The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which became effective May 25, 2018, is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the transfer of personal data outside of the EU. The primary objectives of the GDPR are (i) to enhance the protection of EU personal data and (ii) to simplify the regulatory environment for international business by imposing uniform data protection requirements on all EU members.
The GDPR replaced the Data Protection Directive (officially Directive 95/46/EC) adopted in 1995. The GDPR is a significant change in the data privacy landscape in the EU and more clearly allocates responsibility between the data controller (Zscaler’s customers and partners) and the data processor (Zscaler) with respect to the processing of personal data. Under the GDPR, both the data controller and data processor have additional duties and obligations to protect personal data, and both face liability for any failures to comply with the GDPR requirements.
Zscaler is committed to our customers’ success, including compliance with the GDPR. The GDPR will require a closer partnership between Zscaler and our customers in their use of our services and products. Zscaler has closely analyzed the requirements of the GDPR, and has made enhancements to our services, products, documentation, and contracts to support our own compliance with the GDPR. In addition, Zscaler is dedicated to assisting our customers with their GDPR compliance efforts.
Assisting our Customers in Complying with the GDPR
- Controller vs. Processor Responsibility Chart: Zscaler has compiled a comprehensive, side-by-side chart of the customer’s obligations as the data controller vs. Zscaler’s obligations as the data processor. This chart is a helpful tool for our customers to better understand what exactly they need to do to comply with the GDPR and what they can expect from Zscaler.
- Updated Data Processing Agreement (DPA): Zscaler has also updated its DPA to align with GDPR requirements. This updated DPA contains revised or additional contractual provisions in order to assist our customers in their compliance with the GDPR. You may download the pre-signed DPA here and follow the instructions on page 1 for executing. In addition, we have put together a useful DPA Cover Letter which should assist in your review of our DPA.
Zscaler Compliance with the GDPR
As a security-as-a-service provider, data protection is at the core of Zscaler’s business and something Zscaler takes very seriously. Zscaler remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of Zscaler’s compliance with several of the key areas of the GDPR.
- When acting as a data processor, Zscaler will only process personal data on behalf of the data controller and on written authorization from the data controller (i.e., through a contract or order).
- Zscaler expects that its customers and partners, as the data controllers, will notify their employees and users (i.e., the data subjects) of the processing carried out by Zscaler and will obtain their consent for Zscaler to do so.
- Zscaler ensures the confidentiality and availability of the personal data that it processes and that appropriate technical and organizational measures are taken to protect such personal data.
- Zscaler processes and stores a limited amount of personal data (e.g., IP Addresses, URLs, user IDs, user groups and departments from corporate directory). In addition:
- For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk - all inspection takes place in memory.
- For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).
- For Zscaler Client Connector software, customers can globally enable or disable the packet capture through policies with Zscaler, and delete the packet capture logs from the applicable laptop, desktop, or personal mobile device.
- Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores. Rather, it provides an added layer of security protection for those threats concealed behind encrypted traffic and provides additional protection for our customers’ employees and other users.
- Customers have the option to obfuscate their user IDs from ever being seen by Zscaler Operations and Support teams or their own administrators.
- Customer Transaction Logs (Customer Logs) are indexed, compressed, and tokenized at the point of generation – ensuring a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA.
- The Customer Logs are never stored in clear text.
- During the deployment process, Customers may choose to have their Customer Logs stored in the EU and Switzerland only. Further, for an additional fee, customers can store their Customer Logs in Zscaler-managed servers on customer’s own premises.
- Zscaler only allows access to personal data by personnel who are authorized administrators with appropriate privileges.
- Zscaler does not process or store any personal data that is not needed to perform the contracted services on behalf of the data controller.
- The personal data that Zscaler processes on behalf of the data controller will be accurate, complete, and kept up-to-date as much as technically possible.
- Personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as required by law.
