General Data Protection Regulation
Zuora offers centralized management of GDPR compliance, allowing organization-level control over PII handling across all connected applications in OneID UI.
Zuora is fully compliant with the General Data Protection Regulation (GDPR) and provides enhanced controls at the organization level. With OneID, you can centrally manage how Personally Identifiable Information (PII) is handled across all connected Zuora applications, without configuring each tenant individually. This centralized approach reduces configuration overhead and helps ensure consistent enforcement of your internal privacy policies across the Zuora product suite.
As an Organization Administrator, you can define whether user PII is retained or anonymized when user accounts are deactivated. These policies are enforced consistently in OneID and across all associated Zuora tenants, helping you align Zuora’s behavior with your organization’s privacy and compliance requirements.
Note that PII may still be retained in audit logs when it is necessary for security monitoring, fraud detection, compliance, or legal obligations, as described in the section below. Zuora ensures that such data is handled securely, with appropriate access controls and retention policies in place.
Retention of personal data in audit logs under GDPR
Under the General Data Protection Regulation (GDPR), audit logs are considered legitimate and necessary processing when they are used to support the following purposes:
- Security monitoring
- Fraud detection
- Compliance and accountability
- Legal and regulatory obligations
This approach aligns with the following GDPR provisions:
- Article 6(1)(c) – Processing necessary for compliance with a legal obligation
- Article 6(1)(f) – Processing necessary for legitimate interests
- Article 32 – Security of processing
- Article 5(2) – Accountability
As a result, personally identifiable information (PII) may be retained in audit logs when it is required for these purposes. Zuora ensures that audit log data is handled securely, with appropriate access controls and data retention policies in place.