Thank you very much!

You’re subscribed

Effective 28 July 2023
See change log

What is a Third-Party Subprocessor?

A subprocessor is a vendor Zoom uses to process data on behalf of our customers, who are the data controllers of that data.

Zoom’s Process for Contracting with Subprocessors

Zoom requires its subprocessors to satisfy equivalent obligations as those required from Zoom (as a Data Processor) as outlined in Zoom’s Data Processing Agreement (DPA), including but not limited to the requirements to:

  • process personal data following data controller’s (i.e., Customer’s) instructions (as communicated to the relevant subprocessor by Zoom);
  • in connection with the subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, under applicable data protection laws;
  • promptly inform Zoom about any security breach; and
  • cooperate with Zoom to address requests from data controllers, data subjects, or data protection authorities, as applicable.

Except for as provided below, Zoom owns or controls access to the infrastructure that hosts real-time and stored personal data (should the Customer choose to store such content, e.g., recordings and transcripts). Personal data may be shifted among data centers within a region to ensure Zoom’s performance and availability. Zoom also works with the listed service subprocessors below to provide the noted functionality.

The following table describes the countries and legal entities engaged in the processing and storage of personal data by Zoom acting as a data processor on behalf of its customers, the data controllers.

Zoom Authorized Subprocessors

Name

Purpose 

Data Shared with Subprocessor

Location

International Transfer Mechanism 

Additional Safeguards

(links to subprocessor resources)

Amazon Web Services

Cloud Service Provider  

  • Real-time meeting and webinar traffic
  • Meeting and call recordings (if saved to the cloud by Customer
  • Transcriptions of meeting or call recordings (if meeting recorded and saved to the cloud by Customer) 
  • Uploaded files

Australia, Brazil, Canada, Europe, India, Japan, Singapore, Taiwan, United States

SCCs

Risk and Compliance whitepaper and AWS Security Center

Anthropic

Intelligent Features Service Provider

Intelligent Features Service Provider Anthropic will process the following data only if an Admin separately enables this feature:

  • Customer Content and context

United States

SCCs

Privacy Policy

Apple

Send push notifications on iOS phones. Customers can choose not to use this service. 

  • Chat Message Notification
  • SMS Message Notification
  • PBX (Phone Call) Message Notification

United States 

SCCs

Apple Push Notification Service Overview

Cloudflare

Security

  • IP address

European Union, United States 

SCCs


Cloudflare Compliance Page
,

GDPR Compliance Page

Google Cloud Platform

Cloud Service Provider

  • Real-time meeting and webinar traffic

Taiwan

SCCs

Privacy Resource Center

Google Firebase

Send push notifications on Android phones. Customers can choose not to use this service.

  • Chat Message Notification
  • SMS Message Notification
  • PBX (Phone Call) Message Notification

United States

SCCs

Privacy and Security in Firebase

MaestroQA

Support Quality Assurance

Support related Communications Content such as cloud recordings or in-meeting chat transcripts MAY be shared with MaestroQA but only if Customer chooses to provide it directly to a Zoom support agent through a support interaction, i.e., as an attachment to a support ticket.

Ireland, United States

SCCs

Privacy Policy

Microsoft

Cloud Service Provider.

  • Real-time meeting and webinar traffic
  • Meeting and call recordings (if saved to the cloud by Customer
  • Transcriptions of meeting or call recordings (if meeting recorded and saved to the cloud by Customer)
  • Uploaded files

Switzerland

SCCs

Microsoft Privacy Statement

OneTrust

Data Subject Requests Portal, Cookie Preference Center

  • Name
  • Email address
  • Account type
  • Country
  • IP address
  • DSAR reports
  • User cookie preferences

United States

SCCs

Trust Page

OpenAI

Intelligent Features Service Provider

    OpenAI will process the following data only if an Admin separately enables this feature:

  • Customer Content and context

United States

SCCs

OpenAI Privacy Statement

Oracle

Cloud Service Provider

  • Real-time meeting and webinar traffic
  • Meeting and call recordings address
  • Transcriptions of meeting or call recordings

United States

Binding Corporate Rules (BCRs)

Technical Brief Whitepaper

Qualtrics

Feedback, Reviews, and Survey Responses

    If a customer chooses to provide feedback, reviews, or survey responses to Zoom, then Qualtrics may process:

  • Email address
  • IP address
  • Account information
  • Customer Content or any data the customer chooses to provide in the feedback, survey, or review

Germany, United States

SCCs

Data Protection & Privacy

SendSafely

Encrypted file transfer service

Communications Content such as attachments MAY be shared with SendSafely but only if Customer chooses to provide it directly to a Zoom support agent through a support interaction (i.e., as an attachment to a support ticket).

United States

SCCs

Privacy Policy | SendSafely | End-to-End Encryption

ServiceNow

Cloud-based Customer Service Platform

Communications Content such as cloud recordings or in-meeting chat transcripts MAY be shared with ServiceNow but only if Customer chooses to provide it directly to a Zoom support agent through a support interaction.

