
Compliance Statement

Health Insurance Portability and Accountability Act (HIPAA)
Federal Financial Institutions Examination Council (FFIEC)
International Standards Organization (ISO) 17799
Gramm-Leach Bliley Act (GLBA)
Sarbanes-Oxley Act (SOA)
California SB-1386

THIS DOCUMENT IS INCORPORATED BY REFERENCE IN THE ZSENTRY MAIL TERMS OF SERVICE, BOTH FOR ZMAIL PREMIUM AND ZMAIL BASIC. ALL PROVISIONS OF THE ZSENTRY MAIL TERMS OF SERVICE APPLY TO THIS DOCUMENT.

NOTE: to avoid excessive capitalization, any letter case combination, including zmail, Zmail, ZMail, or ZMAIL is used to designate our ZMAIL product.

Zmail offers customers online access to registration and secure email services, as well as services enabled by the secure email service (e.g., voting, secure web access, bidding, and payments), and provides for the transmission of messages electronically (the "Services"). Each of these Services is web-based and utilizes an interface (the "Interface") accessed through a web-browser, email software or other compatible means.

HIPAA USE: The Interface and the data viewed or generated for transmission constitute fully compliant standard transactions under HIPAA. Compliance is provided on a technical level, guarding data integrity, confidentiality and availability. Each health organization utilizing these services must be HIPAA compliant if they are characterized as a Covered Entity (CE) under HIPAA. Other health organizations or persons may or may not be exempt from HIPAA. The Service protects Protected Health Information (PHI) and other sensitive information by using ZSENTRY technology and a variety of technologies and methods described herein. Further, the Service is not made aware of PHI and is, thus, not required to sign a Business Associate Agreement for its customers.

HIPAA AND ZMAIL PREMIUM USE: Zmail compliance with HIPAA extends to any modifications of the compliance deadlines that may be published in the future, and compliance is maintained from that point forward for as long as the HIPAA regulations are deemed to apply to the Service. When Zmail Premium users subscribe to the Service, we agree to maintain compliance with HIPAA regulations as they are modified.

FFIEC USE: The Service provides a proven anti-phishing solution with mutual authentication, two-factor authentication of users, and ID assurance for email communications, guarding data integrity, confidentiality and availability. Further, the Service provides layered security so that if security is breached, no user access data or personal data can be recognized or accessed.

CALIFORNIA SB-1386 USE: The California Security Breach Information Act (SB-1386), which went into effect July 1, 2003, requires all institutions and organizations that collect certain personal information to protect it against possible "identity theft." In addition, the Act stipulates that if there is a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained personal information. The Service protects personal information and other sensitive information by using ZSENTRY technology and a variety of technologies and methods described herein. Further, the Service is not made aware of personal information and has, thus, no personal information that might be affected by a security breach.

HIPAA, FFIEC, ISO 17799, GLBA, SOA, SB-1386, AND ZMAIL PREMIUM USE: Zmail free edition (Basic) is licensed only for personal, non-commercial use. For compliance, health organizations, financial organizations, businesses and commercial use require Zmail Premium.

ZMAIL, CENTRALIZED ADMINISTRATION AND USER PRIVACY: Zmail Premium offers Services for centralized administration of users by an organization (e.g., a health organization), while protecting user privacy. An organization may use the Interface with a Premium Manager account to directly, and at any time, invite, approve and unsubscribe its own users. Upon invitation by the organization, the user registers at zmail to define their own password and receive their own usercode. Upon approval by the organization, the user is granted a Premium User account linked to the organization's Premium Manager account; the user is identified online by a Premium Seal that includes the organization's name. Upon unsubscription by the organization, the user's Premium User account is immediately terminated and the Premium Seal revoked. At no moment is the organization made aware of any user's usercode or password.

Zmail employs the ZSENTRY technology for two factor authentication of users. Upon registration to the Service, the Service authenticates the user's mailbox by cryptographic challenge-response and issues directly to the user a digital certificate (the DTC™, or Digital Transaction Certificate). The DTC is compact, mnemonic and can be typed by the user for access authorization to use the Service, as if it were a username or usercode. The usercode (DTC) value is unpredictable and its use is protected by a user-defined password. Combined, the usercode and the password values are sufficiently unpredictable to prevent dictionary or brute-force attacks within the operational parameters. The Service does not have or maintain copies of the usercodes or passwords.

Mutual authentication is provided, with registered users authenticating the server first, in a two-phase process.

In the first authentication phase, the user submits the usercode (the DTC). Afterwards, but before the user inputs the password, the server using the ZSENTRY technology provides a Return Code (RC) for visual authentication by the user. The RC is previously known to the user but was never provided to the server and is not stored there. This is the second phase of the ZSENTRY authentication process and provides protection against server phishing and spoofing, as the ZSENTRY server must have the correct key to calculate the correct Return Code. If the RC displayed matches the RC known to the user, the user inputs the password. If the password is validated using the user's previously submitted usercode (DTC) and a Service-supplied key (the Service-supplied key does not depend on the user), then mutual authentication is completed, user access is granted and the user access keys are calculated by ZSENTRY.

The ZSENTRY user authentication process is done under trusted third party server-authenticated SSL access, preventing man-in-the-middle attacks. Even though SSL cannot prevent spoofing, phishing and pharming attacks, the combination of SSL and ZSENTRY user authentication can.
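The two-phase exchange described above can be followed in code. The block below is an added illustration written for this page, not ZSENTRY's implementation: the construction of the usercode (a random nonce plus an HMAC tag over the password under a service-wide key) and of the Return Code (an HMAC of the usercode under that same key) are modelling assumptions, since the page states only that the Service keeps no usercodes or passwords and that the key does not depend on the user. What the model shows is the property that matters: a server that lacks the service key cannot display the correct Return Code, so the client withholds the password, and the genuine server can still verify the password without any per-user record.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed service-wide secret (an assumption of this model). It is the only
# thing the server keeps; no usercode or password is ever stored.
SERVICE_KEY = b"constructed-service-key-for-illustration"


def _mac(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over several fields, so field boundaries cannot be confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def return_code(key: bytes, usercode: str) -> str:
    """Return Code (RC): derived from the service key and the usercode, never stored."""
    return _mac(key, b"return-code", usercode.encode())[:3].hex()


def register(password: str, nonce: Optional[bytes] = None) -> tuple:
    """Issue the usercode (models the DTC) and the RC the user memorises.

    The usercode is a random nonce plus a tag binding the password under the
    service key; the server can later check the password from these alone."""
    nonce = os.urandom(5) if nonce is None else nonce
    tag = _mac(SERVICE_KEY, b"usercode", nonce, password.encode())[:5]
    usercode = base64.b32encode(nonce + tag).decode()  # 10 bytes -> 16 chars, no padding
    return usercode, return_code(SERVICE_KEY, usercode)


def verify_password(key: bytes, usercode: str, password: str) -> bool:
    """Recompute the tag from the submitted password and compare in constant time."""
    try:
        raw = base64.b32decode(usercode)
    except ValueError:
        return False
    if len(raw) != 10:
        return False
    nonce, tag = raw[:5], raw[5:]
    expected = _mac(key, b"usercode", nonce, password.encode())[:5]
    return hmac.compare_digest(tag, expected)


class Server:
    """Either the genuine service (holds SERVICE_KEY) or an impostor with some other key."""

    def __init__(self, key: bytes):
        self.key = key

    def phase1(self, usercode: str) -> str:
        return return_code(self.key, usercode)

    def phase2(self, usercode: str, password: str) -> bool:
        return verify_password(self.key, usercode, password)


def client_login(server: Server, usercode: str, password: str, memorised_rc: str) -> str:
    """Client side of the two-phase login: authenticate the server before sending the password."""
    shown_rc = server.phase1(usercode)
    if not hmac.compare_digest(shown_rc, memorised_rc):
        return "aborted: Return Code mismatch, password withheld"
    return "granted" if server.phase2(usercode, password) else "denied"


if __name__ == "__main__":
    uc, rc = register("correct horse battery")
    print("usercode:", uc, "return code:", rc)
    print("genuine server:", client_login(Server(SERVICE_KEY), uc, "correct horse battery", rc))
    print("impostor server:", client_login(Server(b"impostor-key"), uc, "correct horse battery", rc))
```

The order of the two phases is the whole point: the password leaves the client only after the Return Code has been checked, so a spoofed site that has harvested the usercode still gets nothing it can replay.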

With ZSENTRY technology, message security has to do more with server availability assurance (which the Service can mitigate by server replication according to the required service level for each use) rather than assurances on data confidentiality and data integrity at the server or the user's machine.

User authentication by zmail with usercode/password resembles the familiar username/password authentication, which largely avoids the need for user education and directly supports usability. That the Service is actually usable by users, with no prior training required, is a very important factor in assuring compliance with security requirements by all personnel involved.

Zmail uses the ZSENTRY technology to protect personal and other sensitive information against inappropriate and unauthorized use and disclosure. Usercodes, passwords and user access keys are provided by the ZSENTRY technology and are not stored. Audit trails, which are implemented for all Interface operations, and personal data storage, including the email address book, are maintained with encrypted, de-identified numbers, whose access keys are provided and secured by the ZSENTRY technology. Therefore, if security is breached, no user access data or personal data can be recognized or accessed.

ZSENTRY technology is also used to provide a proven anti-phishing solution and two-factor authentication to protect user passwords from someone trying to guess them in dictionary or brute-force attacks; this protection works together with the additional user access protection methods described below.

In regard to additional technology used, zmail's networks are protected by the latest firewall technology and utilize trusted third-party certified server-authenticated SSL (Secure Sockets Layer) with the highest commercially available data encryption level (128 bit) for transmission of all web-based transactions. Servers employ power-on and user passwords, virus protection, and battery backup systems. Authorized users have restricted access to files. Operating system and security patches are kept current. Servers are constantly monitored for break-in attempts or other illegal activity.

Server-authenticated SSL connections are required. Users trying to connect or access without using SSL will be redirected to an SSL access page. If the SSL connection fails, the user is denied access.

User access is disabled after excessive invalid login attempts. Brute-force attacks may be used to try to gain unauthorized access to a zmail account. To prevent such access, the offending account will be automatically disabled after a defined number of invalid login attempts and shall remain in that state until reset. The user may request that access be reinstated.

The client's Internet Protocol (IP) address is blocked after excessive invalid login attempts. Denial-of-service and brute-force attacks may be used to try to slow down the server or gain unauthorized access to zmail accounts. To prevent this, the offending client IP address will be automatically added to the IP Access list of blocked addresses after a defined number of invalid login attempts and shall remain in that state until reset. The user may request that access be reinstated.

User access is disabled after an excessive number of messages is sent. Spam attacks may use a zmail account to send a malevolent virus, a phishing request, or simply an excessive number of messages to a large number of recipients. To prevent such use, the offending account will be automatically disabled after a defined number of sent messages and shall remain in that state until the next day. Premium account users have a larger quota per day and may request access to an additional quota per day.

User access is denied for excessively large messages or attachments. Email-bomb attacks may use a zmail account in a Denial-of-Service attempt to overflow a mailbox, to send a malevolent virus or a phishing request, or simply to send excessively large messages or attachments. To prevent such use, the offending account will be automatically blocked for that message. Premium account users have a larger size limit.

Auto logoff is enforced. After user login, in case the access is left idle for a defined number of minutes, the user is logged off automatically.
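Taken together, the five controls above (account lockout, IP blocking, a daily sending quota, a per-message size limit and idle logoff) form one small access policy. The following is an added example, not zmail's code: the thresholds, the "basic"/"premium" tiers and the 15-minute idle timeout are constructed values, because the page states only that "a defined number" applies in each case. The example shows the two kinds of lockout that stay in force until an explicit reset, the quota that clears with the calendar day, and the idle session that is dropped rather than merely flagged.

```python
from datetime import datetime, timedelta

# Constructed policy values (assumptions; the page does not give the numbers).
MAX_INVALID_PER_ACCOUNT = 5
MAX_INVALID_PER_IP = 20
DAILY_MESSAGE_QUOTA = {"basic": 50, "premium": 500}
MAX_MESSAGE_BYTES = {"basic": 2_000_000, "premium": 20_000_000}
IDLE_TIMEOUT = timedelta(minutes=15)


class AccessGuard:
    """Tracks login failures, sending volume and session idleness; decides allow/deny."""

    def __init__(self):
        self.failed_by_account = {}
        self.failed_by_ip = {}
        self.disabled_accounts = set()  # stay disabled until reset_account()
        self.blocked_ips = set()        # stay blocked until reset_ip()
        self.sent_today = {}            # (account, date) -> messages sent that day
        self.last_activity = {}         # session id -> last seen time

    def login_allowed(self, account, ip):
        return account not in self.disabled_accounts and ip not in self.blocked_ips

    def record_login(self, account, ip, success):
        """Count failures per account and per source IP; lock when a threshold is reached."""
        if success:
            self.failed_by_account.pop(account, None)
            return
        self.failed_by_account[account] = self.failed_by_account.get(account, 0) + 1
        if self.failed_by_account[account] >= MAX_INVALID_PER_ACCOUNT:
            self.disabled_accounts.add(account)
        self.failed_by_ip[ip] = self.failed_by_ip.get(ip, 0) + 1
        if self.failed_by_ip[ip] >= MAX_INVALID_PER_IP:
            self.blocked_ips.add(ip)

    def reset_account(self, account):
        """Support-driven reinstatement; nothing clears the lock on its own."""
        self.disabled_accounts.discard(account)
        self.failed_by_account.pop(account, None)

    def reset_ip(self, ip):
        self.blocked_ips.discard(ip)
        self.failed_by_ip.pop(ip, None)

    def message_allowed(self, account, tier, size_bytes, now):
        """Size limit applies per message; the daily quota resets with the calendar day."""
        if size_bytes > MAX_MESSAGE_BYTES[tier]:
            return False, "message too large"
        key = (account, now.date())
        if self.sent_today.get(key, 0) >= DAILY_MESSAGE_QUOTA[tier]:
            return False, "daily quota exhausted"
        self.sent_today[key] = self.sent_today.get(key, 0) + 1
        return True, "ok"

    def session_active(self, session_id, now):
        """True if the session is live; an idle session is logged off and forgotten."""
        last = self.last_activity.get(session_id)
        if last is not None and now - last > IDLE_TIMEOUT:
            del self.last_activity[session_id]
            return False
        self.last_activity[session_id] = now
        return True


def scenario():
    """Run a constructed sequence of events through the guard and return the decisions."""
    g = AccessGuard()
    day1 = datetime(2024, 1, 1, 9, 0)
    out = {}
    for _ in range(MAX_INVALID_PER_ACCOUNT):
        g.record_login("alice", "203.0.113.7", False)
    out["alice_locked"] = not g.login_allowed("alice", "203.0.113.7")
    out["bob_same_ip_ok"] = g.login_allowed("bob", "203.0.113.7")
    g.reset_account("alice")
    out["alice_after_reset"] = g.login_allowed("alice", "203.0.113.7")
    for i in range(MAX_INVALID_PER_IP):  # many accounts, one source: IP block, no account lock
        g.record_login(f"user{i}", "198.51.100.9", False)
    out["ip_blocked"] = not g.login_allowed("alice", "198.51.100.9")
    for _ in range(DAILY_MESSAGE_QUOTA["basic"]):
        g.message_allowed("carol", "basic", 1000, day1)
    out["quota_hit"] = g.message_allowed("carol", "basic", 1000, day1)
    out["next_day"] = g.message_allowed("carol", "basic", 1000, day1 + timedelta(days=1))
    out["too_large"] = g.message_allowed("carol", "basic", 3_000_000, day1)
    out["premium_large"] = g.message_allowed("dave", "premium", 3_000_000, day1)
    out["session_live"] = g.session_active("s1", day1) and g.session_active("s1", day1 + timedelta(minutes=10))
    out["session_idle"] = g.session_active("s1", day1 + timedelta(minutes=40))
    return out


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

Note that the per-IP counter is kept separately from the per-account counter: a source that spreads its attempts over many accounts never trips the account lock, which is exactly the case the IP block exists for.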

Zmail messages are time-stamped using a time reference synchronized to atomic clocks certified by the National Institute of Standards and Technology (NIST) and the US Naval Observatory (USNO). The time-stamp is visible in plaintext and is also tamper-proof, being digitally signed and encrypted with the message itself. The combination of the time-stamp evidence provided by Zmail acting as a trusted third-party with the ZSENTRY two factor authentication technology provides for non-repudiation, that is, it prevents a party from falsely denying an act.

Message senders can control the validity period of messages, both before and after reading is allowed, allowing senders to remotely enforce their document retention policy and copyright restrictions. Message senders can set an expiration date for their messages, forcing the zmail message to "self-destruct" after the expiration period set by the sender, and thereby protecting the message from future decryption. Message senders can also set a release date for their messages, disabling recipient access until the release date is reached.
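As an added example (not Zmail's code) of how the signed time-stamp of the previous paragraph and the sender-controlled validity window of this one fit together: the envelope layout is an assumption, and HMAC-SHA256 under a constructed key stands in for the digital signature so that the code runs on the standard library alone. The check refuses reading before the release date, after the expiration date, and whenever the time-stamp or body no longer matches what was signed, which is what makes a backdated copy detectable.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed signing key (assumption). A real deployment would use a public-key
# signature; HMAC is used here only so the example is self-contained.
SIGNING_KEY = b"constructed-signing-key-for-illustration"


def _canonical(fields: dict) -> bytes:
    """Stable serialization so signer and verifier hash exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(body: str, sent_at: datetime, release_at=None, expires_at=None) -> dict:
    """Bind the body, the time-stamp and the sender's validity window under one signature."""
    env = {
        "body": body,
        "sent_at": sent_at.isoformat(),
        "release_at": release_at.isoformat() if release_at else None,
        "expires_at": expires_at.isoformat() if expires_at else None,
    }
    env["sig"] = hmac.new(SIGNING_KEY, _canonical(env), hashlib.sha256).hexdigest()
    return env


def check_readable(env: dict, now: datetime) -> str:
    """Return "ok" or the reason reading is refused; signature first, then the window."""
    claimed = {k: v for k, v in env.items() if k != "sig"}
    expected = hmac.new(SIGNING_KEY, _canonical(claimed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(env.get("sig", ""), expected):
        return "rejected: time-stamp or body tampered"
    if env["release_at"] and now < datetime.fromisoformat(env["release_at"]):
        return "not yet released"
    if env["expires_at"] and now >= datetime.fromisoformat(env["expires_at"]):
        return "expired"
    return "ok"


def scenario() -> dict:
    """Constructed message with a one-day release delay and a seven-day life."""
    sent = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    env = seal("quarterly numbers", sent,
               release_at=sent + timedelta(days=1), expires_at=sent + timedelta(days=7))
    # A copy whose time-stamp has been pushed back a month: the signature no longer matches.
    backdated = dict(env, sent_at=(sent - timedelta(days=30)).isoformat())
    return {
        "before_release": check_readable(env, sent + timedelta(hours=1)),
        "in_window": check_readable(env, sent + timedelta(days=2)),
        "after_expiry": check_readable(env, sent + timedelta(days=8)),
        "backdated": check_readable(backdated, sent + timedelta(days=2)),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```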

The mailboxes of message recipients and message senders are authenticated by cryptographic challenge-response prior to the communication, allowing the online identity of the communicating parties to be positively verified.

Messages sent by zmail are encrypted end-to-end using the highest commercially available data encryption level (128 bit) technology and can only be read by the authenticated sender and recipients, within the message's validity period.

Message senders may allow unregistered recipients to read their messages, but only once. Because the message can be read only once, the recipient can self-verify that no one else read the message before. The unregistered recipient's mailbox is authenticated by cryptographic challenge-response before reading is allowed. The recipient can register to access the message more than once and reply using the Service.

Message senders may allow registered but not logged in recipients to read their messages, but only once. Because the message can be read only once, the recipient can self-verify that no one else read the message before. The recipient's mailbox is authenticated by cryptographic challenge-response before reading is allowed. The recipient can log in to access the message more than once and reply using the Service.

Messages can be digitally signed by senders, using a signing key solely under their control, to convey the benefits of a personal signature to recipients, which benefits depend on the jurisdictions involved.

Messages are not stored locally (in the user's computer) unless the user specifically commands the Interface to do so, either when read using the decryption Services, or as a draft being edited, or to be sent using the encryption Services. Messages can be stored locally in plaintext or encrypted.

By sender's choice, after a zmail message is sent using the encryption Services, an encrypted zmail message copy may also be sent to the sender (Bcc) for secure storage, either automatically for all messages or by selection. Bcc zmail messages are immediately released for reading and do not expire, preserving the sender's access while controlling recipients' access.

Senders can, automatically for all messages or by selection, prevent disclosure of the message subject in the plaintext headers, making it available only after decryption.

Senders may preserve the privacy of multiple recipients on the Internet (before decryption), and also from one another (after decryption). This is done by requesting the Service, respectively, to suppress the list of copied recipients in the email headers, and to send messages individually even if addressed to multiple recipients. These choices can be applied automatically for all messages or by selection.

Senders can request a Return Receipt from the recipient, showing the "Who, What, When, Where and How" regarding recipient information at the time the message was decrypted and read. Recipients have a choice to deny sending back the Return Receipt but only by not reading the message.

To preserve user privacy, the Services do not store cookies in the user's computer, except for session-only cookies that exist in computer memory for a defined number of days and only during that web-browser session. After the web-browser is shut down and restarted, or if the web-browser session is used past a number of days defined by each Service, there are no Service cookies present. All Service session cookies are encrypted and/or present only de-identified numbers.

Zmail is a zero-footprint application. The Services do not install software, plugins, ActiveX plugins, Java, or drivers, and do not store data in the user's computer. The Interface works using technologies already built into the web-browser, email software or other compatible means.

Additional privacy and security enhancements are described in the ZSENTRY MAIL TERMS OF SERVICE.

Development and © by NMA

Titles and product names are trademarks of NMA, Inc. as described in our Legal Statement.