Zoho's data centers are located in the following regions:
Each of these DCs serve a specific set of countries. For detailed information on the countries they service, please visit our Know Your Data Center page.
We host your data in best-in-class data centers across the globe. Each of these facilities holds a distinct set of compliance certifications. The certifications listed below are as of June 2025, and we continually work to expand our compliance to meet evolving industry standards.
Country | Location | Compliance Standards |
USA | Quincy (primary) | SOC 1 Type II, SOC 2 Type II, ISO 27001 |
Dallas (secondary) | SOC 1 Type II, SOC 2 Type II | |
India | Mumbai (primary) | ISO 27001, ISO 20000-1:2018, SOC 1 Type II, SOC 2 Type II |
Chennai (secondary) | ISO 27001 | |
Australia | Sydney (primary) | SOC 1 Type II, SOC 2 Type II, ISO 27001 |
Melbourne (secondary) | SOC 1 Type II, SOC 2 Type II, ISO 27001 | |
Europe | Amsterdam (primary) | ISO 27001, ISO 22301, SOC 2 Type II |
Dublin (secondary) | ISO 9001, ISO 27001, SOC 1 Type II, SOC 2 Type II, ISO 22301 | |
China | Shanghai (primary) | ISO 27001, ISO 22301 |
Beijing (secondary) | ISO 9001, ISO 27001, ISO 22301 | |
Japan | Tokyo (primary) | ISO 27001, SOC 1 Type II (ISAE 3402) |
Osaka (secondary) | ISO 27001, SOC 2 Type II | |
Canada | Toronto (primary) | ISO 27001, SOC 1 Type II, SOC 2 Type II |
Montreal (secondary) | ISO 27001, SOC 1 Type II, SOC 2 Type II | |
Saudi Arabia | Riyadh (primary) | ISO 27001 |
Jeddah (secondary) | ISO 27001 |
No, there are no restrictions on concurrent usage. To ensure high availability and scalability, Zoho utilizes a shared cluster model supported by multiple application servers. These servers are organized into Application Groups, with each group handling specific functionalities. The platform auto-scales workloads within each cluster, both horizontally and vertically, to handle high traffic across all customers efficiently.
We control access to our resources (buildings, infrastructure, and facilities), where accessing includes consumption, entry, and utilization, with the help of access cards. We provide employees, contractors, vendors, and visitors with different access cards that restrict access specifically to the purpose of their entrance into the premises. The Human Resource (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.
At our data centers, a co-location provider takes responsibility for the building, cooling, power, and physical security, while we provide the servers and storage. Access to the data centers is restricted to a small group of authorized personnel. Any other access is raised as a ticket and allowed only after the approval of respective managers. Additional two-factor authentication and biometric authentication are required to enter the premises. Access logs, activity records, and camera footage are available in case an incident occurs.
We monitor all entry and exit movements throughout our premises in all our business centers and data centers through CCTV cameras deployed according to local regulations. Back-up footage is available up to a certain period, depending on the requirements for that location.
We have implemented various physical and environmental controls at our facility, including temperature regulation, continuous monitoring, energy management, and physical security.
As a proactive measure, we have also established a secondary data center to minimize the impact on operations in the event of severe environmental hazards—such as floods, tornadoes, earthquakes, hurricanes, or similar events—affecting the primary data center.
Application data is stored on resilient storage that is replicated across data centers. Data in the primary DC is replicated in the secondary in near real time. In case of failure of the primary DC, the secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Both the centers are equipped with multiple ISPs.
We have power back-up, temperature control systems, and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, we have a business continuity plan for our major operations, such as support and infrastructure management.
Yes. Our data centers are equipped with industry-standard fire suppression systems, redundant power backup, and climate control measures to ensure operational resilience and business continuity. Our data centers can operate for up to 72 hours using a Genset generator in the event of a power outage
These systems are regularly tested and maintained as part of our Business Continuity and Disaster Recovery (BC/DR) strategy. We also conduct periodic DR drills to validate the effectiveness of these measures and ensure compliance with best practices for infrastructure safety and reliability.
