Third Party Vendor Relations

Vendor Onboarding

Zoom partners with third-party vendors to meet customer and business needs. These third-party companies may be referred to as suppliers, vendors, or third-party vendors. The Third Party Risk Management (TPRM) Program provides advisory and assessment activity for many of these third-party vendors. TPRM partners with Legal, Procurement, Technology Compliance, Privacy, IT, and the Business Units to provide comprehensive governance and management of Zoom’s vendor population.

The TPRM Program has been established to ensure that vendors providing technology or services to Zoom, and accessing Zoom sensitive data, follow key security principles and meet compliance and regulatory requirements. As part of the TPRM Program, risk assessments will be conducted.

TPRM drives compliance with these requirements through a risk-based review cycle. For any new vendor, work cannot start until this process is complete.

Frequently Asked Questions

Vendor Risk Management Portal

  • You must change your password upon the first login.
  • You will have the option to change your username after the first login.
  • Note: Your username is initially auto-generated and does not default to your email address. Type your username and password rather than copying and pasting them, to avoid copying a trailing space, which will result in a failed login.
  • Note: Multi-factor authentication (MFA) will be required.

You can reset your password yourself using the ‘forgot password’ feature on the portal, or reach out to TPRM@zoom.us or TPRM_Assessments@zoom.us and we can resend a link with a new temporary password.

The primary vendor contact from your company can add additional contacts in the vendor portal as needed.

  • Email
  • Vendor portal notifications

Program Scope

All vendors are in scope for an inherent risk questionnaire (IRQ). Based on the results of the IRQ, some vendors may require additional risk assessments. Some services that are identified as low risk may not require a detailed assessment.

The TPRM team will schedule a kickoff meeting with you at the onset of a new engagement. During this meeting, assessment activities and timelines will be communicated to you. The goal is not to exceed 90 calendar days.

  • Preparation
  • Kickoff
  • Assessment Work
  • Meetings and Analysis
  • Engagement Closure
  • Continuous Monitoring
  • Customer Content Data
  • Customer Data
  • Employee Data
  • Prospective Employee Data
  • Event Logs
  • Configuration Data
  • Meeting Metadata

Risk Assessments

Risk assessments are advisory and assessment services related to regulatory compliance or information security. The goal is to provide guidance to project teams and leadership to manage technology risk introduced by new solutions.

  • Inherent Risk Questionnaire (IRQ)
  • Due diligence risk assessments to be conducted by Subject Matter Expert (SME) Teams which may include Third Party Risk Management, Privacy, Compliance, IT, Security Architecture, Offensive Security, or Open Source Security.

The IRQ consists of questions about the vendor service that are used to determine the potential risk posed to Zoom and the inherent risk tier.

An inherent risk tier refers to the potential risk an engagement presents to Zoom before any controls are applied or taken into account. The risk tier is measured on a scale of low, medium, and high. The inherent risk tier is the driving factor in determining what risk assessment work is required.

  • IRQs are required for any new vendor engagement.
  • Risk assessment requirements are based on inherent risk tier.
  • Below are the general timelines that will be followed for continuous monitoring:
    • Critical: Annual
    • High: Annual to Biennial
    • Medium: Biennial to Triennial
    • Low: Ad Hoc
  • If any security issues are identified, the Zoom business owner is responsible for ensuring that the vendor provides a risk response plan for the issue and may incorporate the plan into legal agreements as needed.
  • Risk response plans may include remediation or acceptance of the issues.

Incident Management

  • The incident can be reported by reaching out directly to your Zoom Vendor Manager or emailing TPRM (tprm@zoom.us).
  • Be sure to include:
    • Incident Date
    • Vendor Name
    • Product/Application Name (if applicable)
    • Zoom Contact(s) Notified
    • Associated PO (if applicable/available)
    • Summary of the Incident

Resources

Security Addendum

POC Agreement

Evidence Request List
