Zscaler and the GDPR

Introduction

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which became effective May 25, 2018, is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the transfer of personal data outside of the EU. The primary objectives of the GDPR are (i) to enhance the protection of EU personal data and (ii) to simplify the regulatory environment for international business by imposing uniform data protection requirements on all EU members.

The GDPR replaced the Data Protection Directive (officially Directive 95/46/EC) adopted in 1995. The GDPR is a significant change in the data privacy landscape in the EU and more clearly allocates responsibility between the data controller (Zscaler’s customers and partners) and the data processor (Zscaler) with respect to the processing of personal data. Under the GDPR, both the data controller and data processor have additional duties and obligations to protect personal data, and both face liability for any failures to comply with the GDPR requirements.

Zscaler is committed to our customers’ success, including compliance with the GDPR. The GDPR will require a closer partnership between Zscaler and our customers in their use of our services and products. Zscaler has closely analyzed the requirements of the GDPR, and has made enhancements to our services, products, documentation, and contracts to support our own compliance with the GDPR. In addition, Zscaler is dedicated to assisting our customers with their GDPR compliance efforts.

To assist our Customers in complying with the GDPR, we have compiled a comprehensive, side-by-side “Controller vs Processor Responsibility Chart of the customer’s obligations as the data controller vs. Zscaler’s obligations as the data processor. This chart is a helpful tool for our customers to better understand what exactly they need to do to comply with the GDPR and what they can expect from Zscaler.

Zscaler Compliance with the GDPR

As a security-as-a-service provider, data protection is at the core of Zscaler’s business and something Zscaler takes very seriously. Zscaler remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of Zscaler’s compliance with several of the key areas of the GDPR.

How does Zscaler contractually ensure its compliance with GDPR?
  • Updated Data Processing Agreement (DPA): Zscaler has updated its DPA to align with GDPR requirements. This updated DPA contains revised or additional contractual provisions in order to assist our customers in their compliance with the GDPR. You may download the pre-signed DPA at the link below and follow the instructions on page 1 for executing. In addition, below you will also find a useful DPA Cover Letter that we have put together to assist in your review of our DPA.
  • When acting as a data processor, Zscaler will only process personal data on behalf of the data controller and on written authorization from the data controller (i.e., through a contract or order, with the DPA providing details of such instructions).
  • In addition, we have entered into written agreements in accordance with the requirements of Article 28(4) of the GDPR with all sub-processors and we remain liable for the acts and omissions of these sub-processors. Our due diligence efforts also involve ensuring that all of our sub-processors maintain their compliance with data protection laws.
Zscaler Pre-Signed Data Processing Agreement (DPA) and DPA Cover Letter
What processes does Zscaler have in place to protect personal data?
  • Zscaler ensures the confidentiality and availability of the personal data that it processes and that appropriate technical and organizational measures are taken to protect such personal data. 
  • Zscaler expects that its customers and partners, as the data controllers, will notify their employees and users (i.e., the data subjects) of the processing carried out by Zscaler and will obtain their consent for Zscaler to do so.
  • Zscaler only processes and/or stores a limited amount of personal data (e.g., IP Addresses, URLs, user IDs, user groups and departments from corporate directory). Please see the section below for some security measures that we implement to protect that data. 
  • With the data minimization objective in mind, Zscaler does not process or store any personal data that is not needed to perform the contracted services on behalf of the data controller. In addition, personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as required by law.
  • During the deployment process, Customers may choose to have their Customer Logs stored in the EU (Germany and Netherlands) and Switzerland only. Zscaler retains Customer Logs in its cloud infrastructure for rolling periods of six months or less, depending on the product, after which the Customer Logs are securely deleted. Further, for an additional fee, customers can store their Customer Logs in Zscaler-managed servers on customer’s own premises (Nanolog Streaming Service), for however long they choose. At contract termination or expiration, the Customer Logs are deleted pursuant to the six month (or earlier) retention cycle, or as earlier requested in writing by the data controller.
  • All transfers of personal data outside of the European Economic Area (EEA) will only be done for the purposes of providing the contracted services to the data controller and will be subject to EU Standard Contractual Clauses, unless the data is transferred to a country recognized by European Commission as providing adequate level of data protection (currently these are: Andorra, Argentina, Canada (commercial organizations only), Faroe Island, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay – for updates please see  https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). 
  • Zscaler will obtain the consent of the data controller before engaging any sub-processors, which may include contractual consent or general consent. Zscaler will be responsible and liable for the performance of such sub-processors. Zscaler will maintain an up-to-date sub-processor list at https://www.zscaler.com/legal/subprocessors.
  • Zscaler will make available to the data controller all information reasonably necessary for the data controller to demonstrate its compliance with the GDPR.
  • Zscaler will be accountable and responsible to ensure its own compliance under the GDPR.
  • Zscaler will assist the data controller in meeting the data controller’s compliance obligations under the GDPR, taking into account the nature of the processing and the information available to Zscaler.
  • With prior written notice, and subject to certain Zscaler requirements and controls being put in place, Zscaler will permit its customers and partners to perform annual audits and automated inspections of its cloud.
  • Zscaler will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in reporting to supervisory authorities and affected EU data subjects any personal data breaches.
What security measures does Zscaler implement to protect personal data?
  • Zscaler protects personal data through security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.Zscaler encrypts all traffic communications on its cloud, in addition to anonymizing, pseudonymizing, or obfuscating data where technically possible. Here are some of the ways in which we assist our customers with minimizing the extent of the data processing Zscaler will carry out and ensure that the data that we do process is secured with the state-of-the-art technology:
    • For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk - all inspection takes place in memory.
    • For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).
    • For Zscaler Client Connector software, customers can globally enable or disable the packet capture through policies with Zscaler and delete the packet capture logs from the applicable laptop, desktop, or personal mobile device.
    • Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores. Rather, it provides an added layer of security protection for those threats concealed behind encrypted traffic and provides additional protection for our customers’ employees and other users.
    • Customers have the option to obfuscate their user IDs from ever being seen by Zscaler Operations and Support teams or their own administrators.
    • Customer Transaction Logs (Customer Logs) are indexed, compressed, and tokenized at the point of generation – ensuring a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA.
    • The Customer Logs are never stored in clear text.
  • Since Zscaler operates a multi-tenant cloud, it has certified to the ISO 27001 information security framework in order to maintain consistent and robust security controls and procedures for all customers on its cloud. In addition, Zscaler adheres to System and Organization Controls (SOC) 2, Type II standards, as well as several other certifications, such as FedRAMP ISO 27018 or FIPS 140-2 (see https://www.zscaler.com/privacy-compliance/compliance for more details).
  • In addition to adhering to ISO 27001 principles, the top tier global data centers that Zscaler uses take security just as seriously as Zscaler – through, among other protections, sophisticated entry control systems, dual power feeds with backup generators, and video surveillance.
  • Zscaler performs robust security measures on its cloud such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security code peer reviews.
  • Zscaler’s cloud infrastructure is hardened against DDoS attacks and monitored 24x7x365.
  • Zscaler only allows access to personal data by personnel who are authorized administrators with appropriate privileges.
  • All Zscaler personnel who are authorized to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.
  • Through Zscaler’s global network of data centers and fail-over capabilities, Zscaler is able to ensure ongoing confidentiality, integrity, availability and resilience of its processing systems and services, in addition to restoring real-time availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Zscaler has an internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing of personal data.
  • The personal data that Zscaler processes on behalf of the data controller will be accurate, complete, and kept up-to-date as much as technically possible.
GDPR FAQ

