Authorization and access to your data
All third-party apps installed from the Zendesk Marketplace technically have access to your Zendesk data ("your data") through the Zendesk App Framework. However, our Playlist Routing (formerly known as Playlist Ticket Assignment) service also needs to access your data from our servers.
Authorizing with OAuth
Playlist uses Zendesk’s OAuth authorization flow, which requires you to explicitly grant API access to your Zendesk account. Here is a summary of the authorization flow:
- Zendesk admin installs the app and lands on a page asking for authorization.
- Admin clicks on "Authorize" to initiate the flow.
- A window pops up, describing the scope of access that will be granted to Playlist.
- If admin authorizes, our server generates a token to identify your account.
- The token is stored as a hidden, secure setting in Zendesk.
Server-to-server communication
The app (Playlist iframe in Zendesk) will then use the secure: true parameter to proxy requests through Zendesk's servers. Therefore, communication between Zendesk and our service is always server to server. The token is never exposed to clients or users.
When our endpoint receives a request, it will verify the token to validate the user’s identity. If we are able to verify the token, the user is authorized and the request is carried out. Otherwise, the request is rejected.
Why does Playlist need server-side API access?
Playlist only reads and writes data where it needs. Here are a couple of reasons why server-side API access is required:
Scheduled jobs
Some features like round robin assignment need to work even when no one is logged in to Zendesk. Scheduled jobs are constantly running on our server to distribute tickets and sync permissions.
Webhooks
Admins can configure Zendesk triggers to send a message (usually just the ticket ID) to our webhooks when a ticket is created or updated. This enables advanced workflows such as real-time routing and same agent assignment.
Data security
We only collect and process information that is absolutely required to provide you with services as advertised. Please visit our Privacy Policy to learn more about how we collect, use, and share personal information that you provide us with third-party service providers.
AWS data center
Amazon Web Services is our only cloud provider. Our servers are located in the us-west-2 region (Oregon, USA). Data is backed up daily to us-east-2 (Ohio).
IP restrictions
Playlist supports IP restrictions for Zendesk. Contact us for an updated list of IP addresses.
Encryption
All data is encrypted in transit using TLS 1.2 and at rest with the industry standard AES 256 encryption algorithm.
Penetration testing
Our latest penetration test was completed by a third party in March 2021. Executive summary is available upon request.
Data processed by Playlist
Here’s a summary of data that's processed by our service.
| Object | Fields | Read | Write | Comments |
|---|---|---|---|---|
| View | ID | x | ||
| User (agents and admins) | User ID, Name, Role, Custom role ID | x | Only agents. We never collect information about end-users. |
|
| Ticket | Ticket ID, Status, Assignee ID, custom fields managed by Playlist | x | x |
Custom fields are updated to create an audit trail. If using the Same Agent workflow, Playlist will also reference Requester ID to query for the user's most recent tickets. |
| Group Membership | User ID, Group ID | x | Used to determine which agents have access based on group restrictions. | |
| Attribute Value | ID, Name, Attribute ID | x | Only applies if you enable Playlist's skills-based routing solution. | |
| Agent Attribute | Agent ID, Attribute Value ID | x | Only applies if you enable Playlist's skills-based routing solution. | |
| Ticket Attribute | Ticket ID, Attribute Value ID | x | Only applies if you enable Playlist's skills-based routing solution. | |
| Target | All fields | x | x | App automatically creates an http target when certain features are enabled (soon to be deprecated). |
| Webhook | All fields | x | x | App automatically creates a webhook when certain features are enabled. |
| OAuth Token | Token | x | Token is always encrypted. | |
| App Installation | Enabled, Group restrictions, Role restrictions | x | Details of your Playlist app installation. | |
| Schedule | ID, Name, Time Zone, Intervals | x | Only for Zendesk Professional and Enterprise. |
Admin contact details
We automatically collect the name and email address of the admin who authorizes Playlist. This admin is our initial point of contact. We may offer an onboarding session and send important updates to the admin as described in our Privacy Policy. Playlist never collects any information about your end-users (customers).
Analytics
We may track Playlist usage to monitor the app’s performance and make improvements to it over time. This is non-identifiable data, and we only aggregate information such as the number of tickets auto assigned by Playlist.
Please contact us if you have any questions or would like to learn more.