The document discloses the country or region in which each listed subprocessor processes data, identifying processing locations including the United States, countries within the European Union, and other regions, establishing the geographic scope of Zoom's subprocessor data processing chain.
This analysis describes what Zoom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision is operationally significant for GDPR Chapter V compliance, as personal data transfers to third countries without an adequacy decision require a valid transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules. The disclosure of US-based subprocessors is particularly relevant given ongoing regulatory scrutiny of EU-to-US data transfers following the Schrems II decision, though the document does not detail the specific transfer mechanisms Zoom applies to each subprocessor.
Interpretive note: The document discloses processing locations but does not specify the transfer mechanism applied to each subprocessor in non-adequate third countries, so full GDPR Chapter V compliance assessment requires review of the Data Processing Agreement and supplementary documentation.
Under this disclosure, customer data may be processed by subprocessors located in the United States and other non-EEA countries, which under GDPR requires that appropriate transfer safeguards are in place. Business customers are responsible for assessing whether Zoom's transfer mechanisms satisfy their own GDPR or UK GDPR obligations for international data transfers.
Cross-platform context
See how other platforms handle Multi-Region Data Processing Location Disclosure and similar clauses.
Compare across platforms →Monitoring
Zoom has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"A subprocessor is a vendor Zoom uses to process data on behalf of our customers.— Excerpt from Zoom's Zoom Sub-Processors
1. REGULATORY LANDSCAPE: International data transfers to third countries engage GDPR Chapter V, including Article 46 (Standard Contractual Clauses) and Article 45 (adequacy decisions). The EU-US Data Privacy Framework provides a current adequacy mechanism for transfers to certified US organizations, but its ongoing validity is subject to legal challenge. UK GDPR imposes analogous transfer restrictions. Enforcement authorities include EU supervisory authorities and the UK ICO. 2. GOVERNANCE EXPOSURE: High for organizations subject to GDPR or UK GDPR that process data of EU or UK data subjects. The identification of US-based subprocessors requires confirmation of applicable transfer mechanisms and documentation in Article 30 records. 3. JURISDICTION FLAGS: EU and EEA customers face the highest exposure given GDPR Chapter V obligations. UK customers face equivalent obligations under the UK GDPR international transfer framework. Swiss customers should assess compliance with the revised Swiss Federal Act on Data Protection. Organizations with data subjects in multiple jurisdictions should map each subprocessor's processing location against applicable transfer requirements. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request from Zoom documentation of the specific transfer mechanisms applied to each non-EEA subprocessor, and confirm whether Standard Contractual Clauses or other safeguards are incorporated by reference in the Data Processing Agreement. 5. COMPLIANCE CONSIDERATIONS: Data mapping and Article 30 records should be updated to reflect subprocessor processing locations. Transfer impact assessments may be required for high-risk processing activities involving US-based subprocessors. Organizations should monitor for changes in adequacy decisions or transfer mechanism validity that may affect the lawfulness of ongoing transfers.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision is operationally significant for GDPR Chapter V compliance, as personal data transfers to third countries without an adequacy decision require a valid transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules. The disclosure of US-based subprocessors is particularly relevant given ongoing regulatory scrutiny of EU-to-US data transfers following the Schrems II decision, though the document does …
Under this disclosure, customer data may be processed by subprocessors located in the United States and other non-EEA countries, which under GDPR requires that appropriate transfer safeguards are in place. Business customers are responsible for assessing whether Zoom's transfer mechanisms satisfy their own GDPR or UK GDPR obligations for international data transfers.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zoom.