General Safe Harbor Notice

Effective Date: January 1, 2014

Notice and Scope of Safe Harbor Certification

Zimbra, Inc., ("Zimbra") adheres to the Safe Harbor Privacy Principles published by the U.S. Department of Commerce ("Safe Harbor Principles") with respect to personal data relating to residents in the European Economic Area and Switzerland ("EEA/CH Data") that we receive in the United States from our subsidiaries, enterprise customers, consumer customers, our customers' end users distributors, suppliers, and other business partners in Europe. In this notice, we explain how we collect and use EEA/CH Data except data relating to employees of our subsidiaries (which is covered by a separate notice that we distribute to such employees). Additional information on the Safe Harbor Principles and Zimbra’s scope of participation is available at

Categories of EEA/CH Data

Zimbra develops software and delivers solutions for business IT infrastructure to business customers. We receive mostly business-related information from Europe, but also contact information related to individual representatives of customers, distributors, resellers, suppliers, and other business partners (including, without limitation, names, job titles, addresses, work phone numbers, work email addresses, etc.) in connection with commercial and corporate transactions and other business relationships. Some of our customers are not incorporated and may provide their home address when they acquire software licenses from our authorized online store or when they register their products and service subscriptions with us. Zimbra also receives and processes EEA/CH Customer Data in connection with its ethics hotline including details of the reporter, the data subject of the report, the alleged misconduct, investigation, and any misuse of the ethics hotline program.

Zimbra also provides hosting services for customers where Zimbra provides the physical infrastructure onto which customers can deploy their virtual infrastructures. A customer or its end users or their agents place data into their cloud environments, which data might include personal data ("Hosted Content Information"). The customer is responsible for its Hosted Content Information, and Zimbra does not directly access this information except when acting on behalf of the customer. Zimbra merely acts as the data processor for its customers (the data controllers) with respect to Hosted Content Information. Zimbra's obligations with respect to personal data for which Zimbra is a data processor, are set forth in Zimbra's agreements with its customers. The customer remains responsible for the personal data that it collects and processes and for the compliance with applicable law, including compliance with any obligation to provide notice and obtain consents from a data subject. Zimbra's adherence to the Safe Harbor Principles may be limited by its role as a data processor or by applicable law.


Zimbra collects and uses EEA/CH Data (except for Hosted Content Information) for purposes of managing, improving, expanding and communicating regarding software license sales, supply, distribution and customer relationships, delivering software, services and related information (including, without limitation, promotional information on new products), managing its whistleblower hotline program, and conducting related tasks for legitimate business purposes and corporate development opportunities. Hosted Content Information is processed by Zimbra for the purpose of enabling or monitoring the functionality of the customer’s hosted service, and for providing the service.


Zimbra shares EEA/CH Data with corporate affiliates. We also make EEA/CH Data available to service providers and other contractors, which process EEA/CH Data on our behalf and subject to confidentiality restrictions. We also share EEA/CH Data with other third parties for the purposes for which we receive the data (e.g., performance of contractual obligations) and as required or permitted by law.


Recipients of marketing e-mails in Europe may opt-out of receiving further e-mail marketing communications from Zimbra by unsubscribing at, or by following opt-out instructions that are contained in each marketing e-mail. Requests to opt-out of transfers to third parties will also be considered, but limitations on data sharing may make it difficult or impossible for Zimbra to provide certain requested services. Zimbra may also have to disclose EEA/CH Customer Data where it is legally required to disclose (e.g., under statutes, contracts or otherwise) or the disclosure is permitted by law and Zimbra has a legitimate business interest in such disclosure.

Access and Review

Residents of the EEA and Switzerland whose EEA/CH Data Zimbra has directly collected may request access to, and the opportunity to correct, amend, or delete that information where it is inaccurate. To submit such requests or raise any other questions, please contact the Zimbra Safe Harbor Contact as described below. We will respond to your requests within thirty (30) days. Zimbra reserves the right to take appropriate steps to authenticate an applicant’s identity, charge an adequate fee before providing access and deny requests, except as required by the Safe Harbor Principles.


Zimbra will take reasonable measures including technical, physical and administrative measures to protect EEA/CH Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.

Safe Harbor Contact

If you have questions, please contact our If you have a comment or concern that cannot be resolved with Zimbra directly, you may contact the competent local data protection authority in your EEA/CH Member State.