Security Measures
Last Updated: August 8, 2024
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Data Processing Agreement here: https://www.zscaler.com/legal/data-processing-agreement.
Secure Files. Throughout the Subscription Term, Personal Data in Zscaler’s possession or control shall be subject to safeguarding and disaster recovery protection and shall be stored at secure physical or electronic facilities operated under Zscaler’s control.
Data Availability. Zscaler shall adhere to appropriate technical and organizational measures that represent the best industry practices in the storage, safeguarding, and preservation of any Personal Data in Zscaler’s possession or control, including performing real-time backups to regional, geographically dispersed locations and ensuring the security (i.e., against both physical and unauthorized remote access) of all hardware and equipment used to host or store such Personal Data pursuant to the provisioning of the SaaS.
Safeguards and Controls. Zscaler agrees that during the Subscription Term, and continuing as long as Zscaler controls, possesses, stores, transmits, or processes Personal Data, Zscaler and its subcontractors/sub-processors shall employ and maintain reasonable security measures to ensure that all Personal Data in Zscaler’s possession or control is protected from unauthorized use, alteration, access or disclosure (a “Security Incident”), and to protect and ensure the confidentiality, integrity and availability of such Personal Data, consistent with all applicable laws and regulations relating to the security and/or privacy of Personal Data (“Data Protection Legislation”). Such security measures shall include, but not be limited to, the following:
implementing reasonable restrictions regarding physical and electronic access to such Personal Data, including, but not limited to, physical access controls, secure user authentication protocols, secure access control methods, firewall protection, malware protection, anonymization, tokenization, and use of encryption where appropriate or required by applicable Data Protection Legislation;
maintaining a reasonable and appropriate written data security policy that includes technological, physical, administrative, and procedural controls to protect the confidentiality, integrity, and availability of such Personal Data, that encompasses access, retention, transport, and destruction of such Personal Data, and that provides for disciplinary action in the event of its violation;
preventing terminated employees from accessing such Personal Data by terminating without undue delay their physical and electronic access to Zscaler’s Products;
employing assessment, monitoring and auditing procedures to ensure internal compliance with these safeguards;
conducting an independent security assessment of these safeguards at least annually, and, upon Customer’s reasonable written request not more than once annually, providing certification to demonstrate compliance with all such applicable security requirements.
Reporting. Zscaler shall maintain records, logs and reports concerning its compliance with Data Protection Legislation and/or relevant industry standards, security breaches, storage, processing, and transmission of Personal Data in its possession or control.
As a condition of providing the Products to Customer under the Agreement, no less than once each calendar year, Zscaler will undergo, at its sole cost and expense, a Statement on Standards for Attestation Engagements (SSAE) No. 18 for Reporting on Controls at a Service Organization, System and Organization Controls (SOC) 2 Type 2 audit (or industry equivalent as the standard may progress). Upon Customer’s written request, Zscaler will provide Customer, on an annual basis, with a copy of its most recent SSAE No. 18 SOC 2 Type 2 report resulting from such audit and such other evidence, information, and documentation as is reasonably necessary to demonstrate compliance with these Security Measures.
Security Incident Response. Zscaler shall maintain policies and procedures for responding to Security Incidents. In the event of a Security Incident involving unauthorized disclosure, loss, or destruction of Personal Data in Zscaler’s possession or control, Zscaler shall:
promptly and without undue delay investigate the reasons for and circumstances surrounding such Security Incident;
use best efforts and take all necessary actions to contain and mitigate the impact of such Security Incident;
provide written notice to Customer after Zscaler confirms a Security Incident;
provide a written report to Customer concerning such Security Incident detailing Zscaler’s findings, and update such report periodically thereafter as necessary;
collect and preserve all evidence concerning the cause, remedial actions, and impact related to such Security Incident, which shall meet reasonable expectations of forensic admissibility;
document the Security Incident response and remedial actions taken in detail; and
so long as Zscaler is not required to violate the confidentiality obligations it owes to any of its other customers, partners, or vendors, provide Customer with any relevant documents related to such Security Incident, including any security assessment and security control audit reports, relevant logs, and/or any forensic analysis of such Security Incident.
Destruction. Zscaler shall take all reasonable steps to ensure proper destruction (such that Personal Data is rendered unusable and unreadable) after the expiration or earlier termination of the Agreement, subject to the applicable retention period for the Product.
