Zoho Sign - Product Security

  • Overview

    Zoho Sign handles sensitive and confidential business documents that must be highly secure. As we are the trusted digital signature application for thousands of businesses across the globe, our research and development team has taken all efforts in protecting our users' data.

    Our entire product, including the web app, extensions, APIs, mobile apps, and more, is designed and developed keeping security and privacy as a top priority. We are equipped to handle modern cyberattacks at all levels in our network, system, and processes to ensure that our users' data is always secure.

    This document contains a comprehensive list of security measures taken by us to ensure confidentiality, integrity, and availability of the application.

  • Zero-knowledge architecture

    Zoho Sign leverages zero-knowledge architecture to guarantee the highest levels of data security and privacy following the below principles:

    • All documents are converted into PDFs, and a cryptographic hash is generated for each document
    • Public key infrastructure framework (a pair of public and private keys) is used to digitally sign documents
    • Only the encrypted data gets transmitted and stored in our servers
    • Data is always transmitted through a secure SSL/TLS connection
    • All data is encrypted with AES 256-bit encryption while at rest
    • Zoho employees cannot view users' data in plain text

    How authentication works

    • Whenever a user would like to access Zoho Sign from the web, an extension, or mobile apps, they will always be automatically redirected to the Zoho Accounts login page
    • The login credentials will be submitted to the Zoho Accounts server for authentication
    • Upon successful authentication, cookie information will be set for the user's session and user access will be redirected to:
    • Data is always transmitted through a secure SSL/TLS connection
    • All data is encrypted with AES 256-bit encryption while at rest
    • Zoho employees cannot view users' data in plain text

    Multi-factor authentication (MFA)

    Multi-factor authentication serves as an additional layer of security for user accounts. Once configured, users will need to authenticate at two levels to get access to the application on the web, browser extensions, and mobile apps.

    • The first level of authentication will be through Zoho Accounts login credentials
    • The second level of authentication can be through any of the following options:
      • Zoho OneAuth
      • Mobile-based OTP
      • Time-based OTP
      • Yubikey

    Role of security in SDLC

    Zoho Sign is designed and developed within a security-focused software development lifecycle process based on OWASP (Open Web Application Security Project) standards.

    • Security processes are rigorously applied at each stage of design, development, and validation
    • All modules are rolled out to production only if they meet our internal security standards and pass the validation tests set by the panel of experts
    • No module is excluded from internal validation procedures
    • Our developers take regular, industry-standard security training to stay up to date with the latest threat landscape
  • How digital signing works

    Zoho Sign leverages the public key infrastructure model to securely sign documents and ensure authenticity, integrity, and non-repudiation.

    Sender side

    • The sender will upload the document, fill in the document details, add recipients, and send it out to collect signatures
    • A cryptographic hash will then be generated for the document
    • The generated hash will be encrypted using the sender's private key (the private key will also be securely stored in a FIPS-compliant HSM box)
    • The encrypted hash will then be appended to the document
    • The encrypted document will be sent to recipients along with the sender's public key certificate

    Recipient side

    • The recipient will receive the document with the sender's public key certificate attached
    • The recipient then decrypts the encrypted hash using the sender's public key certificate
    • The hash generated by the sender will be obtained upon decryption
    • A cryptographic hash will once again be generated for the document on the recipient side
    • Both cryptographic hashes should match with each other

    Certificate authorities

    Zoho Sign uses digital signature certificates issued by the following certificate authorities in the specified data centers of operation.

    • GlobalSign GCC R6 AATL CA 2020 (in US, AU, and JP)
    • QuoVadis EU Issuing Certificate Authority G4 (in EU)
    • Capricorn CA 2014 (in IN)

    Additionally, Zoho Sign also offers role-based access, comprehensive audit trails, reports, advanced signer authentication processes, advanced and qualified digital signatures, signatures via USB token and PFX-based DSCs, blockchain-based timestamping, and a certificate of completion allowing users to send and sign documents with confidence.

  • Legality

    Documents signed with Zoho Sign meet the requirements of the ESIGN Act in the United States and eIDAS in the European Union, in addition to other national laws. Please check our legality guide for more information.

  • Network security

    • Our networks and infrastructure are designed and developed to keep our user's data safe
    • All communication between the application and our servers is fully encrypted and tunneled through an SSL/TLS connection
    • Our network is thoroughly screened and protected with powerful intrusion detection and prevention systems
    • The application runs inside a secure operating system for maximum protection against vulnerabilities
    • Traffic into our servers is thoroughly scanned for viruses using the state-of-the-art virus scanning protocols
  • Physical security

    • Our data centers are located in multiple locations around the world and use highly sophisticated features to protect our customer data
    • All our data centers are protected 'round the clock with on-site security personnel
    • Access to data centers is restricted to a small group of authorized personnel
    • Two-levels of authentication, including biometric authentication, are required to enter the data center
    • All access and activities are completely audited
    • Audits are carried out periodically and all security processes are reviewed by management
  • Redundancy and availability

    • Our distributed grid architecture helps us always keep our application up and running (99.9%) and helps users access their data at any time.
    • If the primary data center goes down, users will automatically be connected to the secondary center, and there will be no data loss during the process Data will automatically be synced when the primary data center is back online
    • Users can also configure the periodic data backup for disaster recovery purposes
    • There is also a provision for read-only access from secondary data centers:

  • Security and privacy certifications

    Zoho Sign, as a part of Zoho, has received the following security and privacy certifications from reputed regulatory bodies worldwide:

    • SOC 2 Type II
    • SOC 2 + HIPAA
    • ISO/IEC 27001
    • ISO/IEC 27017
    • ISO/IEC 27018
    • ISO/IEC 27701
    • ISO/IEC 20000 (for network operations center and datacenter operations)
    • ISO 9001
    • CSA STAR Self-Assessment
    • Signal spam (for Zoho)
    • GDPR
    • CCPA
  • Penetration testing

    Zoho Sign undergoes regular penetration testing done by both our in-house security experts and third-parties through a standardized VAPT process to ensure the highest levels of data security. Our users can contact us at any time to get the latest penetration test reports. There is also an open bug bounty program to test the application and get rewarded for every relevant find.

  • Reporting a security issue

    We respect security researchers who responsibly report legitimate vulnerabilities and help us improve the security of our services. If you find a security issue or bug in our web application, extensions, or mobile apps, please report it to us at https://bugbounty.zohocorp.com/ or security@zohocorp.com

    We also recommend our users immediately inform us when they receive Zoho Sign-themed fraudulent emails (or) Zoho Sign being used for fraudulent activities. Just send an email to abuse@zohocorp.com along with the incident details—we'll take care of the rest.

  • Conclusion

    Our research and development team is constantly working to keep our users' data secure and private. We hope this document helped you to get a clear picture of the measures we take to keep your data safe.

Still can't find what you're looking for?

Write to us: support@zohosign.com or support@eu.zohosign.com (for residents of the EU)