Encryption can be used in two situations:
- Encryption in transit
- Encryption at rest (EAR)
Encryption in transit
This refers to data that is encrypted when it is moving from one place to another—including from your browser to a web server, or other third parties via integrations. Encrypting data in transit protects your data from man-in-the-middle attacks.
Encryption at rest
This refers to data that is encrypted when it is stored (not moving)—either on a disk, in a database, or in some other form of media. In addition to the encryption of data during transit, encryption of data when stored in servers provides an even higher level of security. EAR protects against any possible data leak due to server compromise or unauthorized access.
Encryption is done at the application layer using the AES-256 algorithm, which is a symmetric encryption algorithm that uses 128-bit blocks and 256-bit keys. The key used to convert the data from plain text to cipher text is called the data encryption key (DEK). The DEK is itself encrypted using the key encryption key (KEK), providing yet another layer of security. In the case of Zoho, the keys are generated and maintained by our in-house Key Management Service (KMS).
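The DEK/KEK layering described above, shown as an added example that is not Zoho's code. `LocalKms` is a hypothetical in-process stand-in for a key management service, and the GCM mode and the nonce/tag/ciphertext layout are assumptions, since the page specifies only AES-256.

```javascript
const crypto = require("crypto");

// AES-256-GCM helpers. GCM is an assumed mode; the page only names AES-256.
// Output layout (constructed for this example): nonce(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce); // throws unless key is 32 bytes
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function open(key, sealed) {
  if (sealed.length < 28) throw new Error("sealed value is truncated");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  // final() throws if the key is wrong or any byte was modified
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Hypothetical in-process stand-in for a key management service: it holds the
// KEK and only ever hands out wrapped or unwrapped DEKs, never the KEK itself.
class LocalKms {
  #kek = crypto.randomBytes(32);
  wrap(dek) { return seal(this.#kek, dek); }
  unwrap(wrappedDek) { return open(this.#kek, wrappedDek); }
}

// Encrypt one value under a fresh DEK, then wrap that DEK under the KEK.
// Only the wrapped DEK and the ciphertext are stored.
function encryptRecord(kms, plaintext) {
  const dek = crypto.randomBytes(32); // 256-bit data encryption key
  const record = { wrappedDek: kms.wrap(dek), ciphertext: seal(dek, Buffer.from(plaintext, "utf8")) };
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return record;
}

function decryptRecord(kms, record) {
  const dek = kms.unwrap(record.wrappedDek);
  try {
    return open(dek, record.ciphertext).toString("utf8");
  } finally {
    dek.fill(0);
  }
}

// Constructed sample value standing in for a stored connection token.
const kms = new LocalKms();
const stored = encryptRecord(kms, "sample-connection-token");
console.log(stored.wrappedDek.length, decryptRecord(kms, stored));
```

A stored record is useless without the KEK: decrypting with a different `LocalKms` instance, or after any byte of the record has changed, throws instead of returning data.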
What data do we encrypt in Zoho Flow?
The data encrypted in Zoho Flow includes, but is not limited to:
- Audit trail
- Flow history logs
- Connection tokens and user credentials
- Personally identifiable information
Personally identifiable information includes the verified From email addresses when using the Send Email action, the email addresses of pending user invites to a Zoho Flow organization, and lead data from marketing, such as name, email address, and country.
Full disk encryption
Besides application-layer encryption, full disk encryption is available in our EU (Europe), IN (India), and AU (Australia) data centers.