Building a secure, reliable, and robust low-code application platform that complies with ISO, SOC, HIPAA, and other international standards is our top priority at Zoho Creator. While we strive towards providing you with an uncompromised cloud experience, we also take the utmost care to protect your security and privacy, as we strongly believe we share this responsibility with our users.
The Shared Responsibility Model is a security and compliance framework that defines the distribution of security obligations and responsibilities between Zoho Creator and our customers to ensure comprehensive security in the cloud. It highlights that while Creator provides a secure foundation, customers also have a critical role to play in securing their data and applications in our cloud environment. By understanding and fulfilling their respective security responsibilities, both Creator and our customers can work together to mitigate risks and ensure the overall security of our cloud-based systems and your data.
While the Shared Responsibility Model is based on the notion that two or more parties have a part to play in guaranteeing the security of various components within the public cloud environment, it is crucial to note that a few security aspects, which are completely under the direct control of either the cloud service provider (CSP) or the customer, should be supervised by that party.
For example, the customer will always have responsibility for data security and access, whereas we at Zoho Creator are responsible for areas for which we possess direct control. These typically include security of the following:
- The physical layer and all associated hardware and infrastructure
- The virtualization layer
- Network controls and provider services
- Servers that run on our cloud resources
Why is the Shared Responsibility Model important?
According to Gartner’s latest forecast, “through 2025, 99% of cloud security failures will be the customer’s fault”. Although this might sound worrisome, the great news is that a large portion of those cloud failures is actually preventable when the customers understand their roles and responsibilities in cloud security. This is where the Shared Responsibility Model comes into the picture.
The following chart shows the shared responsibility model and depicts how the various responsibilities are shared and controlled by Zoho Creator and its customers.
The controls/responsibilities are segregated into three types:
- Zoho Creator specific controls - The controls that are the complete responsibility of Zoho Creator.
- Customer-specific controls - The areas of responsibility that are solely owned, maintained and controlled by you, the customer.
- Shared controls - Here, Zoho Creator provides the necessary support for security requirements. The customer should implement the guardrails in a way that suits their organizational requirements, including security, compliance, privacy, IT requirements, and applicable laws and regulations.
Zoho Creator's Responsibilities
- Hardware/hosting infrastructure: We are responsible for securing the complete infrastructure required for cloud hosting purposes. This infrastructure is composed of the hardware, software, operating system (including updates and security patches), networking, and firewall. All servers provisioned in the production network are hardened according to the standards. OS patch management, baseline configuration, and host intrusion detection technologies are adopted to maintain a secure hosting infrastructure.
- Physical security: We are responsible for ensuring that our infrastructure is protected from unauthorized physical access, suspicious intrusions, and disasters, and for triggering appropriate incident responses.
- Network controls: We are responsible for operating a secure production network. We use firewalls to protect our network from unauthorized access and undesirable traffic. Access to production networks is also strictly controlled.
- Software: Zoho Creator is a low code application platform that helps customers build powerful and scalable custom apps to be seamlessly deployed to organizations of all sizes, thereby reducing friction. Its simple drag-and-drop interface lets anyone design applications easily and quickly, collect data, automate business processes or workflows, analyze the data in reports, and collaborate with your application users. To learn more about what Zoho Creator offers, refer here.
- Business Continuity: We are responsible for having a business continuity plan in place for our major operations, such as support and infrastructure management, to ensure that critical business operations can continue to operate with minimal disruption under unforeseen circumstances. We will ensure that the application data stored on resilient storage is replicated across data centers. Data in the primary DC is replicated in the secondary DC in near real-time, and we can switch to the secondary in case of any disaster.
- Availability: We are responsible for ensuring that our services are available as per our uptime SLA of 99.9% by handling hardware and software failures, as well as threats like denial of service attacks. As a customer, you can visit status.zoho.com at any time to view the current site status, as well as past disruptions.
- Application Platform Security: Zoho Creator is responsible for providing a secure product free of any security vulnerabilities, and protecting your applications from unauthorized access, data breaches, malware attacks, and other security threats that could compromise the confidentiality, integrity, and availability of your data.
- Client-side & Server-side security: We prioritize security in our products by design. Our robust security framework based on OWASP standards is implemented in the application layer, and provides functionalities to mitigate threats such as SQL injections, cross-site scripting, and application layer DoS attacks, thereby taking care of the client-side as well as server-side security. All software changes are authorized before being provided to our customers. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as a screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
- Vulnerability Management: We have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, and with automated and manual penetration testing efforts. We continually reassess our risk posture in order to reduce the risk of security breaches.
