Track 3 platforms and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is Zoom's public disclosure of the third-party companies and Zoom-affiliated entities that process customer data in connection with Zoom's services. The document identifies each subprocessor by name, the processing purpose, and the country or region where data processing occurs, covering infrastructure, support, analytics, security, and AI functions. Zoom states that customers who have signed a Data Processing Agreement with Zoom may be entitled to object to new subprocessors through a notification and objection process described in that agreement.
This document is Zoom's Third-Party Subprocessors and Zoom Affiliates list, published on Zoom's trust portal, which discloses the vendors and Zoom-affiliated entities that process personal data on behalf of Zoom's customers, operating under Zoom's customer data processing agreements and applicable data protection law including GDPR. The document states that Zoom engages subprocessors to assist in delivering its services and that each subprocessor is bound by obligations no less protective than those Zoom commits to customers under its Data Processing Agreement. The list identifies subprocessors by name, purpose, and data processing location, covering categories including cloud infrastructure, customer support tooling, analytics, security operations, and AI-related processing, with processing locations spanning the United States, European Union, and other regions. This disclosure structure engages GDPR Article 28 requirements governing controller-to-processor and processor-to-subprocessor relationships, as well as analogous obligations under the UK GDPR, the Swiss Federal Act on Data Protection, and various state-level privacy frameworks including the California Consumer Privacy Act. Organizations subject to GDPR or UK GDPR that rely on Zoom as a processor should evaluate whether this list and its update notification mechanism satisfy their own downstream subprocessor management obligations, including whether contractual objection rights are operationally preserved.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Get ComplianceMonitoring
Zoom has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Get ComplianceCross-platform context
See how other platforms handle AI-Function Subprocessor Inclusion and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.