US State Law Privacy Addendum
Effective: December 30, 2022
This US State Law Privacy Addendum (“Addendum”) supplements the terms of your Master Subscription Agreement, Terms of Service, or Reseller Customer Terms of Service (as applicable, the “Agreement”), and sets forth certain data privacy rights and obligations in connection with certain US state Laws. Capitalized terms used but not otherwise defined herein have the meaning ascribed to them in the Agreement.
Section A – General Provisions. This Section A of the Addendum applies to Zoom’s provision of and Customer’s use of the Services to the extent that Customer is a Business or a Controller and Zoom Processes or is Processing Customer’s Personal Information or Personal Data pursuant to CCPA or other Applicable State Data Protection Laws.
- Definitions. As used throughout this Addendum, “Customer” means a Business or Controller that subscribes to Zoom Services. Capitalized terms used in this Section A, but not otherwise defined, have the meaning ascribed to them in Sections B(1) and C(1), below.
- Audits and Assessments.
- Zoom will conduct third-party audits to attest to the ISO 27001 and SOC 2 Type II frameworks as follows:
  - Zoom will, on an annual basis, audit the Security, Availability, and Privacy Criteria in the SOC-2 audit.
  - Audits will be performed according to the standards and rules of the regulatory or accreditation body for the applicable control standard or framework.
  - Audits will be performed by qualified, independent, third-party security auditors at Zoom’s selection and expense.
  - Each audit will result in the generation of a customer-facing audit report (“Zoom Audit Report”), which Zoom will make available to Customer upon request on an annual basis. The Zoom Audit Report will be Zoom’s Confidential Information.
- Restrictions on Receipt of Information. Nothing under this Addendum shall require Zoom to disclose: (a) any data or information of any other customer of Zoom, or any third party; (b) any internal accounting or financial information; (c) any trade secret of Zoom; or (d) any information that, in Zoom’s reasonable opinion could: (i) compromise the security of Zoom’s networks, systems, or premises; (ii) cause Zoom to breach its security or privacy obligations to any third party; or (iii) any information sought for any reason other than the reasons outlined in this Addendum. Zoom may require Customer’s agreement to reasonable Zoom (or its third-party auditor or assessor’s) terms and conditions prior to providing the Zoom Audit Report to Customer.
- Deletion of Data. Zoom will (a) as required by Applicable State Data Protection Laws applicable to Customer and at Customer’s direction, delete or return all Personal Data to the Customer at the end of the provision of Services or (b) as required by the CCPA, not retain, use, or disclose Personal Information upon termination or expiration of the relationship between the Customer and Zoom. Nothing in this Section A(4) (Deletion of Data) will require Zoom to (i) delete or return data that it must retain pursuant to applicable Laws or (ii) return instead of destroying Personal Data to the extent that return is not technically feasible, or return would impose substantial burdens, costs, or both upon Zoom.
Section B – California. This Section B of the Addendum applies to Zoom’s provision of and Customer’s use of the Services to the extent that Customer is a Business and Zoom is Processing Personal Information on Customer’s behalf pursuant to CCPA.
- Definitions. As used in this Section B of the Addendum: (a) “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder; (b) “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Processing” “Sell,” “Service Provider,” and “Share” have the respective meanings given in the CCPA; and (c) “Personal Information” means “personal information” as defined in the CCPA, but only to the extent the personal information is collected, accessed, obtained, received, used, disclosed, or otherwise processed by Zoom as a result of Zoom’s provision of Services to Customer in its capacity as a Business under the Agreement.
- Acknowledgments and Obligations. Zoom (a) acknowledges that Personal Information is disclosed by Customer only for the limited and specified purposes of providing the Services described in an Order Form and for the purposes described in the Agreement; (b) shall comply with obligations applicable to Service Providers under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA, including the same privacy protection required to be provided by Businesses; (c) agrees that Customer may take reasonable and appropriate steps consistent with Section A(2) herein to help to ensure that Zoom’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer promptly of any determination made by Zoom that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, consistent with and in accordance with applicable regulations, by requesting reasonable documentation from Zoom that verifies Zoom no longer retains or uses Personal Information that is subject to a valid deletion request.
- Restrictions. Zoom shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the purpose(s) described in Section B(2)(a), above, or as otherwise permitted by the CCPA, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than such purpose(s) or the servicing of a different Business; (c) retain, use or disclose Personal Information outside of the direct business relationship between Zoom and Customer, except to the extent permitted by CCPA; or (d) combine the Personal Information received pursuant to the Agreement with Personal Information received from another party, or Zoom’s own interactions with the Consumer to whom the Personal Information pertains, except to the extent a Service Provider is permitted to do so under the CCPA. Zoom hereby certifies that it understands its obligations under this Addendum and will comply with them.
- Audits, Reviews, and Assessments. Customer, subject to reasonable requirements and written agreements as required by Zoom and consistent with the CCPA, and at Customer’s sole cost and expense, may audit, review, or assess Zoom not more than once every 12 months, in accordance with Section A(2) (Audits and Assessments), above.
- Consumer Requests. Customer will promptly notify Zoom and provide all necessary information to Zoom after receiving and verifying a Consumer request, and Zoom shall promptly take such actions and provide such information as Customer may reasonably request pertaining to a Consumer’s Personal Information in order to help Customer fulfill requests of individuals to exercise their rights under the CCPA, including, without limitation, requests to access, correct, delete, opt out of the Sale or Sharing of, or receive information about Personal Information pertaining to them. If Zoom receives any request directly from Customer’s Consumer(s), then Zoom may either (i) advise the Consumer to contact Customer directly with such request or (ii) contact Customer to respond directly to the Consumer.
