Third-Party App Security: Key Questions to Ask
Learn essential questions to ask third-party app vendors to ensure your Zendesk environment remains secure and your customer data is protected.
Data Privacy Management
May 30, 2025
Did you know that third-party apps caused over a third of breaches and 41% of ransomware attacks in 2024? If you're integrating apps into your Zendesk platform, security risks are unavoidable. But asking the right questions can help you protect sensitive customer data and maintain trust. Here's what you need to know:
Data Security: Ensure vendors use strong encryption (AES-256 for stored data, TLS 1.3 for data in transit) and proper key management. Verify compliance with standards like SOC 2 and ISO 27001.
User Access: Look for multi-factor authentication (MFA), role-based access control (RBAC), and secure session management.
Vendor Practices: Confirm vendors have a formal security review process, disclose third-party partners, and use advanced monitoring tools like SIEM.
Incident Response: Ask about response times (MTTA/MTTR), handling critical vulnerabilities, and evidence preservation.
App Development: Vendors should test for vulnerabilities (SAST/DAST), address OWASP Top 10 risks, and manage third-party code dependencies securely.
Quick Tip: Always prioritize vendors who are transparent about their security measures and certifications. A single weak link can compromise your entire system. Now, let’s dive deeper into how you can safeguard your Zendesk environment.
Shadow Apps: How to Control Risky Third Party Applications
Data Security Questions
Ensuring secure third-party integrations begins with strong data protection practices. It's essential to evaluate how vendors handle encryption, data storage, and key management to minimize the risk of breaches. Additionally, reviewing their storage protocols helps ensure customer data remains safeguarded.
What encryption standards do you use for data storage and transfer?
Encryption is your first line of defense against unauthorized access. Vendors should provide detailed information about their encryption protocols for both data at rest and data in transit to maintain Zendesk's security.
For stored data, the industry standard is AES-256 encryption, which is widely recognized as the gold standard for securing large amounts of customer data in databases and file systems.
For data in transit, vendors should use TLS 1.3 or higher to secure communications between your Zendesk system and any third-party applications.
Encryption methods matter because over 70% of vulnerabilities stem from poor implementation. It's also critical to ask about their key management practices - encryption keys should always be stored separately from the data they protect.
Feature | AES-256 | RSA-4096 | ECC-256 |
|---|---|---|---|
Type | Symmetric | Asymmetric | Asymmetric |
Best Use Cases | Bulk data encryption, file encryption, database encryption | Digital signatures, key exchange, certificate authorities | Mobile applications, IoT devices, resource-constrained environments |
Performance | Very Fast | Slow | Moderate |
Key Size | 256 bits | 4096 bits | 256 bits |
How do you store sensitive customer data securely?
Securing customer data requires multiple layers of protection. Vendors should use database-level encryption, strict access controls, and secure backup procedures to protect personally identifiable information (PII) within Zendesk.
Ask vendors about their data isolation practices. Systems processing PII should operate in isolated environments to minimize the risk of accidental exposure and limit the impact of potential breaches.
Also, inquire about attribute-based access controls to ensure sensitive data is only accessible to those who truly need it. This limits the likelihood of unnecessary access.
Backup security is another critical area. Even if encrypted data is breached, proper key management ensures the data remains unreadable. In fact, there have been no verified cases of compromised encrypted data when encryption keys were securely managed. This underscores the importance of robust key management practices.
Finally, assess whether the vendor adheres to recognized security standards as part of their data storage protocols.
Which security standards does your company follow?
Compliance with established security frameworks provides confidence that vendors follow best practices to protect sensitive information. Look for certifications such as SOC 2, ISO 27001, and regulatory compliance like GDPR or CCPA.
SOC 2 is particularly common among U.S.-based vendors, while ISO 27001 is more globally recognized. These standards outline measures to safeguard sensitive data against unauthorized access, misuse, or destruction.
Request up-to-date audit reports along with certifications. For context, in 2024, the U.S. reported 725 major healthcare data breaches, affecting over 275 million records.
