On this page, you’ll find answers to our customers’ common questions about Zscaler data privacy practices.
For more information about our data privacy practices, please see our Data Privacy and Protection Overview site.
1. Where can I find Zscaler’s Data Processing Agreement (DPA)?
2. Why does Zscaler collect and use my personal information?
Our products enable our customers to grant their authorized users direct, secure access to the internet or specific applications from anywhere and from any device. Therefore, our products use personal information like context-based identity to ensure that our customers can guard against intruders and authenticate their authorized users’ access requests.
3. What personal data does Zscaler collect about me?
Zscaler stores a limited amount of personal data (e.g., IP addresses, URLs, user IDs, and user groups and departments from the corporate directory) and does not process or store any special or sensitive categories of personal data (e.g., credit card or protected health information).
For more information, please see Exhibit A of our DPA, which you can find here.
For Zscaler Internet Access (ZIA), user-level cookies are used for Remote Browser Isolation.
To learn more, see the Zscaler Cookies Policy.
5. How does Zscaler contractually uphold our responsibilities as a data processor under the GDPR?
When acting as a data processor, Zscaler will only process personal data on behalf of the data controller and with written authorization from the data controller (i.e., through a contract or order, with the DPA providing details of such instructions).
Additionally, we enter into written agreements with our sub-processors, and we remain liable for the acts and omissions of these sub-processors. Our due diligence efforts also involve ensuring that all of our sub-processors maintain compliance with data protection laws.
6. Does Zscaler use sub-processors to provide its services?
Yes. Like every cloud vendor, Zscaler engages sub-processors to provide its services. However, none of the data shared with sub-processors is used for secondary purposes such as third-party advertising. Zscaler performs due diligence on the security and privacy practices of its sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to customer data (which may include Personal Data) and the scope of the services they provide. Zscaler requires sub-processors to enter into written contractual commitments to provide adequate data protection and confidentiality according to Zscaler privacy policies.
You can see a current list of our sub-processors here.
7. Does Zscaler store personal customer data?
For the majority of Zscaler’s services and products, HTTP, HTTPS, and non-HTTP transaction content (which includes any substantive part of the request, such as messages, files, etc.) is never stored by Zscaler or written to disk. All inspection takes place in memory.
For customers who order Zscaler Cloud Sandbox, Zscaler records malicious content to a storage disk. However, customers can decide which files to send to the Zscaler sandbox (based on file type, URL category, user/group, etc.).
For Zscaler Client Connector, customers can globally enable or disable the packet capture through policies with Zscaler and delete packet capture logs from the applicable laptop, desktop, or personal mobile device.
Customer Transaction Logs (Customer Logs) are never stored in cleartext and are indexed, compressed, and tokenized at the point of generation—meaning a token is used as the identifier in the log, not the username, and the only remaining identifiers in the log are more innocuous entries like AD group, IP address, or office location. This ensures that a single Customer Log is meaningless without a complete string of historic Customer Logs and access to the indexes stored in Zscaler’s Central Authority (CA). When a privileged user (such as a customer’s admin) wishes to deobfuscate the logs, our system substitutes the username back in for the token before displaying the logs or providing them for download. Therefore, even with access to the stored data, personal data cannot be derived without the Zscaler user interface bringing together information from the Customer Logs and information from the CA.
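As an added illustration of the tokenization pattern described above (this is example code written for this page, not Zscaler’s code, and not a description of how the Central Authority is actually built), the following Python splits a log record from the index that maps tokens back to users. The class and function names (`CentralAuthority`, `tokenize_record`, `detokenize_record`) and the sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample transaction record; not real Zscaler log data.
SAMPLE_RECORD = {
    "ts": "2024-01-15T09:12:03Z",
    "user": "alice@example.com",
    "ad_group": "Finance",
    "src_ip": "10.20.30.40",
    "url": "https://example.org/report",
}


class CentralAuthority:
    """Hypothetical stand-in for the separately stored index that maps
    tokens back to usernames. Because it lives apart from the log store,
    a log record on its own never reveals who the user was."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the CA
        self._index = {}                     # token -> username

    def tokenize(self, username):
        # Keyed hash: the same user always gets the same token, so an admin
        # can still group one user's history, but without the key a token
        # cannot be recomputed from a guessed username.
        token = hmac.new(self._key, username.encode(), hashlib.sha256).hexdigest()[:16]
        self._index[token] = username
        return token

    def resolve(self, token, requester_is_admin):
        # Deobfuscation is a privileged operation, as in the FAQ.
        if not requester_is_admin:
            raise PermissionError("only privileged users may resolve tokens")
        return self._index[token]


def tokenize_record(record, ca):
    """Replace the username at the point of log generation. Other fields
    (AD group, IP address, URL) are left as-is, matching the description."""
    out = dict(record)
    out["user"] = ca.tokenize(record["user"])
    return out


def detokenize_record(record, ca, requester_is_admin):
    """Swap the username back in for a privileged viewer."""
    out = dict(record)
    out["user"] = ca.resolve(record["user"], requester_is_admin)
    return out
```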
8. Where is my data processed?
Zscaler will process tokenized and encrypted user data in whichever of our 150+ global data centers is located closest to the customer’s users, meaning the customer controls which data centers are used, depending on where the customer has users (e.g., EU data centers for EU users, US data centers for US users). If an EU user travels to the US, Zscaler will process the user’s personal data from the closest data center, which would be in the US. Note that data centers are not sub-processors; they are co-located facilities (i.e., rented rackspace) where Zscaler controls the processing at all times.
Even if a customer only has users in the EU, Zscaler provides global support services not only from the EU, but also from the US, India, and Costa Rica (for some US-based companies only) to ensure 24/7/365 coverage. This is a common practice among most cloud vendors.
9. What are Customer Logs?
Customer Logs are the records of network traffic metadata collected and stored for each transaction. Administrators can access and review Customer Logs via the Admin Portal to authenticate their users’ web requests. Customer Logs have various fields that may contain personal data, like Device Owner, User, Hostname, etc.
Zscaler offers customers the option to store their Customer Logs in the EU and Switzerland only, no matter where the global data processing may occur. Customers can set this up with Zscaler during the deployment process.
10. Does Zscaler commit to notifying users in the case of policy changes?
11. Does Zscaler notify users about data breaches?
If Zscaler becomes aware of a data breach, Zscaler will notify affected customers without undue delay after confirming the incident. Zscaler will take reasonable steps to (a) identify the cause of the Security Incident and (b) take any actions necessary and reasonable to remediate the cause of such Security Incident to the extent such remediation is within Zscaler’s reasonable control.
12. What approved legal framework does Zscaler rely on to transfer personal data outside of the EU?
Zscaler processes personal data around the globe through its network of 150+ data centers to provide its services. The GDPR requires that transfers of personal data outside of the EU be covered by an approved legal framework, such as the EU Standard Contractual Clauses. Therefore, Zscaler adheres to EU Standard Contractual Clauses and appropriate addenda for transfers of personal data outside of the EU, Switzerland, or the United Kingdom.
Here are some of the ways in which we ensure data protection as required by the EU Standard Contractual Clauses:
- Personal data is solely processed on behalf of our customers and according to their instructions.
- We implement the technical and organizational security measures as specified in the DPA before processing the personal data. For instance, we apply tokenization as one of the methods to protect Customer Logs.
- We notify our customers about any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited.
- We provide EU (Germany, Netherlands) and Switzerland-only log storage for our customers when first deploying our products.
- We ensure that our customers provide consent for our use of data sub-processors and that those data sub-processors provide equivalent protection to the data they process on our behalf.
- With prior written notice, and subject to certain Zscaler requirements and controls being put in place, we permit our customers and partners to perform annual audits and automated inspections of our cloud.
- We commit to ensuring ongoing compliance with the EU Standard Contractual Clauses and will implement any additional legally required measures within a reasonable time.
- We commit to and implement confidentiality measures to ensure personal data is protected.
For further detail, please see our Data Processing Agreement (DPA).
Although we rely on Standard Contractual Clauses in our standard DPA, Zscaler has elected to self-certify to the EU-US and Swiss-US Privacy Shield Frameworks administered by the US Department of Commerce (“Privacy Shield”). Zscaler complies with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
13. How does Zscaler protect my personal data?
Zscaler adheres to rigorous security, availability, confidentiality, and privacy standards so customers can adopt our services with confidence.
Our compliance team works to ensure all Zscaler products are aligned with and certified against internationally recognized government and commercial standards—frameworks that give customers an independent basis for confidence in our services.
Zscaler is certified under ISO 27001 and System and Organization Controls (SOC) 2 Type II standards and is audited annually by a third party to ensure ongoing compliance with these certifications. Zscaler regularly tests, assesses, and evaluates the effectiveness of its security measures. Upon written request, and subject to appropriate confidentiality protections being in place, Zscaler can provide customers with a copy of its most recent ISO 27001 certificate and/or SOC 2 Type II report.
Click here to learn more about our numerous privacy and security certifications.
14. How does enabling TLS/SSL inspection fall within security requirements and compliance with privacy laws?
Enabling TLS/SSL inspection does not change the limited amount of data Zscaler processes or stores. Rather, it helps our customers meet their obligations under Article 32 of the GDPR by providing the appropriate level of security for processing of personal data. Although there are business, privacy, and security implications in using TLS/SSL inspection that our customers must consider, this must be balanced against the obligation to ensure the rights of each customer employee are protected from threats and attacks. As such, rather than a threat to privacy, TLS/SSL inspection should be viewed as a tool supporting an organization’s privacy compliance.
Zscaler offers comprehensive TLS/SSL inspection capabilities to protect customer data from threats hidden in encrypted traffic. Once data inspection is complete, the data flow continues unimpeded, with no record of the source data preserved beyond the log of the transaction itself.
15. How do I exercise my right to access, correct, and delete my personal data?
Zscaler has an internal process for responding to data subjects’ requests. However, it is important to remember that as the data controller, our customer is responsible for reviewing and validating the request and submitting a support ticket to Zscaler. A data rights request should only be made if a data subject (usually a customer employee or user) makes such a request to our customer. If Zscaler receives a data rights request directly, we will redirect the person to our customer to validate and respond.
Customers in need of additional support can reach out to [email protected].
16. How long will Zscaler retain my data?
We process and store Personal Data only for the period necessary to achieve the purpose of the storage, or as permitted by law. The criterion used to determine the storage period is the respective statutory retention period. After that period expires, the corresponding information is routinely deleted, provided it is no longer necessary for the fulfillment of a contract.
17. Does Zscaler have an executive body responsible for privacy and data security risks?
Yes, the Zscaler board of directors has oversight responsibilities for all enterprise risks, including privacy. The Board delegates some of that responsibility to standing committees that report back to the full Board. The Audit Committee and the Nominating and Corporate Governance Committee are each tasked with overseeing privacy risks and cybersecurity threats.
18. Does Zscaler have a compliance and data protection/privacy officer?
Yes, our Privacy Team is tasked with ensuring that Zscaler complies with data protection laws and avoids the risks organizations face when processing personal data. Members of the Privacy Team are experts in the organization, forming the link between the public and Zscaler in relation to the processing of personal information. The Privacy Team acts as the body to which data protection queries are directed. Members of the Privacy Team are Certified Information Privacy Professionals (CIPP). At a high level, the VP of Cloud Operations is responsible for monitoring compliance with the policy.
19. Are employees and contractors trained on data security and/or privacy-related risks and procedures?
Privacy is paramount throughout Zscaler. We require our employees and contractors to complete privacy and security training during onboarding and refresh the training annually.
20. How does Zscaler comply with privacy legislation around the globe?
Zscaler is committed to maintaining compliance and carefully monitors the development of privacy legislation and regulations in various countries. For more information about how Zscaler complies with various privacy laws, please visit zscaler.com/privacy/global-privacy-laws.
For more information on international data transfers, please visit zscaler.com/privacy/international-data-transfer-policy.
21. Who do I contact if I have more questions?
You can email us at [email protected].