I’m not sure where to put it as this is not exactly a technical issue… Please consider the following:
• Users (role ‘customer’) have access to Zammads web UI.
• Some customer creates a ticket via e-mail and they are cc’ing someone else (3rd party, employee).
• For whatever reason that 3rd party replies to that e-mail (reply to all) but deletes the ticket owner (in this case, the customer)—so their e-mail is only sent to Zammad.
While the ticket owner/customer wouldn’t get an e-mail with that answer, they can still see that answer when they login to Zammad (web interface).
I hope you’re understanding what I’m trying to explain. While I think this situation wouldn’t appear often, I can tell you that it happened with one of my customers and their employees.
The employee replied to the ticket (to: Zammad) with some personal information. They did not include the ticket owner/their CEO in ‘to’ neither ‘cc’/‘bcc’ but they (ticket owner/CEO) would still be possible to see that answer within Zammad web interface.
Our DPO means that this should not be the case.
I can’t think of a solution—except for having a trigger welcoming CC’ed ‘users’/addresses (which doesn’t seem to be possible at the moment).
Do you have any ideas/statements regarding this situation?