Security at ZoomInfo

ZoomInfo, headquartered in Vancouver, Washington, is a pioneering data company offering subscription-based SaaS solutions to over 35,000 businesses globally. For two decades, ZoomInfo has been instrumental in driving profitable growth for companies by enabling them to identify key prospects and decision-makers within their target markets.

ZoomInfo prioritizes security, dedicating itself to the safeguarding of information against both intentional and unintentional misuse. This commitment extends to protecting the information of customers, partners, vendors, and other third parties. Proudly, we have implemented a comprehensive Information Security Management System (ISMS) that aligns with the rigorous standards of ISO 27002:2022, ISO 27701, and ISO 27017. These certifications underscore the effectiveness of our control framework. Additionally, we have achieved the AICPA’s SOC 2 Type II attestation, highlighting our commitment to security, availability, and confidentiality controls surrounding our services.

Our security strategy is bolstered by a combination of expert security personnel, top-tier tools, and third-party services encompassing assessments, control reviews, technical evaluations, and testing. Continuous control monitoring across our environment is enhanced by additional security measures to counteract exploitation attempts. We rigorously evaluate our service providers’ security practices, requiring them to hold relevant certifications and conducting control analyses to effectively manage third-party risks.

Our comprehensive risk management and compliance framework underpins our information security program. Central to this program is our ISMS, which facilitates the assessment, management, monitoring, and mitigation of our information security risks through:

• Context of the Organization
• Leadership
• Planning
• Support
• Security Operations
• Performance Evaluation
• Continuous Improvement

The ISMS comprises policies and procedures for managing sensitive information, addressing access, handling processes, and the technology used. This systematic approach not only affects how individuals work but also helps cultivate a security-aware corporate culture at ZoomInfo.

Our information security team is a diverse collective of experienced professionals specializing in data governance, compliance, risk management, cyber threat intelligence, breach preparedness, security operations, and offensive security. Team members hold prestigious certifications, and we maintain strong ties with academic and governmental sectors, ensuring continuous adoption of best practices through ongoing education and training.

The ISMS ensures security processes and controls are integrated into both existing and new processes, making security an inherent part of our operations. We adhere to the ISO 31000 Risk Management Standard, conducting continuous risk assessments in collaboration with risk owners across ZoomInfo’s business units.

All employees and contractors undergo thorough vetting, including background checks, to ensure compatibility with our corporate culture. Continuous, dynamic security awareness training is mandated to nurture a security-focused mindset, embedding security into both professional and personal practices.

Our preventative security measures form a critical component of our layered security strategy, encompassing:

• Critical Assets: Identifying valuable business intelligence, customer data, and access credentials, ensuring access is appropriately provisioned.
• Data Protection: Implementing Multi-Factor Authentication (MFA) and/or Single Sign-On (SSO), encrypting customer data at rest with AES256, and securing browser-client communications minimally with TLS 1.2.
• Application Protection: Hosting services across major cloud providers with comprehensive security controls and employing automated operations to minimize human interaction with critical systems.
• Cloud Security: Utilizing multi-layered security provided by cloud architecture and firewall functionalities, augmented by third-party Web Application Firewalls and DDOS protection services.
• Network Security: Protecting our corporate and cloud environments with advanced gateway devices and employing robust access control mechanisms and processes to limit unauthorized access to network resources.
• End Point Devices: Ensuring devices operate with state-of-the-art malware protection, incident detection, and response capabilities, alongside regular patching and updates.
• Perimeter Defense: Employing a robust network infrastructure with limited access to minimize vulnerabilities.
• Physical Protection: Implementing stringent physical security measures at corporate offices and relying on cloud service providers for physical security of cloud infrastructure.

Our detection strategies employ leading-edge endpoint protection systems and sophisticated threat detection techniques, including:

• Threat Detection and Analysis: Utilizing comprehensive endpoint protection that reports to a central monitoring portal, allowing for the immediate disconnection of compromised systems.
• Network and Infrastructure Security: Defending against DDOS, employing Web Application Firewalls (WAFs), and implementing firewalls and intrusion detection systems to monitor and manage threats efficiently.
• Logging and Monitoring: Maintaining logs for performance, operations, and security events, with dedicated teams responsible for monitoring and promptly addressing anomalies or security incidents.
• Fraud and Abuse Detection: Operating a dedicated fraud and abuse team to monitor application activity, employing custom-built tools to detect and respond to anomalous actions in real-time.

ZoomInfo has developed a comprehensive response framework to effectively address and manage security events, ensuring swift and efficient resolution.

Our incident response and crisis management procedures are well-defined, enabling swift and effective action in various scenarios. We prioritize assessment, containment, eradication, and recovery, supported by ongoing training and simulation exercises.

ZoomInfo holds ISO 27001, ISO 27701, ISO 27017 certifications and has earned a comprehensive SOC 2 Type II attestation.

ZoomInfo proactively addresses security risks, conducting regular vulnerability assessments and maintaining a risk register for comprehensive risk tracking. Our approach ensures timely remediation based on the impact of identified risks.

For security-related inquiries or concerns, please reach out to us at security@zoominfo.com. Our team is dedicated to addressing your questions and ensuring the security of your information.