Zoom AI Companion for Contact Center and AI Expert Assist Security and Privacy

This Whitepaper relates to two AI-powered features available for Zoom Contact Center (ZCC) – Zoom AI Companion for Contact Center and Zoom AI Expert Assist – not to other AI products or services offered by Zoom. It describes security and privacy features as of the date of publication. The features described herein may evolve as we further develop AI capabilities.

Zoom CX

AI features in Zoom Contact Center

Zoom Contact Center (ZCC) includes two levels of AI designed to provide improved productivity and actionable intelligence for agents and supervisors. AI Companion for Contact Center helps your team work smarter and faster and is included with every ZCC license. AI Expert Assist delivers additional AI actions and insights for complex issue resolution and is included with Elite ZCC plans or as an add-on for others.

Our commitment to responsible AI

Zoom is committed to developing AI responsibly, with security and privacy at the core of the generative AI capabilities it provides to its customers. Zoom recognizes that generative AI presents an evolving set of risk considerations for its customers, and the company is committed to prioritizing transparency and customer choice as it brings generative AI features to market.

 

In line with these commitments, Zoom has announced that it does not use any customer audio, video, chat, screen sharing, attachments, or other communications-like customer content (such as poll results, whiteboard, and reactions) to train Zoom’s or its third-party artificial intelligence models.

 

Zoom provides controls at the account, group, and user levels, allowing administrators to select which AI Companion features or capabilities they wish to enable for specific Zoom product offerings and which users have access. For example, for Zoom Meetings, administrators can enable the AI Companion features at the account level and meeting hosts can choose whether to activate them for specific meetings. To provide transparency, meeting participants will see an in-product notification describing the generative AI Companion capabilities that are activated for that meeting. 

Data Flow

Data Flow and transmission to third parties

Data used by AI Companion for Contact Center and AI Expert Assist is sent from the user to Zoom-hosted and/or third-party generative artificial intelligence models. Customer data in transit is encrypted between customers and Zoom, between Zoom internal services, and between Zoom and its third-party models. Customer data is also encrypted at rest within Zoom’s platform. Communications sent over the Public Switched Telephone Network (PSTN) are not encrypted until reaching a Zoom gateway.



The following diagram is an example of the general flow through Zoom systems and, where relevant, to third-party models:

[Diagram: Data Flow]

Third-party subprocessors

As part of Zoom’s federated approach to AI, artificial intelligence models from third parties, such as Anthropic and OpenAI, may be used for certain AI Companion features alongside Zoom’s artificial intelligence models to provide high-quality results. Zoom uses the Perplexity service to provide web content search results for AI Companion.

 

Zoom requires its subprocessors to satisfy obligations equivalent to those outlined in Zoom’s Data Processing Agreement. Zoom’s subprocessors are subject to security assessments on at least an annual basis as part of Zoom’s third-party risk management program. Zoom’s third-party risk management controls are assessed by independent audit firms in many of its security certifications and attestations, which are available to customers on Zoom’s Trust Center.

Data Processing, Storage, and Retention

Zoom does not use any customer audio, video, chat, screen sharing, attachments, or other communications-like customer content (such as recordings, transcripts, and survey results) to train Zoom’s or its third-party artificial intelligence models.

 

Zoom AI Companion for Contact Center and Zoom AI Expert Assist must use certain content in order to provide the services. For instance, Zoom AI Companion for Contact Center and Zoom AI Expert Assist process chat messages or transcripts to provide engagement summaries.

Consistent with Zoom’s Privacy Statement, Zoom employees do not access or use customer content including audio, video, files, messaging, or email contents, or content generated by Zoom AI Companion for Contact Center and Zoom AI Expert Assist, unless authorized by the account owner hosting the Zoom product or service where the Customer Content was generated, or as required for legal, safety, or security reasons.

AI Companion for Contact Center and AI Expert Assist are two distinct AI products available for Zoom Contact Center: 

 

Zoom Contact Center licenses include Zoom AI Companion for Contact Center at no additional cost to the paid Zoom Contact Center services assigned to your Zoom account. This provides Zoom Contact Center users with a baseline level of individual AI-powered tools that are aimed at improving productivity. For Zoom Contact Center users, AI Companion for Contact Center summarizes customer conversations, generates follow-up tasks following engagements, and highlights live customer sentiment and speech analytics.

