Zoho's security culture
Secure software development
Security is prioritized at every step of the product development life cycle. Before being pushed live, every new feature and product update passes through multiple layers of verification, including code analyzer tools, vulnerability scanners, and a manual review process by Zoho security experts.
Security as an organizational priority
Zoho’s dedication to security is baked into our org structure and strategic priorities at every level. To that end, privacy and security teams report directly to the CEO and top management. These teams stay on the cutting edge by taking on a consistent regimen of training on the latest laws, standards, and industry expectations.
Our security-minded culture extends to each individual Zoho employee, not just those who work on security-related teams. When inducted, Zoho employees sign a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Additionally, we provide training on specific aspects of security, based on role and data access.
Monitoring and management of our network security creates multiple layers of protection.
- DDoS prevention technology ensures our websites, apps, and APIs stay up even in the event of a cyber attack.
- Development and testing servers are hardened, including built-in server hardening within the base OS image.
- Multi-layered intrusion detection and prevention, including machine intelligence and a proprietary WAF.
Zoho’s strict policies ensure security remains at the forefront of our operations at every level.
- Every Zoho employee goes through external background checks before interfacing with users, to mitigate potential personnel risks.
- Dedicated vulnerability management teams identify and address potential threats before they can be exploited.
- All operations undergo periodic internal and independent audits, guaranteeing consistent compliance.
Ownership over our data centers allows us to ensure security at the physical level.
- Each customer's data is logically separated from other customers' data across geographically diverse Data Centers (DCs).
- Our disaster recovery protocol replicates data across DCs in near real time. In case of primary DC failure, a secondary DC takes over, allowing operations to continue with little to no downtime.
- Two-factor and biometric authentication and approval are required for all direct DC access.
We encrypt 100% of data in transit, and data at rest selectively.
- In transit: TLS (latest versions, 1.2/1.3) with SHA 256 and AES_CBC/AES_GCM ciphers (256-bit/128-bit keys)
- At rest: 256-bit Advanced Encryption Standard (AES), Key Management Service (KMS)
- All keys are physically separated and stored on different servers with limited access
- Want to learn more about Zoho's encryption protocols? Read our encryption whitepaper.
Zoho conducts rolling internal and external privacy and security audits in order to maintain our global ISO and SOC 2 certifications, assuring our users that their data is in good hands.