Zscaler adheres to rigorous security, availability, and privacy standards so customers can adopt our services with confidence.
Our compliance team works to ensure that Zscaler products are aligned with, and certified against, internationally recognized government and commercial standards, so that customers can rely on independent validation rather than on vendor assertions alone. Zscaler's compliance program is built on foundational certifications focused on data protection and regulatory requirements, including ISO 27001, ISO 27701, SOC 2, and FedRAMP, among others, depending on the specific Zscaler product and customer needs.
We are committed to ensuring that our global customers and partners can meet diverse compliance requirements. To download any compliance certification reports for IT standards Zscaler complies with, please submit this request form.
Zscaler holds ISO/IEC 27001 certification, implemented against the ISO/IEC 27002:2013 code of practice, attesting that our information security management system (ISMS) and its controls follow internationally recognized best practices. Read the full report.
Zscaler's ISO/IEC 27001 certification includes the ISO/IEC 27701 extension, attesting that our services follow internationally recognized best practices for both information security management and privacy information management systems (PIMS). Read the full report.
ISO/IEC 27018:2014 is a code of practice focused on the protection of personal data in the cloud. Based on the ISO/IEC 27002 information security standard, it provides implementation guidance on the ISO/IEC 27002 controls that apply to personally identifiable information (PII) processed by public cloud services. Read the full report.
Zscaler holds ISO/IEC 27017 certification, which addresses cloud-specific information security risks and threats and builds on the controls in clauses 5-18 of ISO/IEC 27002:2013 and ISO/IEC 27001. This certification attests that our services follow internationally recognized best practices for both cloud service providers and cloud service customers. Read the full report.
The SOC 2 Type II report provides independent validation that our security controls are designed and operated over a defined review period in accordance with the applicable Trust Services Criteria of the American Institute of Certified Public Accountants (AICPA). Read the full report.
Zscaler System and Organization Controls (SOC) reports are independent third-party examination reports that demonstrate how Zscaler achieves key compliance controls and objectives. The SOC 3 is a general-use public report describing internal controls over security, availability, processing integrity, and confidentiality. The examinations are performed under SSAE 18 / ISAE 3402 as Type II engagements. Read the full report.
Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) are both authorized at the FedRAMP High impact level by the Joint Authorization Board (JAB). What's more, ZIA is currently the only Secure Access Service Edge (SASE) Trusted Internet Connections (TIC) 3.0 solution that has achieved FedRAMP's highest authorization.
Government agencies such as the DoD can leverage our market-leading zero trust platforms to take on the user experience and cost challenges of securing cloud-based application access for remote and hybrid users.
Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) have maintained the FedRAMP Moderate level authorization since 2018, allowing federal agencies, DoD commands, and federal contractors to take full advantage of the Zscaler Zero Trust Exchange.
With ZIA and ZPA in hand, agencies can reap the benefits of zero trust security to reduce overhead, streamline operations, and lower costs.
Internal Revenue Service Publication 1075 ("IRS 1075") sets information security standards, guidelines, and agreement requirements for US government agencies and their agents that access federal tax information (FTI). The IRS does not issue an official designation or certification for Pub 1075 compliance; instead, Zscaler helps organizations protect FTI managed on the Zscaler platform by mapping our implementations of NIST SP 800-53 and FedRAMP security controls to the corresponding IRS Pub 1075 security requirements. Zscaler has worked closely with the IRS to ensure that our GovClouds (US) meet Pub 1075 requirements for storing and processing FTI.
Zscaler Private Access (ZPA) has achieved a Provisional Authorization to Operate (P-ATO) at Impact Level 5 (IL5), as defined in the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG). This allows government agencies and their contractors to use the Zscaler Zero Trust Exchange platform for systems that manage their most sensitive Controlled Unclassified Information (CUI) as well as unclassified National Security Systems (NSSs). Zscaler Internet Access (ZIA) has achieved an Authorization to Operate (ATO) at Impact Level 2 (IL2). The DoD's Defense Innovation Unit (DIU) has selected Zscaler to prototype ZPA and ZIA as secure access technologies.
