A shared responsibility model

Zoho Sign follows industry-best security and privacy standards to offer users the best service possible. While we work towards offering a great document signing and user experience, we treat the security and privacy of our users with the utmost care, and we also believe that it is a shared responsibility between us and our users.

A clear outline of the user's responsibility, Zoho Sign's responsibility, and the shared responsibility as a whole will help all of us overcome any challenges in data security and privacy.

User responsibilities

  •  Data accountability
  •  Passwords
  •  MFA
  •  Client and endpoint security

Zoho Sign responsibility

  •  Availability of services
  •  Application-level controls
  •  Data storage
  •  Data security
  •  Reporting security incidents
  •  24*5 technical assistance (excluding public holidays)

Shared responsibilities

  •  Data management
  •  Data security
  •  Recipient authentication
  •  Deliverability
  •  Legality and compliance

Understanding shared responsibility between Zoho Sign and its users

Data management

Zoho Sign's responsibilities:

  • Zoho Sign provides you with identity and access management controls, roles, profiles, data backup, and multi-portal setup to ensure confidentiality and integrity of data within the organization.
  • All user actions are audited in the Activity Logs within Zoho Sign.
  • Provision for data backup.

The user's responsibilities:

  • Configure Identity and Access Management controls such as single sign-on, password policies, multi-factor authentication, and other settings as required.
  • Assign user roles and profiles based on your requirements. Admins can ensure that only specific users can access and manage sensitive information by assigning roles and profiles to each user in the organization.
  • Configure data backup for emergency situations. Users should ensure that their confidential information is safely backed up to the provided cloud storage solutions for enhanced document recovery and security. Alternatively, users can enable Automatic cloud backup to back up completed documents and certificates of completion to a cloud storage platform.

Data security

Zoho Sign's responsibilities:

  • All documents are converted into PDFs, and a cryptographic hash is generated for each document; the hash is signed using public key infrastructure (PKI) to enable digital signing.
  • Data is always transmitted over a secure SSL/TLS connection in transit and encrypted with AES 256-bit encryption at rest.
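The hash-then-sign step above is what lets a verifier detect any change to a document after it was signed. The following Go program is an added example and is not Zoho Sign's code: it hashes a constructed sample document with SHA-256, signs the digest with a throw-away RSA key pair (standing in for a signer's PKI key, which in practice would be bound to a certificate), verifies the original, and shows that a one-byte modification makes verification fail. The document bytes, key pair and function names are all assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DocumentHash computes the SHA-256 digest of the finalized document bytes.
// Any change to the bytes, even a single bit, yields a different digest.
func DocumentHash(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// SignDocument signs the document digest with the signer's RSA private key
// using RSA-PSS. In a PKI the matching public key is bound to the signer's
// identity by a certificate; this demo uses only the raw key pair.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, DocumentHash(doc), nil)
}

// VerifyDocument recomputes the digest over the bytes it is handed and checks
// the signature against the public key. It returns false if either the
// document or the signature was altered after signing.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, DocumentHash(doc), sig, nil) == nil
}

// Tamper returns a copy of doc with its last byte flipped, simulating a
// modification made after the signature was produced.
func Tamper(doc []byte) []byte {
	out := append([]byte(nil), doc...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	// Constructed sample standing in for the PDF bytes that would be hashed.
	doc := []byte("%PDF-1.7 constructed sample agreement, signed by Alice")

	// Throw-away key pair generated for the demo (assumption: a real signer's
	// key would come with a certificate from a trust service provider).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	sig, err := SignDocument(priv, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("digest: %x\n", DocumentHash(doc))
	fmt.Println("original verifies:", VerifyDocument(&priv.PublicKey, doc, sig))
	fmt.Println("tampered verifies:", VerifyDocument(&priv.PublicKey, Tamper(doc), sig))
}
```

Verification is deliberately done on the bytes the verifier actually holds, not on a digest supplied alongside the document; a signed digest that travels with the file proves nothing unless the verifier recomputes it.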

The user's responsibilities:

Note: Users are responsible for educating their signers on all required actions to ensure a seamless and secure signing process.

After receiving the link, signers are responsible for keeping it secure and ensuring it is not sent to unauthorized individuals or external systems, including unintended recipients and online archiving tools. Signers must follow these guidelines:

  • Do not share the signing link with anyone.
  • Do not bookmark or save the signing link page.
  • Access the link only from trusted and secure networks.
  • Disable or avoid browser extensions that auto-archive or share content.
  • Use Incognito, Private Browsing, or a similar private mode when accessing sensitive signing links.
  • Avoid using link preview or page translation features on the signing page.
  • Avoid using browser options like “Save Page As” or printing to PDF.
  • Report any suspicious activity or unauthorized data access immediately to support@zohosign.com.

Recipient authentication

Zoho Sign's responsibilities:

  • For identification and verification purposes, users choose from multiple authentication methods including SMS OTP, Email OTP, WhatsApp, EU-eID, and Dynamic Knowledge-Based Authentication (KBA).
  • Zoho Sign has integrated with numerous trust service providers across the globe for increased compliance.

The user's responsibilities:

  • Users can set authentication methods to verify their signers' identities and keep confidential information safe.
  • Some methods include adding a password to downloaded documents and reports and enabling OTP for signing links, so that only verified signers can view the information in confidential documents.
  • Enable trust service providers depending on the sensitivity of the document.

Deliverability

Zoho Sign's responsibilities:

  • Zoho Sign delivers the signing links to recipients to ensure a smooth workflow using different delivery methods, such as email, SMS, and WhatsApp.

The user's responsibilities:

For increased authenticity and a seamless workflow that ensures your signing links reach your recipients with no hassle:

  • Administrators can enable DKIM (DomainKeys Identified Mail) to send Zoho Sign's emails from their company's email address.
  • Use custom SMTP, a setup where a business or user configures their own email server to send emails from Zoho Sign.
  • Send documents for signature via WhatsApp, either to deliver the document link or to authenticate recipients by sending the signing link directly to their WhatsApp number.
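Enabling DKIM means publishing a public-key TXT record under `<selector>._domainkey.<your-domain>`, and a wrong or half-published record silently turns signed mail into mail that receivers treat as unsigned. The Go program below is an added example, not Zoho Sign's code or tooling: it parses the tag=value form of a DKIM key record (RFC 6376) and flags the problems an administrator most often runs into. The sample records are constructed, and their `p=` value is the base64 of the word "placeholder", not a real key; the function names are assumptions for the demo.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// ParseDKIMRecord splits a DKIM TXT record ("tag=value; tag=value") into a map.
// Tag names and values are trimmed; parts without "=" are ignored.
func ParseDKIMRecord(txt string) map[string]string {
	tags := make(map[string]string)
	for _, part := range strings.Split(txt, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			continue
		}
		tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return tags
}

// CheckDKIMRecord returns the problems found in a published DKIM key record.
// An empty slice means receivers will be able to use the record.
func CheckDKIMRecord(txt string) []string {
	tags := ParseDKIMRecord(txt)
	var problems []string

	// v= is optional, but when present it must be exactly DKIM1.
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		problems = append(problems, "unexpected version tag v="+v)
	}
	// k= defaults to rsa; ed25519 is the other registered key type.
	if k, ok := tags["k"]; ok && k != "rsa" && k != "ed25519" {
		problems = append(problems, "unsupported key type k="+k)
	}
	// p= is required; an empty value is the RFC's way of saying "key revoked".
	p, ok := tags["p"]
	switch {
	case !ok:
		problems = append(problems, "missing p= public key tag")
	case p == "":
		problems = append(problems, "empty p= tag: key is revoked, signatures will fail")
	default:
		// Long keys are often split across TXT strings; drop any whitespace before decoding.
		p = strings.Join(strings.Fields(p), "")
		if _, err := base64.StdEncoding.DecodeString(p); err != nil {
			problems = append(problems, "p= value is not valid base64")
		}
	}
	// t=y marks the domain as testing; receivers then treat signed mail like unsigned mail.
	if strings.Contains(tags["t"], "y") {
		problems = append(problems, "t=y testing flag set: signatures carry no weight yet")
	}
	return problems
}

func main() {
	// Constructed records; p= is base64("placeholder"), not a real key.
	records := []struct{ name, rec string }{
		{"good", "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXI="},
		{"revoked", "v=DKIM1; k=rsa; p="},
		{"testing", "v=DKIM1; k=rsa; t=y; p=cGxhY2Vob2xkZXI="},
		{"broken", "v=DKIM2; k=rsa"},
	}
	for _, r := range records {
		fmt.Printf("%-8s %v\n", r.name, CheckDKIMRecord(r.rec))
	}
}
```

In practice the input would be the TXT record returned by a DNS query for the selector shown in Zoho Sign's DKIM settings; running the check after publishing, and again after any key rotation, catches the revoked-key and testing-flag states before recipients start rejecting mail.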

Legal validity and compliance

Zoho Sign's responsibilities:

  • Zoho Sign is legally compliant with major regional electronic and digital signature regulations around the globe, giving digital signatures the same legal standing as traditional wet signatures in a court of law.

The user's responsibilities:

Always check your local laws to ensure that any document being signed digitally using Zoho Sign uses the right method. This includes the authentication method, type of signature, and digital signature provider.

FAQs

  • The shared responsibility model describes the responsibilities involved and how they are divided between Zoho Sign and its users.