- Data Security
- Data Isolation: We are responsible for the isolation of your data stored with us. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework.
- Data Confidentiality: We are responsible for the confidentiality of your data stored with us at rest, in transmission, and during processing.
- Data Integrity: We are responsible for the integrity of both your data and system data such as logs and configuration data. To ensure this, we apply encryption in transit. This refers to data that is encrypted when it is in transit, including from your browser to the web server and other third parties via integrations. Encrypting data in transit protects your data from man-in-the-middle attacks.
- Data Traceability: We are responsible for traceability and control of your data, such that at any given time, the physical location and processing of data can be known.
Customer's Responsibilities
Our customers have specific responsibilities that must be understood and handled appropriately to ensure the security of their data and assets in Creator.
In general, a customer's responsibility falls into the following categories.
- Client and end-point security: You are responsible for your end-point security and are expected to keep your browser services, mobile OS, and mobile applications updated to the latest version and patched against vulnerabilities. The compromise of one of your endpoints (whether your laptop, desktop, or smartphone) will render all other controls ineffective.
- Data Accountability: You are responsible for the following.
- Ensuring that sensitive data has not been inadvertently made accessible to the public or would-be attackers. You must implement strong authorization mechanisms for users who log in to your apps and ensure that only authorized users can access your app data.
- Maintaining the accuracy of the data that you process in your system.
- Ensuring that your Zoho Creator account is not used by you or others on your behalf for spamming or illegal activities, and that our services are only used for their intended purposes.
- Passwords: You are responsible for creating a strong password and safeguarding it when you use it to log in and access Creator.
Shared Responsibilities
Security and compliance are two of the major shared responsibilities between Creator and the customer.
- Application design and security: While we take care of the application platform's security, we also provide various defense mechanisms to protect your data from unauthorized access. However, it's your responsibility to define the security needs of your application, analyze and implement the various modes of security mechanisms, and design and build your applications in a secure way. This includes keeping the application free of any hard-coded sensitive information, enabling Encryption at Rest (EAR) properties for fields that contain sensitive information, defining strict permissions for users, adding users to your application only on a need-to-know basis, using appropriate data-validation techniques for inputs, and so on.
- Encryption
- Encryption in Transit: Customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers for all connections including web access, API access, our mobile apps, and IMAP/POP/SMTP access.
- Encryption at Rest:
- EAR refers to data that is encrypted when it is stored, thereby providing a higher level of security. Zoho Creator supports EAR within the product. If you enable encryption for a field, the data of that field in the database is encrypted. You must always encrypt your sensitive data to protect against any possible data leak due to server compromise or unauthorized access.
- When the data from our cloud is downloaded or exported into your application or synced within integrations in Zoho or with any other third-party integration, you need to ensure that relevant encryption controls are applied. For example, enable disk encryption on your devices and use the export feature with password protection enabled.
- Identity and Access Management
- Our responsibilities: We provide the infrastructure for managing user accounts through Identity and Access Management (IAM) services by facilitating:
- Management of access rights of your cloud users — Users and Permissions, Roles, Data Sharing, Domain Restriction, Customer Portal.
- Strong authentication techniques such as Multi-Factor Authentication and IP address restrictions.
- Your responsibilities: As a customer, you are responsible for:
- Implementing strong user access management controls.
- Configuring strong passwords based on your organization's policy and protecting them.
- Enabling Multi-Factor Authentication for your organization's users.
- Periodically reviewing the list of users with access to data and removing access for anyone who should not have it.
- Frequently reviewing devices linked to the organization's user accounts and removing unused or unauthorized devices.
- Monitoring your organization's user accounts for malicious access or usage.
- Notifying Zoho Creator of any unauthorized use of your organization’s accounts.
- Educating your users on the importance of good password management and the risks of credential reuse, social logins, and phishing attacks.
- Backups:
- Our responsibilities: We are equipped with a robust system to:
- Maintain system-level backups encrypted with the AES 256-bit algorithm and stored securely.
- Automatically run integrity and validation checks of the full backups.
- Enable requests for data restoration and provide secure access to it within the retention period.
- Enable customers to export and take a backup of their applications with data and restore them whenever required.
- Your responsibilities: From your end, you can:
- Schedule a backup for your data, export it from Creator, and store it locally in your infrastructure, if necessary. You are responsible for storing it in a secure manner.
- Logging & Monitoring
- Our responsibilities:
- We capture application logs for statistical, security, and debugging purposes.
