Security in the UK: Certifications, Features, and Programmes Designed to Help Protect Organisations

As our customer base broadened in the wake of the COVID-19 pandemic, people used our platform to connect in more ways, with schools, enterprises, healthcare organisations, and more adapting and modernising their services. This new scale was only compounded by the global nature of Zoom, which is used by customers around the world, including those located in the United Kingdom (UK). In fact, according to Ofcom, over 13 million adult internet users were using Zoom in the UK in April 2020 alone. 

As we evolved our strategy to keep pace with this rapid change, we expanded the way we approach security and privacy — improving our products and programmes, as well as achieving relevant certifications and standards, all to enable the secure exchange of information around the world. And these efforts continue to expand, as we’ve recently gained a new certification and addressed standards that help affirm our commitment to providing seamless and secure collaboration to UK organisations.

Let’s take a look at some of the exciting new announcements, as well as relevant features and programmes that can help our British users remain secure.

At Zoom, third-party certifications and standards are integral to our security programme’s foundation. While we’ve recently expanded our list of industry-recognised certifications and standards with ISO/IEC 27001:2013, SOC 2 + HITRUST, and Common Criteria, we are also adding UK Cyber Essentials Plus to this list. This achievement is also complemented by our work to align to the National Health Service (NHS) Digital Technology Assessment Criteria (DTAC) and DCB0129.

UK Cyber Essentials Plus

Cyber Essentials Plus is a UK government-backed, industry-supported certification scheme designed to help organisations demonstrate operational security against common cyber threats.

Zoom’s achievement of the Cyber Essentials Plus certification demonstrates our commitment to the UK by achieving a security scheme, which makes it easier for local customers to assess our IT systems.

Match fit for use in the NHS

To support the NHS as they work to provide patients with effective and secure digital care, we are now DTAC and DCB0129 ready, with a DSP Toolkit in place.

• DTAC: The DTAC helps provide staff and patients with confidence that the digital health tools they use, such as Zoom, meet clinical safety, data protection, technical security, interoperability, usability, and accessibility standards. Healthcare organisations can use it to assess suppliers at the point of procurement to make sure new digital technologies meet minimum baseline standards.

• DCB0129: The DCB0129 is a clinical risk management standard that enables manufacturers of health IT software to demonstrate the clinical safety of their products and provides a set of requirements suitably structured to ensure the effective application of clinical risk management.

• DSP toolkit: We’ve also put a DSP toolkit in place, which is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

With these initiatives, we hope to support NHS staff with the tools they need to provide effective digital care and protect crucial patient data. 

Whether you’re leveraging the Zoom platform for virtual teaching and learning, telehealth appointments with your healthcare provider, or to engage with citizens as a government organisation, we’ve designed unique security and privacy features to help protect vital information. While these features are designed for any Zoom customer who has the ability to enable them, they’re helpful for UK users who want to have better control of their data, for example:

Data routing control: Zoom lets customers make choices about the Zoom data center that will be used for processing certain customer data when a customer with a paid account hosts a meeting or webinar. Account owners and admins on paid accounts can, at the account, group, or user level, opt in or out of specific Zoom data centers that will be used for the processing of participants’ real-time meeting and webinar video, audio, and shared content during the hosting of meetings and webinars.

End-to-end encryption (E2EE): When enabled, this feature uses the same 256-bit AES-GCM encryption that supports standard Zoom Meetings to help encrypt communication between all meeting participants using the Zoom client. The difference is that the cryptographic keys are known only to the devices of the meeting participants. This means that third parties — including Zoom — do not have access to the meeting’s private keys. Our E2EE offering will also be extended to Zoom Phone this year for one-on-one, intra-account phone calls that occur via the Zoom client. 

Advanced chat encryption: This Zoom Team Chat feature allows for a secured communication where only the intended recipient can read the secured message. Once enabled by account administrators, users can deploy it when communicating about particularly sensitive information in a one-to-one or group chat. When advanced chat encryption is enabled, data at rest is encrypted by keys generated and operated on chat participants' devices. Chat data in transit, however, is encrypted in transit using Transport Layer Security (TLS) encryption.

To meet the growing needs of our global customer base, Zoom established programmes that bring in expertise and skills from around the world to inform security innovation and identify potential threats. A few of these programmes include:

CISO council: To foster a strategic feedback loop for upcoming security and privacy innovation, we organise regular meetings of a CISO council, which is composed of dozens of CISOs from a variety of industries around the globe and led by our Deputy CIO Gary Sorrentino. These interactive discussions between CISO customers and our security team leaders help inform the measures we take to continue to evolve the security and privacy of our platform.

Enhancing our bug bounty programme: While the Zoom Security Team routinely tests our solutions and infrastructure, we augment this testing by tapping into the “white hat” hacker community and building a skilled, global team of security researchers across the globe via HackerOne’s “Private Bug Bounty” platform. As of January 2022, Zoom has recruited over 800 security researchers on the HackerOne platform. Their collective work has resulted in the submission of numerous bug reports and awards.

Our dedication to these UK standards, as well as the ongoing evolution of our products and programmes, helps demonstrate our commitment to data protection and user security.

Our unified communications experience is built with security in mind, and our users’ safety, security, and privacy help guide new platform updates we make. We’re committed to being a platform users can trust — with their online interactions, information, and business.

To learn more about Zoom privacy and security, explore our Trust Center.

Editor’s note: This blog post was revised on 4/20/2023 to include the most up to date information on our data routing control feature.