AI Vendor Security & Compliance Brief

Zoom

Independent due-diligence summary · every fact links to the vendor's official source

5 source-cited facts

0 independently verified certs

13 legal documents tracked

Generated 2026-06-05

Compliance Posture vendor-stated · cited

Framework	Status	Source
GDPR	Stated by vendor	https://zoom.us/gdpr
HIPAA	Stated by vendor	https://zoom.us/trust/security
ISO 27001	Stated by vendor	https://zoom.us/trust/security
SOC 2	Stated by vendor	https://zoom.us/trust/security

As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

Attribute	Value	Source
Sub-processors	Amazon Web Services, Anthropic, Authzed, Inc., Cloudflare, Eleven Labs Inc., Google Cloud Platform, MaestroQA, Microsoft, Microsoft, MongoDB, OneTrust, OpenAI, Oracle, Perplexity, Qualtrics, Sendbird, SendSafely, ServiceNow, Suki AI, Sumit-AI, TaskUS, Twilio, Stripe	https://www.zoom.com/en/trust/subprocessors/

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Found 93

CVE-2020-11469 (HIGH)

CVE-2020-11470 (LOW)

CVE-2020-11500 (HIGH)

CVE-2020-11876 (HIGH)

CVE-2020-11877 (HIGH)

CVE-2021-33907 (CRITICAL)

CVE-2021-34408 (HIGH)

CVE-2021-34409 (HIGH)

CVE-2021-34412 (HIGH)

CVE-2021-34423 (CRITICAL)

CVE-2021-34424 (HIGH)

CVE-2021-34425 (MEDIUM)

CVE-2022-22780 (MEDIUM)

CVE-2022-22781 (HIGH)

CVE-2022-22782 (HIGH)

CVE-2022-22784 (HIGH)

CVE-2022-22785 (MEDIUM)

CVE-2022-22786 (HIGH)

CVE-2022-22787 (MEDIUM)

CVE-2022-22788 (HIGH)

CVE-2022-28756 (HIGH)

CVE-2022-28751 (HIGH)

CVE-2022-28757 (HIGH)

CVE-2022-28762 (HIGH)

CVE-2022-28763 (HIGH)

Vulnerability Disclosure Policy (security.txt) Found 1

valid

Email Spoofing Protection (DMARC) Protected

DMARC enforced and SPF present — spoofing well mitigated.

DMARC enforced (p=reject/quarantine) · SPF present · checked @zoom.us

Web TLS Certificate Valid

Certificate valid · 208d to expiry · DigiCert Inc

Data Breach History (HIBP) None found

Queried the authoritative source; no records.

Supply-Chain Security (OpenSSF Scorecard) Not determinable

Could not map this vendor to a software identity — abstained rather than guess.

OFAC Sanctions Screening None found

Queried the authoritative source; no records.

SEC Cyber Incident Disclosures (8-K 1.05) Not determinable

Could not map this vendor to a software identity — abstained rather than guess.

Tracked Legal & Policy Documents

Document	URL
Cookie	https://explore.zoom.us/de/cookie-policy/
Dpa	https://explore.zoom.us/en/gdpr/dpa/
Eula	https://explore.zoom.us/de/eula-terms-of-service/
Gdpr Compliance	https://zoom.us/gdpr
Msa	https://explore.zoom.us/docs/doc/ZOOM_-_MSA_98000-GTADirect-CONTRACT-4666-ZOO.pdf
Pricing	https://zoom.us/pricing
Privacy	https://zoom.us/privacy
Security	https://zoom.us/compliance
Sla	https://explore.zoom.us/en/legal/zoom-api-license-and-tou/
Subprocessors	https://zoom.us/subprocessors
Tos	https://zoom.us/legal
Trust	https://zoom.us/trust
Vuln Mgmt	https://zoom.us/.well-known/security.txt

Monitor Zoom — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Zoom changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.

Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.