Yes, we conduct planned Disaster Recovery (DR) drills annually to validate data center recoverability.
Yes. We use a hot-site (active-active) configuration, allowing seamless failover and minimal service disruption in the event of a failure at the primary site. Data from the primary data center is continuously replicated to the secondary data center, which serves a read-only version to ensure availability during disruptions.
Yes. We have implemented green data center practices by designing our infrastructure to maximize energy efficiency and minimize environmental impact.
Our systems include energy-efficient cooling, power management, and hardware optimization strategies. Wherever possible, we also source renewable energy and adhere to sustainable operational practices to reduce our carbon footprint.
To learn more about our commitment to sustainability, visit our ESG page.
We take proactive measures to ensure the safety of user data and prevent the spread of malicious content. Our proprietary anti-malware engine, enhanced with machine learning capabilities, provides robust protection by adapting to emerging threats in real-time. All user files are scanned using our automated malware detection system, which is regularly updated with threat intelligence from external sources. This system checks files against known malicious signatures and suspicious patterns.
To combat spam and email spoofing, Zoho supports Domain-based Message Authentication, Reporting, and Conformance (DMARC), which works in conjunction with SPF and DKIM to verify the authenticity of messages. Additionally, we use our in-house detection engine to monitor and prevent abuse, including phishing and spam activities.
A dedicated anti-spam team continuously monitors system signals and responds to abuse reports to maintain the integrity of our platform.
We use a centralized patching tool within our corporate network to deploy relevant patches, hotfixes, and security updates to all laptops and workstations. Our production instances are updated in accordance with our established patch management policy, ensuring timely application of security and system patches.
We have a well-defined access control policy that aligns with business needs and information security/privacy requirements. Technical controls and internal policies are in place to prevent unauthorized access to customer data by employees. Access is governed by the principles of Need-to-Know and Need-to-Use, ensuring data is accessible only to those who require it for their roles.
We enforce the principle of least privilege and implement role-based access controls (RBAC) to minimize data exposure risks. All access to information systems requires proper approval from authorized personnel. Access rights are promptly revoked in cases of role changes or employee termination.
Additionally, multi-factor authentication (MFA) is required for remote access and access to critical systems, enhancing the overall security posture.
Strict access control policies are enforced, ensuring that permissions to access or modify sensitive data are granted only to authorized personnel, in accordance with the principle of least privilege. All sensitive operations are logged in an audit trail, which helps detect and alert on potential data leaks or exfiltration attempts. Additionally, sensitive information and user-uploaded files are encrypted at rest to ensure robust data protection.
All customer data transmitted over public networks to our servers is secured using strong encryption protocols. We enforce the use of Transport Layer Security (TLS 1.2/1.3) with strong ciphers across all connections, including web access, API calls, mobile apps, and IMAP/POP/SMTP email client access.
This ensures high levels of security by authenticating both parties involved in the connection and encrypting all data in transit.
For email communications, our services leverage opportunistic TLS by default. This allows encrypted email transmission between mail servers that support the protocol, effectively mitigating the risk of eavesdropping during delivery.
Yes. Privileged access rights are reviewed every six months and additionally on an as needed basis.
Yes. VPN access is required to securely access production workloads hosted in our cloud or data center environments.
Yes, Zoho Creator is available in both cloud and on-premise versions.For detailed information, visit our on-premise page.
We also support hybrid deployment, where you can build and manage your applications in the cloud while hosting them in your preferred environment. For detailed information, visit our hybrid hosting page.
Data Storage:
Zoho hosts your data in state-of-the-art data centers around the world. When you sign up for Zoho, you can select your preferred country, which helps determine the location of your data center. The country is automatically selected based on your IP address to make the process easier. Based on this selection, your account is hosted in the corresponding data center, ensuring localized storage for better compliance and performance.
Data Protection:
Zoho ensures a high level of data protection by encrypting data at rest using AES-256 encryption. Sensitive data is further safeguarded through Zoho’s in-house Key Management Service (KMS). To enhance security, master and encryption keys are stored separately, maintaining the confidentiality and integrity of your data. This multi-layered approach helps make Zoho’s data storage both secure and reliable.
