Zoho has always honoured the privacy of our users, and we have just taken another step to demonstrate our commitment to protecting your data. We have always welcomed opportunities from independent third-party auditors to verify that we practise what we preach. And now, we are proud to announce that we have been certified for compliance with the ISO 27701:2019 – Privacy Information Management System.
Note: Mentions of ‘we’, ‘our’ and ‘us’ in this blog refer to Zoho Corp.
What was the scope of the audit?
All business units and application teams that handle PII (Personally Identifiable Information) belonging to external parties (including, but not limited to, prospects, customers, vendors and partners, and all other personal information handled and/or processed by Zoho) participated in the audit.
Most business units, including Sales, Support, Marketing, Finance, Legal, IT, Compliance and Business Development, were audited.
What was the process for certification?
The teams, products and locations that were included in the scope were subject to strict evaluation and thorough testing by the auditors to validate and verify that our practices are in line with the controls of the ISO 27701 standard.
What PII processing roles of Zoho were audited?
The roles of PII Controller and PII Processor were both audited. This means that the PII we handle in our capacity as a PII Controller (a.k.a. Data Controller in some jurisdictions), as well as in our capacity as a PII Processor (a.k.a. Data Processor in some jurisdictions), was audited.
Note: Any mention of ‘data’, ‘information’ or ‘your information’ in this blog refers to the PII defined under the scope of the audit.
What is ISO 27701?
In simple words, it is a recent standard (published in late 2019) that extends the ISO/IEC 27001 and ISO/IEC 27002 standards to cover privacy management within the context of the organization. The certification standard is designed to enhance an existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS).
Here’s what this means* about the processing of your PII by Zoho.
Zoho has identified and documented the PII data collected, the specific purpose of processing, and the lawful basis for such processing.
Zoho obtains consent where required and keeps a record of it.
Zoho conducts privacy impact assessments where there is a change in the type or purpose of processing PII.
Zoho has written and established processes to cater to the rights of PII Principals (a.k.a. Data Subjects in some jurisdictions), such as providing access to, rectification of, and deletion of their PII on request.
Zoho collects only the minimum necessary data required for its operations, and adheres to the principles of privacy by design and default in its processing activities and systems.
Zoho has identified and documented the third parties with whom it shares PII, maintains records of the transfers and of the countries to which it transfers PII, and has appropriate data processing agreements in place that govern those transfers.
* Non-exhaustive list
The controls applicable to a PII Processor were also audited. These controls are similar to those mentioned in our blog on compliance with ISO 27018, but extended to include the on-premise products offered by Zoho (as applicable).
These certifications are a testament to our commitment to industry requirements regarding data-handling accountability. For any questions, please write to us at firstname.lastname@example.org.