Security
Security is a top priority for Thank You Auto-Solve. This document explains how we protect your data.
Authentication
OAuth 2.0
We use Zendesk's official OAuth 2.0 flow for authentication:
- No passwords are stored
- Tokens are scoped to minimum required permissions (
read write) - Tokens can be revoked at any time via disconnect
Token Storage
- Access tokens are stored in Cloudflare KV
- All data is encrypted at rest
- Tokens are automatically refreshed when expired
- Disconnecting permanently deletes stored tokens
Webhook Security
Signature Verification
Every incoming webhook is verified using HMAC-SHA256:
- Zendesk signs each webhook with a secret key
- We verify the signature before processing
- Invalid signatures are rejected with 401 error
Timestamp Validation
Webhooks include a timestamp that we validate:
- Requests older than 5 minutes are rejected
- Prevents replay attacks
- Ensures request freshness
Data Handling
What We Process
- Ticket ID
- Comment body (for classification)
- Subdomain (for routing)
What We DON'T Store
- Customer personal information
- Ticket content (processed in memory only)
- Historical ticket data
- Agent information
Data Retention
- Message content is processed in real-time and immediately discarded
- Only OAuth tokens and configuration settings are persisted
- All data is deleted when you disconnect the app
Third-Party Services
OpenAI
Message content is sent to OpenAI for classification:
- Used solely for thank-you detection
- Subject to OpenAI's data usage policies
- API data is not used for model training
Cloudflare
Our backend runs on Cloudflare Workers:
- Enterprise-grade security
- Global edge network
- SOC 2 Type II certified
Permissions
The app requests minimal Zendesk permissions:
| Permission | Purpose |
|---|---|
read | Read ticket content for classification |
write | Update ticket status and add notes |
We do NOT request:
- User management permissions
- Organization access
- Admin settings access
Compliance
GDPR
- Data processing is minimized to essential operations
- No personal data is stored beyond OAuth tokens
- Full data deletion on disconnect
- No data sharing with third parties (except OpenAI for classification)
Data Residency
- Backend runs on Cloudflare's global network
- Data processing occurs at the nearest edge location
- Token storage uses Cloudflare's distributed KV store
Security Contact
Found a security issue? Please email us at:
thankyouautosolve@terrydjony.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
We take all security reports seriously and will respond within 48 hours.