FAQ
Introduction
On this page, you’ll find answers to our customers’ common questions about Zscaler’s data privacy practices.
For more information about our data privacy practices, please see our Data Privacy and Protection Overview site.
Data Processing
1. Where can I find Zscaler’s Data Processing Agreement (DPA)?
Zscaler is a data processor that processes personal data on behalf of our customers. Our DPA serves as our customer's written instructions with regard to the processing of personal data and records our commitment to process that data in compliance with applicable data protection legislation.
You can find the Zscaler DPA here, and it is incorporated in the Zscaler End User Subscription Agreement (EUSA). If you have any questions about the DPA, please reach out to your Zscaler contact or privacy@zscaler.com.
2. Why does Zscaler collect and use my personal data?
Our products enable our customers to grant their authorized users direct, secure access to the internet or specific applications from anywhere and from any device. Therefore, our products use personal data like context-based identity to ensure that our customers can guard against intruders and authenticate their authorized users’ access requests.
3. What personal data does Zscaler collect?
For a list of the types and descriptions of the personal data Zscaler processes, please see Exhibit A of our DPA. The types of personal data Zscaler processes are limited (e.g., IP addresses, URLs, user IDs, and user groups and departments from the corporate directory). Zscaler does not store any special or sensitive categories of personal data (e.g., credit card or protected health data).
4. Does Zscaler use sub-processors to provide its services?
Yes. Like every cloud vendor, Zscaler engages sub-processors to provide its services. However, none of the data shared with sub-processors is used for secondary purposes such as third-party advertising. Zscaler performs due diligence on the security and privacy practices of its sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to customer data (which may include Personal Data) and the scope of the services they provide.
Zscaler requires sub-processors to enter into written contractual commitments to provide adequate data protection and confidentiality according to Zscaler privacy policies. Our due diligence efforts also involve ensuring that all of our sub-processors maintain compliance with data protection laws.
You can see a current list of our sub-processors here.
5. Does Zscaler store personal data?
Yes, but the types of personal data Zscaler processes are limited. For a list of the types and descriptions of the personal data Zscaler processes, please see Exhibit A of our DPA.
For the majority of Zscaler’s services and products, transaction content (which includes any substantive part of the request, such as messages or files) is never stored by Zscaler or written to disk. All inspection of transactions takes place in memory.
6. How long does Zscaler store personal data?
Depending on the product, Zscaler offers customers the option to select the log storage location. Any personal data will be retained by Zscaler in accordance with the applicable log retention policy for each product, published at https://help.zscaler.com/logs-fair-use.
7. How is personal data processed by Zscaler?
Zscaler operates a globally deployed security cloud. Data sent to Zscaler, which may include personal data, is processed in one of our 150+ global data centers depending on where the customer’s users are located (e.g., EU data centers for EU users, US data centers for US users). For example, if an EU user travels to the US, Zscaler will process the user’s personal data at the closest data center, which would be in the US. Please note that Zscaler data centers are not sub-processors; they are co-located facilities (i.e., rented rack space) where Zscaler controls the processing at all times.
Even if a customer only has users in the EU, Zscaler provides global support services not only from the EU, but also from the US, India, and Costa Rica (for some US-based companies only) to ensure 24/7/365 coverage. This is a common practice among most cloud vendors.
8. How do data subjects exercise their right to access, correct, and delete their personal data?
Zscaler has an internal process for responding to data subjects’ requests. However, it is important to remember that as the data controller, our customer is responsible for reviewing and validating the request and submitting a support ticket to Zscaler. A data rights request should only be made if a data subject (usually a customer employee, contractor, or authorized user) makes such a request to our customer. If Zscaler receives a data rights request directly, we will redirect the person to our customer to validate and respond.
Security
9. How does Zscaler protect personal data?
Zscaler adheres to rigorous security, availability, confidentiality, and privacy standards so customers can adopt our services with confidence.
Our compliance team works to ensure all Zscaler products are aligned with and certified against internationally recognized government and commercial standards and frameworks, giving customers confidence in the solutions we provide.
