Zoom · Zoom Sub-Processors · View original document ↗

Customer Objection Rights via Data Processing Agreement

Medium severity Medium confidence Inferredfromcontext Unique · 0 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Zoom recorded 2 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Zoom Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The document indicates that customers who have executed a Data Processing Agreement with Zoom may have rights to receive advance notice of subprocessor changes and to object to those changes, with the specific mechanism and timeline governed by that separate agreement rather than by this list.

This analysis describes what Zoom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes that the operationalization of subprocessor objection rights is contingent on the terms of the customer's individual Data Processing Agreement with Zoom, meaning the right to object is not uniformly available to all users and depends on whether a qualifying agreement has been executed. Under GDPR Article 28(2), controllers are entitled to object to subprocessor changes, and the mechanism for doing so must be clearly defined in the processor agreement.

Interpretive note: The specific notice period, objection deadline, and procedural mechanism for subprocessor objections are not stated in this document and depend on the terms of the individual Data Processing Agreement executed between Zoom and the customer.

Consumer impact (what this means for users)

Under this framework, business customers with a signed Data Processing Agreement with Zoom may have contractual rights to receive notice of and object to new or changed subprocessors. Customers without such an agreement, or those whose agreements do not include an explicit objection mechanism, may not have a clearly defined procedural path to exercise this right.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Review the subprocessor list at Zoom's trust portal for any newly added or changed subprocessors. If a change is identified that requires an objection, submit the objection through the mechanism specified in your executed Data Processing Agreement with Zoom.

Cross-platform context

See how other platforms handle Customer Objection Rights via Data Processing Agreement and similar clauses.

Compare across platforms →

Monitoring

Zoom has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
A subprocessor is a vendor Zoom uses to process data on behalf of our customers.

— Excerpt from Zoom's Zoom Sub-Processors

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: GDPR Article 28(2) requires processors to inform controllers of intended subprocessor changes and permit controllers to object. This provision engages that requirement by deferring the objection mechanism to the Data Processing Agreement. Enforcement authorities include EU supervisory authorities and the UK ICO. The document does not specify the notice period Zoom provides before adding new subprocessors, which is a material detail for GDPR compliance. 2. GOVERNANCE EXPOSURE: Medium. The absence of a stated notice period or objection window in this public document means customers cannot assess from this disclosure alone whether Zoom's process meets their GDPR obligations. The adequacy of the objection mechanism is only assessable by reviewing the executed Data Processing Agreement. 3. JURISDICTION FLAGS: EU and EEA customers face heightened exposure given the explicit GDPR Article 28 requirement. UK customers face equivalent obligations under UK GDPR. Multi-national organizations with data subjects in multiple jurisdictions should assess whether a single Data Processing Agreement covers all relevant jurisdictions. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should review their executed Data Processing Agreement to confirm the objection notice period, the method for submitting objections, and what remedies are available if Zoom proceeds with a subprocessor change over a customer's objection, including whether termination for cause is available. 5. COMPLIANCE CONSIDERATIONS: Organizations should establish an internal process to monitor Zoom's subprocessor list for changes and act within any contractual objection window. This may require assigning ownership of vendor notification monitoring within the compliance or privacy function.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over representations made by US-based companies regarding data processing practices and consumer or business customer rights
    File a complaint →

Provision details

Document information
Document
Zoom Sub-Processors
Entity
Zoom
Document last updated
July 6, 2026
Tracking information
First tracked
July 6, 2026
Last verified
July 6, 2026
Record ID
CA-P-013431
Document ID
CA-D-00930
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
8fd5028a6a70d970b01aff7e574b1ac598f580f953416e9617e7464c57820321
Analysis generated
July 6, 2026 23:07 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Zoom
Document: Zoom Sub-Processors
Record ID: CA-P-013431
Captured: 2026-07-06 23:07:54 UTC
SHA-256: 8fd5028a6a70d970…
URL: https://conductatlas.com/platform/zoom/zoom-sub-processors/customer-objection-rights-via-data-processing-agreement/
Accessed: July 7, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Zoom's Customer Objection Rights via Data Processing Agreement clause do?

This provision establishes that the operationalization of subprocessor objection rights is contingent on the terms of the customer's individual Data Processing Agreement with Zoom, meaning the right to object is not uniformly available to all users and depends on whether a qualifying agreement has been executed. Under GDPR Article 28(2), controllers are entitled to object to subprocessor changes, and the …

How does this clause affect you?

Under this framework, business customers with a signed Data Processing Agreement with Zoom may have contractual rights to receive notice of and object to new or changed subprocessors. Customers without such an agreement, or those whose agreements do not include an explicit objection mechanism, may not have a clearly defined procedural path to exercise this right.

Is ConductAtlas affiliated with Zoom?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zoom.