// Trust & Security Report

    Zoom Communications, Inc. logo

    Zoom Communications, Inc.

    Zoom AI Companion and related AI products (ZoomMate agentic AI, My Notes AI note taker, AI Productivity Suite, Healthcare Clinical Notes, Zoom AI Studio) built on the Zoom Workplace unified communications platform

    Certifications held

    18

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 report covering Security, Availability, Confidentiality, and Privacy. Audit period 10/16/2024 to 10/15/2025.

    Verify on zoom.com
    SOC 2 + HITRUST
    HELD

    SOC 2 Type 2 report that includes controls relevant to HITRUST. Available to provide healthcare customers assurance over the controls in place to support HIPAA requirements.

    Verify on zoom.com
    ISO 27001
    HELD

    Certificate #1407508-7, issued February 17, 2026 by Schellman. Covers 35+ Zoom Unified Communications products including Zoom Meetings, Chat, Phone, Webinars, Rooms, Contact Center, Zoom AI Studio, Customer Managed Key Service, and Healthcare Clinical Notes.

    Verify on zoom.com
    ISO 27017
    HELD

    ISO 27017 / 18 listed as a globally recognized certification on privacy and cloud computing under Commercial certifications and attestations.

    Verify on zoom.com
    ISO 27018
    HELD

    ISO 27017 / 18 listed under Commercial certifications and attestations as a globally recognized certification on privacy and cloud computing.

    Verify on zoom.com
    ISO 27701
    HELD

    ISO 27701 listed as a data privacy framework guiding with GDPR and other regulations. Certificate issued February 17, 2026.

    Verify on zoom.com
    CSA STAR Level 2
    HELD

    CSA STAR Level 2 listed as 'Registry of security and compliance controls for cloud service offerings' under Commercial certifications. Also listed as 'CSA STAR Attestation' on trust.zoom.com.

    Verify on zoom.com
    GDPR
    HELD

    Zoom incorporates its Data Processing Addendum into the Zoom Terms of Service. Zoom is a registered active participant in the EU-US Data Privacy Framework (DPF) as of July 10, 2023. SCCs implemented. EU data residency available for eligible paid accounts.

    Verify on zoom.com
    HIPAA (via BAA)
    HELD

    Zoom enables HIPAA-compliant programs by executing a Business Associate Agreement (BAA) and safeguarding protected health information (PHI). Zoom aligns controls to HITRUST CSF and provides SOC 2 + HITRUST report for healthcare customers. NOTE: explicit confirmation that AI Companion features are within BAA scope requires direct verification with Zoom.

    Verify on zoom.com
    PCI DSS
    HELD

    PCI DSS listed under Commercial certifications as 'PCI compliant solution for Zoom Phone and Zoom Contact Center leveraging an integration with PCIpal.' PCI DSS v4.0.1 listed on trust.zoom.com.

    Verify on zoom.com
    FedRAMP Moderate
    HELD

    FedRAMP Moderate listed under Zoom for Government certifications. trust.zoom.com notes 'FedRAMP JAB Authorization' for Zoom AI Companion as a JAB Moderate system.

    Verify on zoom.com
    UK Cyber Essentials Plus
    HELD

    UK Cyber Essentials Plus listed as 'UK Government information security assurance scheme' under Commercial certifications.

    Verify on zoom.com
    BSI C5 (Germany)
    HELD

    BSI C5 listed as 'Security of cloud services that leverages internationally recognized security standards' under Commercial certifications.

    Verify on zoom.com
    iRAP (Australia)
    HELD

    iRAP listed as 'Security controls assessment for Australian Government customers' under Commercial certifications.

    Verify on zoom.com
    ISMAP (Japan)
    HELD

    ISMAP listed as evaluating cloud service providers against Japanese government security requirements under Commercial certifications.

    Verify on zoom.com
    HDS (France)
    HELD

    HDS (Hébergeur de Données de Santé) listed as a French certification framework for secure hosting of health data under Commercial certifications.

    Verify on zoom.com
    DoD IL4
    HELD

    DODIL4 listed under Zoom for Government certifications as 'Cloud computing security requirements for the US Department of Defense.'

    Verify on zoom.com
    CJIS
    HELD

    CJIS listed under Zoom for Government certifications as 'Compliance Assessment Report.'

    Verify on zoom.com
    > Show 2 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence found. ISO 42001 is not listed on the Zoom compliance page, trust center, or any vendor-domain blog post. Not mentioned in the AI Whitepaper security framework section.

    source: zoom.com
    CSA STAR for AI
    NOT CONFIRMED

    No public evidence found. Not listed on the Zoom compliance page or trust center.

    source: trust.zoom.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US default; EU data centers available for eligible paid accounts for meeting and webinar processing. AI Companion offers ZMO, ZM+, and Federated processing modes to support local hosting and data sovereignty requirements.

