Third Party Vendor Relations

Vendor Onboarding

Vendor Onboarding

Zoom partners with third-party vendors to meet customer and business needs. These third party companies may be referred to as suppliers, vendors, or third party vendors. The Third Party Risk Management (TPRM) Program provides advisory and assessment activity for many of these third party vendors. TPRM partners with Legal, Procurement, Technology Compliance, Privacy, IT, and the Business Units to provide comprehensive governance and management of Zoom’s vendor population.

The TPRM Program has been established to ensure that vendors providing technology or services to Zoom, and accessing Zoom sensitive data, are following key security principles, meeting compliance, and regulatory requirements. As part of the TPRM Program, risk assessments will be conducted.

TPRM drives compliance to these requirements through a risk based review cycle. For any new vendors, work cannot start until this process is complete.

Frequently Asked Questions

Vendor Risk Management Portal

  • You must change your password upon the first log in
  • You will have the option to change your username after the first log in
  • Note: Your username is initially auto generated and does not default to your email address. Type username and/or password rather than copy/paste to avoid copying a space at the end which will result in a failed login.
  • Note: Multi-factor authentication (MFA) will be required.

You can reset yourself by utilizing the ‘forgot password’ feature on the portal, reach out to or and we can resend a link with a new temporary password.

The primary vendor contact from your company can add additional contacts in the vendor portal as needed.

  • Email
  • Vendor portal notifications

Program Scope

All vendors are in scope for an inherent risk questionnaire (IRQ). Based on the results of the IRQ, some vendors may require additional risk assessments. Some services which are identified as low risk, may not require a detailed assessment.

The TPRM team will schedule a kick off meeting with you at the onset of a new engagement. During this time, assessment activities and timelines will be communicated to you. The goal is not to exceed 90 calendar days.

  • Preparation
  • Kickoff
  • Assessment Work
  • Meetings and Analysis
  • Engagement Closure
  • Continuous Monitoring
  • Customer Content Data
  • Customer Data
  • Employee Data
  • Prospective Employee Data
  • Event Logs
  • Configuration Data
  • Meeting Metadata

Risk Assessments

Risk assessments are advisory and assessment services related to regulatory compliance or information security. The goal is to provide guidance to project teams and leadership to manage technology risk introduced by new solutions.

  • Inherent Risk Questionnaire (IRQ)
  • Due diligence risk assessments to be conducted by Subject Matter Expert (SME) Teams which may include Third Party Risk Management, Privacy, Compliance, IT, Security Architecture, Offensive Security, or Open Source Security.

The IRQ consists of questions about the vendor service that are used to determine the potential risk posed to Zoom and the inherent risk tier.

An inherent risk tier refers to the potential risk an engagement presents to Zoom before any controls are applied or taken into account. The risk tier is measured on a scale of low, medium, and high. The inherent risk tier is the driving factor in determining what risk assessment work is required.

  • IRQs are required for any new vendor engagement.
  • Risk assessment requirements are based on inherent risk tier.
  • Below are the general timelines that will be followed for continuous monitoring:
    • Critical: Annual
    • High: Annual to Biennial
    • Medium: Biennial to Triennial
    • Low: Ad Hoc 
  • If any security issues are identified, the Zoom business owner is responsible for ensuring that the vendor provides a risk response plan for the issue and may incorporate the plan into legal agreements as needed.
  • Risk response plans may include remediation or acceptance of the issues.

Incident Management

  • The incident can be reported by reaching out directly to your Zoom Vendor Manager or emailing TPRM (
  • Be sure to include:
    • Incident Date
    • Vendor Name
    • Product/Application Name (if applicable)
    • Zoom Contact(s) Notified
    • Associated PO (if applicable/available)
    • Summary of the Incident


Security Addendum

Learn more Learn more

POC Agreement

Learn more Learn more

Evidence Request List

Learn more Learn more