 

Zoom AI Expert Assist intelligently draws information from third-party systems, knowledge bases, and more to deliver real-time assistance, empowering your agents to provide their best support and resolve more complex issues. AI Expert Assist surfaces personalized information from CRMs and other custom apps directly in agent desktop to help agents, intelligently retrieves best responses from knowledge bases, suggests next-best actions for agents to take, and automates wrap-up with a one-click, post-call summary to save time and ensure consistent quality.

In general, Zoom stores and retains customer content and personal data for as long as required to engage in the uses described in its Privacy Statement, unless a longer retention period is required by applicable law. 

After providing the AI Companion service, Zoom may retain the customer content (see tables below) for up to 30 days for support and debugging purposes* unless a longer retention period is required by applicable law, including for trust and safety purposes, or based on customer request or account settings. In the context of data retention and processing, “trust and safety purposes” refers to measures taken to protect the safety and integrity of a service and its users. This involves retaining certain data for a period of time to help prevent abuse and misuse. Additional information on Zoom’s Trust and Safety processes may be found in Zoom's Safety Center. In addition, certain content may be stored in accordance with the customer’s retention settings or policies, as described under “Customer Data Storage and Retention” and in the tables below.

If the AI Companion feature relies on a third-party artificial intelligence model, pursuant to Zoom’s contracts, the third-party model provider may retain the content used to provide the service for trust and safety purposes, within the U.S., for up to 30 days, unless a longer retention period is required by applicable law.

*IMPORTANT NOTE: Zoom offers a Zero Data Retention option with respect to Zoom’s retention of the temporary transcript, screen shared content via OCR, and in-meeting chat messages used to provide a Meeting Summary. When enabled, these inputs will be deleted by Zoom immediately after the summary is created. If a summary fails to be created these inputs will be retained for up to 24 hours to allow for retries. To enable this feature please reach out to your account team or log a support ticket.

In general, Zoom stores and retains customer content and personal data for as long as required to engage in the uses described in its Privacy Statement, unless a longer retention period is required by applicable law. Zoom retains the content used to provide the service — as described herein — for up to 30 days to provide the service and for debugging purposes, and Zoom may also retain for a longer period content that is flagged for trust and safety purposes. In the context of data retention and processing, “trust and safety purposes” refers to measures taken to protect the safety and integrity of a service and its users. This involves retaining certain data for a period of time to help prevent abuse and misuse. Additional information on Zoom’s Trust and Safety processes may be found in Zoom's Safety Center. In addition, certain outputs may be stored in accordance with the customer’s retention settings or policies, as described in the tables below.

 

If any Zoom AI Companion for Contact Center and Zoom AI Expert Assist feature relies on a third-party artificial intelligence model, pursuant to Zoom’s contracts, the third-party model provider may retain content used to provide the service for trust and safety purposes within the U.S. for up to 30 days, unless a longer retention period is required by applicable law.  

 

The next section summarizes the models used for Zoom AI Companion for Contact Center and Zoom AI Expert Assist as of the publication date of this whitepaper, and the specific storage and retention settings for the content used to provide each feature. 



 

IMPORTANT NOTE: Zoom offers a Zoom-hosted Models Only option, which means that data will not be sent to third-party models for processing. To enable this feature, please reach out to your account team or log a support ticket.

AI Companion for Zoom Contact Center and Zoom AI Expert Assist are available to customers hosted in the U.S. and the EU. For customers provisioned outside of the U.S., in order to align with the data residency preferences for those accounts, AI Companion for Zoom Contact Center and Zoom AI Expert Assist are available with Zoom-hosted Models Only.

AI Companion for Contact Center

Engagement preview

Uses generative AI to summarize the customer’s previous conversation before the agent accepts the engagement.

Minimum recommended client version: 5.16.0

Zoom-hosted models only (ZMO) eligible

Content used or generated

  • Chat message text (input)
  • Audio transcript (input)
  • Engagement summary (output)

Model provider - Data processing/storage location

Engagement summary

Agents can see the AI-generated summary with keywords highlighted.

Minimum recommended client version: N/A

Zoom-hosted models only (ZMO) eligible

Content used or generated

  • Chat message text (input)
  • Audio transcript (input)
  • Engagement summary (output)

Model provider - Data processing/storage location

Sentiment analysis

Analyze customer sentiment in real time.

Minimum recommended client version: N/A

Zoom-hosted models only (ZMO) eligible

Content used or generated

  • Chat message text (input)
  • Audio transcript (input)
  • Sentiment evaluation (output)

Model provider - Data processing/storage location

Follow-up task

Create action items for agents to follow up on after completing an engagement.

