// Trust & Security Report
Zoho Corporation Pvt. Ltd.
Zoho Projects — cloud-based project management platform with collaboration, task tracking, time logging, Gantt charts, and AI-powered features (Zia). Available in multiple editions (free, standard, professional, business). Includes mobile apps and third-party integrations.
Certifications held
16
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on zoho.com“ISO/IEC 27001 — Valid: 21-Aug-2028. Widely recognized international security standard covering 'Applications, Systems, People, Technology, and Processes' across Zoho's cloud services”
Verify on zoho.com“SOC 2 Type 2 — Evaluates 'design and operating effectiveness of controls' meeting AICPA Trust Services Principles. Audit period: December-November annually; reports issued approximately three months post-completion. Security, Confidentiality, Processing Integrity, Availability, and Privacy.”
Verify on zoho.com“ISO/IEC 27701 — Valid: 21-Aug-2028. Privacy management extension enabling organizations to 'establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS)'”
Verify on zoho.com“ISO/IEC 27017 — Valid: 21-Aug-2028. Cloud-specific security controls providing 'implementation guidance for relevant controls' tailored to cloud service delivery”
Verify on zoho.com“ISO/IEC 27018 — Valid: 21-Aug-2028. Focuses on protecting personally identifiable information in public cloud environments, extending ISO/IEC 27001 and 27002 standards”
Verify on zoho.com“Zoho implements GDPR controls as baseline standard globally. Features include Data Processing Addendum (DPA) based on Model Contractual Clauses, Data Protection Impact Assessments, breach notification within 72 hours, and choice of data centers (EU and other regions)”
Verify on zoho.com“SOC 2 + HIPAA Type 2 — Third-party audit examining 'Security, Privacy and breach requirements' under HIPAA, with Zoho functioning as a Business Associate. Zoho Projects provides ePHI field marking, encryption, access control, and audit logging for healthcare compliance”
Verify on zoho.com“PCI DSS — Valid: 14-Oct-2026. Payment Card Industry compliance (Self-Assessment: SAQ-D) ensuring secure handling of card data across financial products”
Verify on zoho.com“ISO 9001 — Valid: 02-Feb-2029. Quality Management System demonstrating ability to 'consistently provide quality products and services'”
Verify on zoho.com“ISO 22301 — Valid: 20-Nov-2026. Business Continuity Management System protecting operations from disruptions”
Verify on zoho.com“Cyber Essentials Plus — Valid: 19-Sep-2026. UK government-backed certification with systems 'audited by approved assessors' for UK office and EU datacenters”
Verify on zoho.com“TX-RAMP — Valid: 20-June-2027. Texas compliance certification at Level 1 (ServiceDesk Plus) and Level 2 (Endpoint Central, Site24x7)”
Verify on zoho.com“ENS (Spain) — Valid: 15-May-2027. Spanish National Security Scheme certification at intermediate category for cloud and on-premises solutions”
Verify on zoho.com“CSA STAR Self-Assessment — Cloud Security Alliance compliance documenting adherence to Cloud Controls Matrix across all Zoho cloud services”
Verify on zoho.com“CCPA — California privacy law compliance. Zoho's features enable users to 'comply with the CCPA' requirements and processing of Californian customer data adheres to CCPA requirements”
Verify on zoho.com“SOC 1 (SSAE 18/ISAE 3402 - Type 2) — 'Primarily concerned with examining controls relevant for financial reporting' across multiple Zoho products”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multiple options including EU (via zoho.eu), US, and other regions. Choice of data center available at signup.
Zoho explicitly states: 'Zoho does not use customers' data to train the AI model or sell ads. As they have for more than 25 years, Zoho promises they will never monetize customers' data.' Customer content processed by Zia AI retains full customer ownership. No external vendor model exposure.
// Security controls
Role-Based Access Control
Fine-grained role and permission management with field-level controls
zoho.comGeographically Diverse Data Centers
Multiple geographically distributed data centers with replication for business continuity
zoho.comData Protection Impact Assessments
Conducts DPIAs as required by GDPR and other privacy regulations
zoho.com// Products & data scope
data: Basic project and task data; up to 3 users
Community edition with no cost. All certifications apply.
data: Full project collaboration, time tracking, resource management, custom fields with PII marking
Paid tiers with increasing feature sets. Support for GDPR, HIPAA, CCPA. Optional encryption of custom fields marked as PII.
data: Incorporates AI-powered features for task automation, insights, and recommendations
Customer data NOT used to train Zia models. AI processing stays within Zoho infrastructure. No model training on customer data.
// At a glance
Pricing model
Freemium subscription: Free, Standard ($45/month), Professional ($75/month), Business ($125/month). Per-user and per-project pricing options available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Zoho Corporation Pvt. Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
zoho.com