Supporting Zoho's EEA Clientele

Introduction

The advent of the new Standard Contractual Clauses (SCCs) released by the EU Commission brings with it a higher degree of expectation from EU users on data storage, access, and the onward transfer of data across borders. It also requires careful evaluation of each transfer scenario, taking into account the laws of the land from where such access originates or where data is transferred to, and requires organizations to adopt adequate technical and organizational measures.

Zoho has undertaken a detailed assessment of all its transfer scenarios and implemented supplemental measures for the protection of data. We have conducted and documented Transfer Impact Assessments (TIA) considering the legal framework of the countries EU data is transferred to or accessed from. You may refer to our previous post on Zoho's response to the new SCCs.

One scenario we are often asked about is the provision of technical support from outside the EEA (especially from India) for customers whose organizational account is in our EU datacenter. We understand this concern and would like to briefly address it to ease everyone's minds. This blog post ends with our request to customers, that is, what we expect from them when they request support from us.

Tools we use

We use our own products (applications) for our corporate needs. This includes applications such as Zoho Desk, Zoho CRM, Zoho Marketing Automation, Zoho Assist, Zoho Meeting, Zoho Mail, Zoho Creator, Zoho Forms, Zoho Survey, and Zoho SalesIQ, among others.

Where does the data reside?

Our primary corporate account is hosted on our US datacenter. However, for catering to our EU clientele, we use our corporate account hosted on our EU datacenter. If your organizational account is in our EU datacenter, the contents of this blog post are applicable to you. Learn more about where your service data is stored.

What types of access are made?

There are two major types of access.

The first is access to our corporate account (A1) that holds data related to our EU clientele such as support tickets, accounting tools, CRM records, remote assistance software, marketing tools, and the like.

The other is access to the customer database, administrative tools, and logging servers containing log data (A2), which is granted to a very limited set of employees, particularly to developers, for debugging complex issues.

The table below provides more details about A1 and A2 access types.

| Type of access | Access to |
| --- | --- |
| A1 (corporate account) | CRM records, support tickets, remote assistance and marketing tools, accounting tools, webform records, emails and chat conversations, internal analytics and reporting tools. |
| A2 (admin access) | User database, log servers, and administrative tools. |

Note: If you use an on-premise version of Zoho's software (such as ManageEngine On-premise), service data resides completely within your deployment and, thus, access A2 is not possible.

What type of data is viewable to the support representatives?

  • If you are on a remote assist session or share your screen over a meeting, whatever you see on your screen (depending on which type of screen sharing you choose) will be viewable to us. You may choose to share the entire screen, a particular application, a particular window or a specific tab.

  • If you send us screenshots, screen recordings, or similar data, whatever is in the footage is what we will see.

  • If you send us files, logs, attachments, etc., whatever is in the content of these would be viewable to us. Note that we limit the amount of personal or confidential data that is printed in the logs.

  • Queries on administrative tools (A2) primarily provide us with information such as your contact information, subscription information, some parameters pertaining to your use of the application, and certain internal metadata.

  • If you grant access to support, such as through options like "Allow access to support", data within that specific form or application will be viewable by us.

  • User agent, IP address, request URLs and parameters are viewable from the logging servers. However, secrets such as tokens and passwords are redacted permanently and can never be viewed by support personnel.

  • If you add any of our support personnel to your organizational account, the permissions granted to the role assigned to that person's ID define their level of access.

  • Whatever data you submit through our webforms will be viewable to personnel based on the permissions granted to them for that form's report.

  • If any data is encrypted in storage, any query on that data (A2) would not decrypt it, and thus will not be viewable to us.

In summary:

| Type of access | Access to | Data viewable |
| --- | --- | --- |
| A1 (corporate account) | CRM records, support tickets, remote assistance and marketing tools, accounting tools, webform records, emails and chat conversations, internal analytics and reporting tools. | Contact information, subscription information, application metadata, content of support email threads, attachments and files, invoices, internal parameters regarding your use of a given Zoho application, basic device information such as Device IDs, data submitted via webforms |
| A2 (admin access) | User database, log servers, and administrative tools. | Service data (unencrypted data only), user agent, IP address, URLs accessed within Zoho applications and their parameters, application metadata |

Do Indian employees have access to EU data?