Minimum recommended client version: N/A

Content used or generated

  • Chat message text (input)
  • Audio transcript (input)
  • Follow-up tasks (output)

Model provider - Data processing/storage location

Customer storage location

Customer retention controls and additional information:
Follow-up tasks are stored until the engagement history is purged by authorized users.

AI Expert Assist

Automatically searches and displays the relevant knowledge base to the agent.

 

Minimum recommended client version: N/A

 

Zoom-hosted models only (ZMO) eligible

 

Content used or generated:

  • Chat message text (input)
  • Knowledge base (input)
  • Recommended knowledge article(s) (output)

 

Model provider - Data processing/storage location:

Retrieves relevant customer information from third-party systems.

 

Minimum recommended client version: N/A

 

Zoom-hosted models only (ZMO) eligible

 

Content used or generated:

  • Chat message text (input)
  • Audio transcript (input)
  • List of intents (input)

 

Model provider - Data processing/storage location:

Create a concise summary of the agent's engagement with the customer.

 

Minimum recommended client version: N/A

 

Zoom-hosted models only (ZMO) eligible

 

Content used or generated:

  • Chat message text (input)
  • Audio transcript (input)
  • Summary note draft (output)

 

Model provider - Data processing/storage location:

 

Customer storage location:

 

Customer retention controls and additional information:
Saved notes are stored until the engagement history is purged by authorized users.

Automatically sets the disposition of the engagement.

 

Minimum recommended client version: N/A

 

Content used or generated:

  • Chat message text (input)
  • Audio transcript (input)
  • List of disposition codes (input)
  • Recommended disposition (input)

 

Model provider - Data processing/storage location:

 

Customer storage location:

 

Customer retention controls and additional information:
Dispositions are stored until the engagement history is purged by authorized users.

Allows users to automatically translate all inbound messages into their language and all outbound messages into the consumer's language.

 

Minimum recommended client version: N/A

 

Zoom-hosted models only (ZMO) eligible

 

Content used or generated:

  • Chat message text (input)
  • Chat message text (output)

 

Model provider - Data processing/storage location:

Provides recommended actions to guide agents toward maximizing business outcomes during customer interactions.

 

Minimum recommended client version: N/A

 

Zoom-hosted models only (ZMO) eligible

 

Content used or generated:

  • Chat message text (input)
  • Audio transcript (input)
  • List of intents (input)
  • Identified intent(s) (output)

Putting you in control of AI capabilities

Zoom is committed to providing transparency and choice when it comes to enabling and using ZCC features. Account administrators and users are provided with controls for both AI Companion for Contact Center and AI Expert Assist features. Zoom is continually working to enhance its platform and educate users on its new features. Currently, users will see certain in-product notifications, which may be updated over time.

  • Account administrator controls

    For AI Companion for Contact Center, account owners and administrators can control each feature at the account and queue levels. When enabled at the account level, all agents will have access to AI Companion for Contact Center features. If set at the queue level, only agents belonging to that queue will have access. 

    Similarly, AI Expert Assist can be controlled at the account and queue levels. Because AI Expert Assist is an add-on package requiring an additional license for Essentials and Premium plans, it can also be controlled at the user level on those accounts. Account owners and administrators can select which users can use AI Expert Assist by assigning licenses to individual agents.

Data protection

Customer data, including customer content, is encrypted in transit using Transport Layer Security (TLS) 1.2 or AES 256-bit GCM: between customers and Zoom (where supported by the user’s connection method and as stated in Zoom's support articles), between Zoom services, and between Zoom and its third-party subprocessors, including its third-party AI model providers (e.g., OpenAI and Anthropic). Customer data, including customer content, that is either generated by or used to provide the AI Companion for Contact Center and AI Expert Assist features is encrypted at rest using a minimum of Advanced Encryption Standard (AES) 256-bit encryption.

 

Access to customer data and content used to provide AI capabilities is role-based and restricted based on least privilege, in accordance with Zoom’s access control policies and standards. Controls are in place to prevent Zoom employees from accessing customer content, including meeting, webinar, chat, or email content (specifically, audio, video, files, in-meeting whiteboards, messaging, or email content), or any content generated or shared as part of other collaborative features (such as out-of-meeting whiteboards), unless authorized by the account owner or administrator of the account hosting the Zoom product or service where the customer content was generated, or as required for legal, safety, or security reasons. Zoom’s access to customer data and content is logged and monitored for suspicious activity or unauthorized access. Zoom’s data access controls are assessed by independent audit firms where indicated in our security certifications and attestations, available to our customers on Zoom’s Trust Center.

