Frequently Asked Questions on Privacy
Yes. Please refer to https://www.zoho.com/privacy.html
What is your GDPR commitment?
In order to understand our GDPR commitment, please refer to https://www.zoho.com/gdpr.html
What are your terms of service?
Our terms of service can be accessed at https://www.zoho.com/terms.html
Do you have a dedicated person or team responsible for Privacy?
Yes, we have a dedicated privacy team that manages the privacy program at Zoho. We have also appointed a Data Protection Officer (DPO).
Where is my data stored?
The Data Center where your data is stored is selected automatically based on the Country you choose while signing up for Zoho services. The selected Data Center is displayed right below the Country picklist in the sign-up form. To know which Data Center is associated with a particular Country, click here. Alternatively, at any time, you can tell which Data Center your data resides in by looking at the URL in the browser when you are logged in to Zoho and are using our applications.
1. If the URL is in the format of *.zoho.com (where * indicates the name of a Zoho Application such as crm, people, one), then your data is stored in the US (United States) DC.
2. If the URL is in the format of *.zoho.eu, then your data is stored in the EU (European) DC.
3. If the URL is in the format of *.zoho.in, then your data is stored in the IN (Indian) DC.
4. If the URL is in the format of *.zoho.com.au, then your data is stored in the AU (Australian) DC.
How can I exercise my rights that the GDPR provides for?
If you believe that Zoho owns, controls, or processes information pertaining to you, then send an email to firstname.lastname@example.org to exercise the rights that the GDPR grants.
If you are from the European Economic Area and you believe that we store, use, or process your personal data on behalf of one of our customers, please contact the corresponding customer to access, rectify, erase, restrict, or object to the processing, or to export your personal data, as our customers will be the controllers. Controllers will usually be the administrator of the account. Any request for the data that is held by our customers will be forwarded to the respective customers. We will extend our support to our customer in responding to your request within a reasonable time frame.
Is your US data center GDPR compliant?
Yes. Our GDPR compliance program covers both our EU and US data centers. However, when using the US data center, there is the additional requirement of compliance with data transfer requirements for transfer from the EU to the US, such as a Standard Contractual Clauses based agreement, which you can access from here. Zoho has also certified its compliance with the EU-U.S. Privacy Shield Framework.
Who owns service data?
How secure is my data with Zoho?
At Zoho, we take data security very seriously. That's why we have been audited for industry standard certifications such as ISO 27001, ISO 27017, ISO 27018 and compliance with SOC 2 Type II. We have taken steps to implement appropriate administrative, technical and physical safeguards to prevent unauthorized access, use, modification, disclosure or destruction of the information you entrust to us. If you have any concerns regarding the security of your data, we encourage you to check our Security Whitepaper or write to us at email@example.com with any questions.
How do you ensure that the cross-border transfer is conducted according to applicable laws and regulations?
The transfer (access) of data by and between our group entities is based on the intra-company agreement which is mutually signed by all our group entities. This agreement references the model contractual clauses approved by the European Commission. Zoho has also certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Please refer here for more details.
Do you comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework?
Yes. Zoho Corporation participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Please refer here for more details.
Have you appointed a Data Protection Officer?
How do I delete or close my Zoho account, and delete the data associated with it?
How do I opt out of marketing emails from Zoho?
You can opt out of receiving newsletters and other non-essential messages by using the Unsubscribe function included in all such messages.
You can also send an email to firstname.lastname@example.org, and we will remove you from our mailing list.
Certain legislation may require us to provide this option more explicitly for users in certain geographies. This has been incorporated into our sign-up forms and is likewise reflected in our related processes. However, please note that you will continue to receive notices and essential transactional emails, for example, updates regarding your Zoho account, subscription reminders, and other such important updates.
What kind of emails are sent by Zoho?
In our capacity as a Data Controller, we send you emails providing you with information you've requested from us. We also send emails inviting you to our events, webinars and the like which we think may be of interest to you. This communication is based on the preferences you've provided us with. Emails are also generated through your use of our applications, as a result of actions you perform. For example, if you share a document through Zoho Docs or invite one of your data subjects to join your Zoho organisation by adding their email ID through the UI or via the API (through your use of our application), they receive an auto-generated email from the respective service notifying them that you've shared a document with them or that you've invited them to join your Zoho organisation. This is done in our capacity as a Data Processor.
In all cases, if you or your recipient thinks the email is inappropriate or that it has been received in error, you can report it to us at email@example.com and we will take the necessary action.
What personal data do you, as a company, collect and process?
How and whom do you notify in case of a data breach? What is your breach notification timeline?
