Compliance at Zoho

Certifications

 

IS 642819

ISO/IEC 27001

Steps to download

Valid up to: 21-Aug-2025

ISO/IEC 27001 is one of the most widely recognized independent international security standards. This certificate is awarded to organizations that comply with ISO's high global standards. Zoho has earned ISO/IEC 27001:2013 certification for Applications, Systems, People, Technology, and Processes.

Applicable to - All cloud services and on-premise products of Zoho, ManageEngine, Site24x7, Qntrl, TrainerCentral and GSP Solution.

 

PM 732705

ISO/IEC 27701

Steps to download

Valid up to: 21-Aug-2025

ISO/IEC 27701 is an extension to the ISO/IEC 27001 and ISO/IEC 27002 standards for privacy management within the context of the organization. The certification standard is designed to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). This standard enables organisations to demonstrate compliance with the various privacy regulations around the world that are applicable to them.

Applicable to - All business units, cloud services and on-premise products of Zoho, ManageEngine, Site24x7, TrainerCentral and Qntrl which function in the capacity of a PII controller and/or as a PII Processor.

 

CLOUD 714132

ISO/IEC 27017

Steps to download

Valid up to: 21-Aug-2025

ISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002 and additional controls with implementation guidance that specifically relate to cloud services.

Zoho is certified with ISO/IEC 27017:2015 - Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services.

Applicable to - All Cloud services of Zoho, ManageEngine, Site24x7, TrainerCentral and Qntrl.

 

PII 714133

ISO/IEC 27018

Steps to download

Valid up to: 21-Aug-2025

ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to safeguard the PII that is processed in a public cloud. These controls are an extension of ISO/IEC 27001 and ISO/IEC 27002, and provide guidance to organizations concerned about how their cloud providers are handling personally identifiable information (PII).

Applicable to - All Cloud services of Zoho, ManageEngine, Site24x7, TrainerCentral and Qntrl.

 

FS 724104

ISO 9001

Steps to download

Valid up to: 02-Feb-2026

ISO 9001:2015 is defined as the international standard that specifies requirements for a Quality Management System (QMS). Organizations use the standard to demonstrate the ability to consistently provide quality products and services that meet customer and regulatory requirements.

Applicable to - All cloud services of Zoho, Service Desk Plus Cloud, UEMS Cloud Solution and UEMS On-premise solutions of ManageEngine, Zakya.

 

0116286

ISO/IEC 20000-1:2018

Valid up to: 29-July-2027

ISO/IEC 20000-1:2018 is the leading international IT Service Management System (SMS) standard, with the objective to ensure the quality of the IT services. It specifies requirements for an organization to establish, implement, maintain and continually improve a service management system and it supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value.

Applicable to - Network Operations Center (NOC) and Data Center (DC) Operations of Zoho Corporation.

 

BCMS 689185

ISO 22301

Steps to download

Valid up to: 20-Nov-2026

ISO 22301:2019 BCMS (Business Continuity Management System) is an international standard offering guidelines to protect and sustain our business from potential disruptions. It helps us identify, assess, and manage threats relevant to our operations and critical business functions that could impact our service to customers, by setting up recovery plans and strategies to ensure our business doesn’t come to a standstill during disruptions, including any unexpected disruptions in the future.

Applicable to - Zoho Workplace suite of products (Zoho Mail, Zoho Writer, Zoho Sheet, Zoho Show, Zoho Workdrive, Zoho Meeting, Zoho Cliq, Zoho Connect, Zoho Calendar, Zoho Search), ZeptoMail, Zoho TeamInbox, ManageEngine Mobile Device Manager Plus, ManageEngine Endpoint Central products along with the Support functions, Global Network Operation Center (NOC), Global DC Operations, HR, IT Support, Legal, Physical Security and Admin.

 

SOC 2 Type II

Steps to download

Audit period : 01-Dec-2022 to 30-Nov-2023

Zoho is SOC 2 Type II compliant. SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the AICPA's Trust Services Principles criteria.

Applicable to - All cloud services and on-premise products of Zoho, ManageEngine, Qntrl, TrainerCentral and Zakya.

Note: Our annual SOC (System and Organization Controls) audit is conducted to assess the operating effectiveness for the previous audit period and Zoho will hold the report for the same. Please note that the SOC 1, SOC 2 and SOC 2+HIPAA audit period at Zoho runs from December to November annually. Following the conclusion of this period, it typically takes approximately three months to receive the final audit report from the audit firm.
 

SOC 1 (SSAE 18 & ISAE 3402 - TYPE 2)

Steps to download

Audit period : 01-Dec-2022 to 30-Nov-2023

Zoho is SOC 1 Type II compliant as per AICPA's SSAE18 standard and IAASB's ISAE 3402 standards. SOC 1 reports are primarily concerned with examining controls that are relevant for the financial reporting of customers.