Germany

SCCs

Complying with the General Data Protection Regulation (GDPR)

TaskUS

Support Providers

Communications Content such as cloud recordings or in-meeting chat transcripts MAY be shared with TaskUS  but only if Customer chooses to provide it directly to a Zoom support agent through a support interaction.

Philippines

SCCs

Content Security

Twilio

Sends notification emails to customers’ invitees

    If customers choose to send notification emails to invitees via Zoom, then Twilio will process the following data:

  • Name
  • Email address
  • Meeting or webinar subject
  • Meeting/webinar ID
  • Meeting date and start time

United States

SCCs

Twilio GDPR Whitepaper

Zendesk

Cloud-based Customer Service Platform

Communications Content such as cloud recordings or in-meeting chat transcripts MAY be shared with Zendesk but only if Customer chooses to provide it directly to a Zoom support agent through a support interaction.

United States

BCRs

Compliance Certifications and Memberships

For additional subprocessors specific to Zoom Events, please see below. For more information about Zoom Events, please see the Zoom Events Privacy Statement.

Zoom Events Authorized Subprocessors

Name

Purpose 

Data Shared with Subprocessor

Location

International Transfer Mechanism 

Additional Safeguards

(links to subprocessor resources)

Stripe

Payment Processing

Payment and transaction information such as name, email, bank account details, payment card details, date/time/amount of transaction, and merchant name.

United States

SCCs

Stripe Privacy Center

Updates

As our business grows and evolves, the Subprocessors we utilize may also change. We will provide the owner of Customer’s account with notice of any new Subprocessors to the extent required under contractual agreement, along with posting such updates here.

You may also use the form below to subscribe to updates.

 

 

What is a Zoom Affiliate?

A Zoom affiliate is any entity that Zoom directly or indirectly controls. Together with Zoom Video Communications, Inc., these affiliates form the Zoom Group.

International Transfers within the Zoom Group

All parties of the Zoom Group have entered a data transfer agreement that sets out the data protection requirements and incorporates the appropriate EU Standard Contractual Clauses (“SCCs”).

Zoom Affiliates

Entity Name

Registered Location

ZOOM VIDEO COMMUNICATIONS, INC.

Delaware, USA

ZVC JAPAN K.K.

Japan

ZVC Netherlands B.V.

Amsterdam, Netherlands

Norway (Branch Office)

ZVC- Australia Pty Ltd. 

New South Wales, Australia

ZVC UK Ltd. 

England
Wales

Zoom Voice Communications, Inc. 

Delaware, USA

Hong Kong (Bus. Registration)

ZVC France SAS

Paris, France

ZVC India Pvt. Ltd. 

Mumbai, India

ZVC Canada, Ltd. 

Registered In:
New Brunswick, Canada

Extra Provincial Registrations:
Alberta
British Columbia
Manitoba
Ontario
Quebec

Keybase, LLC

Delaware, USA

ZVC Singapore Pte. Ltd. 

Singapore

ZVC Germany GmbH

Germany

Zoom Video Communications (Hong Kong) Limited

Hong Kong

Zoom Video Communications (Shanghai) Co., Ltd. 

China

Saasbee Inc. (Hefei) Ltd. 

China

Saasbee Software (Hangzhou) Co., Ltd.

China

Zoom Video Communications (Suzhou) Inc. 

China

 

 

Date of Change 

Change

Notes

28 July 2023

Added Anthropic as a subprocessor.

10 May 2023

Removed CSS Corps from the Subprocessor list.

Added OpenAI, Qualtrics, and ServiceNow as subprocessors.

Updated Cloudflare, MaestroQA, and Twilio for accuracy.

Added Stripe as a subprocessor for Zoom Events.

CSS Corps is no longer a vendor of Zoom.

05 October 2022

Added Taiwan as a processing location for Amazon Web Services.

Added Google Cloud Platform for processing in Taiwan only.

Added SendSafely as a subprocessor.

25 April 2022

Added Microsoft as a subprocessor.

17 February 2022

Removed Karlsruhe Information Technology Solutions from Affiliates list.

Added MaestroQA, OneTrust, and Cloudflare to the list of Subprocessors for accuracy.

Updated list of AWS locations for accuracy.

Karlsruhe Information Technology Solutions was merged with ZVC Germany GmbH.

Following an internal assessment, we identified the absence of three vendors. Zoom has always used these vendors for that purpose; they are not new subprocessors.

30 December 2021

Added Twilio, CSS Corp, TaskUS for accuracy.

Added Zoom Affiliates for transparency.

Following an internal assessment, we identified the absence of four vendors. Zoom has always used these vendors for that purpose; they are not new subprocessors. 

11  February 2021

Updated regional locations of cloud service infrastructure providers

Updated regional locations of cloud service infrastructure providers for accuracy

14  October 2020

Removed vendors erroneously classified as subprocessors.

Following an internal assessment, we identified some vendors previously listed that did not, in fact, process any customer data for which Zoom is the data processor. For that reason, we removed them. 

14 October 2020

Added Apple and Google Firebase for accuracy. 

Following an internal assessment, we identified the absence of two vendors for mobile phone push notifications. Zoom has always used these vendors for that purpose; they are not new subprocessors.