- We maintain audits on the sequence of activities performed inside your applications.
- Your responsibilities:
- As an application owner, you must refer to the application logs to check your application's performance and keep track of actions executed in the event of action failure.
- You must review the history of changes made to your application records for any security discrepancy and take appropriate actions.
- You must export your audit trail data within the audit trail retention period to satisfy your compliance/legal requirements such as HIPAA, SCC, and so on.
- Data Management
- Our responsibilities:
- We process your data only as per your instructions and provide features in the product for you to control your data. We also limit employees from accessing customer data and ensure that they can only do so if there is a specific reason.
- We provide audit features on customer data to give transparency on important activities and to track changes.
- Data interoperability: We provide the option to take a complete backup of data and configurations to migrate all or a part of your data to another SaaS provider.
- Data retention and disposal: We hold the data in your account as long as you choose to use our services. Once you terminate your Creator account, your data will get deleted from the active database during the next cleanup that occurs once every six months. The data deleted from the active database will be deleted from backups after three months.
- Your responsibilities: You are accountable for:
- Due diligence while processing information belonging to special categories (for example, personal/sensitive data) by applying appropriate controls to comply with the requirements of applicable legislation.
- Configuring proper sharing and viewing permissions of user data.
- Regularly reviewing audit reports to identify any suspicious activity.
- Maintaining up-to-date contact information with Zoho Creator.
- Taking your data out of the system once you stop using our services. Otherwise it will be subjected to permanent deletion without any scope for recovery.
- Managing data to other parties
- Our responsibilities: We work towards having secure integrations and extensions to our applications by reviewing the privacy policy and terms of service of our vendors and ensuring that their operations adhere to them. We also evaluate the security and privacy practices of sub-processors whom we wish to contract to ensure that they are in line with Zoho Creator's information security and privacy standards. We then execute appropriate data protection agreements with them.
- Your responsibilities:
- We expect you to carefully review the terms and the privacy policy of third-party services regarding the collection, use, or disclosure of data to make sure that they do not compromise on your data and security.
- You must assess the suitability of Marketplace Apps and the reasonableness of the requested permissions prior to their installation. Also, you must notify Creator of any malicious behavior identified in those apps.
- Incident Management
- Our Responsibilities:
- We make sure to report all incidents of breach that we are aware of and that apply to you, along with impact details and suitable actions. For incidents specific to an individual user or an organization, we will notify the concerned party through the email address registered with us.
- We track such incidents till closure and implement controls to prevent recurrence. If requested, we will provide additional evidence related to the incident that applies to you.
- Your responsibilities:
- You must report security and privacy incidents that you are aware of to incidents@zohocorp.com.
- Ensure that you meet your data breach disclosure and notification requirements, such as notifying your end users and data protection authorities when relevant.
- You must take actions suggested by Zoho and Creator in general, in case of a breach.
- Awareness & Training
- Our responsibilities: Educate our employees about data-handling requests raised by customers. We regularly conduct security and privacy training for all employees to ensure they adhere to our security and privacy standards, in addition to providing regular security awareness training via informational emails, presentations, and resources available on our intranet.
- Your responsibilities: Educate your users on the following.
- Risks related to a cloud environment.
- Standards and procedures for the use of our services.
- Applicable legal and regulatory considerations.
- Policy & Compliance
- Our Responsibilities:
- We operate within the laws of various jurisdictions and provide evidence of compliance with applicable legislation, based on our contractual requirements.
- We have a comprehensive risk management program in place and will assist in DPIA (Data Protection Impact Assessments) of our customers to the extent allowed by the applicable laws.
- Your Responsibilities:
- Understand our policies, policy assessment methods, compliance with regulations and standards, and how we process data, to ensure they are sufficient to meet your compliance needs.
- Understand the risk profile and sensitivity of the data hosted in Creator and apply appropriate controls.
- Conduct DPIA as required by the data protection laws applicable to your organization before or while processing data.
- Before you process any personal/sensitive data, assess your lawful basis. In case your lawful basis is consent, ensure you obtain the consent from your customers.
- Data subject rights
- Our Responsibilities: We are accountable for:
- Providing features that enable you to cater to and protect the rights of your users.
- Notifying you of requests from your customers when they contact us directly for exercising their rights.
- Your responsibilities: You are obliged to:
- Honor and handle requests from your users for data access, rectification, deletion, and restrictions in processing of their personal information. To know more about GDPR in Zoho Creator, refer to this page.