Secure development of generative AI features

Zoom’s secure software development lifecycle (SDLC) is a set of practices and processes designed to integrate security into each phase of the software development lifecycle. Zoom’s secure software development controls are assessed by independent audit firms as indicated in Zoom’s security certifications and attestations, which are available to customers on Zoom’s Trust Center. Zoom Contact Center AI features follow Zoom’s standard secure SDLC process, which includes the following:

Zoom’s Engineering Security team is engaged during the design phase when a feature is being conceptualized so that key security controls can be built into the requirements. Security design reviews, which include threat analysis, are performed to identify potential threats and mitigations. Zoom maintains vulnerability remediation standards governing the remediation or mitigation of security vulnerabilities identified during the security design review.

Peer code reviews are a key element of Zoom’s secure software development lifecycle and are enforced in Zoom’s software development platform. In addition to peer code reviews, high-risk areas identified during the security design review require secure code reviews.

Zoom utilizes static analysis security testing (SAST) tools to scan its source code for coding errors and common security vulnerabilities, including Open Web Application Security Project’s (OWASP) Top 10 and National Vulnerability Database (NVD). Zoom maintains vulnerability remediation standards governing the remediation or mitigation of security vulnerabilities identified through static analysis testing.

Zoom utilizes dynamic analysis security testing (DAST) tools to identify common security vulnerabilities, including OWASP’s Top 10 and NVD. Zoom maintains vulnerability remediation standards governing the remediation or mitigation of security vulnerabilities identified through dynamic analysis testing.

Where open source software (OSS) is used, the OSS package must undergo Zoom’s third-party code review process, which includes a set of OSS evaluation criteria and scanning for common security vulnerabilities. Zoom maintains vulnerability remediation standards governing the remediation or mitigation of security vulnerabilities identified through third-party OSS scanning tools.

Security approval is required for deployment of new products and features, including Zoom AI Companion for Contact Center and Zoom AI Expert Assist. Zoom has a dedicated Release Security Assurance function responsible for scanning Zoom client builds prior to release. The final Zoom client build scans are designed to identify potential vulnerabilities or malicious content, and the build is digitally signed to maintain its integrity and authenticity.

Generative AI model security

In addition to the steps outlined in Zoom’s secure SDLC above, models hosted by Zoom are subject to security reviews to assess security threats specific to generative AI models. The generative AI model review includes commonly known LLM model vulnerabilities, in line with OWASP’s Top 10 for LLMs and other secure AI frameworks. Vulnerabilities identified in the generative AI security reviews must be remediated in accordance with Zoom’s vulnerability remediation standards.

 

Zoom’s third-party subprocessors are subject to security assessments on at least an annual basis as part of Zoom’s third-party risk management program. Zoom’s third-party risk management controls are assessed by independent audit firms as indicated in Zoom’s security certifications and attestations, which are available to customers on Zoom’s Trust Center.

Security assessments

Zoom has a dedicated offensive security team that performs ongoing vulnerability research and red team exercises across Zoom’s platform, including Zoom AI Companion for Contact Center and Zoom AI Expert Assist features. In addition to Zoom’s dedicated offensive security team, penetration tests are performed by an independent third party on at least an annual basis.

Vulnerability disclosure program

Zoom believes that the independent security research community can provide key contributions to the security of Zoom’s products. Zoom maintains a vulnerability disclosure program as well as a Bug Bounty program through HackerOne that incentivizes security researchers to responsibly report potential security vulnerabilities so Zoom can fix them and help keep its users safe.

Zoom Contact Center AI compliance

Zoom AI Companion for Contact Center and Zoom AI Expert Assist adhere to the same security and compliance requirements as the primary Zoom Contact Center product within which they are incorporated. Both Zoom Contact Center and AI Companion are ISO 27001, ISO 27701, and ISO 27017/18 certified and are also included within the scope of Zoom’s SOC 2 Type 2 report, available on Zoom’s Trust Center.

Changelog

Version | Published on | Change type | Change
V. 1.0 | 8/23/2024 | Updated | Table of contents
V. 1.0 | 8/23/2024 | Add | Features
V. 1.0 | 7/23/2024 | Updated | AIC+EA feature table
V. 1.0 | 7/08/2024 | Add | Regional availability
V. 1.0 | 7/12/2024 | Updated | Data flow diagram