Zoho Mail is GDPR ready

The General Data Protection Regulation (GDPR) is a European Data Protection regulation enforced by the EU Commission to regulate the security of personal data. The GDPR became effective since May 25, 2018. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data. In this page, you can find answers to some of the questions from our users related GDPR along with the details of what Zoho Mail has done to ensure that we are ready for GDPR and the other services we offer to all our users, to help them meet their compliance obligations.

Personal Data Collection - Ever Compliant

At Zoho Mail, we have always believed in the importance of privacy and how personal data and user privacy should never be violated. Hence we welcome the enforcement of GDPR. As highlighted to our users, we never serve ads and never have relied on advertising as a revenue source. We never had to and we never will collect users personal information, beyond what is needed for the user to use our service. At every point where we get the user information, we clearly state the purpose of the data and how it will be used.

The user can decide to use the specific feature or not, depending on his/ her requirements.

Zoho Mail's GDPR Readiness

Since we already respect user privacy, we have a set of clear rules and strategy on how to process personal data. Here are some of the points related to GDPR.

Data Security

Every layer of Zoho Mail has security builtin to it. In particular, we have proved our commitment to data privacy and protection by meeting the industry standards for ISO 27001, and SOC 2 Type 2. Also, Zoho Corporation participates in and has certified its compliance with the EU-U.S. We trust that compliance with GDPR will motivate us to move towards the highest standards of operations in protecting customer data.

Data Hosting (Locality)

Zoho servers are located in most secure data centers in US, EU, CN, IN and AU. The region in which we host your service data depends on the Zoho domain from which the admin registered the Zoho Mail account.

The following table lists the Zoho domains and the respective hosting locations.

Zoho Domain - Account creationData Center Location
mail.zoho.comUS (United States)
mail.zoho.euEU (European Union)
mail.zoho.com.cnCN (China)
mail.zoho.inIN (India)
mail.zoho.com.auAU (Australia)
mail.zoho.jpJP (Japan)

Data Encryption

As a part of GDPR compliance, we can help you to migrate the service data from our data centers in the US to EU. The migration can be processed based on the request from the users and may take up to 5 business days from the date of commencement of migration. There should not be any downtime to the services during the data migration.

The Data transmissions when using Zoho Mail via POP/ IMAP/ SMTP are encrypted using Transport Layer Security (TLS) protocol. We also use the latest and secure ciphers like AES_CBC/AES_GCM 256 bit/128-bit keys for email encryption. These ensure that your Zoho Mail data is protected from unauthorized access, disclosure or modification. All data transfers in the web happen in secure mode (HTTPS).

The service data stored in Zoho Mail is Encrypted At Rest(EAR). All the data are encrypted in transit also. We believe our highly secure physical controls at data centers and transit level encryption ensures that your data stays well protected.

Data Access

Each and every user can access only the email account exclusively created for him/ her. When the user is a part of groups, created by the admins, the user gets to access the emails sent to the group which can be controlled by the administrator using the moderation settings for the groups. Apart from that, when the user gets some emails or folders explicitly shared with him/ her, the user gets access to that data, until the owner allows him/ her to do so.

Data Rectification

Users can edit their personal information in their profile, except the email address provided by the administrator. The organization administrator has permissions to add email aliases or remove aliases or change the primary email address of the user.

Data Deletion

We have appropriate features in the web interface to allow users to delete their data. You can delete your email data using the Delete option. When you delete the users, the data associated with the user will be scheduled for deletion and will be deleted within 30 days of actual user deletion.

Data Portability

Zoho Mail provides the feature to export email data from your account. The exported emails are presented in ZIP format. The administrator can export the data of users in the organization or the users can export themselves. The administrator can control whether the data can be exported by the user or not.

Data Retention

When you delete emails they are moved to Trash. The files in Trash can be restored until they are automatically cleaned up by the system. The data retention period in Zoho Mail is 30 days. After that, the emails will be permanently deleted.

Data Disclosure

Data Disclosure is the level of access within the service, where only authorized users can access, alter or delete service data. In the organization setup, the administrator has permissions to change some parts of user data like names, profile images etc. Similarly being the administrator the person can delete the user, add them to groups or remove them from groups, create/ remove aliases, set up mail policies and export user data for backup or compliance purposes.

Audit logs

Data audits help you to secure the system and monitor the Organization administration related activity performed in the Control Panel or usage trend of the Control Panel. The administrator activity logs records the actions by the administrator in the Control Panel and will offer information about various activities in the control panel and the same can be exported from the control panel in CSV format.

Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.