Zendesk Apps: Technical Information


SweetHawk specializes in Zendesk apps, integrations and business workflows. We have created apps such as Tasks, Approvals and Calendar. A full list of apps available on the Zendesk App Marketplace can be found on our website.

While each app is different in terms of what data it requires and what level of API access it needs, all apps basically are an an iframe. App iframes are securely hosted on our server.

Most of our apps include some type of 'offline' function, something that can happen even when your support agents aren't online. For example a deadline hits, an approval gets granted, a survey response is left or a calendar event started. It's for these and other functions that we require an additional API authorization that our server may use.

Access to your Zendesk data

When installing an app in your Zendesk instance, any app automatically gains access to your data via the Zendesk App Framework it needs via the user permissions of the person using Zendesk. Access to the server side API needs to be explicitly granted by one of your Zendesk administrators and you will be prompted for this when required.

Note that when granting an app access to the server side API, you are not providing access to data not available via the app framework already, you are then granting access for the SweetHawk app server to access your Zendesk directly ('offline access').

This process of granting API access is very straight forward. The first time you use the app upon installing an app that requires server side API access, follow the prompts to enable it. This must be done by an admin because to initialize the apps securely we need server side access to modify the app's internal settings with a secure token.

Note that the API authorization needs to stay current. If the administrator that granted access is leaving the organization or is downgraded to a regular agent, the API needs to be re-authorized by another administrator for the app to continue to work. Follow in-app prompts to complete this process.

Once you granted our server access, the app is initialized and we create your account if this was the first app you installed. This account is assigned a unique token which identifies your account. This token is never shared with anyone and is required to access the data associated with your app. This token is stored with your app and is used in for example targets, and facilitates secure communication. This initialization process happens behind the scenes on the server side over a secure connection only.

Why do apps need server side API access?

Each is app is subtly different. But the apps only read or write data where you would reasonably expect this. The main reasons the apps need server side access are:

* Calendar: setting ticket fields and at the time of the event start and end, tagging the ticket. Also for sending notifications when other users update a calendar event. For a complete overview, please see which APIs are used by the Calendar app.

* Tasks: setting fields on tickets, such as how many tasks are completed and what the parent ticket ID is. For a complete overview, please see which APIs are used by the Tasks app.

* Due Time: tagging a ticket at the due date/time and sending an in-app notification. For a complete overview, please see which APIs are used by the Due Time app.

* Deadline: updates a ticket with a special tag when the deadline hits. For a complete overview, please see which APIs are used by the Deadline app.

* Approvals: loads ticket data to send messages to approvers, tags tickets if required, sets a custom field called Approval Date when all approvals are granted, and creates targets for automatic approvals.

* Survey: sets a value for the secure token Zendesk user field and creates Dynamic Content for the new customer satisfaction snippet for use in notifications. For a complete overview, please see which APIs are used by the Survey app. Please note that the Survey app does not store any personal data of your customers. The survey data is stored anonymously and is linked to the customer data in Zendesk via the ticket ID only.

* Notify: to allow for quick editing of triggers and to send the notifications.

* Timers: to tag your ticket when a timer ends

* Change manager: to setup ticket fields in your account in relation to change management such as "Impact" and "Risk" and maintain the "Change Type" field as you add and remove change types.

For the Reminders app, access to the API is not required for the app to function, it only needs to be enabled if in-app notifications for agents are desired.

The apps RightGIF, Hide Ticket Fields and Undo do not require access to the REST API.

Data transfer and security

All data is encrypted using TLS 1.2 when transferred and this includes the app iframes that display the app UI inside Zendesk app locations, any data transferred to and from Zendesk APIs but also any external services such as Google Calendar.

Data storage and retention

To create the best experience in the apps, at times we mirror some data from Zendesk when app functionality is used, for example, we download and store ticket data when: a due time is set, a calendar item is created, or tasks are added. The reason the data is stored is for the purpose of caching, performance and to keep the rate of API calls to your Zendesk as low as possible. We also store credentials that are needed for example for external integrations. This information is kept securely on our server.

Expired cache data is cleaned up at times but there is no set policy for this.

After all apps are uninstalled, accounts will be marked for deletion after some time. If you wish to delete your data sooner, or you wish to retain your data longer, please contact us.

Personal information

Apps will store personal information of agents using the apps for role management purposes and for apps to function as advertised but also so they may be contacted about app updates and important messages about potential issues. You may unsubscribe from app updates at any time.

Apps do not store personal data of your customers such as user records or text fields on tickets although we cannot necessarily exclude this data when securely transferred to us via a Zendesk APIs we require to call for other purposes, we only store data that was in fact needed. For example, if we need to access a specific ticket field value on a Zendesk ticket, the only API available to obtain this data also includes the subject, description and other custom text fields of that ticket, which may all include sensitive data.

Please refer to our Privacy Policy for how we treat personal data.

Server technology stack

Our servers are running on AWS EC2 instances in the US East (us-east-1) region deployed via Cloud 66. Our DNS is hosted on AWS Route53.

We use a PostgreSQL database server running on a server only accessible from our multi-tenanted Ruby on Rails application server, with a replication slave.

Our policy is to keep Operating Systems, web server software and application libraries up to date on the latest security patch versions.


Do I have access to my data?

If you wish to obtain your data please contact us and we will kindly oblige.

I'm no longer using your app, can you delete my data?

Of course, just contact us and we'll dispose of your data responsibly.

I use an IP whitelist for my API access, what are your IP addresses? 

You must add all our server's IP addresses:

Note: using an IP whitelist is not recommended as our IP addresses change from time to time and this will stop the apps from functioning correctly. To be notified when our IP addresses change, please add yourself to this mailing list.


Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk