Product Security
All our products are built to be secure by design. Every change and feature is subject to our secure coding guidelines and is checked by static code analysis, vulnerability scanners, and manual code review before release. A security framework based on OWASP standards and implemented in the application layer provides the controls used to mitigate common application threats. Our employees put security first, and security is integrated into every phase of our software development process.
Data Security
Our architecture ensures that each customer’s data is logically separated from other customers’ data. In addition, we offer encryption at rest and in transit to protect our customers’ data. Data storage and backups are handled with the same access controls and encryption as production data.
As part of our commitment to data security, we utilize Zoho as a trusted partner, benefiting from their comprehensive compliance certifications and robust security framework.
Availability
Our disaster recovery and business continuity programs enable us to offer high availability. Customer data is distributed across geographically dispersed data centers (DCs), so that data held in one data center is replicated to another. This allows operations to continue, with minimal or no downtime, if a data center fails. The data centers are physically secured through the strict access controls enforced by our hosting providers.
Operational Security
We have a rigorous logging and monitoring system in place to detect anomalous or malicious traffic through our servers. We use intrusion detection and prevention systems to protect our infrastructure and prevent its misuse. We use a combination of certified third-party scanning tools and internal tools to identify and remediate vulnerabilities.
Compliance Certifications
Our infrastructure partner, Zoho, complies with the following industry-accepted standards, which help you ensure the security and compliance of your data. Zoho’s certification portfolio includes ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018, SOC 2 Type II, ISO 9001, SOC 2 + HIPAA, ISO/IEC 27701, and SOC 1 Type II. These certifications and attestations cover the Zoho services and infrastructure we build on; the product, data, and operational security controls described above remain our own responsibility.
Zoho Partner Certifications
The ISO/IEC 27001 standard is one of the most widely recognized independent international security standards. Certification is awarded to organizations whose information security management system (ISMS) is audited and found to conform to the standard’s requirements. Zoho has obtained ISO/IEC 27001:2013 certification covering its applications, systems, people, technologies, and processes.
Applicable to: All Zoho cloud services and on-premises products, ManageEngine, Site24x7, Qntrl, and GSP Solution.
The ISO/IEC 27017 standard provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002 and additional controls with implementation guidance that specifically relate to cloud services.
Zoho is certified ISO/IEC 27017:2015 – Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
Applicable to: All cloud services of Zoho, ManageEngine, Site24x7, and Qntrl.
The ISO/IEC 27018 standard establishes commonly accepted control objectives, controls, and guidelines for protecting personally identifiable information (PII) processed in a public cloud. It extends the control set of ISO/IEC 27001 and ISO/IEC 27002 with PII-specific guidance, giving customer organizations assurance about how their cloud provider handles PII.
Applicable to: All cloud services of Zoho, ManageEngine, Site24x7, and Qntrl.
Zoho is SOC 2 Type II compliant. A SOC 2 report is an independent assessment of the design and, for a Type II report, the operating effectiveness over a review period of controls that meet the AICPA’s Trust Services Criteria.
Applicable to: All cloud services and on-premises products of Zoho, ManageEngine, Site24x7, Qntrl, TrainerCentral, and Zakya.
The ISO 9001 standard is the international standard that specifies requirements for a quality management system (QMS). Organizations use it to demonstrate their ability to consistently provide products and services that meet customer requirements and applicable regulatory requirements. Zoho’s Desk, HRMS, and Finance application suites, among others, comply with ISO 9001 requirements.
Applicable to: Zoho Desk, Zoho Creator, Zoho Projects, Zoho CRM, Zoho HRMS products (e.g., Zoho People, Zoho Payroll) and Zoho Finance Plus products (e.g., Zoho Books, Zoho Invoice, Zoho Inventory, Zoho Subscriptions, Zoho Expense, Zoho Checkout).
SOC 2 + HIPAA: An independent third-party audit firm has reviewed the system description covering application development, production support, and general information technology controls for services provided to customers from Zoho’s offshore development center, against the security, confidentiality, and breach-notification requirements defined in the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification provisions. Zoho’s responsibility is limited to its role as a "business associate."
Applicable to: Zoho CRM, Zoho Bookings, Zoho Survey, Zoho Forms, Zoho Desk, Zoho Expense, Zoho Checkout, Zoho Creator, Zoho Analytics, Zoho Mail, Zoho Sheet, Zoho Workdrive, Zoho Sign, Zoho SalesIQ, Zoho Sales Inbox, Zoho Meeting, Zoho Pagesense, Zoho Books, Zoho Inventory, Zoho People, Zoho Vault, Zoho Notebook, Zoho Show, Zoho Sprints, Zoho Connect, ZohoOne Engineering, Zoho Bigin, Zoho Campaigns, Zoho Sites, Zoho Assist, Zoho Invoice, Zoho Subscriptions, Zoho Recruit, Zoho Flow, Zoho Writer, Zoho Learn, Zoho Projects, Zoho Cliq, Zoho Marketing Automation, ManageEngine ServiceDesk Plus Cloud, ManageEngine ServiceDesk Plus On-Premises, ManageEngine Desktop Central/MSP on-Premises, MedicalMine, Qntrl.
ISO/IEC 27701 is an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy management in an organizational context. It adds requirements to an existing information security management system (ISMS) to establish, implement, maintain, and continually improve a privacy information management system (PIMS), and enables organizations to demonstrate compliance with applicable privacy regulations worldwide.
Applicable to: All business units, cloud services, and on-premises products of Zoho, ManageEngine, Site24x7, and Qntrl that operate as a controller and/or processor of personally identifiable information.
Zoho is SOC 1 Type II compliant under the AICPA’s SSAE 18 and the IAASB’s ISAE 3402 standards. SOC 1 reports examine the controls at a service organization that are relevant to its customers’ internal control over financial reporting.
Applicable to: Zoho Books, Zoho Invoice, Zoho Expense, Zoho Inventory, Zoho Subscriptions, Zoho Checkout, Zoho Payroll, Zoho CRM, Zoho Mail, Zoho Projects, Zoho Creator, Zepto Mail.
Privacy at Zoho
Our Privacy Policy and our GDPR-compliant Data Processing Addendum (DPA) demonstrate our commitment to privacy. Our position on the GDPR is described in more detail in our GDPR statement.
We analyze, review, and evaluate every third-party service that may handle your data through risk assessments and periodic reviews.
Our products provide features such as access authorization, encryption of fields containing personal information, audit trails, and field labeling, all designed to improve the privacy of your data.
A dedicated team manages our privacy program through practices such as Data Protection Impact Assessments (DPIAs), internal audits, and employee awareness and training.