Yes, but access is provisioned only to a limited set of employees (from India) who work with EU clientele, to select developers, and select product managers. Access is provided subject to an internal approval mechanism where the reason for requesting access must be justified and validated by a team of members. Permissions granted are reviewed periodically and access is logged automatically. As mentioned above, A2 access is provided only for a very limited set of employees, especially to developers for debugging complex issues.

Do employees from countries other than India have access to EU data?

In certain situations, yes. Employees from Mexico are granted provisional access to our EU corporate account (A1) for reasons such as handling support in Spanish.


What security measures are taken by Zoho for such access?

  • Written procedures are made available to all support personnel, who are required to (and are trained to) follow protocol.

  • Employees who are granted access to the EU datacenter (both A1 and A2) are subject to background verification.

  • Those with A2 access are required to take special training courses periodically.

  • All access is logged.

  • Permissions granted are reviewed regularly.

  • A2 access to service data can be done only via a separate login and a completely separate virtual network which is independent of the corporate network.

  • A2 access to administrative tools and log servers can be done only via a separate login over our corporate network.

  • A1 access is done via a separate corporate account on the EU datacenter.

  • All data accessed is encrypted during transit.

  • Devices used for access are kept updated with the latest version of antimalware software, and their disks are encrypted.

  • Export of data from the respective datacenter application systems is highly restricted.

  • Zoho is certified against industry standards such as ISO 27001 (ISMS), ISO 27701 (PIMS). Data protection controls are implemented based on extensive risk assessment. Read here to learn more about compliance at Zoho.

What is the legal mechanism that facilitates this access?

An intra-company agreement, which is based on the SCCs and signed by the participating Zoho entities, captures the various data transfer (and access) scenarios, the roles of each participating entity for the provision of the service, and the controls implemented.

Does Zoho have an EU-only support team?

We are working to staff up resources who will work from within the EEA. However, it may take some time to fully scale to our large EU clientele.

Whom should I contact for more information related to the TIA, or to request the Data Processing Addendum (DPA)?

You can reach out to legal@eu.zohocorp.com quoting your Zoho-registered-email ID, and the services and applications that you use or plan to use.

How long does Zoho retain the data shared with them for support purposes?

Zoho stores this information for as long as it is required to fulfil any obligations we have, to keep a consistent track of previous requests from you (such as to help us solve future requests), to resolve any disputes that may arise, and to assess and enhance the quality of support. Zoho does not use the data shared for any other purpose. However, as stated in our Privacy Policy, we may use the support interaction (threads and conversations) to build our automation tools and AI capabilities.


As an EU customer of Zoho, what should I do?

While requesting any type of support:

  • Redact any personal, sensitive, or confidential information before sharing screenshots, recordings, or files.

  • Ensure you contact our support team or our employees through the dedicated support IDs, which are of the form {support/employeeusername}@eu.{zohocorp/zoho<product>}.com

  • Less is more. Share only the relevant or requested information. Avoid sharing large volumes of data.

  • If you have shared inaccurate data as part of your support ticket, you may request the support representative to delete the ticket entirely before you resend another one.

  • Always use your Zoho-registered email ID for support communications to avoid unintended processing of your personal details.

  • Verify remote session links before joining. Scammers are everywhere. Always check with the support representative when in doubt.

  • Instead of attaching files to an email, you may choose to upload the requested information to a cloud drive such as your corporate cloud folder and share the link (password protected and with access expiry) in the support email.

  • While participating in a remote session with us, remember that you are still in control. If you're not okay with an action that the agent is performing on your device or account, you have the right to terminate the session. If at any time you are hesitant to share your screen, you can reject the session invitation as well. 

  • If you suspect any unauthorized processing in your account, notify us immediately at privacy@eu.zohocorp.com.


Additional resources

  1. Zoho Privacy FAQ

  2. Zoho Security Whitepaper

  3. Zoho welcomes the new SCCs

  4. Zoho's ISO 27701 (PIMS) compliance

  5. How the ISO 27701 helps Zoho demonstrate continued compliance with the GDPR
