In order to automatically merge tickets, Auto Merge needs to access your Zendesk account via API. This article provides technical information on the app and how we ("Playlist") protect your data.
Zendesk OAuth scope
Auto Merge uses OAuth for authentication (see Zendesk OAuth flow). Our service requires the following OAuth scopes:
- Read: global (all data)
- Write: tickets
- Write: targets (soon to be deprecated by Zendesk)
- Write: webhooks
- Write: apps
Data stored on our server
Only metadata, such as the IDs of your custom ticket fields, is stored in our database. We never collect any personal information or ticket content.
Because Auto Merge needs to work even when no one is logged in to Zendesk, we need to store an encrypted version of your OAuth token in our database. The token is encrypted on our server before it is written to the database, and it is never exposed to users on the client side.
Server location
Our server is located in the AWS region US-WEST-2 (Oregon). Data is backed up daily to US-EAST-2 (Ohio).
Data encryption
All data is encrypted in transit using TLS 1.2 and at rest using the industry-standard AES-256 encryption algorithm. We use AWS KMS to manage our encryption keys and the AWS SDK to encrypt and decrypt data.
IP restrictions
Auto Merge has fixed IP addresses, so you can enable IP restrictions if required by your team. Contact us for an updated list of IP addresses.
Data processed by our server
The following ticket fields are always processed by our server:
- Requester ID
- Status
- Subject
- Last public comment (usually the ticket description)
The following ticket fields may also be processed by our server, depending on your configuration:
- Brand ID
- External ID
- Form ID
- Group ID
- Received at (channel)
- Tags
- Custom fields
Penetration testing
Our latest penetration test was completed by a third party in March 2021. An executive summary is available upon request.
Multi-factor authentication
MFA is enabled and enforced on all of our systems. We use the Google Authenticator app with SMS as a fallback.
API rate limits
Auto Merge has a rate limit of 20,000 requests/day and up to 20 requests/second. This limit can be increased for high-volume customers and is subject to change.