Zoho's security culture

Secure software development

Security is prioritized at every step of the product development life cycle. Before being pushed live, every new feature and product update passes through multiple layers of verification, including code analyzer tools, vulnerability scanners, and a manual review process by Zoho security experts.

Security as an organizational priority

Zoho’s dedication to security is baked into our org structure and strategic priorities at every level. To that end, privacy and security teams report directly to the CEO and top management. These teams stay on the cutting edge by taking on a consistent regimen of training on the latest laws, standards, and industry expectations.

Security-conscious workforce

Our security-minded culture extends to each individual Zoho employee, not just those who work on security-related teams. When inducted, Zoho employees sign a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Additionally, we provide training on specific aspects of security, based on role and data access.

Network security

Monitoring and management of our network security creates multiple layers of protection.

DDoS prevention technology ensures our websites, apps, and APIs stay up even in the event of a cyber attack.

Development and testing servers are hardened, including built-in server hardening within the base OS image.

Multi-layered intrusion detection and prevention, including machine intelligence and proprietary WAF.

Organizational security

Zoho’s strict policies ensure security remains at the forefront of our operations at every level.

Every Zoho employee goes through external background checks before interfacing with users to mitigate any potential personnel risks.

Dedicated vulnerability management teams identify and secure potential threats before they can be exploited.

All operations undergo periodic internal and independent audits, guaranteeing consistent compliance.

Hardware security

Ownership over our data centers allows us to ensure security at the physical level.

Each customer’s data is logically separated from other customers’ data across geographically diverse Data Centers (DCs).

Our disaster recovery protocol replicates data across DCs in near real time. In case of primary DC failure, a secondary DC takes over, allowing operations to continue with little to no downtime.

Two-factor and biometric authentication and approval are required for all direct DC access.

High-security encryption

We encrypt 100% of data in transit and selectively at rest.

  • In transit: TLS encryption protocol (latest versions 1.2/1.3, SHA-256, and AES_CBC/AES_GCM ciphers with 256-bit/128-bit keys)
  • At rest: 256-bit Advanced Encryption Standard (AES), Key Management Service (KMS)
  • All keys are physically separated and stored in different servers with limited access

Want to learn more about Zoho’s encryption protocols? Read our encryption whitepaper.

Fully certified

Zoho conducts rolling internal and external privacy and security audits in order to maintain our global ISO and SOC 2 certifications, assuring our users that their data is in good hands.