Consider the vendor's industry focus when evaluating their certifications. For example, healthcare-focused vendors should demonstrate HIPAA compliance, while those handling payment data need PCI DSS certification. Choosing the right security framework depends on your industry's needs and the sensitivity of the data involved.
It's worth noting that 45% of breaches are caused by malicious activities, while 22% result from accidental errors. Vendors with comprehensive security frameworks are better equipped to handle both intentional attacks and unintentional mistakes.
User Access and Login Security
Keeping third-party applications secure starts with controlling who can access them. Strong authentication and access controls are essential to protect sensitive Zendesk data from unauthorized users.
What login security methods should you use?
Multi-factor authentication (MFA) is non-negotiable for third-party vendors. This extra layer of security significantly reduces the risk of unauthorized access, even if passwords are compromised.
When evaluating vendors, ask about their authentication methods. The most secure options include:
Third-party authentication through platforms such as Google or Microsoft.
Email-password combinations with MFA enabled.
For API access, keep in mind that password-based API authentication will no longer be supported by Zendesk after December 2025. Instead, vendors must use methods like OAuth 2.
To streamline security, choose vendors that offer integrated MFA setup and self-service password reset options. It's also important they provide backup authentication methods for added flexibility.
Do you support role-based access control (RBAC)?
Role-based access control (RBAC) ensures users only access what they need based on their role within the organization.
"Role-based access control (RBAC) is a security approach that authorizes and restricts system access to users based on their role(s) within an organization."
RBAC doesn’t just manage login access - it governs what users can do with the data. For example, some roles may only have read-only access, while others can edit or delete data. This type of control should be implemented across all layers of the system.
For scalability, look for vendors that use Policy as Code. This method separates policy management from the application code, making updates easier without touching the application itself. Vendors should also follow the principle of least privilege, ensuring users only have the permissions needed to perform their tasks.
Efficient systems assign roles to groups rather than individuals, simplifying management. Additionally, robust systems include multiple layers of permission enforcement, such as feature flagging (to show or hide features), binary gating (to allow or deny access), and data filtering (to control what users can see).
How do you handle user sessions?
Proper session management is critical for preventing unauthorized access during active sessions. Poor session handling is responsible for 80% of website security breaches.
Vendors should actively monitor user behavior to detect anomalies, such as unusual login locations or times, which could indicate session hijacking. This includes verifying IP addresses and User-Agent headers for inconsistencies.
Session timeouts are another key feature. Vendors should enforce reasonable timeout periods and ensure proper logout functionality that destroys session tokens on the server side. Regular session ID rotation further reduces the risk of compromised tokens.
Advanced security measures include network segmentation to limit communication across system components and real-time monitoring with Intrusion Detection Systems (IDS) to catch unauthorized access attempts.
"Robust session management is essential to prevent attackers from taking over sessions and causing significant damage." - Yetunde Salami, Web Hosting Expert, Verpex
Some of the most secure vendors also use behavioral biometrics to analyze unique user patterns for authentication and maintain comprehensive user activity monitoring to safeguard sensitive data.
Vendor Security Practices
Vendor security isn't just about technical features; it's about having clear processes and complete transparency. With over one in three breaches in 2024 stemming from third-party relationships, thoroughly evaluating vendor security practices is critical to safeguarding your Zendesk environment.
Do you have a formal security review process?
Trustworthy vendors should have a well-documented and consistently executed security review process in place. They need to clearly outline how they classify data based on sensitivity and the specific security measures they apply to protect each classification. Regular reassessments, up-to-date risk intelligence, and automated tracking tools are key elements of a robust security framework. These practices ensure vendors can continuously monitor and improve their security posture. Alarmingly, 54% of organizations still fail to properly vet their third-party vendors, making this an essential area to address.
Do you clearly identify all third-party partners?
Transparency is non-negotiable when it comes to third-party partnerships. Vendors should disclose all external parties with access to your data. This is especially critical given that 98% of organizations globally work with at least one third-party vendor that has experienced a breach in the past two years. Ask vendors to specify which third parties handle different data types, such as storage, analytics, or backups, as each relationship could introduce vulnerabilities. Additionally, it’s vital to understand how vendors vet and monitor their own partners. Only 34% of organizations feel confident that their suppliers would notify them of a breach involving sensitive information, highlighting the need for rigorous oversight.
