This page covers data security, encryption, access controls, and incident management for Zoho Creator.
Data Security
How secure is my data?
We prioritize data security with a secure-by-design approach, implementing data isolation, encryption measures, and a proper data retention and disposal policy to safeguard your information.
- Data isolation
Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.
The service data is stored on our servers. Your data is owned by you, and not by Zoho. We do not share this data with any third party without your consent.
- Encryption
- In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection and by encrypting the data to be transferred. Additionally, for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled the HTTP Strict Transport Security (HSTS) header on all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site. Additionally, on the web, we flag all our authentication cookies as secure.
- At rest: Encryption is done at the application layer using the AES-256 algorithm. AES-256 is a symmetric key encryption algorithm that uses 128-bit blocks and 256-bit keys. The key used to convert the data from plain text to cipher text is called the Data Encryption Key (DEK). The DEK is further encrypted using the KEK (Key Encryption Key), providing yet another layer of security. The keys are generated and maintained by our in-house Key Management Service (KMS).
- Data retention and disposal
We hold the data in your account. Once you terminate your Zoho user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. If your unpaid account is inactive for a continuous period of 120 days, we reserve the right to terminate it after giving you prior notice and the option to back up your data.
A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. We degauss failed hard drives and then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).
For further details, visit our security whitepaper.
Additional Encryption Options in Zoho Creator
Field-Level Encryption
- Certain fields in Zoho Creator allow an additional layer of encryption to protect sensitive, confidential, or personally identifiable information (PII).
- You can enable Encrypt Data in the Field Properties to secure fields capturing sensitive data. Learn more about data encryption for fields
Handling Protected Health Information (ePHI)
- ePHI (Electronic Protected Health Information) refers to protected health data that is created, stored, transmitted, or received electronically.
- In Zoho Creator, you can enable Contains Health Info in Field Properties within the Form Builder to classify fields as ePHI.
- Permissions can be controlled to determine which users can view or access ePHI fields within the application settings.
Report-Level Data Masking
- Encrypted fields in Zoho Creator can be masked in reports, ensuring sensitive data remains hidden from unauthorized users.
- Role-based access control (RBAC) and permission sets allow admins to manage visibility of encrypted fields for different users.
Encryption adds a strong layer of security to prevent unauthorized access, ensuring that even if data is intercepted, it remains unreadable.
How does Zoho Creator ensure network security?
Zoho Creator employs a robust and multi-layered approach to network security, incorporating advanced tools and processes to safeguard user data and ensure uninterrupted service. Here’s an overview:
Firewalls
- Firewalls prevent unauthorized access and undesirable traffic.
- Firewall access is regularly monitored, with changes reviewed daily by network engineers.
- A comprehensive rule review is conducted every six months to ensure updates and revisions are in place.
Intrusion Detection and Prevention Systems (IDS/IPS)
- Host-based signals from devices and network-based signals from monitoring points are logged and analyzed.
- Administrative access, privileged commands, and system calls in the production network are monitored.
- A proprietary Web Application Firewall (WAF) operates on whitelist and blacklist rules at the application layer.
- At the ISP level, a multi-layered security system uses scrubbing, network routing, rate limiting, and filtering to mitigate threats, ensuring clean traffic and prompt attack reporting.
DDoS Protection
- We use tools provided by reputed service providers to protect against Distributed Denial of Service (DDoS) attacks, allowing legitimate traffic while blocking disruptive traffic to ensure the high availability of websites, applications, and APIs.
Network Segmentation
- Sensitive data is protected by segregating systems into trusted and untrusted networks.
- Firewalls, access control lists (ACLs), and VLAN segmentation are used to enforce this separation.
Zoning
- Infrastructure is organized with VLAN segmentation, isolating network zones.
- Only authorized users and devices have access to specific zones.
- Services and ports are strictly controlled and monitored, with access restricted to essential services.
For more detailed information about infrastructure security, please refer to our security policy.
Do you have Encryption Key Management Procedures?
Yes. Our in-house Key Management Service (KMS) creates, stores, and manages keys across all services. We own and maintain the keys using KMS.
By default, Zoho Creator encrypts stored data using Data Encryption Keys (DEK), which are further protected using a Key Encryption Key (KEK) managed by Zoho. Upon adding your own key (BYOK), you can replace Zoho’s default KEK with your own, allowing you to retain control over the encryption and decryption process.
How does Zoho Creator ensure security during the development process?
Zoho Creator follows a Secure by Design approach, embedding security at every stage of our Software Development Life Cycle (SDLC). All changes and new features are subject to a strict change management process, ensuring proper authorization and review before deployment.
Our SDLC includes clear segregation of development, testing, and production environments to minimize risk and ensure stability. All developers follow secure coding guidelines, and code changes undergo rigorous review through automated code analyzers, vulnerability scanners, and manual checks.
We implement OWASP-based security controls at the application layer to guard against common threats like SQL injection, Cross-Site Scripting (XSS), and application-layer Denial of Service (DoS) attacks.
Do you have a change management system?
Yes, Zoho follows a comprehensive change management system to ensure that any changes to our service environment are carefully planned, tested, reviewed, and authorized before being implemented in production.
Key elements of our change management process include:
- Impact Assessment: We assess the potential impacts of each change, including its effects on information security, privacy, and overall system performance.
- Fall-back Procedures: Detailed fall-back procedures are in place, outlining responsibilities and steps to be taken in the event of unsuccessful changes or unforeseen issues. This ensures that we can quickly recover and minimize disruptions.
- Communication: Proposed changes are communicated to all relevant stakeholders, ensuring transparency throughout the process.
- Audit Logs: We maintain an audit log that tracks all relevant details related to each change, ensuring accountability and providing a historical record for reference.
This structured approach helps us maintain service integrity and security, providing reliable and predictable performance for our customers.
What code security measures do you have in place to protect against vulnerabilities and breaches?
At Zoho, we adhere to OWASP-based security methodologies throughout the development and deployment of both web and mobile applications. Our Web Application Firewall (WAF) operates on a combination of whitelist and blacklist filtering to mitigate OWASP Top 10 threats. We enforce secure coding practices, leverage Static and Interactive Application Security Testing (SAST & IAST), and perform rigorous security reviews on all code changes before deployment to production.
Applications built and deployed on the Zoho Creator platform inherit its robust security framework, ensuring the code and infrastructure are continuously protected.
Do you conduct vulnerability assessment and penetration testing (VAPT)?
Penetration Testing
We conduct rigorous penetration testing to identify and address potential security vulnerabilities. Internal penetration tests are carried out every six months to evaluate and fortify our internal systems. Additionally, external penetration tests are performed annually to ensure comprehensive security validation and safeguard against external threats.
Vulnerability Assessment
Our dedicated vulnerability management process actively scans for security threats using a combination of certified third-party scanning tools and in-house tools. Vulnerability assessments are conducted weekly on internet-facing IP endpoints using industry-standard external third-party tools. This ensures consistent monitoring and early identification of potential security risks.
Vulnerability Remediation
Once a vulnerability is identified, it is logged, prioritized based on severity, and assigned to an owner. We assess the associated risks and track the issue until resolution, either by patching the vulnerable systems or applying relevant controls.
Collaborative Security Reporting
We actively review inbound security reports and monitor public mailing lists, blog posts, and wikis to detect potential security incidents that may impact our infrastructure. Our Bug Bounty program enables collaboration with the community of security researchers, recognizing and rewarding their contributions. We are committed to verifying, reproducing, responding to, and implementing solutions for all reported vulnerabilities.
Do you have a bug bounty?
To what standard is the ISMS aligned?
Yes, we have implemented a robust Information Security Management System (ISMS) aligned with the ISO/IEC 27001 standard. Additionally, we are compliant with ISO/IEC 27701, the internationally recognized standard for Privacy Information Management, ensuring the highest level of security, confidentiality, and integrity of customer data.
Do you have a server hardening process?
Yes, all servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers to ensure consistency across servers.
Encryption
What is encryption and why is it important in Zoho Creator?
Encryption is a method of converting readable data into unreadable form to prevent unauthorized access. In Zoho Creator, encryption helps protect your data from theft or interception, ensuring only intended recipients can access it.
What types of encryption are used in Zoho Creator?
Zoho Creator uses two types of encryption:
- Encryption in Transit: Protects data as it moves between your browser, Zoho servers, and third-party services.
- Encryption at Rest (EAR): Protects stored data (e.g., in databases or disks) on Zoho's servers.
Is my data encrypted at rest?
Yes. Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using our in-house Key Management Service (KMS). We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.
Is my data encrypted during transmission?
Yes, your data is encrypted during transmission. We follow the latest TLS protocol versions 1.2/1.3 and use SHA-256-signed certificates and strong ciphers (AES_CBC/AES_GCM with 256-bit/128-bit keys for encryption, SHA2 for message authentication, and ECDHE_RSA as the key exchange mechanism). We also implement perfect forward secrecy and enforce HTTP Strict Transport Security (HSTS) across all sites. The sensitive data you input in the application, or the service data, is stored in our database as tables. Data in these tables is encrypted according to the AES-256 standard in AES/CBC/PKCS5Padding mode. Our in-house Key Management Service (KMS) creates, stores, and manages keys across all services. We own and maintain the keys using KMS.
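The transport claims in this answer (TLS 1.2 or 1.3, ECDHE key exchange for forward secrecy, HSTS, Secure cookies) can be checked from the client side. The following Go code is an added example, not Zoho's code; the function names and the two sample observations are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// hstsMaxAge returns the max-age of a Strict-Transport-Security value,
// or -1 if the directive is absent or not a non-negative integer.
func hstsMaxAge(value string) int {
	for _, part := range strings.Split(value, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), "max-age") {
			n, err := strconv.Atoi(strings.Trim(strings.TrimSpace(kv[1]), `"`))
			if err != nil || n < 0 {
				return -1
			}
			return n
		}
	}
	return -1
}

// Audit returns one finding per transport claim that the observed connection
// and response headers do not meet; an empty result means every check passed.
func Audit(cs tls.ConnectionState, h http.Header) []string {
	var findings []string
	if cs.Version < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("protocol 0x%04x is older than TLS 1.2", cs.Version))
	}
	// TLS 1.3 key exchange is always ephemeral; TLS 1.2 needs an ECDHE suite.
	suite := tls.CipherSuiteName(cs.CipherSuite)
	if cs.Version < tls.VersionTLS13 && !strings.HasPrefix(suite, "TLS_ECDHE_") {
		findings = append(findings, "no forward secrecy: "+suite)
	}
	// max-age=0 tells browsers to forget the policy, so it counts as missing.
	if hstsMaxAge(h.Get("Strict-Transport-Security")) <= 0 {
		findings = append(findings, "HSTS header missing or max-age is 0")
	}
	for _, c := range (&http.Response{Header: h}).Cookies() {
		if !c.Secure {
			findings = append(findings, "cookie without Secure flag: "+c.Name)
		}
	}
	return findings
}

// goodSample is a constructed observation that meets all four claims.
func goodSample() (tls.ConnectionState, http.Header) {
	h := http.Header{}
	h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
	h.Add("Set-Cookie", "session=constructed; Path=/; Secure; HttpOnly")
	return tls.ConnectionState{Version: tls.VersionTLS13, CipherSuite: tls.TLS_AES_128_GCM_SHA256}, h
}

// weakSample is a constructed observation: static RSA key exchange, no HSTS, plain cookie.
func weakSample() (tls.ConnectionState, http.Header) {
	h := http.Header{}
	h.Add("Set-Cookie", "session=constructed; Path=/")
	return tls.ConnectionState{Version: tls.VersionTLS12, CipherSuite: tls.TLS_RSA_WITH_AES_256_GCM_SHA384}, h
}

func main() {
	fmt.Println("good sample findings:", len(Audit(goodSample())))
	for _, f := range Audit(weakSample()) {
		fmt.Println("weak sample:", f)
	}
}
```

Against a live endpoint, the same function takes `*resp.TLS` and `resp.Header` from an `http.Response`.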
What data is encrypted by default, and what data can I encrypt manually additionally?
By default, every record, image, and file stored within your Zoho Creator application is encrypted to ensure robust protection against unauthorized access. This encryption applies to data at rest, safeguarding sensitive information in the database and stored files.
Additionally, Zoho Creator offers the flexibility to enhance the security of specific fields containing sensitive or confidential information. Using the "Encrypt Data" field property, you can manually configure an additional layer of encryption for such fields. This feature is particularly useful for safeguarding data like personally identifiable information (PII), financial details, or any other critical data that requires stricter security measures. Learn more about the encrypt data field.
What encryption algorithms and keys are used?
Zoho Creator uses AES-256, a symmetric encryption algorithm with 256-bit keys. Data is encrypted with a Data Encryption Key (DEK), which is further encrypted using a Key Encryption Key (KEK) managed by Zoho's in-house Key Management Service (KMS).
Visit our document to learn more about our KMS.
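The DEK/KEK arrangement described in this answer, and the KEK replacement described in the key management answer (BYOK), can be sketched as follows. This is an added Go example, not Zoho's code: the `Key` type, the function names and the value layout are assumptions, and it seals both the data and the DEK with AES-256-GCM rather than the AES/CBC/PKCS5Padding mode named on this page, so that a wrong key or altered bytes are detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Key [32]byte // AES-256 key; the array type rules out a wrong key length

// NewKey draws a fresh key from the OS CSPRNG.
func NewKey() (k Key) {
	if _, err := rand.Read(k[:]); err != nil {
		panic(err)
	}
	return k
}

func gcm(k Key) cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail: Key is always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts msg under k and prepends the random nonce; unseal reverses it
// and fails if the key is wrong or the bytes were altered.
func seal(k Key, msg []byte) []byte {
	g := gcm(k)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, msg, nil)
}

func unseal(k Key, sealed []byte) ([]byte, error) {
	g := gcm(k)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed value too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Encrypt seals data under a fresh DEK and wraps that DEK under the KEK.
func Encrypt(kek Key, data []byte) (wrappedDEK, ciphertext []byte) {
	dek := NewKey()
	return seal(kek, dek[:]), seal(dek, data)
}

// unwrap recovers the DEK; it fails on a wrong KEK or an altered wrapped key.
func unwrap(kek Key, wrappedDEK []byte) (dek Key, err error) {
	raw, err := unseal(kek, wrappedDEK)
	if err != nil || len(raw) != len(dek) {
		return dek, fmt.Errorf("cannot unwrap DEK: wrong KEK or altered value")
	}
	copy(dek[:], raw)
	return dek, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the data.
func Decrypt(kek Key, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := unwrap(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, ciphertext)
}

// Rewrap is the KEK swap (BYOK): only the wrapped DEK changes, never the data.
func Rewrap(oldKEK, newKEK Key, wrappedDEK []byte) ([]byte, error) {
	dek, err := unwrap(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek[:]), nil
}

func main() {
	kek, byok := NewKey(), NewKey() // constructed keys
	w, ct := Encrypt(kek, []byte("constructed sample record"))
	w, _ = Rewrap(kek, byok, w) // ct is not touched
	pt, err := Decrypt(byok, w, ct)
	fmt.Println(string(pt), err)
}
```

After `Rewrap`, the original KEK can no longer open the record, which is the property that gives a key owner control over decryption.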
Is full-disk encryption used in Zoho data centers?
Yes. In addition to application-layer encryption, full-disk encryption is implemented at Zoho’s India (IN), Australia (AU), and Europe (EU) data centers.
Visit our help document to learn more about full-disk encryption in Zoho.
Access Controls
Does your system support role-based access control and data permissions? / Can we define granular access controls based on user roles and responsibilities?
Zoho Creator provides granular access controls, allowing users to interact with specific parts of the application based on their roles. This ensures secure and efficient application usage. Key components include:
- Users
Zoho Creator applications support three primary user types:
- Super Admin: Has complete control over the application, including managing users and permissions.
- Admin: Assists the super admin by managing specific administrative tasks.
- Developer: Builds and customizes application solutions.
- Solution-Specific Users: Regular users who interact with the application based on their assigned roles.
- Permissions
User permissions enable fine-grained control over data access in your applications. This feature allows admins to specify:
- Who can edit the application
- Who can access the application
- Which components or modules users can interact with
- The specific data users are allowed to view or modify
- Roles
Roles in Zoho Creator are primarily used to establish a hierarchy, which then enables the setup of restricted access mechanisms for users. Each role represents a specific function within your organization, determining the level of access and the responsibilities assigned to users in that role. This helps define who can access, modify, or view specific data, ensuring that users only interact with the information relevant to their position.
For example:
- A Manager role may have access to team data but not to sensitive financial information.
- A Team Member role might only be able to view their own data and request approvals.
- An Admin role can have full access across the system to manage settings and permissions.
- Additionally, data sharing rules can be set to override the role hierarchy, allowing specific users or roles to access data outside their assigned hierarchy. For example, a team member might be granted access to a report from a higher-level department if explicitly permitted by a data sharing rule, even though they don't have hierarchical access.
- Role Hierarchy
The role hierarchy determines how roles are organized within your organization. It establishes access levels based on organizational structure, ensuring users can access only what is relevant to their responsibilities.
Does the system enforce MFA/2-FA?
Yes, the system can be configured to enforce MFA/2-FA.
Single Sign-On (SSO)
Zoho offers single sign-on (SSO) that lets users access multiple services using the same sign-in page and authentication credentials. When you sign in to any Zoho service, it only happens through our integrated Identity and Access Management (IAM) service.
We also support SAML for single sign-on, which makes it possible for customers to integrate their company's identity provider, such as LDAP or ADFS, when they log in to Zoho services. SSO simplifies the login process, ensures compliance, and provides effective access control and reporting. It also reduces the risk of password fatigue, and hence weak passwords.
Multi-Factor Authentication provides an extra layer of security by demanding an additional verification that the user must possess, in addition to the password. This can greatly reduce the risk of unauthorized access if a user’s password is compromised. You can configure multi-factor authentication using Zoho One-Auth. Currently, different modes like biometric Touch ID or Face ID, Push Notification, QR code, and Time-based OTP are supported. We also support Yubikey Hardware Security Key for multi-factor authentication. For more details, visit our help document.
Auditing and Logging
What logging capabilities are available?
What types of logs are maintained, and what is their retention period?
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to help us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access in order to manage access control centrally and ensure availability. This logging is done internally.
Audit trail: The Audit Trail feature in Zoho Creator assists an organization by maintaining logs on the sequence of activities performed inside an application.
Logs: Logs are produced automatically as time-stamped documentation of the history of actions, such as Form Actions, Schedules, Email Data, and Integration, executed in an application. Application owners can refer to logs to check an application's performance, keep track of actions executed in an application, or investigate an action failure.
Compliance and Standards
What are the regulations you are compliant with?
Zoho Creator is compliant with several internationally recognized standards, including:
- ISO/IEC 27001
- ISO/IEC 27017
- ISO/IEC 27018
- ISO 9001:2015
- SOC 1 Type II
- SOC 2 Type II
- SOC 2 + HIPAA
- CSA STAR
- GDPR
- CCPA
- POPIA
- Cyber Essentials Plus
- ESQUEMA NACIONAL DE SEGURIDAD (ENS)
- Signal Spam
Incident Management
How do you manage incidents? Do you notify us when you encounter an incident? How long do you take to resolve incidents?
Incident Management
We have a dedicated incident management team that handles and tracks incidents within our environment. When an incident applies to you, we promptly notify you and provide the necessary actions you may need to take. We track and resolve incidents with corrective actions and implement controls to prevent recurrence. If applicable, we identify, collect, and provide necessary evidence, such as application and audit logs, regarding incidents that affect you.
We respond to security or privacy incidents you report to us via incidents@zohocorp.com. For general incidents, notifications are sent through our blogs, forums, and social media. For incidents specific to an individual user or organization, we notify the concerned party through email (using their primary email address registered with us).
Vulnerability Management
Once a vulnerability is identified and requires remediation, it is logged, prioritized according to severity, and assigned to an owner. We track the vulnerability until it is addressed through patching or applying relevant controls.
Breach Notification
As data controllers, we promptly notify the relevant Data Protection Authority of any breach within 72 hours, as specified by GDPR and other applicable regional laws, after becoming aware of it. As data processors, we inform the concerned data controllers without undue delay.
Data Handling and Retention
What is the data retention policy at the end of the contract, and how is data retrieval managed for the client when the contract ends?
We hold the data in your account as long as you choose to use Zoho Services. If you terminate your Zoho user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. If your unpaid account is inactive for a continuous period of 120 days, we reserve the right to terminate it after giving you continuous reminders and the option to back up your data.
A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. We degauss failed hard drives, then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).
Do you have a policy to prevent production data from being used in development?
Yes, we segregate Development, Testing, and Production Environments. Developers deploy their builds in restricted environments and use them for development and unit testing purposes. Once the change/behavior is confirmed, the developers update a protected build to perform testing on their module functionalities along with the other integrated testing. These local environments are fully internal and are not related to production servers, which are left undisturbed during the testing and development stages. This also ensures that production data is not used for testing purposes. It remains completely untouched and secure, maintaining data integrity and confidentiality.
What are your policies for sharing data with external vendors?
Zoho Creator does not rely on external vendors to process customers' sensitive data, as all modules powering the platform are built in-house. However, we do utilize certain sub-processors to enhance our services. We have strict Data Processing Agreements (DPAs) in place with all our sub-processors to ensure they adhere to our privacy and security standards.
The only sub-processor used by Zoho Creator is Google Translate, which facilitates localization. It does not interact with user data but only processes the meta information of the application. All sub-contractors and vendors involved in the processing of service data are listed here:
https://www.zoho.com/privacy/sub-processors.html
Is there a limit on concurrent usage, and how does Zoho Creator handle scalability?
No, there are no restrictions on concurrent usage in Zoho Creator. To ensure high availability and scalability, we use a shared cluster model with multiple application servers grouped into Application Groups, where each group hosts different codes and functionalities.
Zoho Creator's architecture is designed to auto-scale both horizontally and vertically, distributing the load dynamically within the cluster for optimal performance. This scalability is managed automatically by the platform, ensuring seamless operation even during high usage.
Architecture Overview:
Zoho Creator achieves horizontal scalability by deploying additional front-end servers, which increases throughput and enables the platform to process more requests efficiently. We also utilize an independent asynchronous scheduler engine that handles non-interactive actions and processes large data volumes in batches, optimizing system performance. In periods of reduced demand, downward scaling is automatically applied by removing instances, thereby optimizing operational costs.
For vertical scalability, key metrics such as memory usage, data size per user, and CPU consumption are continuously monitored. When these parameters approach their thresholds, the system automatically scales up. Additionally, for database servers, we increase the number of processing threads to handle additional connections as necessary.
Zoho Creator also employs hybrid scaling, a combination of horizontal and vertical scaling strategies, to allocate resources optimally based on the specific needs of the application. This scalability is fully automated and managed by the platform itself, ensuring smooth and uninterrupted operation.
User and Pricing Overview:
Zoho Creator provides a variety of pricing plans tailored to your specific requirements.
Additional users can be purchased as add-ons to scale your usage.
Miscellaneous
Do you use any third-party services in your systems? Does any third party have access to my data?
Your data is owned by you, not by Zoho. We protect it, limit access to it, and only process it according to your instructions. It remains secure and is never shared with third parties, except in the following cases:
- When you choose to integrate your app with a third-party service using Zoho Creator’s integration tools (like APIs, custom functions, or widgets).
- When required by law, in response to valid legal requests or regulatory obligations.
We design our systems to minimize reliance on third-party services, especially for handling your data.
However, for specific features like translation, we may use trusted sub-processors such as Google Translate. These services are engaged solely for their intended purpose and operate under strict data protection agreements to ensure your information remains secure. Visit our sub-processors page to learn more.