HIPAA compliance with Zoho Sign

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Sign has been designed and built (as described below) to help its customers use the app and associated internal services in a HIPAA-compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Zoho Sign, by design, is built on a zero-knowledge architecture to guarantee the highest levels of data security and privacy. All user data is processed according to the guiding principle mentioned below.

All processed organization, user, and signer data are always encrypted at rest with AES-256 encryption and transmitted through a secure SSL/TLS connection.

  • All documents uploaded by the users and signers are converted into the Portable Document Format (PDF) and encrypted at rest. 
  • All images (of signatures, initials, stamps, organization logos, and other image fields), font styles (of signatures and initials), hand-drawn patterns (of signatures and initials), and files (of bulk data) uploaded by users and signers are encrypted at rest.
  • All data associated with user profiles, organizations, signature requests, documents, signature certificate credentials, and signers that is entered or configured by users and signers (including field data, email templates, legal disclosure, and recipient notes/messages) is encrypted at rest.
  • All document signing links generated by the app and associated internal services are encrypted at rest.
  • Public key infrastructure (asymmetric cryptography with a pair of public and private keys) is used to digitally sign documents and to generate a cryptographic hash for each signed document and for each completion certificate, if generated.
  • Zoho Sign employs Zoho's technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. Access requests are heavily regulated by our principles of least privilege and role-based permissions to minimize the risk of data exposure.

How we label and encrypt ePHI field data

Zoho Sign enables users to enter diverse information in documents when setting up signature requests and to collect data from signers at the time of signing. Because Zoho Sign is broadly applicable, the application and associated internal services are used across business functions, with varying levels of complexity and customization in use case and implementation. This makes it difficult to differentiate data by importance and sensitivity. As a result, Zoho Sign treats all processed data as equally important, private, and confidential, and encrypts it by default as a matter of principle, as mentioned above. There is therefore presently no explicit provision in Zoho Sign to label some data as protected information: all the data in question is already elevated to that level and subject to organization-wide encryption measures.

How we restrict access to data

Zoho Sign employs a role-based access system where users are assigned one of two levels of permissions to access documents and associated data under an organization. Users are strictly restricted to accessing and viewing only the documents they own or have received for signing, whereas administrators can access documents, configuration data, and reports across the organization. Administrators, when necessary, may enable sharing of documents and templates across specific users and teams to facilitate enhanced collaboration across groups of individuals or teams.

How we audit changes to document data and account configurations

Zoho Sign provides reports for all documents signed and signature requests created and sent using the app and associated internal services. Administrators can access these reports in the form of a dashboard or a list, and generate and export custom reports for specific durations. For each signature request, the details of all sender and recipient interactions are captured in a comprehensive audit trail, which is never deleted unless the associated user or an administrator deletes it. Senders and administrators can access and export the audit trail from the app interface, along with a digitally signed certificate of completion for signed documents. All administrative actions, such as addition and removal of users; sharing of documents and templates; management of folders, documents, and document types; and changes to signature requests, general settings, and account configurations, are audited and can be monitored in the app interface by organization administrators.

How customers can request assistance

Zoho Sign operates an active email support channel through which users can reach out to our team of backend engineers and raise requests for data backup, audit data, and access control troubleshooting.

How we keep customer data secure and accessible at all times

Zoho Sign's distributed grid architecture enables us to always keep our application up and running and helps users access their data at any time. If our primary data center goes down, users will automatically be connected to the secondary center, and there will be no data loss during the process. Changes to the data will automatically be synced when the primary data center is back online. Users can also set up automatic cloud backup to an integrated external cloud storage provider of their choosing for purposes such as personal logging, book-keeping, and disaster recovery. This backs up signed documents and the associated completion certificates instantaneously as their sign workflows are completed. Additionally, users can request an immediate bulk backup of all their data on an ad-hoc basis through our support channel. The backup is initiated as soon as the user confirms the bulk backup action, but the overall duration of the process depends on the amount of data held in the user's account. A summary email is sent to the user upon completion of the backup.

To view the complete list of security and privacy certifications that were awarded to or apply to Zoho Sign, please visit our page on compliance.