Privacy concern with customer email addresses shared with all agents

Scenario: A member of staff sends an email to the HR department via Zammad from their own private email address. ‘HR’ is a restricted Zammad group that only the HR dept can view and search for tickets in. This bit works fine.

Problem: Whenever a member of staff does this, Zammad obviously creates a ‘customer’ account for them, and from thereon their email address becomes searchable (and auto-populates in ‘to’ fields) for all Zammad agents, not just HR agents.

Is there a way to protect the contact details of some ‘customers’ so that they don’t appear in elastic search results? Or does HR have to have a completely separate Zammad instance?



Hello Martin,

I would not allow users to email Zammad from their private email addresses in the first place, to specifically avoid such situations…

Another side effect could be that an Agent replies to that ticket created “from the outside world” and unwillingly leaks sensitive information to an email address outside your organization. Your DPO won’t be very happy about that, I feel … :slight_smile:

My 2 cents.


Hi Martin, yes data protection is a concern.

With regard to users emailing Zammad from a personal email address though, this is normal in the context of how we are using Zammad across multiple departments, including HR. It’s quite normal for staff to email HR from a personal email address, as they will often engage with HR on a personal rather than purely professional basis.

I think you’ve answered my question though, in that what you’ve said supports my understanding that ‘customer’ contact information cannot be segregated in Zammad, i.e. the contact information of some ‘customers’ in some ‘Organizations’ cannot be hidden in the elastic search from some agents. Is that right?

Hi Martin (it’s like talking to myself :slight_smile: )

Please don’t take my word for granted.
I speak from my own experience, which is not vast :slight_smile: .
Perhaps other members in the Zammad Community have another opinion and would like to share their experiences.

If your MTA runs on Postfix, maybe this would be handy:

