Secure transactional email service with GDPR compliance

ZeptoMail is GDPR compliant

The General Data Protection Regulation (GDPR) is a European Data Protection regulation enforced by the EU Commission to regulate the security of personal data. The GDPR became effective on May 25, 2018. All organizations working with the personal data of EU residents are required to comply with GDPR to protect their data.

Personal data protection at the forefront

GDPR is a legally binding regulation that mandates the protection of private data. Even before GDPR went into effect, right from our inception, privacy and data protection has been at the forefront of Zoho's applications. As an extension, ZeptoMail was built with a privacy-first approach. Zoho has always been and will always be ad free. We have never relied on advertising or data mining for advertising as a revenue source. All customer data belongs to the customer, and it’s only used for the functioning of our application, nothing more.

ZeptoMail's GDPR readiness

ZeptoMail has measures, rules, processes, and strategies in place to address and comply with each aspect of GDPR.

Data Security

ZeptoMail comes with many security features. As a testament to this, we’ve acquired multiple security compliance certificates like GDPR compliance, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, SOC 2 Type II, SOC 1 Type II, and SOC 2 + HIPAA compliance. Also, Zoho Corporation participates in and has certified its compliance with the European Union and the United States.

Data Hosting (Locality)

Zoho servers are located in most secure data centers in the US, EU, CN, IN, and AU. The region in which we host your service data depends on the Zoho domain from which the admin registered the ZeptoMail account.

The following table lists the Zoho domains and their respective hosting locations.

Data Encryption

Emails are stored on ZeptoMail’s servers in an encrypted format. Data is split into fragments, and each fragment is then further encrypted before being stored on our disks. The keys that are used for encryption are managed with the utmost safety and reliability. The data transmissions when using ZeptoMail via SMTP are encrypted using the Transport Layer Security (TLS) protocol. We also use the latest and secure ciphers such as AES_CBC/AES_GCM 256 bit/128-bit keys for email encryption.

All data transfers on the web happen in secure mode (HTTPS). These ensure that your ZeptoMail data is protected from unauthorized access, disclosure, or modification both within and outside your organization's domain.

The service data stored in ZeptoMail is Encrypted At Rest(EAR). All data are encrypted in transit as well. The highly secure physical controls at our data centers and transit-level encryption ensure that your data stays well protected. You can find more information on our security page.

Data Access

ZeptoMail provides role-based access to all accounts. Postmaster, Engineer, and Viewer roles can be assigned to users to manage, create, view, edit, and delete permission on entities such as domains, Mail Agents, reports, and more. Users can also be provided access to specific Mail Agents (email groups) that they'll need access to, instead of giving everyone access to all of the emails.

Data Rectification

Users can edit their personal information in their profile, except the email address provided by the administrator. The organization administrator has permissions to edit email sending domains, email addresses, bounce addresses, and Mail Agents.

Data Deletion

The administrator of the account is allowed to delete multiple aspects of a ZeptoMail account. They can delete the added entities such as domains, email addresses, recipient lists, or Mail Agentswhenever necessary. They can also choose to delete the account entirely. When you delete your ZeptoMail account, the complete user data—including audits, logs, added domains, and reports—will be deleted permanently. It will take 48 hours to delete the account completely.

Data Portability

ZeptoMail provides features to export email data from user accounts. Users can export the entire email logs, logs of specific Mail Agents,or logs based on certain given conditions. The exported file will be provided as a ZIP file. Based on the role given to any particular user, their access to export can be restricted.

Data Retention

Users can choose to retain the content of the emails they send out. If they choose to save the content, it will be stored for 60 days from the date of the email. Email logs for the emails sent out are available inside the user's ZeptoMail account.

Once the account deletion is initiated, the user is given 48 hours to reverse the action. If no action is taken within that time, the account closure will be processed and all data will be deleted within 24 hours.

Data Disclosure

Data disclosure is the level of access within the service, where only authorized users can access, alter, or delete service data. In the organization setup, the administrator has permission to change some parts of user data, such as names, profile images, and more. Similarly, the administrator can delete the user, add them to Mail Agents or remove them from Mail Agents, add or remove domains, set up SMTP/API connections, and export user data for backup or compliance purposes.

Audit logs

Every account has an activity log section that allows users to track all of the actions performed by every user added to their account. Actions can be a newly created entity, modification of an entity, or deletion of an entity.

The activity log mentions the user’s details, actions performed by the user, the date and time of the action, and the entity the action was performed on. The activity log will be stored for a period of one year from the date of the action. The logs can be exported by user request. They can write to support@zeptomail.com to have the logs exported.