Zscaler holds a number of certifications, including ISO 27001 and System and Organization Controls (SOC) 2 Type II. Zscaler is audited annually by a third party to ensure ongoing compliance with these certifications. Zscaler regularly tests, assesses, and evaluates the effectiveness of its security measures. Upon written request, and subject to appropriate confidentiality protections being in place, Zscaler can provide customers with a copy of its most recent ISO 27001 certificate and/or SOC 2 Type II report.
Click here to learn more about our numerous privacy and security certifications.
10. Does Zscaler notify customers about data breaches?
Yes, Zscaler will notify affected customers without undue delay, in accordance with applicable law, after confirming the incident. Zscaler will take reasonable steps to (a) identify the cause of the security incident and (b) take any actions necessary and reasonable to remediate the cause of such security incident to the extent such remediation is within Zscaler’s reasonable control.
11. How does enabling TLS/SSL inspection fit with security requirements and compliance with privacy laws?
Enabling TLS/SSL inspection does not change the limited amount of data Zscaler processes or stores. Rather, it helps our customers meet their obligations under Article 32 of the GDPR by providing the appropriate level of security for the processing of personal data. Although there are business, privacy, and security implications of using TLS/SSL inspection that our customers must consider, these must be balanced against the obligation to ensure that the rights of each customer employee are protected from threats and attacks. As such, rather than a threat to privacy, TLS/SSL inspection should be viewed as a tool supporting an organization’s privacy compliance.
Zscaler offers comprehensive TLS/SSL inspection capabilities to protect customers from threats hidden in encrypted traffic. Once data inspection is complete, the data flow continues unimpeded, with no record of the source data preserved beyond the log of the transaction itself.
International Data Transfers
12. What appropriate safeguards does Zscaler rely on to transfer personal data outside of the EU?
Zscaler adheres to the EU Standard Contractual Clauses and appropriate addenda for transfers of personal data outside of the EU, Switzerland, or the United Kingdom. Additionally, Zscaler complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (collectively, the “Data Privacy Framework” or “DPF”).
For more information, please see our Data Processing Agreement or visit https://www.dataprivacyframework.gov to search for our DPF certification.
13. What measures does Zscaler implement to protect personal data that is transferred outside of the EU?
We implement the technical and organizational security measures specified in our Security Measures, which form part of the DPA, to safeguard and protect the confidentiality and security of the personal data that is transferred.
14. Does Zscaler maintain a transfer impact assessment for its products and services?
Please see Zscaler’s Transfer Impact Assessment White Paper.
Governance
15. How does Zscaler comply with privacy legislation around the globe?
Zscaler is committed to maintaining compliance and carefully monitors the development of privacy legislation and regulations in various countries. For more information about how Zscaler complies with various privacy laws, please visit zscaler.com/privacy/global-privacy-laws.
16. Does Zscaler have a compliance and data protection/privacy officer?
Yes, our Privacy Team is tasked with ensuring that Zscaler complies with data protection laws and avoids the risks organizations face when processing personal data. Members of the Privacy Team are experts in the organization, forming the link between the public and Zscaler in relation to the processing of personal data. The Privacy Team acts as the body to which data protection queries are directed. Members of the Privacy Team are Certified Information Privacy Professionals (CIPP).
17. Does Zscaler have an executive body responsible for privacy and data security risks?
Yes, the Zscaler board of directors has oversight responsibilities for all enterprise risks, including privacy. The Board delegates some of that responsibility to standing committees that report back to the full Board. The Audit Committee and the Nominating and Corporate Governance Committee are each tasked with overseeing privacy risks and cybersecurity threats.
19. Does Zscaler maintain and provide transparency reports of government requests for personal data?
Yes. Zscaler takes trust and transparency very seriously, particularly when related to the use and disclosure of the personal data of a customer’s user. Zscaler publishes annually the number of requests it received in the previous year from government agencies, regulatory bodies, and other law enforcement authorities to disclose data relating to Zscaler customers’ use of Zscaler products.
To access our full report on government requests, see our Transparency Report.
To learn about Zscaler’s policy for handling government access requests, see Zscaler’s Transfer Impact Assessment White Paper.
20. Who do I contact if I have more questions?
You can email us at privacy@zscaler.com.