18.1 Compliance Certifications
Zoho Corporation holds the following compliance certifications applicable to Creator (Zoho Compliance):
- ISO/IEC 27001: Information security management
- ISO/IEC 27107: Cloud security management
- ISO/IEC 27018: Personal data management on cloud
- SOC 2 Type 2: Trust Services Principles (evaluated design and operating effectiveness)
- HIPAA: HIPAA-ready with features enabling compliant PHI handling
- GDPR: Compliant data processing practices
18.2 HIPAA in Zoho Creator
Zoho Creator provides features enabling HIPAA-compliant use:
- Fields can be designated as ePHI (electronic Protected Health Information) to enable special access controls.
- Audit logs are retained for 1 year for record changes and for 3 months for export/print actions.
- Audit logs can be exported as CSV.
- A Business Associate Agreement (BAA) template is available upon request (email [email protected]).
- Zoho Creator itself does not collect, use, store, or maintain ePHI for its own purposes; the responsibility lies with the app owner (HIPAA Compliance Guide).
18.3 Security Features
| Feature | Plans |
|---|---|
| Data Encryption at rest (Zoho-managed DEK/KEK) | Standard, Professional, Enterprise |
| TLS encryption in transit | All plans |
| Multi-Factor Authentication (MFA) | Standard, Professional, Enterprise |
| Password Policy | Standard, Professional, Enterprise |
| SAML-based Single Sign-On (SSO) | Enterprise; add-on for Standard/Professional |
| Active Directory Integration | Standard, Professional, Enterprise |
| Audit Trail (365 days for record changes) | Standard, Professional, Enterprise |
| Data Backup | Standard, Professional, Enterprise |
| Permission Sets | Standard (10/app), Professional (50/app), Enterprise (250/app) |
| Roles | Standard (50/app), Professional (200/app), Enterprise (1000/app) |
| Domain Authentication | Standard (1), Professional (3), Enterprise (5) |
| BYOK Encryption | Enterprise; request-only |
| PII and ePHI field controls | Standard, Professional, Enterprise |
| Multi-lingual support | Standard, Professional, Enterprise |
| Security Policies | Available in Governance section |
| Custom Authentication | Available |
18.4 Payload Encryption
Payload encryption (end-to-end encryption of form data in transit) was included in the 2025 H2 Release Projection. It is aimed at compliance scenarios where data must remain encrypted within the application layer itself, beyond the transport-level protection that TLS provides.