Applicable to - Zoho Books, Zoho Invoice, Zoho Expense, Zoho Inventory, Zoho Billing, Zoho Checkout, Zoho Payroll, Zoho CRM, Zoho Mail, Zoho Projects and BugTracker, Zoho Creator, Zepto Mail, Zakya, Zoho People, Zoho Campaigns.


SOC 2 + HIPAA

Steps to download

Audit period : 01-Dec-2022 to 30-Nov-2023

SOC 2 + HIPAA - An independent third-party audit firm has examined the description of the system related to Application Development, Production Support and the related General Information Technology Controls for the services provided to customers, from Zoho offshore development centre, based on Security, Privacy and breach requirements set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) Administrative Simplification. The responsibility of Zoho is limited to the extent it acts as a 'Business Associate'.

Applicable to - Zoho CRM, Zoho Bookings, Zoho Survey, Zoho Forms, Zoho Desk, Zoho Expense, Zoho Checkout, Zoho Creator, Zoho Analytics, Zoho Mail, Zoho Sheet, Zoho Workdrive, Zoho Sign, Zoho SalesIQ, Zoho Meeting & Webinar, Zoho Pagesense, Zoho Books, Zoho Inventory, Zoho People, Zoho Vault, Zoho Notebook, Zoho Show, Zoho Sprints, Zoho Connect, ZohoOne Engineering, Zoho Bigin, Zoho Campaigns, Zoho Sites, Zoho Assist, Zoho Invoice, Zoho Billing, Zoho Recruit, Zoho Flow, Zoho Writer, Zoho Learn, Zoho Projects and BugTracker, Zoho Marketing Automation, ManageEngine ServiceDesk Plus Cloud, ManageEngine ServiceDesk Plus On-Premises, ManageEngine Endpoint Central/MSP on-Premises, Qntrl, Zoho Lens, Zoho TeamInbox, Zoho Commerce, Zoho Contracts, Zoho Voice, Zepto Mail, ManageEngine ADManager Plus, Zoho Catalyst, Zoho DataPrep, Zoho Office Integrator, Zoho Calendar, Zoho LandingPage, Zoho Backstage.


Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff (GoBD) - Germany are the Principles for properly maintaining, keeping and storing books, records and documents in electronic form and for data access, as provided by the German tax authorities.

Applicable to - Zoho Books, Zoho Invoice and Zoho Expense.

 

Cyber Essentials

Valid up to: 24-June-2025

Cyber Essentials is a UK government-backed scheme designed to help organizations protect themselves against common cyber threats. It outlines a set of basic cybersecurity controls that all organizations can implement to mitigate risks and demonstrate a commitment to cybersecurity.

Applicable to - The UK and EU data centres of Zoho and ManageEngine cloud service offerings, and their corresponding administrative networks only, excluding all other networks.

 

TX-RAMP

Valid up to: 20-June-2027

TX-RAMP (Texas Risk and Authorization Management Program) is a certification process designed by the Texas Department of Information Resources (DIR) to ensure that cloud products and services meet stringent security and privacy standards. Cloud Service Providers (CSPs) intending to contract with Texas state agencies must adhere to TX-RAMP requirements.

By following the TX-RAMP certification and adhering to its requirements, cloud service providers can ensure they meet the security standards necessary to protect sensitive data and comply with Texas state regulations.

Applicable to - ManageEngine ServiceDesk Plus Cloud

 

ESQUEMA NACIONAL DE SEGURIDAD (ENS) - Spain

Steps to download

Valid up to: 22-May-2025

ESQUEMA NACIONAL DE SEGURIDAD (ENS) - Spain, also known as the National Security Scheme, is a regulation in Spain. The ENS refers to the National Security Framework in Spain. It is a set of regulations and guidelines established by the Spanish government to ensure the security of information and communication systems in public administrations. The ENS provides a framework for managing and protecting information assets, promoting risk management, and establishing security measures to safeguard sensitive information. It is applicable to all public entities in Spain, including government agencies, local administrations, and public organizations. Zoho is ENS certified with intermediate category (medium level).

Applicable to - All cloud services of Zoho, Cloud and on-premises solutions of ManageEngine, Site24x7, Qntrl and TrainerCentral.

 

Web Content Accessibility Guidelines (WCAG)

FS 787516

Valid up to: 22-Mar-2026

Web Content Accessibility Guidelines (WCAG) 2.2 AA level is an international standard for web accessibility. It provides a set of guidelines that website and web product creators can follow to ensure that their content is accessible to everyone, regardless of their abilities. This helps to create a more inclusive and accessible digital environment for all users.