For specific details on how data is encrypted and protected in Zoho Creator, please refer to the Zoho Creator Encryption Page.
Data Center Security and Access Control:
Our data centers are managed by a co-location provider who handles the building infrastructure, cooling, power, and physical security. We are responsible for providing the servers and storage.
Monitoring:
We actively monitor all entry and exit movements within our data centers and business premises. This is done through CCTV cameras installed in compliance with local regulations. Backup footage is retained for a specified period based on location requirements, ensuring thorough monitoring and swift incident resolution.
For more details, visit Zoho's Datacenter and Security pages.
Yes, Zoho Creator uses encryption both at rest and in transit, ensuring that your data remains protected at all times.
All customer data transmitted over public networks to Zoho servers is secured using strong encryption protocols. Zoho mandates the use of Transport Layer Security (TLS 1.2/1.3) with strong ciphers for all connections, including:
This ensures secure communication by authenticating both parties and encrypting transferred data.
Additional Security Measures:
Sensitive customer data stored in Zoho Creator is encrypted using the 256-bit Advanced Encryption Standard (AES). The encryption at rest varies depending on the services used.
Zoho maintains encryption keys through its in-house Key Management Service (KMS). Additional layers of security are provided by encrypting data encryption keys with master keys, which are physically separated and stored on different servers with limited access.
BYOK for Encryption
Zoho Creator supports BYOK, allowing you to use your own Key Encryption Key (KEK) instead of Zoho’s default KEK. You can integrate keys from an external Key Management System (KMS) such as Thales, or use your own custom key.
Learn more about BYOK in Zoho Creator.
For detailed information, visit our encryption page and the encryption in Zoho Creator.
Sensitive data stored in Zoho Creator, including Personally Identifiable Information (PII), such as names and email addresses, as well as Electronic Protected Health Information (ePHI) like health-related data, is thoroughly masked to protect privacy and ensure security.
This comprehensive approach to masking guarantees the confidentiality and integrity of user information, ensuring that only authorized users have access to sensitive data when needed.
Zoho ensures that your data is stored within the region relevant to you. When you sign up, you are automatically assigned to the data center (DC) that serves your country. Both the primary and secondary locations of your assigned data center are within the same region, ensuring that your data remains within the region you selected.
During sign-up, you will be asked to choose your country, and the field is pre-populated based on your IP address for your convenience.
For more information about data center locations and how your data is handled regionally, please visit our Know Your Data Center page.
Yes, we maintain regular backups of your data. The backup data is securely stored within the same data center and encrypted using the AES-256 bit algorithm to ensure its protection. The backups are saved in tar.gz format and retained for a period of three months.
Zoho Creator also provides in-product backup capabilities, allowing users to manually generate and download backups of their applications and data. These backups can be stored locally for additional security and recovery options.
For detailed information, visit our backup and restoration page.
Yes, all backed-up data is encrypted to ensure security and confidentiality. We use AES-256 encryption to protect backup data stored in our data centers, preventing unauthorized access.
We run incremental backups daily and full backups weekly for our databases using the Zoho Admin Console (ZAC) across Zoho's data centers. Backup data is stored in the same location in tar.gz format and is retained for three months. If a customer requests data recovery within this retention period, we restore the data and provide secure access. The timeline for restoration depends on the size of the data and the complexity of the request.
To further enhance data safety, we utilize a Redundant Array of Independent Disks (RAID) on backup servers, ensuring reliability and fault tolerance. All backups are scheduled and tracked regularly. In the event of a failure, an automatic re-run is initiated and immediately resolved. The ZAC tool also performs integrity and validation checks on full backups to maintain data consistency.
For additional protection, we strongly recommend that customers schedule regular backups by exporting their data and storing it in their own infrastructure. Learn more about application backup here.
Zoho operates on a multi-tenant architecture, where your data is stored alongside other customers' data. However, we ensure your data remains securely isolated through logical segregation within our service data storage. Our infrastructure efficiently distributes and manages cloud resources while employing secure protocols to maintain the logical separation of each customer's data.