Breach notifications to our customers are performed in accordance with our internal Privacy Incident Response Policy. Zoho Group will notify the customers without undue delay after becoming aware of the incident. For general incidents that affect all our customers, we will notify customers through our blogs, forums, and social media. With respect to incidents that relate to a specific customer or organization, we will notify the concerned customer or organization through their primary email address.
Do Zoho employees have access to my data?
Access to your data is restricted to a small number of employees on a need-to-know basis in order to provide you technical support. This access is reviewed periodically.
If I sign up for Zoho services from zoho.eu, will my data be stored and processed only within the EU? Is there a scenario where my data will be transferred out of the EU?
The data may be accessed by the employees of our Indian entity (Zoho Corporation Private Limited), in order to provide you technical support on the basis of the Model Contractual Clauses between Zoho Netherlands and Zoho India. We have a data processing agreement in place based on Standard Contractual Clauses that provides for access to the EU data center by the employees of Zoho India. However, there is no physical transfer of data out of the EU.
How can I get a copy of your data processing addendum (DPA)?
If you are the organization administrator and would like to sign a DPA with us for your organization, we’ve made it available to be signed electronically in just a few easy steps.
Note: Make sure that you have logged into your Zoho account before initiating the signing process.
Who should I contact in case of questions regarding the DPA?
If you have any questions regarding the DPA, please drop an email to firstname.lastname@example.org
Does the GDPR require EU personal data to stay within the EU?
No. The GDPR does not mandate that personal data reside within the EU. Instead, it facilitates international data transfers to countries outside of the EU that have appropriate safeguards in place. Our Data Processing Addendum that references the EU Model Contractual Clauses will continue to legalize the data transfers to countries outside of the EU territory.
Our GDPR compliance program covers both our EU and US data centers. We are also considering expanding it to our Indian and Australian data centers.
Do you share my data with your reselling partners? If so, how can I opt-out?
We may share your personal data with our authorized reselling partners in your region, solely for the purpose of contacting you about products that you have downloaded or services that you have signed up for, in cases where we do not have expertise in assisting you in your regional language. However, we would notify you through email before we share your details with them. Our partners are carefully evaluated before we onboard them. We also execute written agreements with them which define their responsibilities and ours.
If you do not wish to work with our partners, you can drop us an email at email@example.com and we will do the needful.
In our capacity as a Data Processor, cookies are set by our applications for the purposes of maintaining the security of the applications, managing some configurations, and providing a smooth user experience.
How long is my data retained after deletion? When will my data be deleted?
We hold the data in your account as long as you choose to use Zoho services. Once you terminate your Zoho account, your data will eventually get deleted from the active database during the next clean-up that occurs once in six months. The data deleted from the active database will be deleted from backups after three months.
What is the policy for Inactive accounts?
We reserve the right to terminate unpaid user accounts that are inactive for a continuous period of 120 days. In the event of such a termination, all data associated with such a user account will be deleted. We will provide you prior notice of such a termination and an option to back up your data. Please refer to the section 'Inactive User Accounts Policy' in our Terms of Service.
Do you sell my data to advertisers?
How is my service data handled?
Are sub-contractors or vendors involved in the processing of my service data?
Yes, sub-contractors and vendors are involved in the processing of service data. However, sub-contractors and vendors may vary based on the Zoho service you are using. Different Zoho services may use different sub-processors or vendors for various purposes. Involvement of a sub-contractor or vendor in the processing of your data depends on your usage of a particular feature within the applicable Zoho service. The current list of the sub-processors is available here. You can always verify this list to learn about the sub-processors used in each Zoho service.
Is there an option to export all my service data?
The export option is provided within the user interface of each service. You can find information on how to export your data and the formats available for exporting your data through the user interface by referring to the help pages of the respective services.
Do you provide an option for deleting any or all of my service data?
The option to delete the data is provided within the user interface of each Zoho service. While some data may be deleted immediately from the active database, some data might be moved to the recycle bin and will be deleted subsequently. However, the data will remain in the backups for 3 months in encrypted form.
Do any other entities in the Zoho group have access to or use our data?
Does Zoho disclose our data to law enforcement authorities?
Yes, if required by law, your personal data and service data may be disclosed or preserved in order to comply with any applicable law, legal process, regulation or governmental request, including to meet national security requirements.
Are you registered with any Data Protection Authority?
We are registered with the Netherlands Data Protection Authority. Our registration numbers are m164347o and m1648926. You can check our registration at the public register maintained by the Authority for Personal Data records on its website www.autoriteitpersoonsgegevens.nl