Zscaler's cryptographic modules are validated under the Federal Information Processing Standard FIPS 140-2, meeting NIST's requirements for cryptographic modules. View certificates #3154 for the Zscaler Mobile Cryptographic Module, #3159 for the Zscaler Crypto Module, and #3188 for Zscaler Java Crypto. A FIPS 140-2 validation applies to the specific module version and operating environment listed on each certificate, so customers with FIPS obligations should confirm on the NIST Cryptographic Module Validation Program (CMVP) list that the deployed version matches the certificate.
Zscaler Private Access (ZPA) and Zscaler Internet Access (ZIA) have been audited by a certified IRAP auditor. The report demonstrates that Zscaler complies with related Australian government standards. Read the full report.
Zscaler maintains compliance with Criminal Justice Information Services, ensuring the protection of information as required by CJIS Security Policy. Read the full report.
In recognition and support of the “Electronic and Information Accessibility Standards” defined by Section 508 of the Rehabilitation Act, we publish accessibility self-assessments of Zscaler products using Voluntary Product Accessibility Templates (VPATs). Section 508 was enacted to eliminate barriers in information technology, to make new opportunities available for people with disabilities, and encourage the development of technologies that will help achieve these goals.
Zscaler has achieved Cyber Essentials certification, the UK scheme backed by the National Cyber Security Centre (NCSC). The certification enables us to be a supplier on the Crown Commercial Service frameworks supporting UK government agencies, and it is required of suppliers to UK government agencies that handle certain types of sensitive and personal information.
Zscaler completed the Trusted Internet Connection (TIC) 3.0 Overlay review with the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). TIC is a federal cybersecurity initiative intended to enhance network and perimeter security across the federal government. The goal of TIC 3.0 is to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications.
National Institute of Standards and Technology (NIST) Special Publication 800-63C provides requirements to identity providers (IdPs) and relying parties (RPs) of federated identity systems. Federation allows a given IdP to provide authentication attributes and (optionally) subscriber attributes to a number of separately administered RPs through the use of assertions. Similarly, RPs may use more than one IdP.
National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a catalog of security and privacy controls that is generally applicable to US federal information systems. Zscaler implements NIST SP 800-53 controls to ensure sufficient protection of the confidentiality, integrity, and availability of information and information systems.
StateRAMP is a cybersecurity program that addresses the needs of procurement and security officials with state and local governments (SLGs) in the United States. Zscaler Internet Access (ZIA) Moderate Cloud has achieved the StateRAMP AUTHORIZED status demonstrating Zscaler’s commitment towards securing state and local government employees and data.
The Texas Risk and Authorization Management Program (TX-RAMP) provides a standardized approach for the security assessment, continuous monitoring, and authorization of third-party vendors that process the data of a state agency or public higher education institution in the State of Texas (agencies). Zscaler has achieved TX-RAMP Level 2 authorization, which enables Zscaler to operate with confidential or regulated data in moderate- or high-impact systems.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to individually identifiable health information that relates to an individual's past, present, or future physical or mental health condition, or any other information that can be used to identify the individual. HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. As stated by the U.S. Department of Health and Human Services, the HIPAA Privacy Rule establishes national standards for the protection of certain health information. View the Zscaler whitepaper for HIPAA.
The Payment Card Industry Data Security Standard (PCI DSS) exists to protect cardholder data against fraud, security threats, and vulnerabilities. The standard is maintained by the PCI Security Standards Council (PCI SSC), a governing body established in September 2006 as a joint venture of American Express, Discover Financial Services, JCB International, MasterCard, and Visa.
The European Union’s General Data Protection Regulation (GDPR) protects EU data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that aim to raise and harmonize standards for data protection, security, and compliance.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law applying to private sector organizations across Canada that collect, use or disclose personal information in the course of a “commercial activity.” The law defines a “commercial activity” as any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character.
Japan’s general data protection law, the Act on the Protection of Personal Information (APPI), was enacted in 2003 and amended in 2017, with further amendments to become effective April 1, 2022. APPI is a comprehensive, cross-sectoral framework that regulates private businesses using personal information databases. APPI incorporates the eight basic principles under the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data from the Organisation for Economic Co-operation and Development.
The California Consumer Privacy Act (CCPA) grants certain privacy rights to California residents. The CCPA is a landmark piece of legislation that signifies a substantial change in how businesses collect, store, and process the personal information of California residents as well as how they share, disclose, or make available this personal information to third parties. Although the CCPA went into effect on January 1, 2020, the California legislature is continuing to suggest amendments and additions to the CCPA.