Even though multiple customers share the same physical infrastructure, robust access controls and logical partitioning ensure your data is exclusive to you. Encryption, user authentication, and strict access policies prevent unauthorized access, ensuring that no customer can view or modify another's data.
These measures align with industry best practices, ensuring privacy, security, and compliance in a multi-tenant environment.
Yes, we implement a robust access control policy, grounded in business, information security, and privacy requirements. The primary goal of these controls is to protect sensitive information by ensuring that access to data and resources is granted only to those who need it for their specific role while preventing unauthorized access.
Our access control policy is based on two key principles: the Need-to-Know and Need-to-Use concepts. These principles help ensure that employees only have access to the information necessary for their job functions.
We employ a combination of technical access controls and internal policies that are periodically reviewed to strictly limit access to user data, following the principle of least privilege and utilizing role-based permissions. This helps reduce the risk of unauthorized data exposure and ensures that only authorized individuals can access sensitive information.
We store your data as long as you remain a Zoho customer. Once your subscription ends, your data will be handled in accordance with our data retention policy. Your data is securely stored on our servers for a period of three months after subscription termination. During this retention period, we prioritize your privacy and security, protecting all stored data with industry-standard encryption and stringent access controls.
At the end of the retention period, your data is securely disposed of using industry best practices to prevent unauthorized access or retrieval. For detailed information, visit our privacy policies page.
We host your data in our best-in-class datacenters across the globe. Our data centers feature state-of-the-art infrastructure with robust security measures in place, ensuring a highly secure environment for your data. Here are some key points that indicate the security measures in place:
Overall, the infrastructure has robust security measures in place to protect sensitive customer data.
For detailed information, visit our security whitepaper.
Yes, At the workplace, we control access to our resources (buildings, infrastructure, and facilities), where accessing includes consumption, entry, and utilization, with the help of access cards. We provide employees, contractors, vendors, and visitors with different access cards that only allow access strictly specific to the purpose of their entrance into the premises. Human Resource (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.
Yes, we use industry-standard firewalls to safeguard our network against unauthorized access and undesirable traffic. Our systems are carefully segmented into separate networks to ensure sensitive data is well-protected. For added security, testing and development environments are hosted in a network distinct from the production infrastructure supporting Zoho's core operations.
Firewall access is closely monitored on a strict, regular schedule. Our network engineers review all changes made to the firewall daily, and these changes undergo a comprehensive review every six months to update and refine firewall rules. In addition, our dedicated Network Operations Center (NOC) team continually monitors both infrastructure and applications for any discrepancies or suspicious activities. Using proprietary monitoring tools, we track all critical parameters, with immediate notifications triggered in the event of any abnormal or suspicious behavior within our production environment.
These layered firewall and monitoring measures help ensure the security and integrity of our systems.
Our network security is designed to be robust, well-managed, and continuously monitored to ensure the highest levels of protection for your data. Here are some of the key security measures in place:
These measures ensure that your data remains secure at all times, with our team constantly monitoring and improving our network security to prevent unauthorized access and ensure the integrity of your information.
Yes, we implement industry-standard from trusted and reputable service providers to prevent DDoS attacks on our servers. These solutions offer robust DDoS mitigation capabilities, effectively filtering out malicious traffic while allowing legitimate traffic to pass through. This ensures that our websites, applications, and APIs remain highly available and perform optimally, even during potential attack attempts.
Yes, We have our own internal proprietary SIEM tools to monitor and detect abnormal behavior. We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in accounts or attempts to access customer data.
We have a robust disaster recovery plan in place that enables us to respond quickly and recover from disasters, minimizing downtime and ensuring business continuity. In case of failure of the primary DC, the secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Both the centers are equipped with multiple ISPs.
We have power back-up, temperature control systems, and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, we have a business continuity plan for our major operations, such as support and infrastructure management. The DR drills are performed periodically in order to ensure business continuity.
Application data is stored on resilient storage that is replicated across data centers. Data from the primary data center (DC) is replicated in near real-time to a secondary DC. In the event of a failure at the primary DC, the secondary DC seamlessly takes over, ensuring minimal or no downtime.
