Zoom
Enterprise-Ready
The vendor is rated Enterprise-Ready with a score of 89 out of 100. This readiness is supported by SOC 2 and ISO certifications confirmed via their trust portal, with audit reports available under NDA. A material security finding notes CVE-2025-46789 (MEDIUM) with no fix listed in the tracked advisory feed; "no fix listed" means the feed carries no fixed-version reference, not that the vendor has confirmed the issue is unpatched. The most useful next step is to ask Zoom for the remediation status of this vulnerability and to confirm whether the client or service versions you actually use are affected.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, ISO 27017, ISO 27018, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data; the Free/Pro terms state the same (see the per-tier clauses under Data & Contract Facts).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No Zoom breach indexed in Have I Been Pwned (HIBP catalogues leaked credential datasets, so absence there is not proof that no incident occurred).
- Vulnerability Exposure 11 known CVE(s); none currently in CISA KEV.
- Email Spoofing Protection (DMARC) DMARC record at an enforcing policy (quarantine or reject): mail spoofing the vendor's sending domain is quarantined or rejected by receivers that honour DMARC.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 11 legal/policy documents publicly tracked.
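The "DMARC enforced" line above is a deterministic check, and it is worth knowing what such a check actually decides. The following added example is not Zoom's or Swanum's code; it classifies a DMARC TXT record by the RFC 7489 tags that matter for enforcement (v=DMARC1 first, p= required, sp= defaulting to p=, pct= defaulting to 100) and treats only quarantine/reject applied to 100% of mail as enforced. The records in SAMPLE_RECORDS are constructed samples, not live answers for _dmarc.zoom.us.

```python
"""Decide whether a DMARC record is at an enforcing policy.

Added example for this brief, not the vendor's or the tracker's code.
SAMPLE_RECORDS are constructed, not live DNS data. Tag semantics follow
RFC 7489: v=DMARC1 must be the first tag, p= is required, sp= falls back
to p=, and pct= defaults to 100.
"""
from __future__ import annotations

from dataclasses import dataclass

ENFORCING_POLICIES = {"quarantine", "reject"}
VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass(frozen=True)
class DmarcVerdict:
    valid: bool                    # parsed as a usable DMARC policy record
    policy: str | None             # p= value for the organisational domain
    subdomain_policy: str | None   # effective sp= (falls back to p=)
    pct: int                       # share of failing mail the policy applies to
    enforced: bool                 # quarantine/reject applied to 100% of mail
    subdomains_enforced: bool      # same test for the effective sp= value
    reason: str


def parse_tags(record: str) -> list[tuple[str, str]]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into ordered (tag, value) pairs."""
    pairs = []
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # tolerate a trailing semicolon
        if "=" not in chunk:
            raise ValueError(f"malformed tag: {chunk!r}")
        tag, value = chunk.split("=", 1)
        pairs.append((tag.strip(), value.strip()))
    return pairs


def _invalid(reason: str) -> DmarcVerdict:
    return DmarcVerdict(False, None, None, 100, False, False, reason)


def evaluate_dmarc(record: str) -> DmarcVerdict:
    """Classify one TXT record the way a 'DMARC enforced' check should."""
    try:
        pairs = parse_tags(record)
    except ValueError as exc:
        return _invalid(str(exc))
    # RFC 7489: v=DMARC1 must match exactly and must be the first tag.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return _invalid("not a DMARC record: first tag must be v=DMARC1")
    tags = {tag.lower(): value for tag, value in pairs[1:]}
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return _invalid("missing or invalid p= tag")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        return _invalid("invalid sp= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return _invalid("invalid pct= tag")
    if not 0 <= pct <= 100:
        return _invalid("pct= out of range")
    enforced = policy in ENFORCING_POLICIES and pct == 100
    sub_enforced = sub_policy in ENFORCING_POLICIES and pct == 100
    if enforced and sub_enforced:
        reason = f"p={policy} applies to all mail"
    elif policy == "none":
        reason = "p=none is monitor-only; spoofed mail is still delivered"
    elif pct < 100:
        reason = f"p={policy} covers only {pct}% of failing mail"
    else:
        reason = f"p={policy} but sp={sub_policy} leaves subdomains unenforced"
    return DmarcVerdict(True, policy, sub_policy, pct, enforced, sub_enforced, reason)


SAMPLE_RECORDS = {  # constructed samples, not real DNS answers
    "reject-all": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial-rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@example.com",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "not-dmarc": "v=spf1 include:_spf.example.com -all",
}


def enforcement_report(records: dict[str, str] = SAMPLE_RECORDS) -> dict[str, bool]:
    """Label -> True only when both the org domain and its subdomains are enforced."""
    report = {}
    for name, record in records.items():
        verdict = evaluate_dmarc(record)
        report[name] = verdict.enforced and verdict.subdomains_enforced
    return report


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        v = evaluate_dmarc(record)
        print(f"{name:16} enforced={v.enforced!s:5} subdomains={v.subdomains_enforced!s:5} {v.reason}")
```

In practice the record comes from a TXT lookup of `_dmarc.<domain>` (for example `dig TXT _dmarc.zoom.us`); feed that string to `evaluate_dmarc`. The subdomain and pct cases are the ones a one-line "DMARC enforced" badge usually hides: p=reject with sp=none or pct below 100 still lets spoofed mail through.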
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://www.zoom.com/en/industry/healthcare/ |
| GDPR | Stated by vendor | https://zoom.us/gdpr |
| HIPAA | Stated by vendor | https://zoom.us/trust/security |
| ISO 27001 | Stated by vendor | https://zoom.us/trust/security |
| SOC 2 | Stated by vendor | https://zoom.us/trust/security |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Arbitration / Dispute Resolution (key clause) | Yes. Vendor's exact wording: “READ THIS AGREEMENT CAREFULLY, AS IT PROVIDES, AMONG OTHER THINGS: (i) in Section 27, that you and Zoom will arbitrate certain claims instead of going to court and that you will not bring class-action claims against Zoom;” | https://www.zoom.com/en/trust/terms/ |
| IP / Content Ownership (key clause) | Yes. Vendor's exact wording: “You retain all ownership rights in your Customer Content subject to any license or other rights granted herein.” | https://www.zoom.com/en/trust/terms/ |
| Sub-processors | Amazon Web Services, Anthropic, Authzed, Inc., Cloudflare, Eleven Labs Inc., Google Cloud Platform, MaestroQA, Microsoft, MongoDB, OneTrust, OpenAI, Oracle, Perplexity, Qualtrics, Sendbird, SendSafely, ServiceNow, Suki AI, Sumit-AI, TaskUS, Twilio, Stripe. Vendor's exact wording: “Zoom also works with the listed service subprocessors below to provide the noted functionality.” | https://www.zoom.com/en/trust/subprocessors/ |
| Sub-processors (published list) | See source document | https://explore.zoom.us/en/subprocessors/ |
| Trains on Customer Data (key clause) | Free / Pro: does not train. Zoom does not use any customer audio, video, chat, screen-sharing, attachments or content to train Zoom's or third-party (OpenAI/Anthropic) AI models (codified in ToS Section 10). Enterprise: does not train. Applies to all AI Companion deployment options including Zoom-hosted third-party models on AWS Bedrock; feedback you submit is used to improve the product, not for training. | See per-tier citations |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2025-07-10 CVE CVE-2025-46789 disclosed (MEDIUM · no fix listed)
- 2023-06-30 CVE CVE-2023-36539 disclosed (MEDIUM · no fix listed)
- 2021-03-18 CVE CVE-2021-28133 disclosed (MEDIUM · no fix listed)
- 2020-06-08 CVE CVE-2020-6110 disclosed (HIGH · no fix listed)
- 2020-06-08 CVE CVE-2020-6109 disclosed (CRITICAL · no fix listed)
- 2020-04-17 CVE CVE-2020-11877 disclosed (HIGH · no fix listed)
- 2020-04-17 CVE CVE-2020-11876 disclosed (HIGH · no fix listed)
- 2020-04-03 CVE CVE-2020-11500 disclosed (HIGH · no fix listed)
- 2020-04-01 CVE CVE-2020-11470 disclosed (LOW · no fix listed)
- 2020-04-01 CVE CVE-2020-11469 disclosed (HIGH · no fix listed)
- 2019-07-09 CVE CVE-2019-13450 disclosed (MEDIUM · no fix listed)
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://explore.zoom.us/en/trust/ |
| ISO 27017 | Available via Trust Center | https://explore.zoom.us/en/trust/ |
| ISO 27018 | Available via Trust Center | https://explore.zoom.us/en/trust/ |
| SOC2 TYPE2 | Available via Trust Center | https://explore.zoom.us/en/trust/ |
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Cookie policy | https://zoom.us/cookie-policy |
| DPA | https://zoom.us/docs/gdpr/ |
| EULA | https://explore.zoom.us/en/eula-terms-of-service/ |
| GDPR compliance | https://zoom.us/gdpr |
| Pricing | https://zoom.us/pricing |
| Privacy policy | https://explore.zoom.us/en/privacy/ |
| Security | https://www.zoom.com/en/trust/security/ |
| Sub-processors | https://explore.zoom.us/en/subprocessors/ |
| Terms of Service | https://explore.zoom.us/en/terms/ |
| Trust center | https://www.zoom.com/en/trust/ |
| Vulnerability disclosure (security.txt) | https://zoom.us/.well-known/security.txt |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding; it is executed as an addendum to the enterprise agreement. |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
Continuous Monitoring change-tracking active
7 legal & policy documents under change-monitoring since 2026-05-31. 23 tracked changes detected since baseline.
- 2026-06-28 · CVE / Security Incident: 11 new CVEs (published from 2019-07-09): CVE-2019-13450, CVE-2020-11469, CVE-2020-11470, CVE-2020-11500, CVE-2020-11876, CVE-2020-11877 (+5 more). 11 of these h
  What this means: these CVEs were newly added to monitoring, not newly disclosed; the oldest dates from 2019. The tracked feed lists no vendor fix for them, which is not the same as the vendor having none. Check the versions you have deployed against Zoom's security bulletins before treating them as open exposure, and ask for remediation status where the feed shows none.
- 2026-06-22 · CVE / Security Incident: 25 new CVEs (published from 2022-02-09): CVE-2022-22780, CVE-2022-22781, CVE-2022-22782, CVE-2022-22784, CVE-2022-22785, CVE-2022-22786 (+19 more). 1 of these h
  What this means: historical CVEs (2022 onward) newly added to monitoring. Where the feed lists no vendor fix, ask for the remediation status and confirm whether your deployed versions are affected.
- 2026-06-20 · ToS Clause Change: the EULA was re-published with formatting changes only; no clause changed.
  What this means: no change to fees, billing, refunds or any other obligation. The 9 added and 9 removed passages replace mis-encoded characters (such as 'â€' and non-breaking spaces) with standard quotation marks, apostrophes and spaces. Verify against the diff excerpt below.
@@ -12,18 +12,18 @@ IMPORTANT, READ CAREFULLY: YOUR USE OF AND ACCESS TO THE WEBSITE AND PRODUCTS AND SERVICES AND ASSOCIATED SOFTWARE (COLLECTIVELY, THE “SERVICES”) OF ZOOM COMMUNICATIONS, INC. AND ITS AFFILIATES (“ZOOM”) IS CONDITIONED UPON YOUR COMPLIANCE AND ACCEPTANCE OF THESE RESELLER CUSTOMER TERMS OF SERVICE, WHICH INCLUDE YOUR AGREEMENT TO ARBITRATE CLAIMS. PLEASE REVIEW THOROUGHLY BEFORE ACCEPTING. System Requirements - . Use of the Services requires one or more compatible devices, Internet access (fees may apply), and certain software (fees may apply), and may require obtaining updates or upgrades from time to time. Because use of the Services involves hardware, software, and Internet access, Your ability to access and use the Services may be affected by the performance of these factors. High speed Internet access is recommended. You acknowledge and agree that such system requirements, which may be changed from time to time, are Your responsibility. +. Use of the Services requires one or more compatible devices, Internet access (fees may apply), and certain software (fees may apply), and may require obtaining updates or upgrades from time to time. Because use of the Services involves hardware, software, and Internet access, Your ability to access and use the Services may be affected by the performance of these factors. High speed Internet access is recommended. You acknowledge and agree that such system requirements, which may be changed from time to time, are Your responsibility. 1. DEFINITIONS. The following definitions will apply in this Agreement, and any reference to the singular includes a reference to the plural and vice versa. Service specific definitions are found in the Services Description located at www.zoom.us/services-description . -1.1 â +1.1 “ Affiliate -â means, with respect to a Party, any entity that directly or indirectly controls, is controlled by or is under common control with that Party. 
For purposes of this Agreement, âcontrolâ means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity. -1.2 â +” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by or is under common control with that Party. For purposes of this Agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity. +1.2 “ Agreement -â means these Zoom Reseller Customer Terms of Service and all content incorporated herein, including but not limited to exhibits, policies, notices, and terms. -1.3 â +” means these Zoom Reseller Customer Terms of Service and all content incorporated herein, including but not limited to exhibits, policies, notices, and terms. +1.3 “ End User -â means a Host or Participant (as defined in the +” means a Host or Participant (as defined in the Services Description ) who uses the Services. 
@@ -31,27 +31,27 @@ Initial Subscription Term ” means the initial subscription term for a Service as specified in the Reseller Customer Agreement. -1.5 â +1.5 “ Laws -â means all U.S. or non-U.S. national, regional, state, provincial or local laws, statutes, rules, regulations, ordinances, administrative rulings, judgments, decrees, orders, directives, policies, or treaties applicable to Zoomâs provision and Customerâs use of the Services. +” means all U.S. or non-U.S. national, regional, state, provincial or local laws, statutes, rules, regulations, ordinances, administrative rulings, judgments, decrees, orders, directives, policies, or treaties applicable to Zoom’s provision and Customer’s use of the Services. 1.6 “ Renewal Term ” means the renewal subscription term for a Service commencing after th |
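Review bot: every removed/added pair in both hunks differs only by mojibake repair, not by wording. In the first hunk the definitions 1.1 through 1.3 swap a stray "â" for the curly quotes “ and ”, and in the second hunk 1.5 does the same plus "Zoomâs provision and Customerâs use" becoming "Zoom’s provision and Customer’s use"; the System Requirements paragraph is re-emitted with identical text, so that pair can only be a whitespace change. Nothing here touches fees, billing or refunds, so the entry belongs in a formatting-only category rather than a clause-change one.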
- 2026-06-19 · CVE / Security Incident: 25 new CVEs (published from 2023-01-09): CVE-2022-36928, CVE-2023-22880, CVE-2023-22881, CVE-2023-22882, CVE-2023-28597, CVE-2023-28598 (+19 more). 1 of these h
  What this means: historical CVEs (2023 onward) newly added to monitoring. Where the feed lists no vendor fix, ask for the remediation status and confirm whether your deployed versions are affected.
- 2026-06-18 · Sub-processor Change: 2 sub-processor(s) removed: Apple, Google Firebase.
  What this means: these are removals, not additions, so no new third party gains access to your data. Update the approved sub-processor list in your DPA records, and if either party previously held your data, confirm how it is deleted or returned.
Fourth-Party Supply Chain deterministic · cited
Your data reaches these fourth parties through Zoom. Source: vendor's published sub-processor list.
If one of these fourth parties has a critical security event, you may be indirectly exposed even without a direct contract. Swanum flags this in your alerts.
Search the Legal Documents verbatim · cited
Search Zoom's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Monitor Zoom — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Zoom changes something that affects your risk. Built for procurement & security teams.