What security monitoring tools do you use?
Continuous monitoring is a cornerstone of effective security for your Zendesk platform. Vendors should be transparent about their real-time threat detection capabilities and the tools they use. Look for solutions incorporating Security Information and Event Management (SIEM) systems and Endpoint Detection and Response (EDR) tools for round-the-clock monitoring. Advanced vendors may also utilize Threat Intelligence Platforms (TIPs) to analyze data from multiple sources, offering actionable insights into existing and potential threats. It’s equally important for vendors to explain their escalation processes and automated response strategies when threats are detected.
For example, Adelante CX emphasizes its security commitment by adhering to enterprise-grade compliance standards like SOC 2, ISO 27001, HIPAA, and GDPR. Their approach includes continuous monitoring as part of a comprehensive security framework tailored specifically for Zendesk environments.
The stakes are high - companies that experience a data breach often underperform by more than 15% over three years. A vendor’s ability to detect and respond to threats quickly can significantly impact your organization's reputation and long-term success. These monitoring practices are the foundation of a strong incident response strategy.
Security Incident Response
When it comes to safeguarding your systems, incident response acts as your ultimate line of defense. While vendor security practices lay the groundwork, having a solid incident response plan is essential to prevent breaches that could harm both Zendesk's operations and its reputation. Knowing exactly how to respond before an incident occurs is key to protecting your customer support and maintaining trust.
Here are some critical questions to ask vendors to understand how they manage incidents and mitigate risks effectively.
What are your incident response time metrics?
Speed matters when responding to security incidents. Ask vendors for specific metrics like Mean Time to Acknowledge (MTTA) and Mean Time to Resolve (MTTR) for incidents of varying severity. Clear escalation procedures are also important. These metrics can give you a sense of how prepared a vendor is to handle emergencies quickly and efficiently.
How do you handle critical security vulnerabilities?
Critical vulnerabilities demand immediate attention. Vendors should explain how they assess and prioritize threats, using tools like the Common Vulnerability Scoring System (CVSS), EPSS, or CISA's Known Exploited Vulnerabilities (KEV) Catalog. It's important to understand their remediation timelines and whether they use continuous scanning and automated prioritization to identify and address risks.
Consider this: Over 18,590 new Common Vulnerabilities and Exposures (CVEs) were added in 2022. Yet, in 2023, less than 1% of vulnerabilities posed the highest level of risk or were actively exploited. Alarmingly, 75% of high-risk vulnerabilities were exploited in the wild within just three weeks of disclosure.
"For over a decade now, a statistically small number of vulnerabilities has represented a majority of operational cyber risk to organizations." - Gartner
Additionally, published exploits were available for 25% of high-risk vulnerabilities on the same day they were disclosed. This highlights the urgency of having vendors who can act quickly and decisively.
Do you preserve evidence after security incidents?
Preserving evidence is a crucial part of incident response. Vendors should clearly outline their processes for collecting, preserving, and analyzing forensic evidence. This includes maintaining system logs, secure backups, and having clear policies for evidence retention. Proper evidence handling ensures thorough investigations and helps meet legal and regulatory requirements.
Regulations like GDPR, HIPAA, and CCPA often impose strict timelines and documentation standards for incident response. Vendors must not only understand these requirements but also have procedures in place to help you stay compliant. Maintaining the integrity of forensic evidence throughout the investigation is critical to meeting these obligations and protecting your organization.
Secure App Development Practices
Building a secure third-party app starts with strong development practices. While incident response tackles issues after they arise, a secure development process aims to prevent vulnerabilities from ever entering your Zendesk environment. This proactive approach is essential for safeguarding customer data, especially given the alarming number of vulnerabilities in modern apps.
Consider this: Over 75% of applications have flaws, and 61% contain high or critical vulnerabilities. With cybercrime-related losses hitting $12.5 billion in 2023, it’s clear that understanding and prioritizing secure development practices is non-negotiable.
Do you regularly test for security vulnerabilities?