- All transfers of personal data outside of the European Economic Area (EEA) will only be done for the purposes of providing the contracted services to the data controller and will be subject to EU-US and Swiss-US Privacy Shield principles and/or EU Standard Contractual Clauses.
- Zscaler retains Customer Logs in its cloud infrastructure for rolling periods of six months or less, depending on the product, after which the Customer Logs are securely deleted. In addition, customers can order Zscaler’s Nanolog Streaming Service (NSS) in order to retain such Customer Logs for however long they choose.
- Zscaler will obtain the consent of the data controller before engaging any sub-processors, which may include contractual consent or general consent. Zscaler will be responsible and liable for the performance of such sub-processors. Zscaler will maintain an up-to-date sub-processor list at https://www.zscaler.com/legal/subprocessors.
- At contract termination or expiration, the Customer Logs will be deleted pursuant to the six month (or earlier) retention cycle, or as earlier requested in writing by the data controller.
- Zscaler will make available to the data controller all information reasonably necessary for the data controller to demonstrate its compliance with the GDPR.
- Zscaler will be accountable and responsible to ensure its own compliance under the GDPR.
- Zscaler will assist the data controller in meeting the data controller’s compliance obligations under the GDPR, taking into account the nature of the processing and the information available to Zscaler.
- Zscaler protects personal data through reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.
- Since Zscaler operates a multi-tenant cloud, it has certified to the ISO 27001 information security framework in order to maintain consistent and robust security controls and procedures for all customers on its cloud. In addition, Zscaler adheres to System and Organization Controls (SOC) 2, Type II standards.
- Zscaler performs robust security measures on its cloud such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security code peer reviews.
- Zscaler’s cloud infrastructure is hardened against DDoS attacks and monitored 24x7x365.
- All Zscaler personnel who are authorized to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.
- Zscaler encrypts all traffic communications on its cloud, in addition to anonymizing, pseudonymizing, or obfuscating data where technically possible.
- In addition to adhering to ISO 27001 principles, the top tier global data centers that Zscaler uses take security just as seriously as Zscaler – through, among other protections, sophisticated entry control systems, dual power feeds with backup generators, and video surveillance.
- Through Zscaler’s global network of data centers and fail-over capabilities, Zscaler is able to ensure ongoing confidentiality, integrity, availability and resilience of its processing systems and services, in addition to restoring real-time availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Zscaler has an internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing of personal data.
- With prior written notice, and subject to certain Zscaler requirements and controls being put in place, Zscaler will permit its customers and partners to perform annual audits and automated inspections of its cloud.
- Zscaler will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in reporting to supervisory authorities and affected EU data subjects any personal data breaches.
We have put together the below FAQs in order to address the most common questions that we receive from customers and partners regarding our platform.
1. What personal data does Zscaler store and/or process?
Zscaler processes and stores a limited amount of personal data (e.g., IP Addresses, URLs, user IDs, user groups and departments from corporate directory).
Zscaler Support personnel will not access any customer personal data unless explicitly authorized to do so by such customer. Additionally, customers have the option to obfuscate their user IDs from ever being seen by their own administrators.
For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk - all inspection takes place in memory.
For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).
For Zscaler Client Connector software, customers can globally enable or disable the packet capture through policies with Zscaler and delete the packet capture logs from the applicable laptop, desktop, or personal mobile device.
Customer Transaction Logs (Customer Logs) are never stored in clear text and are indexed, compressed, and tokenized at the point of generation – ensuring a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA.
2. How does Zscaler protect the personal data that it processes and/or stores?
Zscaler implements the physical, technical, and organizational security measures to ensure a level of security appropriate to the risk in accordance with the standards of Article 32 of the GDPR. Zscaler is certified under ISO 27001 and System and Organization Controls (SOC) 2, Type II standards and is audited annually by a third party to ensure its ongoing compliance with these certifications. Zscaler regularly tests, assesses and evaluates the effectiveness of its security measures. Upon written request, and subject to appropriate confidentiality protections being in place, Zscaler can provide Customer with a copy of its most recent ISO 27001 certificate and/or SOC 2, Type II report. For more information, https://www.zscaler.com/company/compliance.
