Zoom is able to meet its Customer and user's needs through its own global network of seventeen colocated data centers, as well as through public cloud data centers, which are predominately operated through Amazon Web Services (“AWS”). The Services are designed to work in a way that any information entering our ecosystem is routed through the data center that is nearest to the user sending or receiving the data. For example, for a US user, Zoom's systems first try to connect to one of our five US data centers for the best connection. If there is no response within a specific time-period (usually 5.5 seconds) from any of the five US data centers, then additional back-up bridge servers around the world are pinged.
During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user’s region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform. In all instances, Zoom clients are provided with a list of datacenters appropriate to their region. This system is critical to Zoom’s trademark reliability, particularly during times of massive internet stress.
Even during these periods of high traffic, Zoom’s systems are designed to maintain geo-fencing around China for both primary and secondary datacenters — ensuring that users outside of China do not have their meeting data routed through Zoom’s mainland China datacenters (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services).
However, in April, as we deepened our security reviews in response to the dramatic increase of use during the pandemic, we realized that we had mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them (namely when the primary non-Chinese servers were unavailable). We then removed these data centers from the whitelist.
Importantly:
- Upon learning of the oversight yesterday, we immediately took the mainland China datacenters off of the whitelist of secondary backup bridges for users outside of China.
- This situation had no impact on our Zoom for Government cloud, which is a separate environment available for our government customers and any others who request the specifications of that environment.
- Zoom has layered safeguards, robust cybersecurity protection, and internal controls in place to prevent unauthorized access to data, including by Zoom employees — regardless of how and where the data gets routed.