SaaS & IT

Zoho

Ready Score 72/100
Analysis supervised by Sushant Pasumarty
📅 9 Feb 2026

Zoho scores the second highest at 72/100, reflecting its genuinely privacy-first culture. The company famously rejected advertising-based models, uses no third-party trackers, and publishes transparent sub-processor lists. The gaps are primarily around adapting its GDPR-centric framework to DPDP-specific requirements.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference — GDPR-focused
  • India-specific provisions not separated from global policy
  • Data Protection Board not referenced — references EU/US authorities
  • DPDP Section 14 nomination mechanism absent
  • Indian user data localization not explicitly guaranteed

✅ Strengths

  • Industry-leading privacy practices — certified privacy-first company
  • No third-party advertising trackers on any Zoho product
  • Comprehensive data processing agreements with enterprise customers
  • Transparent sub-processor list published
  • Strong data portability and deletion mechanisms
  • Regular privacy audits and SOC 2 compliance
  • Data centers in India operational for local data storage

Overview

Zoho is India’s most prominent SaaS company, offering 55+ business applications to 100M+ users globally. Uniquely among Indian tech companies, Zoho has built its brand around privacy — refusing advertising models, rejecting third-party trackers, and investing in data centers across India. While its privacy practices are among the best, specific DPDP alignment is needed.

DPDP Readiness: Section-by-Section Analysis

Zoho’s consent framework is strong:

  • Clear, layered privacy notices for each product
  • Purpose-specific data collection with transparent explanations
  • Most processing based on contractual necessity (B2B SaaS)
  • Cookie consent with granular controls

Minor gap: DPDP’s specific consent language not adopted — Zoho uses GDPR terminology.

Section 7 — Certain Legitimate Uses ✅

Zoho’s B2B model means most processing is:

  • Contractual necessity (providing the software service)
  • Customer instruction (B2B data processing agreement)
  • Legal compliance

This aligns well with DPDP’s legitimate use framework.

Section 8 — Obligations of Data Fiduciary ✅

Gold standard:

  • SOC 2 Type II certified
  • ISO 27001 compliance
  • Annual privacy audits
  • No third-party data brokers or advertising trackers
  • Zero advertising business model
  • Documented incident response procedures

Section 9 — Data Retention ✅

Well-documented retention with clear policies:

  • Account data: retained during subscription + 30 days post-cancellation
  • Backup data: purged within 90 days of account closure
  • Audit logs: defined retention periods
  • Marketing data: consent-based with easy opt-out

Minor gap: India-specific retention requirements not called out separately.

Section 11 — Rights of Data Principal ✅

Strong rights implementation:

  • Data export available for all products
  • Account deletion with defined timelines
  • Data portability in standard formats
  • Access requests handled through documented process

Gap: No DPDP Section 14 nomination mechanism.

Section 12 — Right of Grievance Redressal ⚠️

Zoho has a global privacy team reachable by email. However:

  • India-specific grievance officer not designated
  • Data Protection Board not referenced (references EU/US authorities)
  • No India-specific escalation path

Section 16 — Cross-Border Data Transfer ⚠️

Zoho has India data centers and offers India data residency to customers. However:

  • Default data location for Indian users may include US/EU data centers
  • Cross-border transfer is managed through GDPR-aligned Standard Contractual Clauses
  • DPDP’s cross-border framework (government-notified countries) may differ from GDPR’s adequacy decisions

Risk Assessment

Category                    Risk Level    Potential Impact
Regulatory fine             Low           Strong baseline practices
Security and privacy        Very Low      Industry-leading practices
DPDP-specific compliance    Medium        Needs GDPR-to-DPDP mapping
Cross-border data           Low-Medium    India data centers available
Data principal rights       Low           Already comprehensive

Why Zoho Is the Benchmark

Zoho demonstrates what privacy-first actually means:

Practice                     Zoho                  Industry Typical
Third-party trackers         Zero                  10-50+ per page
Advertising model            None                  Core revenue for many
Sub-processor transparency   Published list        Hidden or vague
Data portability             All products          Limited or none
Privacy audits               Annual, third-party   Rare

Recommendations

  1. Create DPDP-specific addendum — Map existing GDPR compliance to DPDP requirements for Indian users
  2. Designate India Grievance Officer — DPDP requires a specific grievance redressal mechanism
  3. Reference Data Protection Board — Include DPB as escalation alongside EU/US privacy authorities
  4. Implement Section 14 nomination — Add nomination mechanism for data principal rights
  5. Guarantee India data residency — Make India data center the default for Indian users/customers


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.