3. What is pseudonymization versus anonymization of data? And can I elect to have my company’s data fully anonymized instead of pseudonymized?
Pseudonymization of data makes it so that the data can be reattributed to a system, individual, or organization. In contrast, anonymization of data makes it so the data can never be reattributed to a system, individual, or organization.
For cyber security, organizations need the ability to reattribute data in the event the organization must conduct an investigation, remediation, or recovery after a security vulnerability or breach (such as isolating a targeted phishing attack). In providing our products to customers, we give customers the option to obfuscate or pseudonymize their personal data so that our customers have the option to report on what devices should be remediated after a security breach or vulnerability. Zscaler uses the “tokenization” methodology to perform pseudonymization of personal data.
4. Can Zscaler only provide its services from the European Union (EU)?
No. Since Zscaler is a U.S. based company providing a global cloud platform, Zscaler processes personal data around the globe at its network of 150+ data centers in order to provide its services.
Zscaler processes personal data at its closest data centers to where customer users are located (i.e. EU data centers for EU users, U.S. data centers for U.S. users). In the event an EU user travels to the U.S. for example, then Zscaler would process personal data from its closest U.S. data center.
Even if our customer only has users in the EU, Zscaler provides global support services from the U.S., India, and Costa Rica (TAM Support Services only) in order to ensure 24x7x365 coverage. This is the case with most cloud vendors.
Notwithstanding the above, and unlike most other cloud vendors, Zscaler does offer our customers the option to store their Customer Logs in the EU and Switzerland only, no matter where the global data processing may occur. Our customers can set this up with Zscaler during the deployment process.
5. Does Zscaler access or transfer personal data outside of the EU?
Yes. As stated above, Zscaler is a U.S. based company providing a global cloud platform.
The GDPR does not prohibit the access or transfer of personal data outside of the EU – it simply requires that any such transfers be covered by an approved legal framework, such as the Privacy Shield or EU Model Clauses.
Zscaler adheres to EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and also the EU Model Clauses. Both frameworks are addressed in our Data Processing Agreement (DPA) which is available at www.zscaler.com/gdpr for customers to download and sign.
6. Does enabling SSL inspection change the types of personal data that Zscaler processes or store?
No. Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores. Rather, it provides an added layer of security protection for those threats concealed behind encrypted traffic and provides additional protection for our customers’ employees and other users. It could be argued that the data controller’s obligation under Article 32 of the GDPR (Data Security) should include performing SSL inspection because so many threats are now hidden behind encrypted traffic.
7. Does Zscaler use sub-processors to provide its services?
Yes. As is the case with every cloud vendor, Zscaler does use a limited number of sub-processors to provide its services. As required under the GDPR, Zscaler will obtain customer consent before engaging any new sub-processors, which may include contractual consent or general consent. In addition, Zscaler will provide customers with advance written notice of any changes to its sub-processor list. Zscaler will be responsible and liable for the performance of its sub-processors. Zscaler maintains a current list of its sub-processors at https://www.zscaler.com/legal/subprocessors.
7. Can Zscaler assist with a Right to be Forgotten (RTBF) Request?
Yes. Zscaler has an internal process for responding to RTBF requests. However, it’s important to remember that as the data controller, our customer is responsible for reviewing and validating the request and submitting a support ticket to Zscaler. A RTBF request should only be made if a data subject (usually a customer employee or user) makes such a request to our customer. If Zscaler receives a RTBF request directly from a customer employee or user, we will re-direct the person to our customer to validate and respond.
NOTE: While this site is designed to help organizations understand the GDPR in connection with Zscaler's services and products, the information contained herein may not be construed as legal advice and organizations should consult with their own legal counsel with respect to interpreting their unique obligations under the GDPR.