We have put together the FAQs below to address the most common questions we receive from customers and partners about our platform.
(1) What personal data does Zscaler store and/or process?
Zscaler stores a limited amount of personal data (e.g., IP addresses, URLs, user IDs, and user groups and departments from the corporate directory) and does not process or store any special or sensitive categories of personal data (e.g., credit card or protected health information). Additionally, customers have the option to obfuscate their user IDs so that they are never seen by their own administrators.
Zscaler Support personnel will not access any customer personal data unless explicitly authorized to do so by such customer.
For the majority of Zscaler’s services and products, HTTP, HTTPS and non-HTTP transaction content is never stored by Zscaler or written to disk: all inspection takes place in memory.
For customers who order Zscaler’s cloud sandbox product, Zscaler records malicious content to a storage disk; however, customers can decide what files to send to Zscaler’s sandbox (based on file type, URL category, user/group, etc.).
For Zscaler Client Connector, customers can globally enable or disable packet capture through Zscaler policy, and can delete the packet capture logs from the affected laptop, desktop, or personal mobile device.
Customer Transaction Logs (Customer Logs) are never stored in clear text and are indexed, compressed, and tokenized at the point of generation – ensuring a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). Hence, even with access to stored data, personal data cannot be derived without Zscaler’s user interface bringing together information from the Customer Logs and information from the CA.
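The separation described above, where the stored log carries only tokens and the index that resolves them is held elsewhere, is illustrated below in Python. This is an added example, not Zscaler's code, and it makes no claim about Zscaler's actual log format, token scheme or index implementation; the record fields, the keyed-HMAC token construction, the in-memory `TokenIndex` class and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import zlib
from typing import Dict, List

# Fields treated as personal data in the constructed records below
# (assumption for the example; a real log format will differ).
PII_FIELDS = ("user", "src_ip", "url")


class TokenIndex:
    """Plays the role of the separately stored index: it holds the keyed
    secret and the only token -> plaintext mapping. The log store never
    sees either, so a stored log on its own yields only opaque tokens."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._reverse: Dict[str, str] = {}

    def token_for(self, field: str, value: str) -> str:
        # Keyed, deterministic token: the same value always maps to the same
        # token, so logs remain indexable and joinable per user/IP/URL without
        # the value itself appearing. The field name is bound into the MAC so
        # a user ID and a URL with identical text do not share a token.
        mac = hmac.new(self._secret, f"{field}\x00{value}".encode(),
                       hashlib.sha256).hexdigest()[:16]
        token = f"tok_{field}_{mac}"
        self._reverse[token] = value
        return token

    def resolve(self, token: str) -> str:
        return self._reverse[token]


def tokenize_record(record: dict, index: TokenIndex) -> dict:
    """Replace every PII field with its token at the point of generation."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = index.token_for(field, out[field])
    return out


def rehydrate_record(record: dict, index: TokenIndex) -> dict:
    """Only a party holding the index can turn tokens back into plaintext."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = index.resolve(out[field])
    return out


def store_log(records: List[dict], index: TokenIndex) -> bytes:
    """What lands on disk: tokenized first, then compressed."""
    lines = [json.dumps(tokenize_record(r, index), sort_keys=True) for r in records]
    return zlib.compress("\n".join(lines).encode())


def load_log(blob: bytes) -> List[dict]:
    return [json.loads(line) for line in zlib.decompress(blob).decode().splitlines()]


def log_leaks_plaintext(blob: bytes, records: List[dict]) -> bool:
    """True if anyone holding only the stored blob can read a PII value verbatim."""
    text = zlib.decompress(blob).decode()
    return any(r[f] in text for r in records for f in PII_FIELDS if f in r)


# Constructed sample transactions (not real data).
SAMPLE_RECORDS = [
    {"ts": 1700000000, "user": "alice@example.com", "src_ip": "10.20.30.40",
     "url": "https://intranet.example.com/payroll", "action": "allow"},
    {"ts": 1700000005, "user": "alice@example.com", "src_ip": "10.20.30.40",
     "url": "https://updates.example.net/pkg", "action": "allow"},
    {"ts": 1700000009, "user": "bob@example.com", "src_ip": "10.20.30.41",
     "url": "https://intranet.example.com/payroll", "action": "block"},
]

if __name__ == "__main__":
    index = TokenIndex(secret=b"example-secret-held-only-by-the-index-service")
    blob = store_log(SAMPLE_RECORDS, index)
    stored = load_log(blob)
    print("plaintext in stored log:", log_leaks_plaintext(blob, SAMPLE_RECORDS))
    print("alice's two records share a token:", stored[0]["user"] == stored[1]["user"])
    print("rehydrated with index:", rehydrate_record(stored[2], index)["user"])
```

Two properties of this design matter for the claims in Question 1. First, because the index and its key never travel with the log, a copy of the stored blob exposes pseudonymous tokens only; rejoining them with identities requires the index service, which is also the natural place to enforce the "hide user IDs from administrators" option by withholding `resolve()` from administrative roles. Second, deterministic tokens are pseudonymisation, not anonymisation: whoever holds the index can re-identify the data subject, so the tokenized logs remain personal data under the GDPR in the hands of that party and must be protected accordingly.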
(2) How does Zscaler contractually ensure its compliance with GDPR?
When acting as a data processor, Zscaler will only process personal data on behalf of the data controller and on written authorization from the data controller (i.e., through a contract or order, with the DPA providing details of such instructions).
For further information about the Zscaler DPA, please visit www.zscaler.com/privacy/dpa
In addition, we have entered into written agreements in accordance with the requirements of Article 28(4) of the GDPR with all sub-processors and we remain liable for the acts and omissions of these sub-processors. Our due diligence efforts also involve ensuring that all of our sub-processors maintain their compliance with data protection laws.
(3) How does Zscaler protect the personal data that it processes and/or stores?
Zscaler implements physical, technical, and organizational security measures to ensure a level of security appropriate to the risk, in accordance with the standards of Article 32 of the GDPR. Zscaler is certified under ISO 27001 and System and Organization Controls (SOC) 2, Type II standards and is audited annually by a third party to ensure its ongoing compliance with these certifications. Zscaler regularly tests, assesses and evaluates the effectiveness of its security measures. Upon written request, and subject to appropriate confidentiality protections being in place, Zscaler can provide Customer with a copy of its most recent ISO 27001 certificate and/or SOC 2, Type II report. For more information, please visit [link to compliance page]
(4) Can Zscaler only provide its services from the European Union (EU)?
No. Since Zscaler is a U.S. based company providing a global cloud platform, Zscaler processes personal data around the globe through its network of 150+ data centers in order to provide our services.
Zscaler will process personal data at the data center closest to where our customer’s users are located (e.g., EU data centers for EU users, U.S. data centers for U.S. users). If an EU user travels to the U.S., Zscaler would process their personal data from the closest data center, which would be in the U.S.
Even if our customer only has users in the EU, Zscaler provides global support services not only from the EU, but also from the U.S., India, and Costa Rica (for some U.S. based companies only) in order to ensure 24x7x365 coverage. This is a common practice among most cloud vendors.
Notwithstanding the above, and unlike most other cloud vendors, Zscaler does offer our customers the option to store their Customer Logs in the EU and Switzerland only, no matter where the global data processing may occur. Our customers can set this up with Zscaler during the deployment process.
(5) Does Zscaler access or transfer personal data outside of the EU?
Yes. Zscaler processes personal data around the globe through its network of 150+ data centers in order to provide our services.
The GDPR requires that transfers of personal data outside of the EU be covered by an approved legal framework, such as the EU Standard Contractual Clauses. Zscaler adheres to the EU Standard Contractual Clauses for transfers of personal data outside of the EEA, Switzerland or the United Kingdom.
This is addressed in more detail in our Data Processing Agreement (DPA) which is available at www.zscaler.com/privacy/dpa for customers to download and sign.
(6) How is Zscaler affected by the CJEU C-311/18 (“Schrems II”) judgement invalidating the EU-US Privacy Shield framework?
In light of the Schrems II judgement, Zscaler confirms that it continues to provide its products and services in full compliance with applicable data protection legislation.
Nothing has changed in relation to how Zscaler transfers personal data outside of the EU to provide our products and services. The Court’s decision has no impact on how Zscaler provides its products and services, on our dataflows or on how we store Customer Logs. Historically, Zscaler has provided its customers with protections under both the EU Standard Contractual Clauses and the Privacy Shield frameworks for international data transfers. The EU Standard Contractual Clauses remain valid, and the Court expressly confirmed that this mechanism can continue to be used by businesses.
Additionally, Zscaler maintains its certification to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Although Zscaler does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, we are committed to upholding the data protection principles of the EU-U.S. Privacy Shield Framework.
(7) What additional assurances does Zscaler offer to support its use of the EU Standard Contractual Clauses when transferring personal data to the US?
We understand the message the Court sent in the Schrems II case to be that, depending on a case-by-case assessment of the circumstances surrounding a specific data transfer, supplementary measures may need to be implemented to ensure that the law of the country to which the data is transferred does not undermine the level of protection guaranteed by the EU Standard Contractual Clauses.
Since Zscaler was already providing its customers with the protections of the EU Standard Contractual Clauses prior to the Schrems II ruling, we have already performed this analysis and are confident that our processes and security measures continue to ensure adequate compliance. Of course, we continue to monitor future guidelines and regulatory changes applicable to personal data and are awaiting further decisions from the European Commission, the European Data Protection Board and individual Supervisory Authorities.
Here are some of the ways in which we ensure data protection as required by the EU Standard Contractual Clauses:
- personal data is solely processed on behalf of our customers and according to their instructions;
- we implement the technical and organisational security measures as specified in the DPA before processing the personal data. For instance, we apply tokenization as one of the methods to protect Customer Logs (see Question 1 for more details);
- we would notify our customers about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited;
- we provide EU (Germany, Netherlands) and Switzerland-only log storage for our customers when first deploying our products;
- we ensure that our customers provide consent for our use of data sub-processors and that those data sub-processors provide equivalent protection to the data they process on our behalf;
- with prior written notice, and subject to certain Zscaler requirements and controls being put in place, we permit our customers and partners to perform annual audits and automated inspections of our cloud;
- we commit to ensure our ongoing compliance with the EU Standard Contractual Clauses and will implement any additional legally required measures within a reasonable time.
(8) How does enabling SSL inspection fall within security requirements and compliance with privacy laws?
Enabling SSL inspection does not change the limited amount of data that Zscaler processes or stores. Rather, it helps our customers meet their obligations under Article 32 of the GDPR by providing an appropriate level of security for the processing of personal data. Although SSL inspection has business, privacy and security implications that our customers must consider, these need to be balanced against the obligation to protect each customer employee’s personal data from threats and attacks. As such, rather than a threat to privacy, SSL inspection should be viewed as a tool supporting an organization’s privacy compliance.
Zscaler offers comprehensive SSL/TLS inspection capabilities to protect customer data traffic from threats that are hidden in encrypted traffic. Once data inspection is complete, the data flow continues unimpeded, with no record of the source data preserved beyond the log of the transaction itself.
(9) Does Zscaler use sub-processors to provide its services?
Yes. As is the case with every cloud vendor, Zscaler uses a limited number of sub-processors to provide its services. As required under the GDPR, Zscaler will obtain customer consent before engaging any sub-processor; that consent may be specific or general, and may be given contractually. In addition, Zscaler will provide customers with advance written notice of any changes to its sub-processor list. Zscaler will be responsible and liable for the performance of its sub-processors. Zscaler maintains a current list of its sub-processors at www.zscaler.com/privacy/sub-processors
(10) Can Zscaler assist with a Right to be Forgotten (RTBF) Request?
Yes. Zscaler has an internal process for responding to RTBF requests. However, it is important to remember that, as the data controller, our customer is responsible for reviewing and validating the request and submitting a support ticket to Zscaler. An RTBF request should only be made if a data subject (usually a customer employee or user) makes such a request to our customer. If Zscaler receives an RTBF request directly from a customer employee or user, we will redirect the person to our customer to validate and respond.
(11) Does Zscaler comply with non-GDPR privacy regulations?
Zscaler is committed to maintaining compliance and carefully monitors the development of privacy legislation and regulations in various countries. For more information about how Zscaler complies with various privacy laws, please visit www.zscaler.com/privacy/international-data-transfer-policy