We have put together the below FAQs in order to address the most common questions that we receive from customers and partners regarding our platform. 

 (1) What personal data does Zscaler store and/or process?

Zscaler stores a limited amount of personal data (e.g., IP Addresses, URLs, user IDs, user groups and departments from corporate directory) and does not process or store any special or sensitive categories of personal data (e.g. credit card or protected health information). Additionally, customers have the option to obfuscate their user IDs from ever being seen by their own administrators. 

Zscaler Support personnel will not access any customer personal data unless explicitly authorized to do so by such customer. 

For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk - all inspection takes place in memory. 

For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).

For Zscaler Client Connector, customers can globally enable or disable the packet capture through policies with Zscaler and delete the packet capture logs from the applicable laptop, desktop, or personal mobile device.

Customer Transaction Logs (Customer Logs) are never stored in clear text and are indexed, compressed, and tokenized at the point of generation – ensuring a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA. 

(2) How does Zscaler protect the personal data that it processes and/or stores?

Zscaler implements the physical, technical, and organizational security measures to ensure a level of security appropriate to the risk in accordance with the standards of Article 32 of the GDPR. Zscaler is certified under ISO 27001 and System and Organization Controls (SOC) 2, Type II standards and is audited annually by a third party to ensure its ongoing compliance with these certifications. Zscaler regularly tests, assesses and evaluates the effectiveness of its security measures. Upon written request, and subject to appropriate confidentiality protections being in place, Zscaler can provide Customer with a copy of its most recent ISO 27001 certificate and/or SOC 2, Type II report. For more information, please visit https://www.zscaler.com/privacy-company/compliance

(3) Can Zscaler only provide its services from the European Union (EU)?

No. Since Zscaler is a U.S. based company providing a global cloud platform, Zscaler processes personal data around the globe through its network of 150+ data centers in order to provide our services. 

Zscaler will process personal data at the data center that is the closest to where our customer’s users are located (i.e. EU data centers for EU users, U.S. data centers for U.S. users). In the event an EU user travels to the U.S., then Zscaler would process their personal data from the closest data center which would be in the U.S..

Even if our customer only has users in the EU, Zscaler provides global support services not only from the EU, but also from the U.S., India, and Costa Rica (for some U.S. based companies only) in order to ensure 24x7x365 coverage. This is a common practice among most cloud vendors.

