Security Whitepaper
Information Security
At Zoho Payment Technologies Private Ltd, we are committed to protecting all information assets through robust security practices, continuous employee awareness training, and well-defined incident response programs, thereby integrating data protection into every stage of our operations. Our proactive approach ensures compliance with applicable regulations and leading industry standards.
Overview
Organizational security
Employee background checks
Every employee undergoes a comprehensive background verification conducted by reputable external agencies. This includes checks on criminal records, previous employment history (where applicable), and educational qualifications. Employees are not assigned to any responsibility or task that could pose potential risks to users until this verification process is fully completed.
Security Awareness
Upon induction, every employee signs a Confidentiality Agreement and an Acceptable Use Policy, followed by comprehensive training in information security, privacy, and compliance. Their understanding of these topics is assessed through evaluations such as tests and quizzes, helping us identify areas that may require additional focus. Role-specific training is also provided to ensure employees have the knowledge and skills needed for their responsibilities.
We promote a culture of continuous learning by regularly educating employees on information security, privacy, and compliance through our internal community platform, where updates on organizational security practices are shared. Additionally, we organize internal events and initiatives to enhance awareness, encourage engagement, and drive innovation in security and privacy across the organization.
Dedicated Security and Compliance teams
We have specialized teams dedicated to security, privacy, and compliance that work collaboratively to design, implement, and oversee our organization’s security and privacy programs. These teams are responsible for engineering and maintaining robust defense systems, developing and reviewing security processes, and continuously monitoring our networks to identify and respond to potential threats. They ensure adherence to industry standards and regulatory requirements through regular internal audits and independent third-party assessments. Additionally, they provide expert guidance and consulting support to our engineering and business functions, strengthening our organization’s overall security and compliance posture.
Endpoint security
All workstations issued to Zoho employees run an up-to-date OS version and are configured with anti-virus software. They are set up to comply with our security standards, which require all workstations to be properly configured, patched, tracked, and monitored. These workstations are secure by default: they are configured to encrypt data at rest, have strong passwords, and lock when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.
Physical security
At workplace
We control access to our resources (buildings, infrastructure and facilities) with the help of access cards, where access includes consumption, entry, and utilization. We provide employees, contractors, vendors, and visitors with different access cards that allow only the access specific to the purpose of their entry into the premises. We establish and maintain the purposes specific to roles. We maintain access logs to spot and address anomalies.
Monitoring
We monitor all entry and exit movements throughout our premises in all our business centers and data centers through CCTV cameras deployed according to local regulations. Back-up footage is available up to a certain period, depending on the requirements for that location.
Infrastructure security
Network security
Our organization follows a comprehensive, multi-layered approach to network security to ensure the confidentiality, integrity, and availability of systems and data. Advanced firewall technologies are used to protect the network from unauthorized access and unwanted traffic. To strengthen security further, network segmentation is implemented to isolate sensitive information and critical systems. Environments used for testing and development are hosted on separate network segments, completely independent from those supporting the production infrastructure. Firewall configurations are managed under a structured governance framework, with all changes reviewed daily by a qualified network engineer. Additionally, a detailed audit of firewall rules is conducted semi-annually to ensure continued compliance with internal security policies and industry best practices.
Our dedicated Network Operations Center (NOC) and Security Operation Center (SOC) continuously monitor the organization’s infrastructure and applications to detect and respond to discrepancies or potential security threats. Using proprietary monitoring tools, critical parameters are tracked in real time, and automated alerts are generated to notify relevant teams immediately of any abnormal or suspicious activity within the production environment. Through this systematic and proactive approach, the organization maintains a strong network defense posture, ensuring the resilience and ongoing protection of its operational environment.
DDoS prevention
Our organization uses advanced technologies from reputable and trusted service providers to safeguard our servers against DDoS attacks. These solutions incorporate multiple layers of DDoS mitigation designed to effectively filter and block malicious traffic while allowing legitimate traffic to flow seamlessly.
This approach ensures continuous availability, stability, and optimal performance of our websites, applications, and APIs, providing a secure and uninterrupted experience for all users.
Server hardening
All servers provisioned for development and testing undergo a comprehensive hardening process to enhance their security posture. This includes disabling unused ports and accounts, removing default passwords, and applying industry-recommended security configurations. All servers are also equipped with EDR solutions. A standardized base Operating System (OS) image, pre-configured with these hardening controls, is deployed across all servers to ensure uniformity, consistency, and adherence to organizational security requirements and industry best practices.
Intrusion detection and prevention
To ensure robust protection against potential threats, an Intrusion Prevention System (IPS) is deployed to inspect and mitigate critical and high-severity traffic identified by Threat Intelligence. This system automatically blocks or drops malicious or suspicious packets at the network firewall level, providing real-time prevention against exploitation attempts and unauthorized access.
For medium- and low-severity traffic, an Intrusion Detection System (IDS) is used to continuously monitor, log, and analyze network activity. This approach offers comprehensive visibility into potential threats without disrupting legitimate business operations, enabling timely investigation and response through our security operations processes.
By combining IPS for high-risk threats with IDS for ongoing monitoring of lower-severity events, we maintain a balanced and adaptive defense posture that aligns with our organization’s risk management framework.
Data security
Secure by design
All changes and new features within our applications are governed by a formal change management policy, ensuring that every modification is properly authorized before being deployed to the production environment. Our Software Development Life Cycle (SDLC) enforces strict adherence to secure coding standards and includes comprehensive screening of code changes through automated code analysis tools, vulnerability scanners, and manual reviews. Security and privacy considerations are integrated at multiple stages of the SDLC to maintain the integrity of our applications.
At the application layer, we implement a robust security framework aligned with OWASP (Open Web Application Security Project) standards. This framework protects against common web application threats, including SQL injection, Cross-Site Scripting (XSS), and application-layer Denial-of-Service (DoS) attacks, ensuring secure, reliable, and resilient application performance.
Data isolation
Our platform ensures strict data isolation for all customers by logically separating each customer’s service data using secure protocols within our framework. This guarantees that no customer’s data is accessible to any other customer, maintaining the confidentiality and integrity of each account.
All service data is securely stored on our servers while you use our services. Data ownership remains with the customer, and we do not share or disclose any customer data to third parties without explicit consent, ensuring complete control and privacy.
Encryption
In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We enforce Transport Layer Security (TLS 1.2/1.3) with robust ciphers for all connections, including web access, API access, mobile applications, and email client access via IMAP, POP, or SMTP. This ensures secure connections by authenticating both parties and encrypting data during transmission. For email services, opportunistic TLS is enabled by default, providing secure email delivery and reducing the risk of eavesdropping between mail servers when supported.
Our encrypted connections fully support Perfect Forward Secrecy (PFS), ensuring that even in the unlikely event of a future security compromise, past communications cannot be decrypted. Additionally, we implement HTTP Strict Transport Security (HSTS) headers across all web connections, instructing modern browsers to use encrypted connections exclusively, even if an insecure URL is entered. Authentication cookies on our web applications are also flagged as secure, further enhancing the protection of user sessions.
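The HSTS and secure-cookie behaviour described above can be checked from the client side by inspecting response headers. The following is an added example, not code from Zoho: the header values are constructed, and the cookie names and the minimum max-age threshold are assumptions chosen for illustration.

```python
"""Added example: audit response headers for HSTS and Secure auth cookies."""

# Assumption: six months is the minimum acceptable HSTS lifetime for this check.
MIN_HSTS_MAX_AGE = 15768000


def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def cookie_name_and_attrs(value):
    """Split a Set-Cookie value into its name and a set of lowercase attribute names."""
    pieces = value.split(";")
    name = pieces[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in pieces[1:]}
    return name, attrs


def audit_response(headers, auth_cookies):
    """headers: list of (name, value) pairs. Returns a list of finding strings."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("hsts-missing")
    else:
        # RFC 6797 section 8.1: only the first HSTS header field is processed.
        max_age, _ = parse_hsts(hsts[0])
        if max_age is None:
            findings.append("hsts-invalid")
        elif max_age == 0:
            findings.append("hsts-disabled")  # max-age=0 tells browsers to forget the policy
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append("hsts-short")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, attrs = cookie_name_and_attrs(v)
            if name in auth_cookies and "secure" not in attrs:
                findings.append("cookie-not-secure:" + name)
    return findings


# Constructed sample responses; "session_id" and "theme" are hypothetical cookie names.
GOOD = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly")]
WEAK = [("strict-transport-security", "max-age=300"),
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/")]

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_response(resp, {"session_id"}))
```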
Data at Rest: Sensitive customer data stored on our servers is encrypted using the 256-bit Advanced Encryption Standard (AES). The scope of data encrypted at rest depends on the specific services chosen by the customer. Encryption keys are securely managed in-house through our Key Management Service (KMS). To enhance security, data encryption keys are further encrypted using master keys, which are stored on separate servers with strictly controlled access.
Both data at rest and data in transit are protected using cryptographic algorithms and protocols that comply with NIST (National Institute of Standards and Technology) recommendations, ensuring the highest standards of security and confidentiality.
Identity and Access control
Multi-Factor Authentication
Multi-factor authentication provides an extra layer of security by requiring an additional verification factor that the user must possess, in addition to the password. This can greatly reduce the risk of unauthorized access if a user’s password is compromised. You can configure multi-factor authentication using One-Auth. Currently, different modes like biometric Touch ID or Face ID, Push Notification, QR code, and Time-based OTP are supported.
Administrative access
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.
Operational security
Logging and Monitoring
Our organization continuously monitors and analyzes data collected from services, internal network traffic, and the usage of devices and terminals. This information is captured in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically reviewed to detect anomalies, such as unusual employee activity or unauthorized attempts to access customer data. All logs are securely stored on servers isolated from full system access, ensuring centralized access control and their continued availability.
Comprehensive audit logging is enabled for all update and delete operations performed by users, and these logs are accessible to customers across all services. We also use a file integrity monitoring system to track any changes to sensitive files, and all logs are maintained in a tamper-proof manner to ensure accuracy and reliability.
Vulnerability management
Our organization operates a comprehensive vulnerability management process to proactively detect and address security threats. This process uses certified third-party scanning tools, proprietary in-house tools, and both automated and manual penetration testing. In addition, our security team continuously monitors inbound security reports and public sources such as mailing lists, posts, blogs, and wikis to identify potential vulnerabilities that could affect the organization’s infrastructure.
All identified vulnerabilities are formally logged, assessed, and prioritized based on severity, then assigned to a responsible owner. Associated risks are evaluated, and each vulnerability is tracked until fully remediated through system patching or the implementation of appropriate controls, ensuring the continued security and resilience of our systems.
Malware and spam protection
All user files are scanned using our automated system, designed to prevent the spread of malware within our ecosystem. Our custom anti-malware engine is regularly updated with intelligence from trusted external sources and scans files for blacklisted signatures and malicious patterns. In addition, our proprietary detection engine, enhanced with machine learning techniques, ensures that customer data remains protected from malware threats.
To prevent email-based threats, we support Domain-based Message Authentication, Reporting, and Conformance (DMARC), which uses SPF and DKIM to verify message authenticity. Our proprietary detection engine also monitors for abuse of Zoho Payments services, identifying phishing, spam, and other malicious activity to safeguard both our platform and our users.
Backup
We maintain a robust backup and recovery program where incremental backups are performed daily, along with full weekly backups of our databases, managed through the Zoho Admin Console (ZAC) across our data centers. All backup data is securely stored within the data center, encrypted using the AES-256 algorithm, and preserved in tar.gz format. Backups are retained for three months. Upon customer request, data within the retention period can be securely restored. The restoration time depends on the volume of data and operational complexity.
To ensure backup integrity and reliability, our servers use Redundant Array of Independent Disks (RAID) configurations. Backup operations are systematically scheduled, monitored, and tracked, with immediate re-execution in case of any failure. Full backup integrity and validation are automatically verified by the ZAC tool to ensure data consistency and availability.
We also recommend that customers regularly export their data from Zoho services and maintain local copies within their own secure infrastructure to supplement our organizational backup measures.
Disaster recovery and business continuity
All application data is stored on highly resilient storage systems with real-time replication across multiple data centers. In the event of a primary data center failure, operations automatically shift to the secondary data center, ensuring continuity with minimal or no service disruption. Both data centers are supported by multiple internet service providers to maintain reliable connectivity.
To support business continuity, our facilities are equipped with power backup systems, climate control, and fire-prevention mechanisms, enhancing operational resilience. In addition to data redundancy, we maintain a comprehensive business continuity plan covering critical functions such as support and infrastructure management. Regular disaster recovery exercises are conducted to validate these measures and ensure uninterrupted service operations.
Incident Management
We have a structured Incident Management framework to ensure the timely identification, reporting, and resolution of any incidents that may impact our services, systems, or customer data.
Our dedicated Incident Management team continuously monitors the environment to detect and respond to incidents affecting our operations or customers. We promptly notify affected stakeholders, outlining the nature of the incident, its potential impact, and the corrective or preventive actions being taken. We also implement robust preventive and detective controls to reduce the likelihood of recurrence and to strengthen the overall resilience of our systems and processes.
We respond to the security or operational incidents you report to us through incidents@zohopayments.com. All reported incidents are treated with the highest priority and are promptly addressed by our team. For general incidents, we notify users through our blogs, forums, and social media. For incidents specific to an individual user or organization, we notify the concerned party via email using the primary email address of the registered organization administrator.
Breach Notification
In the event of a confirmed data breach involving personal or sensitive information, we notify the appropriate regulatory authorities and affected data subjects in accordance with applicable laws and regulatory requirements.
As a data controller, we report any data breaches to the relevant authorities within the required timeframe upon becoming aware of them. When acting as a data processor, we promptly notify the concerned data controller without undue delay. We remain committed to transparency, accountability, and continuous improvement in our security and incident response practices to protect the data and trust of our customers, partners, and employees.
Responsible Disclosures
We maintain a dedicated Bug Bounty program to engage with the global community of security researchers. This program acknowledges and rewards researchers who identify potential vulnerabilities. Our team works closely with the community to verify, reproduce, respond to, implement, and remediate reported security issues promptly and effectively.
Security researchers are encouraged to submit identified vulnerabilities through our Bug Bounty portal: https://bugbounty.zohocorp.com/. Alternatively, vulnerabilities can be reported directly to our security team at support@zohopayments.com.
Vendor and Third-Party Supplier Management
We follow a comprehensive vendor management policy to evaluate and qualify all vendors. New vendors are onboarded only after a thorough review of their service delivery processes and the completion of risk assessments. To maintain our security standards, we establish formal agreements requiring vendors to uphold the same commitments to confidentiality, availability, and integrity that we extend to our customers.
The effectiveness of vendors’ processes and security measures is continuously monitored through periodic reviews and assessments in accordance with applicable laws, ensuring ongoing alignment with our organizational security and operational standards.
Conclusion
At Zoho Payments, the security and protection of your data are both a fundamental right and an ongoing organizational commitment. We remain steadfast in upholding the highest standards of data security and ensuring the continued confidentiality, integrity, and availability of your information. For additional information or inquiries, please refer to our FAQs or contact us directly at support@zohopayments.com.