Introduction

Gofrugal is a digital-first company offering cloud and mobile ERP solutions to retail, restaurant, and distribution businesses. Security is one of the components in our offerings and is reflected in our people, processes, and products. This page outlines security practices, policies, and infrastructure for our cloud solutions. It covers topics like data security, operational security, and physical security to explain how we offer security to our customers.

Last updated on: 1st August 2024

Overview

  • Organizational security
  • Physical security
  • Infrastructure security
  • Data security
  • Identity and access control
  • Operational security
  • Incident management
  • Responsible disclosures
  • Customer controls for security

Organizational security

We have an Information Security Management System (ISMS) in place which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

Employee background checks

Each employee undergoes a process of background verification. We hire reputable external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

Security awareness

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles.

We educate our employees continually on information security, privacy, and compliance in our internal community, where employees check in regularly to keep themselves updated on the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.

Dedicated security and privacy teams

We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defence systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.

Internal audit and compliance

We have a dedicated compliance team to review procedures and policies in Zoho to align them with standards and to determine what controls, processes, and systems are needed to meet the standards.

Endpoint security

All workstations issued to the employees run up-to-date OS versions and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, patched, and tracked and monitored by Zoho's endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.

Physical security

At the workplace

We control access to our resources (buildings, infrastructure, and facilities), where accessing includes consumption, entry, and utilization, with the help of access cards. We provide employees, contractors, vendors, and visitors with different access cards that allow access strictly limited to the purpose of their entry into the premises. Our Human Resource (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.

Monitoring

We monitor all entry and exit movements throughout our premises in all our business centres through CCTV cameras deployed according to local regulations. Back-up footage is available up to a certain period, depending on the requirements for that location.

Infrastructure security

Network security

Our network security and monitoring techniques are designed to provide multiple layers of protection and defence. We use firewalls to protect our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from production.

We monitor firewall access on a strict, regular schedule. Our dedicated Network Operations Center team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using our proprietary tool, and notifications are triggered in any instance of abnormal or suspicious activity in our production environment.

Intrusion detection and prevention

Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on servers in our production network are logged. At the application layer, we have our proprietary WAF which operates on both whitelist and blacklist rules.

Data security

Secure by design

Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as the screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.

Our robust security framework, based on OWASP standards, is implemented in the application layer. It provides functionalities to mitigate threats such as SQL injection, cross-site scripting, and application-layer DoS attacks.

Encryption

In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred.

We have enabled HTTP Strict Transport Security headers (HSTS) in all our web connections. This tells all modern browsers only to connect to us over an encrypted connection, even if you type in a URL to an insecure page at our site. Additionally, on the web, we flag all our authentication cookies as secure.

At rest: Sensitive customer data at rest is encrypted; this varies with the services you opt for.

Data retention and disposal

Zoho retains the right to terminate your account and access to the services to prevent further use until payments for all charges on the account have been received. Please refer to this page for more information on our policy.

Identity and access control

Two-factor authentication

Two-factor authentication provides an extra layer of security by demanding an additional verification that the user must possess in addition to the password. This can greatly reduce the risk of unauthorized access if a user's password is compromised.

Administrative access

We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.

Operational Security

Logging and monitoring

We monitor and analyse information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs.

These logs are automatically monitored and analysed to a reasonable extent, which helps us identify anomalies such as unusual activity in employees' accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access to manage access control centrally and ensure availability.

Vulnerability management

We have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, with automated and manual penetration testing efforts. Furthermore, our security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company's infrastructure.

Once we identify a vulnerability requiring remediation, it is logged, prioritised according to severity, and assigned to an owner. We further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.

Business continuity

We have a business continuity plan for all our applicable products. It ensures organizational resilience during unexpected disruptions, such as natural disasters, cyberattacks, or economic downturns, and helps maintain essential functions and minimize downtime.

Incident management

Reporting

We have a dedicated security team to manage incidents. We notify our customers of the incidents in our environment that apply to them, along with suitable actions that they may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire, and provide customers with necessary evidence in the form of application and audit logs regarding incidents that apply to them. Furthermore, we implement controls to prevent the recurrence of similar situations.

We respond to the security or privacy incidents reported to us through incident@gofrugal.com with high priority.

Breach notification

As data controllers, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it. Depending on specific requirements, we notify the customers, too, when necessary. As data processors, we inform the concerned data controllers without undue delay.

Responsible disclosures

We have a vulnerability reporting program, "Bug Bounty", in place to reach the community of researchers. This recognises and rewards the work of security researchers. We are committed to working with the community to verify, reproduce, respond to, and implement appropriate solutions for the reported vulnerabilities.

If you happen to find any vulnerabilities, please submit them at www.gofrugal.com/bugbounty

Customer controls for security

So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things our customers can do to ensure security on their end:

  • Choose a unique, strong password and protect it.
  • Use two-factor authentication wherever applicable.
  • Use the latest browser versions, mobile OS, and updated mobile applications to ensure they are patched against vulnerabilities; use the latest security features.
  • Exercise reasonable precautions while sharing data from our cloud environment.
  • Monitor devices linked to their accounts, active web sessions, and third-party access to spot anomalies in activities on their accounts, and manage roles and privileges to the accounts.
  • Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may exploit sensitive information.

Conclusion

The security of data is a customer's right and a never-ending mission of Zoho. We will continue to work hard to keep customer data secure like we always have. For any further inquiries on this topic, please write to us at gofrugalsecurity@zohocorp.com.