Management Direction for Information Security. Zscaler will assign a qualified member of its workforce with expertise in information security to be responsible for the development, implementation, and maintenance of Zscaler’s enterprise information security program.
Organization of Information Security.
Zscaler will ensure that the responsibilities of its workforce are appropriately segregated to reduce opportunities for unauthorized or unintentional access, modification, or misuse of the organization’s assets.
Zscaler will maintain contact with the governing regulatory authorities to ensure ongoing compliance with the mandated regulatory requirements.
Zscaler will maintain appropriate contact with special interest groups, specialist security forums, and/or professional associations to remain abreast of evolving information security threats and trends.
As applicable, Zscaler will ensure that information security is addressed within its internal project management processes.
Human Resources Security.
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations, and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Zscaler will train new and existing employees and subcontractors to comply with relevant data security and data privacy obligations. Ongoing training is to be provided at least annually and more frequently as appropriate.
To the extent applicable, Zscaler will ensure that employees, contractors, sub-contractors, or vendors are required to sign an agreement that contains confidentiality requirements at least as protective as those in the Agreement.
Asset Management.
Zscaler will maintain an inventory of assets associated with information and information processing facilities.
Assets maintained in the inventory are assigned to an individual or group that is accountable and responsible for the assigned asset(s).
Acceptable use of assets is defined within a formal policy or standard.
The return of assets is clearly communicated, via policies and/or training, to all employees and external party users upon termination of their employment, contract, or agreement. Return of assets is documented and tracked.
Zscaler classifies data in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Procedures for handling assets are developed and implemented in accordance with this information.
Media Handling. Procedures are implemented for the management of removable media in accordance with the information classification.
Access Control.
Zscaler will ensure that Customer’s Confidential Information and Personal Data will be accessible only by authorized personnel with appropriate user identification, two-factor authentication, and access controls commensurate with information classification.
Two-factor authentication is required for remote connectivity.
Each authorized personnel shall have unique access credentials and shall receive training which includes a prohibition on sharing access credentials with any other person.
Zscaler will have a formal user access provisioning process to assign or revoke access rights for all user types to all systems and services.
The allocation and use of privileged access rights will be restricted and controlled.
The allocation of secret authentication information is controlled through a formal management process.
User access rights are reviewed at regular intervals but at a minimum on an annual basis.
The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract, or agreement, or adjusted as appropriate upon change in role or responsibilities.
Password management systems are interactive and ensure strong passwords.
Cryptography.
Zscaler has a formal policy on the use of cryptographic controls for protection, including the use, protection, and lifecycle of cryptographic keys.
Zscaler agrees that all Personal Data will be protected and, where encrypted, will be encrypted using a Federal Information Processing Standard (FIPS) 140-2 compliant encryption product. Symmetric encryption will use a minimum key length of 128 bits, and asymmetric encryption will use a minimum key length of 1024 bits. Encryption will be utilized in the following instances:
Personal Data that is stored on any portable computing device or any portable storage medium.
Personal Data that is transmitted or exchanged over a public network.
Physical and Environmental Security.
A clear desk policy for papers and a clear screen policy for facilities processing Personal Data is adopted and adhered to.
Systems are located in co-location facilities and are maintained by Zscaler personnel.
Only individuals on the approved access list can access Zscaler equipment and systems.
All facilities require badge and/or biometric access and have 24x7 security guards and CCTV.
Some facilities include the use of man-traps, which prevent unauthorized individuals from tailgating authorized individuals into the facility.
Access is created and maintained by Zscaler and only authorized to Zscaler personnel with a business need.
Visitors to the facility are required to be escorted at all times and are not allowed in caged areas.
Operations Security.
Changes to the organization, business processes, information processing facilities, and systems that affect information security shall be formally controlled.
Zscaler agrees that development and testing environments shall be separated from operational or production environments to reduce the risks of unauthorized access or changes to the operational or production environment.
Zscaler’s software development processes and environment must protect against malicious code being introduced into its Product(s), future releases thereof, and/or updates thereto.
Zscaler shall have a dedicated team responsible for performing security audits, vulnerability scans, evaluating results and monitoring the remediation of technical vulnerabilities to ensure measures are taken to address the associated risk.
Zscaler software that controls access to Confidential Information or Personal Data must log and track all access to the information.
Logging facilities and log information shall be protected against tampering and unauthorized access.
Zscaler shall maintain access logs relevant to Personal Data for the time period stated in the Agreement depending on the Product being used.