Security testing shouldn’t be an afterthought - it needs to be embedded into every stage of the development process. When evaluating vendors, ask how often they test for vulnerabilities and what methods they use. The best practices combine multiple testing techniques to catch a wide variety of issues.
For example, vendors should use SAST (Static Application Security Testing) to analyze code for vulnerabilities and DAST (Dynamic Application Security Testing) to simulate real-world attacks during runtime. Manual penetration testing is also crucial, as it can uncover flaws automated tools might miss. Ideally, security testing should be part of their continuous integration pipeline, ensuring vulnerabilities are detected and resolved early in development. This process should extend beyond the main application code to include third-party components and libraries.
How do you address OWASP Top 10 security risks?
The OWASP Top 10 highlights the most critical security risks for web applications. Vendors with strong security practices will have clear plans to address issues like injection attacks, broken authentication, misconfigurations, and cross-site scripting.
When assessing vendors, ask for specific examples of how they mitigate each risk. For instance:
Injection attacks: They should validate user inputs and use parameterized queries.
Authentication vulnerabilities: Enforcing robust password policies and multi-factor authentication is key.
Misconfigurations: Regular security reviews help identify and resolve gaps.
Look for vendors who align their practices with OWASP guidelines. Companies like Adelante CX, for example, design their Zendesk apps with these principles in mind, ensuring compliance with SOC 2, ISO 27001, HIPAA, and GDPR from the ground up.
How do you manage third-party code dependencies?
Modern apps often rely on third-party libraries, which can introduce serious security risks. In fact, 84% of commercial applications include at least one vulnerable dependency. Managing these dependencies effectively is a critical part of secure development.
Vendors should use automated tools like Snyk or OWASP Dependency-Check to identify vulnerabilities in libraries and perform regular audits to ensure dependencies remain secure. Practices such as version pinning can help control updates and reduce the risk of unexpected changes introducing new vulnerabilities.
A thorough approach combines automated scans, manual reviews, and scheduled audits to secure third-party code. Vendors should prioritize libraries with a strong reputation, regular updates, and proven security practices. Additionally, they should document their decision-making process for each integration and enforce strict policies for addressing high-severity vulnerabilities. These measures help protect your Zendesk environment from potential risks.
Conclusion: Protecting Your Zendesk Setup
The questions outlined earlier are key to ensuring the security of your Zendesk environment. Protecting this setup starts with demanding complete transparency from every vendor you work with. The numbers tell a striking story: 73% of organizations are more inclined to buy from vendors who actively identify, address, and disclose security vulnerabilities. Meanwhile, 64% of companies expect tech providers to be upfront about vulnerabilities, updates, and patching processes. Without this level of openness, the risk of costly breaches increases significantly.
When vendors fail to meet these expectations, your customer data could be in jeopardy. A lack of transparency often opens the door to breaches. Take the 2013 Target breach as a sobering example - it affected 40 million customers and cost the company over $200 million. Many breaches, like this one, stem from weak third-party connections.
The consequences of poor vendor selection are steep. More than half of consumers lose trust in brands that experience data breaches, with 70% stopping their purchases altogether and 30% facing personal data exposure. Your choice of third-party apps doesn't just affect your operations - it directly impacts customer trust and your company's reputation.
"System security should not depend on the secrecy of the implementation or its components."
US National Institute of Standards and Technology (NIST)
To align with these principles, partner with vendors who uphold high security standards. Seek out those who provide thorough documentation on their data governance policies, security protocols, and compliance measures. Confirm their certifications, such as GDPR, HIPAA, or ISO 27001, and ensure they’ve undergone independent security assessments tailored to your business needs.
Your Zendesk environment should be treated with the same security rigor as any other critical business system. This means enabling two-factor authentication for all users, applying role-based access controls, and conducting regular audits of integrated apps to verify their security and updates. Additionally, establish clear contractual agreements with vendors that define security responsibilities, requirements, and liabilities.
Ultimately, these measures highlight the importance of selecting vendors with proven security practices. While companies like Adelante CX offer secure, enterprise-ready Zendesk apps, the responsibility of thorough vendor vetting remains firmly in your hands. Prioritizing security isn't just about protecting your system - it’s about safeguarding your customers and your business.
