AI Vendor Security & Compliance Brief

Zoom

Independent due-diligence summary · every fact links to the vendor's official source
10 source-cited facts
0 independently verified certs
11 legal documents tracked
Generated 2026-07-03
89/100
AI Governance Readiness

Enterprise-Ready

The vendor is rated Enterprise-Ready with a score of 89 out of 100. This readiness is supported by confirmed SOC 2 and ISO certifications via their trust portal, with audit reports available under NDA. A material security finding notes CVE-2025-46789 (MEDIUM) with no fix listed. The most useful next step is to ask for the remediation timeline for this vulnerability and confirm your exposure.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, ISO 27017, ISO 27018, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement A Data Processing Agreement is published and tracked.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure 11 known CVE(s); none currently in CISA KEV.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 11 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Compliance Posture vendor-stated · cited

Framework               Status            Source
BAA Available (HIPAA)   Stated by vendor  https://www.zoom.com/en/industry/healthcare/
GDPR                    Stated by vendor  https://zoom.us/gdpr
HIPAA                   Stated by vendor  https://zoom.us/trust/security
ISO 27001               Stated by vendor  https://zoom.us/trust/security
SOC 2                   Stated by vendor  https://zoom.us/trust/security
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

Attribute: Arbitration / Dispute Resolution (key clause: True)
Value (vendor's exact wording): “READ THIS AGREEMENT CAREFULLY, AS IT PROVIDES, AMONG OTHER THINGS: (i) in Section 27, that you and Zoom will arbitrate certain claims instead of going to court and that you will not bring class-action claims against Zoom;”
Source: https://www.zoom.com/en/trust/terms/

Attribute: IP / Content Ownership (key clause: True)
Value (vendor's exact wording): “You retain all ownership rights in your Customer Content subject to any license or other rights granted herein.”
Source: https://www.zoom.com/en/trust/terms/

Attribute: Sub-processors
Value: Amazon Web Services, Anthropic, Authzed, Inc., Cloudflare, Eleven Labs Inc., Google Cloud Platform, MaestroQA, Microsoft, MongoDB, OneTrust, OpenAI, Oracle, Perplexity, Qualtrics, Sendbird, SendSafely, ServiceNow, Suki AI, Sumit-AI, TaskUS, Twilio, Stripe
Vendor's exact wording: “Zoom also works with the listed service subprocessors below to provide the noted functionality.”
Source: https://www.zoom.com/en/trust/subprocessors/

Attribute: Sub-processors (published list)
Source: https://explore.zoom.us/en/subprocessors/

Attribute: Trains on Customer Data (key clause)
Free / Pro: does not train. Zoom does not use any customer audio, video, chat, screen-sharing, attachments or content to train Zoom's or third-party (OpenAI/Anthropic) AI models — codified in ToS Section 10. (cited)
Enterprise: does not train. Applies to all AI Companion deployment options including Zoom-hosted third-party models on AWS Bedrock. Feedback you submit is used to improve the product, not for training. (cited)
Source: see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV): Found 11
  Vulnerabilities are usually disclosed after the vendor ships a fix, so most carry a patch. What matters for your risk is whether any are actively exploited (CISA KEV) and whether you run a patched version — patched entries below are a normal sign of an active security-response process, not an open exposure.
Vulnerability Disclosure Policy (security.txt): Found 1
Email Spoofing Protection (DMARC): Protected
  DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate: Valid
Data Breach History: None found
  Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard): Not applicable
  Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening: None found
  Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05): None found
  Queried the authoritative source; no records.

Security & Compliance Timeline authoritative · dated

Dated, source-cited history from authoritative records (NVD, SEC, CISA KEV). Subscribe to get alerted the moment a new event lands.

Certifications Available Under NDA / Trust Center attested · report gated

Certification  Status                      Trust Center
ISO 27001      Available via Trust Center  https://explore.zoom.us/en/trust/
ISO 27017      Available via Trust Center  https://explore.zoom.us/en/trust/
ISO 27018      Available via Trust Center  https://explore.zoom.us/en/trust/
SOC2 TYPE2     Available via Trust Center  https://explore.zoom.us/en/trust/
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.

Common compliance questions

Each answer is grounded in the cited evidence above — with an honest "no evidence on file" where nothing is published.

Tracked Legal & Policy Documents

Document         URL
Cookie           https://zoom.us/cookie-policy
DPA              https://zoom.us/docs/gdpr/
EULA             https://explore.zoom.us/en/eula-terms-of-service/
GDPR Compliance  https://zoom.us/gdpr
Pricing          https://zoom.us/pricing
Privacy          https://explore.zoom.us/en/privacy/
Security         https://www.zoom.com/en/trust/security/
Subprocessors    https://explore.zoom.us/en/subprocessors/
ToS              https://explore.zoom.us/en/terms/
Trust            https://www.zoom.com/en/trust/
Vuln Mgmt        https://zoom.us/.well-known/security.txt

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

Document: Business Associate Agreement (BAA)
Availability: On request (HIPAA only)
How to obtain: A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center →

Document: Master Services Agreement (MSA)
Availability: Negotiated per contract
How to obtain: The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center →

Document: Service Level Agreement (SLA)
Availability: Enterprise tier
How to obtain: A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center →

Continuous Monitoring change-tracking active

7 legal & policy documents under change-monitoring since 2026-05-31. 23 tracked changes detected since baseline.

Monitored documents: BAA, Cookie, DPA, EULA, Privacy, Subprocessors, ToS

Detected    Change    Detail
2026-06-28 CVE / Security Incident 11 new CVEs (published from 2019-07-09): CVE-2019-13450, CVE-2020-11469, CVE-2020-11470, CVE-2020-11500, CVE-2020-11876, CVE-2020-11877 (+5 more). 11 of these h
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
2026-06-22 CVE / Security Incident 25 new CVEs (published from 2022-02-09): CVE-2022-22780, CVE-2022-22781, CVE-2022-22782, CVE-2022-22784, CVE-2022-22785, CVE-2022-22786 (+19 more). 1 of these h
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
2026-06-20 ToS Clause Change The EULA was re-published with only formatting changes — no clause change.
What this means: This change to the EULA touches fees, billing or refunds. Read 9 added and 9 removed passages in the current EULA to see whether it affects your obligations or risk.

In plain terms — verify against the exact changed text below: The document was updated to replace special characters like 'â€' and ' ' with standard punctuation marks such as double quotation marks and spaces.

@@ -12,18 +12,18 @@ IMPORTANT, READ CAREFULLY: YOUR USE OF AND ACCESS TO THE WEBSITE AND PRODUCTS AND SERVICES AND ASSOCIATED SOFTWARE (COLLECTIVELY, THE “SERVICES”) OF ZOOM COMMUNICATIONS, INC. AND ITS AFFILIATES (“ZOOM”) IS CONDITIONED UPON YOUR COMPLIANCE AND ACCEPTANCE OF THESE RESELLER CUSTOMER TERMS OF SERVICE, WHICH INCLUDE YOUR AGREEMENT TO ARBITRATE CLAIMS. PLEASE REVIEW THOROUGHLY BEFORE ACCEPTING.
 System Requirements
- . Use of the Services requires one or more compatible devices, Internet access (fees may apply), and certain software (fees may apply), and may require obtaining updates or upgrades from time to time. Because use of the Services involves hardware, software, and Internet access, Your ability to access and use the Services may be affected by the performance of these factors. High speed Internet access is recommended. You acknowledge and agree that such system requirements, which may be changed from time to time, are Your responsibility.
+. Use of the Services requires one or more compatible devices, Internet access (fees may apply), and certain software (fees may apply), and may require obtaining updates or upgrades from time to time. Because use of the Services involves hardware, software, and Internet access, Your ability to access and use the Services may be affected by the performance of these factors. High speed Internet access is recommended. You acknowledge and agree that such system requirements, which may be changed from time to time, are Your responsibility.
 1. DEFINITIONS.
 The following definitions will apply in this Agreement, and any reference to the singular includes a reference to the plural and vice versa. Service specific definitions are found in the Services Description located at
 www.zoom.us/services-description
 .
-1.1 “
+1.1 “
 Affiliate
-” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by or is under common control with that Party. For purposes of this Agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.
-1.2 “
+” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by or is under common control with that Party. For purposes of this Agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.
+1.2 “
 Agreement
-” means these Zoom Reseller Customer Terms of Service and all content incorporated herein, including but not limited to exhibits, policies, notices, and terms.
-1.3 “
+” means these Zoom Reseller Customer Terms of Service and all content incorporated herein, including but not limited to exhibits, policies, notices, and terms.
+1.3 “
 End User
-” means a Host or Participant (as defined in the
+” means a Host or Participant (as defined in the
 Services Description
 ) who uses the Services.


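Review bot: every `-` line in this hunk is reproduced verbatim on a following `+` line (the System Requirements paragraph and the 1.1 "Affiliate", 1.2 "Agreement" and 1.3 "End User" definitions), so as rendered here the hunk shows a punctuation/encoding normalization and no change of wording; that matches the "only formatting changes" description in the timeline entry and gives no visible support to the "fees, billing or refunds" reading in the same entry, so that flag should be re-checked against the full diff. Note also that the `-1.2 “` line is emitted before the `+” means …` line that closes 1.1, which interleaves the two definitions and makes the pairing hard to follow.
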
@@ -31,27 +31,27 @@ Initial Subscription Term
 ” means the initial subscription term for a Service as specified in the Reseller Customer Agreement.
-1.5 “
+1.5 “
 Laws
-” means all U.S. or non-U.S. national, regional, state, provincial or local laws, statutes, rules, regulations, ordinances, administrative rulings, judgments, decrees, orders, directives, policies, or treaties applicable to Zoom’s provision and Customer’s use of the Services.
+” means all U.S. or non-U.S. national, regional, state, provincial or local laws, statutes, rules, regulations, ordinances, administrative rulings, judgments, decrees, orders, directives, policies, or treaties applicable to Zoom’s provision and Customer’s use of the Services.
 1.6 “
 Renewal Term
 ” means the renewal subscription term for a Service commencing after th
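Review bot: this hunk is cut off mid-sentence at "commencing after th", so the 1.6 "Renewal Term" definition and any later lines of the 27-line hunk cannot be reviewed from this excerpt; the one complete `-`/`+` pair that is visible (1.5 "Laws") is again identical as rendered, consistent with an encoding-only change.
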
2026-06-19 CVE / Security Incident 25 new CVEs (published from 2023-01-09): CVE-2022-36928, CVE-2023-22880, CVE-2023-22881, CVE-2023-22882, CVE-2023-28597, CVE-2023-28598 (+19 more). 1 of these h
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
2026-06-18 Sub-processor Change 2 sub-processor(s) removed: Apple, Google Firebase.
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.

View full Zoom change history →

Fourth-Party Supply Chain deterministic · cited

Your data reaches these fourth parties through Zoom. Source: vendor's published sub-processor list.

Zoom → Amazon Web Services, Anthropic, Authzed, Inc., Cloudflare, Eleven Labs Inc., Google Cloud Platform, MaestroQA, Microsoft, MongoDB, OneTrust, OpenAI, Oracle, Perplexity, Qualtrics, Sendbird, SendSafely, ServiceNow, Suki AI, Sumit-AI, TaskUS, Twilio, Stripe
Sub-processor source →

If one of these fourth parties has a critical security event, you may be indirectly exposed even without a direct contract. Swanum flags this in your alerts.

Search the Legal Documents verbatim · cited

Search Zoom's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.

Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.

Monitor Zoom — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Zoom changes something that affects your risk. Built for procurement & security teams.

Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.