Rules governing the installation of software by Zscaler personnel are established and implemented on operational systems.
Network Security. Zscaler agrees to implement and maintain network security controls that conform to industry standards, including but not limited to the following:
Zscaler will appropriately segment its network to only allow authorized hosts and users to traverse areas of the network and access resources that are required for their job responsibilities.
Zscaler will ensure that publicly accessible servers are placed on a separate, isolated network segment typically referred to as the Demilitarized Zone (DMZ).
Zscaler will ensure that its wireless network(s) only utilize strong encryption, such as WPA2.
Zscaler will have an IDS and/or IPS in place to detect inappropriate, incorrect or anomalous activity and determine whether Zscaler’s computer network and/or server(s) have experienced an unauthorized intrusion.
As appropriate, groups of information services, users and information systems shall be segregated on networks.
Data Transfers. Zscaler may transfer Personal Data to provide its Products. Such transfers may involve movement between jurisdictions and across international borders. Zscaler will ensure that Personal Data cannot be read, copied, modified, or deleted without authorization during electronic transport or storage, and that the facilities to which any Personal Data is transmitted can be established and verified. Practices implemented and maintained by Zscaler include, but are not limited to, the following:
All management connections to the servers occur over encrypted Secure Shell (SSH), Transport Layer Security (TLS) or Virtual Private Network (VPN) channels and remote access always requires multi-factor authentication.
Unless the connection originates from a list of trusted IP addresses, Zscaler does not allow management access from the Internet.
Zscaler maintains a change management system to submit, authorize, and review any changes made in the production environment.
Zscaler maintains a dedicated Network Operations Center (NOC), which is staffed 24/7.
Communications Security.
Formal data transfer policies, procedures and controls shall be in place to protect the transfer of sensitive Confidential Information or Personal Data within electronic messaging.
Zscaler will execute a data protection and information security agreement with electronic communication service providers to ensure that security controls meeting Zscaler’s requirements have been implemented.
System Acquisition, Development, and Maintenance.
Applicable information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
Confidential Information or Personal Data involved in application services passing over public networks shall be protected from fraudulent activity, unauthorized disclosure, and modification.
Zscaler shall have policies that govern the development of software and systems and how information security and integrity are established and applied during development. Zscaler shall have a policy that outlines a governing framework to validate that security controls are present in the solution to ensure confidentiality, integrity, and availability. Additionally, the policy will outline the processes, procedures, and standards to ensure no known security flaws have been introduced, intentionally or unintentionally, at any point in the Product’s lifecycle until such time as the Product has formally reached end of life.
Upon initial hire or engagement of software developers, Zscaler shall provide them with secure software development training. Thereafter, Zscaler shall provide supplemental training periodically as necessary to address changing industry conditions and vulnerabilities. Any such training shall occur at least every two (2) years.
Principles for engineering secure systems are established, documented, maintained, and applied to any information system implementation efforts.
Zscaler does not currently outsource system development responsibilities; however, should this change in the future, Zscaler shall supervise and monitor the activity of any such outsourced system development.
Service Provider Due Diligence.
Zscaler will conduct due diligence reviews on its service providers who may have an impact on Zscaler’s ability to meet the requirements of the Agreement and these Security Measures.
Due diligence of such service providers shall include, but is not limited to, determining the appropriate information security requirements that should be included in agreements between Zscaler and its service providers.
Application and Software Security. Zscaler agrees that its Product(s) will, at a minimum, incorporate the following:
Zscaler uses third party auditors at least annually to conduct automated (i.e., SAST, DAST and SCA) and manual (i.e., penetration testing) security assessments to ensure the Product codebase contains no known exploitable conditions classified as ‘Critical/Very High’ or ‘High’, or otherwise captured on the OWASP Top 10 or CWE/SANS Top 25 lists.
Zscaler agrees to provide, maintain and support its software and subsequent updates, upgrades, and bug fixes, such that the software is, and remains secure from Common Software Vulnerabilities in accordance with its product end of life (EOL) and end of sale (EOS) policy.
Zscaler agrees to provide updates and patches to remediate security vulnerabilities based on severity by CVSSv3 score and will work to remediate any known zero-day exploits without undue delay. In case of critical vulnerabilities, Zscaler will deploy mitigation with urgency upon discovering the issue and push out a patch without undue delay thereafter depending on risk level post mitigation.