Enterprise IT leaders must employ comprehensive SSL/TLS inspection methodologies to mitigate the risks hidden in encrypted traffic. This white paper examines the risk posed by encrypted threats; considers the business, privacy, and security implications of managing that risk; and presents constructive measures for balancing security needs with employee privacy rights. In the end, the best way for IT leadership to ensure the rights of the individual employee is to protect the organization from threats and attacks.
As a security-as-a-service provider, Zscaler takes data protection seriously and remains committed to protecting personal data in compliance with the highest standards of privacy and security. Zscaler publishes a high-level summary of our compliance with the key areas of the Australian Privacy Act 1988 (including each of the 13 Australian Privacy Principles, or APPs) as well as with each of the 12 Information Privacy Principles (IPPs).
Zscaler is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks administered by the U.S. Department of Commerce. Zscaler complies with the commitments of each framework but does not rely on either the EU-U.S. or the Swiss-U.S. Privacy Shield Framework as a legal basis for cross-border transfers of personal data outside the EU. This matters because the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield as a transfer mechanism in its July 2020 Schrems II judgment, so transfers must rest on a separate lawful basis.
Zscaler is committed to handling our global customers' and partners' data in accordance with security and privacy best practices. We have created this assessment for informational purposes only to help organizations understand how we handle sensitive data with respect to Zscaler services and products.
The Australian Prudential Regulation Authority (APRA) is the primary financial regulator in Australia that describes its purpose as the prudential regulation of Australia’s financial institutions. APRA oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurance, friendly societies, and most members of the superannuation industry promoting the financial safety of institutions and the stability of the Australian financial system. This white paper outlines general information for financial institutions looking to use Zscaler services. Read the full APRA report here.
Zscaler is committed to acting ethically and with integrity in all our business relationships and to promoting a workplace and supply chain free from modern slavery and human trafficking, where workers are treated with respect and dignity.
The Standard Information Gathering (SIG) Lite questionnaire is a standardized questionnaire developed by Shared Assessments and used by organizations to provide information surrounding their control environment.
Zscaler runs the world's largest cloud security platform. The Zscaler cloud operations team strives to ensure the platform's resilience in the face of any natural or man-made disaster or other unplanned emergency.
Zscaler ensures that millions of employees at thousands of enterprise and government organizations worldwide are protected against cyberattacks and data breaches. Each organization faces unique regulatory challenges based on industry, geography, and more, and the Zscaler platform is designed to simplify compliance and reporting globally. Each day, Zscaler secures more than 25% of the Forbes Global 2000 across 185 countries.
Security is at the heart of our services, and we rely on our own platform to protect Zscaler against attacks and data loss. Security is central to our company and culture. For more information about our compliance practice, email us at [email protected].
At Zscaler, we follow industry best practices and require all employees to undergo extensive annual security training. We continuously strive to improve our security programs and controls, and we seek feedback from customers, auditors, and internal teams. Because we believe that security and strategic initiatives should be closely aligned, our CISO reports to the chief strategy officer.
Secure product development and maintenance
We have implemented security checks across our development lifecycle, and internal security teams and external auditors continuously evaluate our products. Our cloud platform is monitored in real time, and we provide publicly available insight into the performance and health of our service, globally. In addition, we perform regular vulnerability scans, risk assessments, and penetration tests to maintain the highest standards of security and availability.
Securing customer information
Customer information is protected in accordance with recognized frameworks and standards such as ISO 27001. Customer transaction content that we inspect as part of our service is never written to disk, and logs are never stored in clear text.
Our dedicated research team analyzes threats we see across our security cloud and investigates the global threat landscape. We share our research and cloud data with the industry at large to help promote a safer internet.
Our customers entrust us with securing their internet connections, and we take that responsibility seriously. That’s why we offer a window into the health of the platform to anyone at any time, showing operational status, upcoming maintenance windows, incidents, and security advisories, along with historical data.
Data protection and privacy in a cloud-enabled world
Zscaler is committed to our customers’ success, including compliance with global privacy regulations, and will assist our customers in satisfying their privacy compliance obligations.
Learn how Zscaler supports your privacy compliance efforts.