Frequently Asked Questions on Zoho Security

We have an Information Security Management System (ISMS) in place derived from ISO standards, which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We have achieved ISO 27001, ISO27017 & ISO27018 certifications to demonstrate our compliance with the standards.

The Data Center where your data is stored is selected automatically based on the Country chosen by you while signing up for Zoho services.  The information regarding which Data Center has been selected is displayed right below the Country picklist in the sign up form.

At any instant, you can know which Data Center your data resides in by looking at the URL on the browser when you are logged in to Zoho and are using our applications, or by clicking here.

• 1. If the URL is in the format of *.zoho.com (where * indicates the name of a Zoho Application such as crm, people, one), then your data is stored in the US(United States) DC. 
• 2. If the URL is in the format of *.zoho.eu, then your data is stored in the EU(European) DC.
• 3. If the URL is in the format of *.zoho.in, then your data is stored in the IN(Indian) DC.
• 4. If the URL is in the format of *.zoho.com.au, then your data is stored in the AU(Australian) DC.
• 5. If the URL is in the format of *.zoho.jp, then your data is stored in the JP(Japan) DC.

Access to your data is restricted to a small number of employees on a need-to-know basis in order to provide you technical support. This access is reviewed periodically.

We encrypt customer data both in transit and at rest. Data at rest is encrypted using industry-standard AES-256. All customer data is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2/1.3 with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. To know more about encryption at Zoho, click here.

We own and maintain the keys using our in-house Key Management Service(KMS). Currently, there is no provision for customers to upload their own keys.

The passwords you use to access Zoho services are stored in a non-reversible encryption scheme. We use bcrypt hashing algorithm with per-user-salt, so that even if our login database was stolen, it would be prohibitively expensive to reverse engineer the passwords.

Our framework distributes and maintains the cloud space for our customers. Data of multiple customers is logically separated from each other and our framework ensures that no customer's service data becomes accessible to another customer.

We use technologies from well-established and trustworthy service providers, who offer multiple DDoS mitigation capabilities to prevent disruptions caused by such attacks.

Yes, we conduct automated and manual penetration testing efforts regularly. We use a combination of certified third party scanning tools and in-house tools for scanning codes.

If you discover a vulnerability in one of our products, you can let us know so that we can fix it as soon as possible. We also have a responsible disclosure policy and bug bounty program. Please find further details at https://bugbounty.zohocorp.com/

We have a dedicated Incident Response Team which is responsible for incident detection, assessment, forensics, containment, and recovery activities. In cases where we are controllers of data and an incident leads to a data breach, the affected customers will be notified within 72 hours after we become aware of it. In cases where we are processors of data and an incident leads to a data breach, the respective controllers will be informed without undue delay. 

For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address). The Complete report will be provided to customers on request within 5 to 7 working days.

We notify the incidents that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we provide you with necessary evidences regarding incidents that apply to you. Root Cause Analysis will be provided on request.

Amongst the Zoho services, all the Zoho finance Plus products (ie) Zoho Books, Zoho Invoice, Zoho Inventory, Zoho Subscription, Zoho Expense, Zoho Checkout and Zoho Commerce, are PCI DSS compliant. The Payments service that the customers use to purchase subscriptions of Zoho is also PCI compliant.

Other Zoho services never transmit or store your credit card details.

Additional security features that can be availed by customers:

• Multi factor Authentication
• Configurable password policy
• IP restrictions
• Role based Access control
• Encryption for custom fields
• Account activity audit

We hold the data in your account as long as you choose to use Zoho Services. Once you terminate your Zoho user account, your data will eventually get deleted from active database during the next clean-up that occurs once in 6 months. The data deleted from the active database will be deleted from backups after 3 months.

We have a business continuity plan for our major operations such as support and infrastructure management. For redundancy, Data in primary Data Center (DC) is replicated in the secondary. In case of failure of the primary DC, secondary DC takes over and the operations are carried on smoothly with minimum or no loss of time.

We run full back-ups once a week and incremental back-ups everyday. Back-up data in a DC is stored in the same location and encrypted at rest, as the original data. We additionally restore and validate backups every week. A retention time of 3 months is applicable for all backed up data. In case of a request from a specific customer, we will restore their data from the backup and make it available to them.

We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.  Access to production environments is facilitated through a separate network with stricter rules and hardened devices. Access control is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys.

Our availability SLA commitment is 99.9% monthly uptime. We have redundancies implemented at various levels starting from the infrastructure to the ISP to achieve this. Data from the primary data center is replicated in the secondary, and a read-only version of Zoho apps is always served from the secondary data center.

We have a risk assessment policy and procedure to identify, analyze and mitigate risks by implementing appropriate controls. We perform risk assessment for every major change that happens in our environment. The overall risks are reviewed and updated once in a year. 

Each employee undergoes a process of background verification. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

We are ISO 27001, ISO 27017 and ISO 27018 certified.  And Zoho is also SOC 2 Type II compliant in Security, Confidentiality, Processing Integrity , Availability, and Privacy. These ISO and SOC audits are conducted annually, covers all the important and essential controls.

Click here for more details.

We always provide utmost importance to customer’s privacy. When we receive requests from law enforcement authorities, we review such requests to see if the applicable legal process is followed to obtain a valid and binding order. We object to overboard or otherwise inappropriate requests. Unless prohibited by law, we notify customers before disclosing customer data so that the customers can seek protection from disclosure.