Zoho cares deeply about the customer experience. It has always sought to craft experiences that are inclusive and equitable for all its users. WCAG implementation and compliance is a significant step in that direction.

Applicable to - Zoho CRM, Zoho Forms and Zoho Desk.

The Cloud Security Alliance is a non-profit organization formed to define and raise awareness of best practices to help ensure a secure cloud computing environment and to help potential cloud customers make informed decisions when transitioning their IT operations to the cloud. The Consensus Assessments Initiative Questionnaire (CAIQ) is submitted by cloud providers to document compliance with the Cloud Controls Matrix (CCM) and helps cloud service customers assess the security capabilities and practices of a cloud service provider.

Zoho has done a Self-Assessment for the cloud services. Download the CSA STAR Self-Assessment from the CSA STAR Registry for Zoho Corporation Pvt Ltd.

Applicable to - All Cloud services of Zoho, ManageEngine, Site24x7 and Qntrl.

 

Valid up to: 30-SEP-2025

Payment card industry (PCI) compliance refers to the technical and operational standards that businesses must follow to ensure that card data provided by cardholders is protected. PCI compliance is enforced by the PCI Security Standards Council (SSC), to ensure that all businesses that store, process or transmit card data electronically do so in a secure manner that helps reduce the likelihood that cardholders would have sensitive account data stolen.

Zoho, being PCI compliant (Self-assessment: SAQ-D), consistently adheres to a set of guidelines set forth by PCI SSC.

Applicable to - All the Zoho Finance Plus products, i.e. Zoho Books, Zoho Invoice, Zoho Inventory, Zoho Billing, Zoho Expense, Zoho Checkout and Zoho Commerce.

GDPR is a pan-European regulation that requires businesses to protect the personal data and privacy of EU citizens when processing their personal data.

Zoho has always demonstrated its commitment to its users' data privacy by consistently exceeding industry standards. Zoho welcomes GDPR as a strengthening force of the privacy-consciousness that already exists in it.

Zoho's offerings have privacy features that comply with GDPR, and Zoho's processing of its customers' data adheres to the data protection principles of the GDPR. To know more about how Zoho complies with GDPR, click here.

CCPA is a data privacy law specific to the processing of personal information of California residents that requires businesses to protect their personal information and provides privacy.

Zoho has always demonstrated its commitment to its users' data privacy by consistently exceeding industry standards. Zoho welcomes CCPA as a strengthening force of the privacy-consciousness that already exists in it.

Zoho's offerings have privacy features that enable its users to comply with the CCPA, and Zoho's processing of its Californian customers' data adheres to the requirements of the CCPA. To know more about this, click here.

 

CSA

Certified Since : 02-Aug-2018

Certified Senders Alliance (CSA) is a quality certification for mailbox service providers like Zoho Campaigns, making them enter the league of trusted senders. Zoho Campaigns is a CSA-certified service, giving you higher email open rates, improvement in deliverability with whitelisted IPs, and protection against any legal risk.

Applicable to - Zoho Campaigns

Signal Spam reports help in providing FBL data, primarily technical information for identification of spammers and marketing abuse, from major ISPs like Orange.fr, SFR.fr, and so on. It has many spam reporting plugins for third-party browsers and email clients, focused on French communities worldwide. It’s important for both Zoho Corporation and our customers to know all the recipients who mark or report the emails they receive as ‘spam’, so that we can remove them from the lists. Hence, this certification protects our network reputation in the French region.

Applicable to - Zoho Corporation

21 CFR Part 11 and EudraLex Annex 11

The U.S. FDA enforces the 21 CFR Part 11 regulation to ensure that systems used to create, modify, maintain, or transmit electronic records are designed to safeguard the authenticity and integrity of those electronic records, including any electronic signatures applied to them.

In the European Union (EU), EudraLex is the collection of rules and regulations governing medicinal products for human and veterinary use. Under EudraLex rules, Volume 4 Annex 11 establishes the conventions for using computerized systems.

Zoho Sign offers controls that help healthcare and life science organizations comply with industry regulations like 21 CFR Part 11 and Annex 11 (EU).

Applicable to - Zoho Sign

The Compliance certificates/reports can be downloaded from the Zoho Accounts page.

1. Go to https://accounts.zoho.com/home#compliance/certifications
2. Enter your Zoho login credentials.
3. Click on the Compliance tab.
4. Download the required compliance certificates/reports by agreeing to our online non-disclosure agreement.

NOTE: Only verified organisation admins can download the compliance reports/certificates.

Steps to download the certificate:

1. Go to the link: https://gobernanza.ccn-cert.cni.es/certificados
2. Click the second tab - Empresas Certificadas
3. Download the certificate under certificado.