Zoho is one of India’s brightest stars in the tech sky. Headquartered in Chennai, bootstrapped, profitable, and proudly independent, it has never bent to foreign capital or advertising dollars.
Recently, Union IT Minister Ashwini Vaishnaw not only endorsed Zoho, praising it as “totally bootstrapped and 100 per cent Swadeshi”, but also announced that he had personally switched to this indigenous application. That is the kind of applause that instantly warms an Indian heart—combining national pride with the reassurance that India can produce globally competitive, home-grown technology.
But here’s the uncomfortable truth: patriotism may win applause, but it doesn’t stop hackers.
Key questions
A recent Office Memorandum from the Ministry of Education (S&S Section, 3 October 2025) advised officials to adopt the Zoho Office Suite—already integrated with the NIC mail system—for creating and managing official documents, spreadsheets, and presentations. Staff are encouraged to familiarise themselves with the suite’s features, and the CMIS/NIC divisions have been tasked with providing support and on-site assistance.
The spirit is clear: align with the Swadeshi drive and strengthen “digital sovereignty”. Yet, this is precisely where sober due diligence matters. Has the suite’s security been independently vetted—say, by a CERT-In empanelled auditor or another competent government body—with a published assurance report? Is there a formal risk assessment covering identity and access management, data residency, incident response, and breach notification?
Some solitary voices have also raised governance concerns: Are we promoting and adopting a private company’s product—however capable—without transparent, competitive tendering? If this becomes a de facto standard across departments, the public deserves clarity on procurement method, cost comparisons, lock-in risks, and mandatory security recertification. While Swadeshi pride is important, process and proof are non-negotiable.
NIC weak link
The NIC email system—used by Union ministers, senior civil servants, and MPs—is officially recommended for reasons of data security and confidentiality of sensitive government communications. In practice, however, many officials still prefer Google’s Gmail for everyday use. The reason is awkward but simple: NIC servers sometimes go down. It happens rarely, but often enough, and sometimes at critical moments, leaving senior officers red-faced in the middle of important briefings or presentations.
Coupling Zoho with NIC may add functionality, but it won’t magically fix this structural reliability gap. Without SLA-backed uptime guarantees, redundancy, and tested disaster recovery, the integration risks inheriting NIC’s weakest link.
Zoho’s track record
Behind the celebratory headlines for Zoho lies a history we cannot ignore. The company’s ManageEngine products have been repeatedly exploited, often by highly sophisticated attackers.
The most dramatic attack was the Red Cross hack, where attackers used a Zoho vulnerability to compromise the records of over 5 lakh people. The same flaw was exploited in a broader campaign against defence, healthcare, and energy organisations, leaving thousands of servers compromised.
As recently as 2025, new critical vulnerabilities—such as SQL injection flaws in Zoho Analytics—were surfacing, drawing top severity ratings from global security trackers.
This isn’t a one-off stumble; it’s a recurring pattern. And the problem isn’t Zoho’s intent—it does patch the bugs quickly—but the fact that enterprise-grade tools are irresistible targets. And when those servers sit inside India, the fallout lands squarely at home.
A ministerial pat on the back may reassure us that Indian tech can compete—and it can—but endorsement must follow vigilance and robust security measures. Calling Zoho “Swadeshi” won’t make it unhackable. Hosting data in India improves sovereignty, but it doesn’t stop a zero-day attack written in Shanghai or St Petersburg from being deployed against Indian servers. In fact, concentrating sensitive data locally may simply create a shinier target.
There are other factors to consider. Several political figures once shifted to Koo, the Indian alternative to Twitter (now X), and Prime Minister Narendra Modi appreciated the effort. But when celebrities and global leaders stayed on Twitter, the platform never took off. The lesson is clear: campaigns and endorsements don’t beat architecture, user adoption, or threat models.
Signal’s safety protocol
Consider Signal. Developed in the US, it doesn’t have the patriotic label or Swadeshi glow. What it does have, however, is a relentless focus on privacy and security. The app offers:
- End-to-end encryption by default for every chat and call
- Minimal metadata (essentially just your phone number), leaving little to hand over, even under compulsion
- An open-source protocol that was even adopted by WhatsApp
The difference is structural. Signal’s safety rests on protocol guarantees; it’s not an afterthought.
Zoho must do more
None of this is to dismiss Zoho. It is a genuine Indian success story, and for business productivity—documents, spreadsheets, collaboration—it deserves applause.
But if Zoho wants to evolve from being a Swadeshi alternative for sarkari babus to becoming the default office suite for Indian corporates as well, it must go beyond slogans and endorsements. The suite will have to provide independent security certifications and audits, back uptime claims with contractual service-level agreements, and embrace rapid patch cycles. It must adopt zero-trust principles, ensure interoperability with global platforms, and guarantee procurement transparency with clear exit clauses.
Above all, Zoho will have to pair these assurances with Made-for-India usability. This includes Indic language support, offline-first features for patchy connectivity, and robust desktop clients for air-gapped or low-bandwidth setups.
Only by demonstrating these qualities visibly—through contracts, dashboards, and disclosures—can Zoho shift from being a patriotic option to a true enterprise default.
Respect Zoho, trust Signal
For government workflows, Zoho’s adoption can be a meaningful step in reducing foreign dependence. But for confidential messaging, India must not let patriotism cloud its judgement.
Ministries must prove security through independent audits, address NIC uptime shortcomings, and procure transparently. And Zoho must raise the bar for its security architecture.
Until then, the choice remains simple: respect Zoho, but rely on Signal.
KBS Sidhu is a former IAS officer who retired as Special Chief Secretary, Punjab. He tweets @kbssidhu1961. Views are personal.
(Edited by Prasanna Bachchhav)