Notwithstanding the above, and unlike most other cloud vendors, Zscaler does offer our customers the option to store their Customer Logs in the EU and Switzerland only, no matter where the global data processing may occur. Our customers can set this up with Zscaler during the deployment process. 

(4) Does Zscaler access or transfer personal data outside of the EU?

Yes.  Zscaler processes personal data around the globe through its network of 150+ data centers in order to provide our services.

The GDPR requires that transfers of personal data outside of the EU must be covered by an approved legal framework, such as the EU Standard Contractual Clauses. Zscaler adheres to EU Standard Contractual Clauses for transfers of personal data outside of EEA, Switzerland or the United Kingdom. 

This is addressed in more detail in our Data Processing Agreement (DPA) which is available at www.zscaler.com/gdpr for customers to download and sign.

(5) How is Zscaler affected by the CJEU C-311/18 (“Schrems II”) judgement invalidating the EU-US Privacy Shield framework?

In light of the Schrems II judgement, Zscaler confirms that it continues to provide its products and services in full compliance with applicable data protection legislation. 

Nothing has changed in relation to how Zscaler transfers personal data outside of the EU to provide our products and services. The European judge’s decision has no impact on how Zscaler provides its products and services, on our dataflows or on how we store Customer Logs. Historically, Zscaler has been providing its customers with protections under both the EU Standard Contractual Clauses and the Privacy Shield frameworks for international data transfers. The EU Standard Contractual Clauses remain valid and the judge has expressly confirmed that this mechanism can continue to be used by the business. 

Additionally, Zscaler maintains its certification to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Although, Zscaler does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, we are committed to upholding the data protection principles of the EU-U.S. Privacy Shield Framework.

(6) What additional assurances does Zscaler offer to support its use of the EU Standard Contractual Clauses when transferring personal data to the US?

We understand that the message the European judge has sent in the Schrems II case is that depending on a case-by-case assessment, taking into account the circumstances surrounding the specific data transfer, some supplementary measures may need to be implemented to ensure that the law of the country where the data is being transferred to does not impinge on the adequate level of protection guaranteed by the EU Standard Contractual Clauses.

Since Zscaler has been providing its customers with protections ensured by the EU Standard Contractual Clauses prior to the Schrems II ruling, we have already made such analysis and are confident that our processes and security measures continue ensuring adequate compliance. Of course, we continue monitoring any future guidelines and regulatory changes applicable to personal data and are awaiting further decisions from the European Commission, the European Data Protection Board and from individual Supervising Authorities. 

Here are some of the ways in which we ensure data protection as required by the EU Standard Contractual Clauses:

  • personal data is solely processed on behalf of our customers and according to their instructions;
  • we implement the technical and organisational security measures as specified in the DPA before processing the personal data. For instance, we apply tokenization as one of the methods to protect Customer Logs (see Question 1 for more details);
  • we would notify our customers about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited; 
  • we provide EU (Germany, Netherlands) and Switzerland-only log storage for our customers when first deploying our products;
  • we ensure that our customers provide consent for our use of data sub-processors and that those data sub-processors provide equivalent protection to the data they process on our behalf;
  • with prior written notice, and subject to certain Zscaler requirements and controls being put in place, we permit our customers and partners to perform annual audits and automated inspections of our cloud;
  • we commit to ensure our ongoing compliance with the EU Standard Contractual Clauses and will implement any additional legally required measures within a reasonable time.

(7) How does enabling SSL inspection fall within security requirements and compliance with privacy laws?

Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores. Rather, it helps our customers meet their obligations under Article 32 of the GDPR by providing the appropriate level of security for processing of personal data. Although there are business, privacy and security implications of using SSL inspection that our customers must consider, this needs to be balanced against the obligation to ensure the rights of each customer employee are protected from threats and attacks. As such, rather than a threat to privacy, SSL inspection should be viewed as a tool supporting an organization’s privacy compliance.

Zscaler offers comprehensive SSL/TLS inspection capabilities to protect customer data traffic from threats that are hidden in encrypted traffic. Once data inspection is complete, the data flow continues unimpeded, with no record of the source data preserved beyond the log of the transaction itself. 

(8) Does Zscaler use sub-processors to provide its services?

Yes. As is the case with every cloud vendor, Zscaler does use a limited number of sub-processors to provide its services. As required under the GDPR, Zscaler will obtain customer consent before engaging any sub-processors, which may include contractual consent or general consent. In addition, Zscaler will provide customers with advance written notice of any changes to its sub-processor list. Zscaler will be responsible and liable for the performance of its sub-processors. Zscaler maintains a current list of its sub-processors at https://www.zscaler.com/legal/subprocessors.

(9) Can Zscaler assist with a Right to be Forgotten (RTBF) Request?

Yes. Zscaler has an internal process for responding to RTBF requests. However, it’s important to remember that as the data controller, our customer is responsible for reviewing and validating the request and submitting a support ticket to Zscaler. A RTBF request should only be made if a data subject (usually a customer employee or user) makes such a request to our customer. If Zscaler receives a RTBF request directly from a customer employee or user, we will re-direct the person to our customer to validate and respond