The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council of the European Union on a proposal from the European Commission. It entered into force on May 24, 2016 and has applied since May 25, 2018, after a two-year transition period. It strengthens and unifies data protection for individuals within the European Union (EU) and also governs the transfer of personal data outside of the EU. The primary objectives of the GDPR are (i) to enhance the protection of EU personal data and (ii) to simplify the regulatory environment for international business by imposing uniform data protection requirements across all EU member states.
The GDPR replaced the Data Protection Directive (officially Directive 95/46/EC) adopted in 1995. The GDPR is a significant change in the data privacy landscape in the EU and more clearly allocates responsibility between the data controller (Zscaler’s customers and partners) and the data processor (Zscaler) with respect to the processing of personal data. Under the GDPR, both the data controller and data processor have additional duties and obligations to protect personal data, and both face liability for any failures to comply with the GDPR requirements.
Zscaler is committed to our customers’ success, including compliance with the GDPR. The GDPR will require a closer partnership between Zscaler and our customers in their use of our services and products. Zscaler has closely analyzed the requirements of the GDPR, and has made enhancements to our services, products, documentation, and contracts to support our own compliance with the GDPR. In addition, Zscaler is dedicated to assisting our customers with their GDPR compliance efforts.
Assisting our Customers in Complying with the GDPR
- Controller vs. Processor Responsibility Chart: Zscaler has compiled a comprehensive, side-by-side chart of the customer’s obligations as the data controller vs. Zscaler’s obligations as the data processor. This chart is a helpful tool for our customers to better understand what exactly they need to do to comply with the GDPR and what they can expect from Zscaler.
- Updated Data Processing Agreement (DPA): Zscaler has also updated its DPA to align with GDPR requirements. This updated DPA contains revised or additional contractual provisions in order to assist our customers in their compliance with the GDPR. You may download the pre-signed DPA here and follow the instructions on page 1 for executing.
Zscaler Compliance with the GDPR
As a security-as-a-service provider, data protection is at the core of Zscaler’s business and something Zscaler takes very seriously. Zscaler remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of Zscaler’s compliance with several of the key areas of the GDPR.
- When acting as a data processor, Zscaler will only process personal data on behalf of the data controller and on written authorization from the data controller (i.e., through a contract or order).
- Zscaler expects that its customers and partners, as the data controllers, will notify their employees and users (i.e., the data subjects) of the processing carried out by Zscaler and will establish a lawful basis for it. Consent is one such basis, but because consent from employees to their employer is often not considered freely given under the GDPR, controllers should confirm with counsel whether another Article 6 basis (such as legitimate interest) is the appropriate one.
- Zscaler ensures the confidentiality, integrity and availability of the personal data that it processes and that appropriate technical and organizational measures are taken to protect such personal data.
- Zscaler stores a limited amount of personal data (e.g., IP Addresses, URLs, user IDs, user groups and departments from corporate directory) and does not process or store any special categories of personal data (i.e., “sensitive” data). In addition:
- For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk; all inspection takes place in memory.
- For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).
- For Zscaler App (Z App) software, customers can globally enable or disable the packet capture through policies with Zscaler, and delete the packet capture logs from the applicable laptop, desktop, or personal mobile device.
- Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores. Rather, it provides an added layer of security protection for those threats concealed behind encrypted traffic and provides additional protection for our customers’ employees and other users.
- Customers have the option to obfuscate their user IDs from ever being seen by Zscaler Operations and Support teams or their own administrators.
- Customer Transaction Logs (Customer Logs) are indexed, compressed, and tokenized at the point of generation, so that a single Customer Log is meaningless without the complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to the stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA.
- The Customer Logs are never stored in clear text.
- During the deployment process, Customers may choose to have their Customer Logs stored in the EU and Switzerland only. Further, for an additional fee, customers can store their Customer Logs in Zscaler-managed servers on customer’s own premises.
- Zscaler only allows access to personal data by personnel who are authorized administrators with appropriate privileges.
- Zscaler does not process or store any personal data that is not needed to perform the contracted services on behalf of the data controller.
- The personal data that Zscaler processes on behalf of the data controller will be accurate, complete, and kept up-to-date as much as technically possible.
- Personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as required by law.
- All transfers of personal data outside of the European Economic Area (EEA) will only be done for the purposes of providing the contracted services to the data controller and will be subject to EU-US and Swiss-US Privacy Shield principles and/or EU Standard Contractual Clauses. Note that the Court of Justice of the EU invalidated the EU-US Privacy Shield in July 2020 (Schrems II), so Privacy Shield can no longer be relied on as a transfer mechanism; transfers must instead rest on Standard Contractual Clauses (with an accompanying transfer impact assessment) or another mechanism under Chapter V of the GDPR.
- Zscaler retains Customer Logs in its cloud infrastructure for rolling periods of at least six months, after which the Customer Logs are securely purged. In addition, customers can order Zscaler’s Nanolog Streaming Service (NSS) in order to retain such Customer Logs for however long they choose.
- Zscaler will obtain the consent of the data controller before engaging any sub-processors, which may include contractual consent or general consent. Zscaler will be responsible and liable for the performance of such sub-processors. Zscaler will maintain an up-to-date sub-processor list at https://www.zscaler.com/legal/subprocessors.
- At contract termination or expiration, the Customer Logs will be purged pursuant to the six month retention cycle, or as earlier requested in writing by the data controller.
- Zscaler will make available to the data controller all information reasonably necessary for the data controller to demonstrate its compliance with the GDPR.
- Zscaler will be accountable and responsible to ensure its own compliance under the GDPR.
- Zscaler will assist the data controller in meeting the data controller’s compliance obligations under the GDPR, taking into account the nature of the processing and the information available to Zscaler.
- Zscaler protects personal data through reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.
- Since Zscaler operates a multi-tenant cloud, it has certified to the ISO 27001 information security framework in order to maintain consistent and robust security controls and procedures for all customers on its cloud. In addition, Zscaler adheres to System and Organization Controls (SOC) 2, Type II standards.
- Zscaler performs robust security measures on its cloud such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security code peer reviews.
- Zscaler’s cloud infrastructure is hardened against DDoS attacks and monitored 24x7x365.
- All Zscaler personnel who are authorized to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.
- Zscaler encrypts all traffic communications on its cloud, in addition to anonymizing, pseudonymizing, or obfuscating data where technically possible.
- In addition to adhering to ISO 27001 principles, the top tier global data centers that Zscaler uses take security just as seriously as Zscaler – through, among other protections, sophisticated entry control systems, dual power feeds with backup generators, and video surveillance.
- Through Zscaler’s global network of data centers and fail-over capabilities, Zscaler is able to ensure ongoing confidentiality, integrity, availability and resilience of its processing systems and services, in addition to restoring real-time availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Zscaler has an internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing of personal data.
- With prior written notice, and subject to certain Zscaler requirements and controls being put in place, Zscaler will permit its customers and partners to perform annual audits and automated inspections of its cloud.
- Zscaler will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in reporting personal data breaches to supervisory authorities and affected EU data subjects. Controllers should note that their own deadline under Article 33 for notifying the supervisory authority is, where feasible, 72 hours from becoming aware of the breach, so the processor’s notification should be routed into the controller’s incident response process without delay.
NOTE: While this site is designed to help organizations understand the GDPR in connection with Zscaler's services and products, the information contained herein may not be construed as legal advice and organizations should consult with their own legal counsel with respect to interpreting their unique obligations under the GDPR.