    Zoom explicitly commits to not training on customer content. Privacy Statement states twice: 'Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom's or its third-party artificial intelligence models.' During AI Companion use, content is processed by third-party LLM providers (including OpenAI and Anthropic) encrypted in transit; customers can opt into Zoom-hosted Model Only (ZMO) mode to avoid third-party LLM processing entirely. No tier difference in no-training commitment; applies to all account types.

    // Security controls

    Encryption in transit

    TLS 1.2 minimum or AES-256 GCM between customers and Zoom, between Zoom services, and between Zoom and third-party AI model providers (OpenAI, Anthropic)

    zoom.com

    Encryption at rest

    AES-256 minimum for all customer content including AI Companion-generated data

    zoom.com

    Customer Managed Key (CMK)

    Available as enterprise option; customers may supply own encryption key for content stored by Zoom

    zoom.com

    End-to-end encryption

    Available for Zoom Email (native email service) by default between Zoom Email users; optional for Zoom Meetings for paid accounts

    zoom.com

    Multi-factor authentication

    Supported; referenced in trust center security pillar

    zoom.com

    Penetration testing

    Third-party penetration test reports available via the Trust Center

    zoom.com

    Subprocessor oversight

    Subprocessors contractually obligated to meet Zoom DPA requirements and subject to annual security assessments as part of third-party risk management program

    zoom.com

    Employee data access controls

    Zoom employees may not access or use Customer Content without authorization from the account owner or as required for legal, safety, or security purposes

    zoom.com

    // Products & data scope

    Zoom AI CompanionAI Meeting Assistant / Conversational AI

    data: Meeting audio, video, transcripts, chat messages, whiteboards; processed by Zoom and optionally third-party LLM providers (OpenAI, Anthropic) for summarization, action items, and Q&A

    Included at no extra cost for most paid Zoom plans. Covered under SOC 2 Type 2, ISO 27001, ISO 27701. HIPAA coverage requires BAA; explicit AI Companion scope under BAA should be confirmed with Zoom. FedRAMP JAB Moderate authorization for government use.

    ZoomMateAgentic AI / AI Productivity

    data: Meeting content, documents, calendar context; generates assets such as decks and documents using AI

    Newer agentic product. Falls under Zoom AI Whitepaper security framework. Third-party LLM processing applies unless ZMO mode selected.

    My NotesAI Note Taker

    data: Virtual and in-person meeting audio, transcripts, and context

    Available for virtual and in-person meetings and third-party platforms. No-training commitment applies. Encryption standards same as AI Companion.

    Healthcare Clinical NotesHealthcare AI

    data: Clinical conversation audio and transcripts for healthcare settings

    Explicitly listed in ISO 27001 certificate scope. HDS certification relevant for French healthcare. BAA required for HIPAA compliance.

    Zoom AI StudioAI Development Platform

    data: Customer-defined AI configurations and prompts

    Listed in ISO 27001 certificate scope. Enterprise-tier product.

    // What to watch

    • HIPAA/AI Companion scope ambiguity: Zoom's HIPAA page confirms BAA availability and SOC 2 + HITRUST alignment but does not explicitly enumerate which AI Companion features are within BAA scope. Healthcare organizations must confirm AI feature coverage directly with Zoom before deploying in PHI contexts.
    • Third-party LLM data flow: Customer content is routed to third-party AI model providers (OpenAI, Anthropic) during AI Companion processing. Although encrypted in transit (TLS 1.2 minimum / AES-256 GCM), customers who require data to remain exclusively on Zoom infrastructure must opt into ZMO mode, which is not the default.
    • No ISO 42001 or CSA STAR AI: Despite a significant AI product portfolio, Zoom holds no publicly evidenced AI-specific governance certification (ISO 42001, CSA STAR AI). This is a gap compared to some competitors and relevant for AI-risk-conscious procurement.
    • Terms of Service date: The base ToS shown is effective August 11, 2023. AI terms and the no-training commitment have been updated since then (Privacy Statement last updated February 2, 2026 contains the explicit no-training language). Procurement teams should confirm the current governing ToS version is signed.

    // At a glance

    Pricing model

    Subscription (SaaS); AI Companion included at no extra cost for most paid Zoom Workplace plans. Free tier does not include AI Companion.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Zoom Communications, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.zoom.com

    > Browse all vendor trust reports