Section C – Virginia, Colorado, Utah & Other States. This Section C of the Addendum applies to Zoom’s provision of and Customer’s use of the Services to the extent that Customer is a Controller of Personal Data and Zoom Processes Customer’s Personal Data under Applicable State Data Protection Laws.
- Definitions. As used in this Section C of the Addendum: (a) “Applicable State Data Protection Laws” means (i) the Colorado Privacy Act of 2021, the Virginia Consumer Data Protection Act of 2021, or the Utah Consumer Privacy Act of 2022, as amended, or (ii) any other applicable US state Law enacted for the purpose of protecting Personal Data whereby Customer is a Controller and Zoom is a Processor and the terms and conditions of this Addendum meet the requirements of such state Laws; (b) “Controller,” “Personal Data,” “Process,” and “Processor” shall have the respective meanings given to them in the Applicable State Data Protection Laws; and (c) “Instructions” has the meaning given below.
- Processing of Personal Data: Roles, Scope, and Responsibility.
- The parties acknowledge and agree to the following: Customer is the Controller of Customer Personal Data. Zoom is the Processor of Customer Personal Data.
- Only to the extent necessary and proportionate, Customer as Controller instructs Zoom to perform the following activities as Processor on behalf of Customer (collectively, the “Instructions”):
  - Provide and update the Services as licensed, configured, and used by Customer and its users, including through Customer’s use of Zoom settings, administrator controls or other Service functionality;
  - Secure and monitor the Services in real time;
  - Resolve issues, bugs, and errors;
  - Provide Customer requested support, including applying knowledge gained from individual customer support requests to benefit all Zoom customers but only to the extent such knowledge is anonymized; and
  - Process Customer Personal Data as set out in the Agreement (including this Addendum and Exhibit A hereto), as well as any other documented instruction provided by Customer and acknowledged by Zoom as constituting instructions.
- To the extent that Zoom acts as a Processor of Customer Personal Data, Zoom shall Process Customer Personal Data only in accordance with Customer’s Instructions. Customer shall ensure that its Instructions to Zoom comply with all Laws, rules, and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Instructions will not cause Zoom to be in breach of Applicable State Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to Zoom by or on behalf of Customer; (ii) how Customer acquired any such Customer Personal Data; and (iii) the Instructions it provides to Zoom regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to Zoom any Customer Personal Data in violation of the Agreement or this Addendum.
- Customer authorizes Zoom to conduct scanning and reporting of Personal Data in limited circumstances (e.g., to detect and report Child Sexual Abuse Material; to comply with other applicable Laws; to ensure compliance with Zoom’s Acceptable Use Guidelines).
- Authorized Persons. Zoom shall ensure that all persons authorized to Process Customer Personal Data are made aware of the confidential nature of Customer Personal Data and are subject to a duty of confidentiality with respect to the data.
- Subcontractors and Subprocessors. To the extent that Zoom is a Processor, Customer hereby generally authorizes Zoom to engage subcontractors and subprocessors in accordance with this Section C(4).
  - Customer approves Zoom’s use of the providers located at https://explore.zoom.us/en/subprocessors/ to Process Customer’s Personal Data.
  - Zoom may remove, replace or appoint additional providers. Provided Customer subscribes to updates at https://explore.zoom.us/en/subprocessors/, Zoom shall notify Customer of any changes to these provider engagements. Where required by Applicable State Data Protection Laws, Zoom shall also provide an opportunity for Customer to object to the engagement in accordance with Sections C(4)(d) and C(4)(e) herein.
  - In an emergency concerning availability or security of the Services, Zoom is not required to provide prior notification to Customer of the removal, replacement, or appointment of subcontractors, but shall provide notification within seven (7) business days following the change in a subcontractor.
  - In either case, the Customer may object to such an engagement of a subcontractor in writing within fifteen (15) business days of receipt of the aforementioned notice by Zoom.
  - If the Customer objects to the engagement of a new subcontractor, Zoom shall have the right to cure the objection through one of the following options (to be selected at Zoom’s sole discretion):
    - Zoom may cancel its plans to use the subcontractor with regard to Customer Personal Data.
    - Zoom may take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the subcontractor with regard to Customer Personal Data.
    - Zoom may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such a subcontractor with regard to Customer Personal Data. Zoom shall provide Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Zoom, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Zoom and Customer may terminate the Agreement including this Addendum with sixty (60) days prior written notice. Termination shall not relieve Customer of any fees or charges owed to Zoom for Services provided up to the effective date of the termination under the Agreement.
  - If Customer does not object to a new subcontractor’s engagement within fifteen (15) business days of notice issuance from Zoom, that new subcontractor shall be deemed accepted.
  - Zoom shall engage any subcontractor that Processes Customer’s Personal Data only pursuant to a written contract and require the subcontractor to meet any obligations of Zoom that are subcontracted with respect to such Personal Data. Zoom remains liable to Customer where that subcontractor fails to fulfill its data protection obligations for the performance of that subcontractor’s obligations to the same extent that Zoom would itself be liable under this Addendum had it conducted such acts or omissions.
- Information Security. Taking into account the context of Processing, Zoom shall maintain appropriate technical and organizational measures with regard to Customer Personal Data to ensure a level of security appropriate to the risk in accordance with this Addendum and as otherwise expressly stated in the Agreement.
- Compliance Information. Upon the reasonable request of Customer, Zoom shall make available to Customer reasonable information, consistent with and in accordance with applicable Laws, in Zoom’s possession necessary to demonstrate Zoom’s compliance with Zoom’s obligations in this Addendum.
Description of Processing
Controller to Processor
Zoom may change or supplement this privacy addendum from time to time. Any such modifications to this privacy addendum will be posted here.