framework, to the data it needs, subject to the permissions of the person using Zendesk. Access to the server side API must be explicitly granted by one of your Zendesk administrators, and you will be prompted for this when required.

Note that granting an app access to the server side API does not provide access to any data that is not already available via the app framework; what it does grant is the ability for the Lovestock & Leaf app server to access your Zendesk directly ('offline access').

This process of granting API access via Lovely is quite simple and is detailed in the following user guide.

Note that the API authorization must stay current. If the administrator who granted access leaves the organization or is downgraded to a regular agent, the API needs to be re-authorized by another administrator for the app to continue to work. Follow the in-app prompts to complete this process.

Once you grant our server access, the app is initialized and, if this is the first of our apps you have installed, we create your account. This account is assigned a unique token that identifies your account. This token is never shared with anyone and is required to access the data associated with your app. The token is stored with your app, is used in targets for example, and facilitates secure communication. This initialization process happens behind the scenes on the server side, over a secure connection only.

Usage tracking and telemetry

Lovestock & Leaf uses a secure 3rd party system named Pendo (which Zendesk also uses) to receive and analyse anonymous agent usage statistics. This data does NOT contain PII and has nothing to do with customers; the agent's anonymous ID (user ID) is all we receive.

The Pendo service does not send any contents of tickets or user data. We are only interested in how users are using the app. We do not collect every button click, just when certain functionality that we are interested in is activated. We collect a reference to the functionality being activated along with a user ID (which the app generates and which is different from the Zendesk user ID). A complete list of the types of data being sent can be provided on request. We have chosen Pendo because Zendesk is already using Pendo to monitor user activity in the Support app.

Application Software Security

OWASP - Software Assurance Maturity Model (SAMM)

Lovestock & Leaf utilises industry standards such as SAMM to build security into our SDLC. Currently, we are using OWASP recommended tools such as Retire.js and Snyk as part of an overall effort to monitor and combat the Ten Most Critical Web Application Security Risks as identified by OWASP. Prior to release, each of our apps is also reviewed by the Zendesk Application Development Team.

Source Code Analysis

We currently conduct manual source code analysis by peer review and by our Technical Director before submitting code to Zendesk for release.

The Zendesk Engineering Team also reviews each submitted app to identify any security issues and to ensure that there are no risks before approving the app for sale in the marketplace.

L&L also uses the MS Visual Studio code editor, CodeStream for collaboration, and plugins such as ESLint for code validation.

Use of Content Delivery Network (CDN)

L&L currently uses jsDelivr (https://www.jsDelivr.com/), the CDN recommended by the Zendesk Development Framework Team, to host the third party JavaScript libraries used as part of our apps.

Company Audit & Compliance

Lovestock & Leaf has undergone rigorous security and operational audits and assessments from key corporate clients in line with ISO 27001 standards. This has included both legal and security risk analysis of our organisation, systems and handling of sensitive data, and we have achieved full compliance with their high standards. As part of our vendor contracts with these organisations, we must maintain this level of compliance, and it is regularly audited by the client. As the majority of our apps have no server side components, there is no requirement for us to use SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Since Zendesk stores the Service Data, Zendesk itself is compliant with these certifications under its privacy and data protection measures:

https://www.zendesk.com/company/privacy-and-data-protection/ 

App Security Responsible Disclosure Policy

Lovestock & Leaf aims to keep its apps safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the apps, we appreciate your help in disclosing it to us in a responsible manner.

Link to detailed App Security Responsible Disclosure Policy

Risk Management

  • An annual Information Security risk assessment is performed covering Lovestock & Leaf facilities and information assets.
  • The risk assessment is conducted using an industry standard methodology (traditionally ISO 27002) to aid in identifying, measuring, and treating known risks.
  • Risk assessment results and risk mitigation suggestions are shared with the management team.
  • Our risk assessment results specify proposed changes to systems, processes, policies, or tools, in order to reduce security vulnerabilities and threats.

GDPR and Privacy Obligations

Our privacy policy is below:

https://www.lovestockleaf.com/privacy-policy.html

Our app licence agreement terms are available below:

https://www.lovestockleaf.com/apps-terms-and-conditions.html

The agreement includes detail on our commitment to the GDPR and our privacy obligations.

Third Party Sub-Processors

We may update this list from time to time as our business needs change. Lovestock & Leaf takes active measures to ensure it complies with GDPR requirements if and when it engages sub-processors from other countries. In the absence of a Privacy Shield certification, we request that our sub-processors execute a DPA to ensure that we remain GDPR compliant.

Lovestock & Leaf currently uses the following sub-processors:

Entity Name         | Purpose/Activity                  | DPA                                                                           | Data Hosting Location
Amazon Web Services | Cloud Service Provider            | https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/      | United States
Zendesk             | Integration platform/support/crm  | Signed DPA                                                                    | United States
Cloudflare          | CDN                               | https://www.cloudflare.com/en-gb/cloudflare-customer-dpa/                     | United States
Stripe              | Processing payments               | Signed DPA                                                                    | United States
Slack               | Internal communications           | Signed DPA                                                                    | United States
ChartMogul          | Data Analysis                     | Signed DPA                                                                    | United States/Ireland
Xero                | Accounting                        | https://www.xero.com/au/legal/terms/data-processing/                          | United States
Google Cloud        | Enterprise Workspace/Email        | Agreed to as part of Admin on Google Workspace                                | United States
Mailchimp           | Email Management                  | https://mailchimp.com/en-au/legal/data-processing-addendum/                   | United States
Pendo*              | In App User Analytics             | https://www.pendo.io/legal/data-processing-addendum/                          | United States
* Pendo.io, Inc. ("Pendo") is a third-party analytics provider that Zendesk uses to capture how users interact with the Service. Zendesk uses this information to analyze and improve the Services. The primary information Pendo has access to is information in and associated with the Zendesk website URL that the Agent and End-User are interacting with, such as time spent on page and items clicked (including Service Data contained in those items). We do not capture the user's email address, only their domain and user ID, so the data is anonymised.