Zoho's disaster recovery sites are strategically located in the same country but in a different geographical location from the primary data center. This ensures redundancy while maintaining compliance with regional data residency requirements.
For additional safety, data in the secondary (recovery) site is maintained in a read-only format, preventing unauthorized modifications while ensuring business continuity. Both primary and secondary data centers are equipped with multiple ISPs for enhanced reliability.
For more details, visit Zoho's Datacenter
In case of failure of the primary DC, the secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Incase of database failure, Recovery Point Objective (RPO) is 30 minutes and Recovery Time Objective (RTO) is 60 minutes.
Recovery Point Objective (RPO) is 30 minutes and Recovery Time Objective (RTO) is 60 minutes.
Zoho ensures high availability of your data through multiple layers of redundancy and robust infrastructure. Here’s how:
These measures are designed to provide consistent and reliable access to your data, even in the event of unforeseen disruptions.
To ensure the optimal performance of our system, we have a comprehensive approach that includes proactive maintenance, monitoring, and continuous optimization.
Through this combination of monitoring, timely updates, and performance benchmarks, we maintain a high standard of system reliability and user experience.
Our Service Level Agreement (SLA) commitment guarantees 99.9% monthly uptime. We have implemented redundancies at various levels, from infrastructure to ISPs, to ensure uninterrupted service. Data from the primary data center is replicated to a secondary data center, where a read-only version of Zoho apps is always available. This ensures seamless access even in the event of an issue at the primary data center. You can track the service availability across all Zoho services at https://status.zoho.com/.
This uptime guarantee excludes any downtime caused by scheduled maintenance or updates, which will always be announced in advance on our online platforms. We prioritize transparency and work to ensure that any necessary maintenance does not disrupt your experience.
We utilize advanced industry standard third-party monitoring tools that analyze customer usage trends and capture essential data to assess system performance. These tools help us proactively identify and troubleshoot any performance issues reported by customers. Additionally, if degraded performance is detected, the system automatically notifies our team, allowing us to take immediate action to resolve the issue and maintain optimal performance.
Zoho Creator applications, designed for the web, ensure seamless access across a range of devices including iPhones, iPads, and Android devices. The platform automatically takes care of responsiveness, whether users access a rebranded mobile app or access the application through Creator's native app or a mobile browser. This comprehensive approach ensures consistent usability and functionality across diverse devices, enhancing user experience. Every business or organization, when considering its mobile presence, comes across the question of whether to build a mobile app, a mobile website, or both. The answer to this primarily depends on factors such as the purpose of the mobile presence, the desired end-user experience, and the budget. The advantage of building your custom applications using Zoho Creator is that you get all this out of the box, and for free. Creator offers extensive accessibility support, compatible with the majority of web browsers, android, and iOS versions.
Access App on Web: Zoho Creator applications can be accessed seamlessly through a web browser on a desktop or laptop. Users simply need to log in to their accounts to begin working from any location.
Access app on iOS: The Zoho Creator native app for iPhone offers mobile access to all your Zoho Creator applications. The app is available for download from the App Store.
Access App on iPad: The Zoho Creator native app for iPad offers mobile access to all your Zoho Creator applications. The app is available for download from the App store.
Access app on android: The Zoho Creator native app for Android offers mobile access to all your Zoho Creator applications. The app is available for download from the Google Play Store.
Access app as Progressive Web App (PWA): PWA enables a native, app-like experience on a mobile browser. Users will be able to access your apps from any mobile device that supports browsing the internet. The minimum supported versions are Android app requires 5.1 and later version and iOS app requires 11 or later version, ensuring compatibility with most modern devices.
Rebranded mobile apps: Zoho Creator enables you to download your creator application as a separate mobile app for iOS and Android devices. This feature helps morph the functionality of Zoho Creator into an app representing the organization of the admin.
Zoho Creator is a cloud-based platform, meaning it is designed to be accessible from virtually anywhere on the go using a web browser or mobile app. To use Zoho Creator effectively, you need the following:
Zoho Creator’s cloud infrastructure ensures you don’t need to worry about maintaining servers, updates, or backups, making it a versatile and user-friendly platform for businesses of all sizes.
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.