Zoom Security and Compliance FAQ

In the event your company needs assistance completing a security or compliance assessment or questionnaire, the Zoom Trust Center provides you with self-service access to the resources you need to complete your assessment, including responses to the most common industry standard questionnaires, third-party certifications and attestations, and other artifacts and validated assessments. The resources most frequently used by our customers to complete the security and compliance assessments include:

• Zoom Trust Center - Compliance: Your go-to resource for security and compliance-related certifications and attestations. On Zoom’s Trust Center, you can find details about our security certifications, attestation reports, and pre-filled industry standard questionnaires. Customers will need to create a Whistic account using their company email address to access and/or download Zoom’s security and compliance documentation.
• CSA CAIQ Questionnaire: The CSA Consensus Assessments Initiative Questionnaire (CAIQ) provides a set of responses to standard cloud provider security assessments with over 250 questions. This document is available on the Zoom Trust Center.
• SIG Questionnaire: The Standardized Information Gathering (SIG) questionnaire is intended for use by customers using Shared Assessments’ SIG Questionnaire Tools to standardize their process for third-party risk assessments. Zoom has completed the SIG Core questionnaire, which has over 800 answers to questions around access control, compliance, privacy, application, and network security (among many other sections) that should assist customers with their due diligence processes. Zoom’s SIG questionnaire can be found on Zoom’s Trust Center.
• CyberGRX Validated Assessment: Zoom has partnered with CyberGRX to answer over 1,000 security questions – and CyberGRX, utilizing their strategic partners Deloitte and KPMG, has validated and reported on Zoom’s assessment.
• Best Practices for Securing Zoom Meetings: Whitepaper providing customers with details on how to implement best practices for securing Zoom Meetings.
• Zoom Encryption Whitepaper: Provides customers with details about the encryption methods available on Zoom’s platform.
• Privacy at Zoom and Privacy Resources - Zoom’s privacy pages contain  privacy statements and whitepapers, along with other global and industry specific privacy resources.

Whistic is a third-party tool Zoom uses to distribute our security and compliance documentation to customers. Customers will need to create a Whistic account using their company email address to access and/or download Zoom’s security and compliance documentation.

Zoom maintains a robust set of security certifications and attestations to help meet the collective needs of our customers in various geographies and industries. For the current list of certifications and attestations maintained by Zoom, please visit the Compliance page on the Zoom Trust Center.

Zoom makes certain third-party audit and attestation reports available to customers through the Zoom Trust Center; these reports can be accessed through the Compliance page.

The SOC 2 Type 2 bridge letter can be accessed on Zoom’s Trust Center via the SOC 2 Type 2 page.

This document can be accessed through Zoom’s security profile maintained on Zoom’s third-party service provider’s platform, Whistic. Zoom customers can access Zoom’s security profile via Whistic here. Customers will need to create a Whistic account using their company email address to access and/or download this information.

Zoom’s Privacy Statement is available on Zoom’s Trust Center via the Privacy at Zoom page. Additional privacy resources can be found here.

Zoom’s Global Data Processing Addendum (DPA) can be accessed here.

Zoom makes information available about its data processing in the privacy data sheets and Global Data Processing Addendum located here.

A list of Zoom-authorized subprocessors and affiliates — including the names, type(s) of data shared, and location of each subprocessor — is located on the Zoom Third-Party Subprocessors & Zoom Affiliates page. Please note customers can sign up to receive notifications of any new subprocessors on this page.

If you think you have found a security vulnerability in a Zoom product or service, please visit our Vulnerability Disclosure Policy for details on how to report the potential vulnerability to Zoom’s Security team.

The Zoom Security Bulletin page provides information related to Zoom’s Security Bulletins.We recommend that users update to the latest version of Zoom software to get the latest fixes and security improvements. Please note that customers can sign up to receive notifications of future Zoom Security Bulletins on this page.

There is currently no regulatory-backed certification available for HIPAA compliance; however, Zoom helps customers enable HIPAA compliant programs by executing a Business Associate Agreement (BAA) and safeguarding protected health information (PHI). Zoom aligns its controls to the Healthcare Industry Trust Alliance Common Security Framework (HITRUST CSF). To provide our healthcare customers assurance over the controls we have in place to support HIPAA requirements, Zoom makes available a  SOC 2 + HITRUST report, which aligns with AICPA Trust Services Principles and Criteria and the HITRUST CSF.

Yes, Zoom has a standard BAA that can be entered into when required by our customers. Please see the Zoom for Healthcare page for more information.