Zoho awarded its ISO 27018 certification

General | September 17, 2019 | 3 min read

Because of our long-standing commitment to your data privacy, we decided long ago that we would never sell your data or show you advertisements inside the products, even if you are using our free editions.

To further showcase our commitment to your data privacy, we recently underwent the ISO 27018 certification process. This was an opportunity to have our practices vetted by an independent third-party auditing firm and to improve our information management systems, all with the goal of demonstrating our accountability regarding data handling.

Note: Mentions of ‘we’, ‘our’ and ‘us’ in this blog refer to Zoho.

What was the process for certification?

All practices regarding how we handle service data were subject to strict evaluation and thorough testing by the auditors who granted us this certificate.

Which Zoho products were audited?

The audit included all our cloud offerings (Zoho, ManageEngine and Site24x7), that is, all the application software that we operate and offer in the cloud (software-as-a-service).

What kind of data was subject to the audit?

All personal information processed by us in our capacity as a Personally Identifiable Information (PII) Processor (‘Service Data’) was available to be audited.

Note: Any mention of ‘data’, ‘information’, ‘your data’ or ‘service data’ in this blog refers to the above mentioned Service Data only.

We’re glad to announce that we made it through, and wanted to share the news! Read on to find out more.

What is ISO 27018?

ISO/IEC 27018:2019 is a code of practice that focuses on safeguarding the PII that is processed in a public cloud. Its controls are an extension of the existing ISO/IEC 27002 control set. Here’s what this means:

  • You have the right to know what geographical location your data is stored in, information which should be available to you when signing up.

  • Your Service Data will only be processed when you tell us it should be, and it will not be used for any purpose other than the one for which you provided it.

  • Our application teams have been trained in best practices for processing PII in the cloud, and are committed to providing features and capabilities that help our users secure and effectively manage their data.

  • Our applications enable users to access, manage, rectify, export and erase their data.

  • We have defined and implemented standards, procedures and guidelines that detail how to handle data in a manner consistent with all regulatory and contractual obligations.

  • The development, testing and production environments are segregated, and controls have been put into place in order to minimize any security incidents.

  • We comply with the obligations detailed in the Data Processing Agreements that we sign with our users. This agreement aligns with the mandates of applicable data protection laws.


And that’s not all. During our SOC 2 Type II audit in 2018, we also included the Privacy Trust Services Principle (TSP) in the scope of the audit. This meant that an additional set of control requirements specific to the handling of personal data was tested and included in the audit report.

A number of controls were tested by the auditors to validate whether:

  • We identify the information we collect, and how we then use it, who we disclose it to, and for what purpose it is disclosed.

  • Our users are provided with notice of our privacy practices detailing information on how data is collected, processed, disclosed, accessed, secured, retained and disposed.

  • We have constituted a dedicated team trained in different aspects of data privacy that is required to stay up-to-date with the latest changes in the regulatory environment.

  • Periodic reviews of our policies and procedures are conducted to keep them updated and in line with applicable data protection regulations.

  • Periodic privacy awareness training is conducted for our employees, with content tailored to specific business functions that details their responsibilities for protecting personal data.

  • Privacy Impact Assessments are conducted for processing activities which require such a risk assessment, wherein we identify the risks and put the appropriate controls in place.

  • Third-party service providers with whom we contract for processing (i.e., sub-processing) of personal data are subject to strict security and privacy evaluations. We ensure that they use methods equivalent to the controls we maintain at Zoho. These requirements are explicitly detailed in the data protection agreements we sign with them.

  • A documented process to investigate complaints relating to privacy is in place to identify the root cause, take any necessary actions to mitigate its impacts, prevent it from happening again, and inform the relevant stakeholders (such as the affected users and/or the data protection authorities) as required.

These certifications and audit reports are a testament to our commitment to industry requirements regarding data-handling accountability. For any questions, please write to privacy@zohocorp.com.

Additional Resources

  1. Zoho’s Privacy Policy
  2. Zoho’s Privacy Policy FAQ
  3. Zoho’s GDPR commitment
Andrew David
Data Privacy
