Zoom · Zoom Sub-Processors · View original document ↗

Multi-Region Data Processing Location Disclosure

Medium severity Medium confidence Explicitdocumentlanguage Unique · 0 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Zoom recorded 2 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Zoom Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The document discloses the country or region in which each listed subprocessor processes data, identifying processing locations including the United States, countries within the European Union, and other regions, establishing the geographic scope of Zoom's subprocessor data processing chain.

This analysis describes what Zoom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision is operationally significant for GDPR Chapter V compliance, as personal data transfers to third countries without an adequacy decision require a valid transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules. The disclosure of US-based subprocessors is particularly relevant given ongoing regulatory scrutiny of EU-to-US data transfers following the Schrems II decision, though the document does not detail the specific transfer mechanisms Zoom applies to each subprocessor.

Interpretive note: The document discloses processing locations but does not specify the transfer mechanism applied to each subprocessor in non-adequate third countries, so full GDPR Chapter V compliance assessment requires review of the Data Processing Agreement and supplementary documentation.

Consumer impact (what this means for users)

Under this disclosure, customer data may be processed by subprocessors located in the United States and other non-EEA countries, which under GDPR requires that appropriate transfer safeguards are in place. Business customers are responsible for assessing whether Zoom's transfer mechanisms satisfy their own GDPR or UK GDPR obligations for international data transfers.

Cross-platform context

See how other platforms handle Multi-Region Data Processing Location Disclosure and similar clauses.

Compare across platforms →

Monitoring

Zoom has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
A subprocessor is a vendor Zoom uses to process data on behalf of our customers.

— Excerpt from Zoom's Zoom Sub-Processors

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: International data transfers to third countries engage GDPR Chapter V, including Article 46 (Standard Contractual Clauses) and Article 45 (adequacy decisions). The EU-US Data Privacy Framework provides a current adequacy mechanism for transfers to certified US organizations, but its ongoing validity is subject to legal challenge. UK GDPR imposes analogous transfer restrictions. Enforcement authorities include EU supervisory authorities and the UK ICO. 2. GOVERNANCE EXPOSURE: High for organizations subject to GDPR or UK GDPR that process data of EU or UK data subjects. The identification of US-based subprocessors requires confirmation of applicable transfer mechanisms and documentation in Article 30 records. 3. JURISDICTION FLAGS: EU and EEA customers face the highest exposure given GDPR Chapter V obligations. UK customers face equivalent obligations under the UK GDPR international transfer framework. Swiss customers should assess compliance with the revised Swiss Federal Act on Data Protection. Organizations with data subjects in multiple jurisdictions should map each subprocessor's processing location against applicable transfer requirements. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request from Zoom documentation of the specific transfer mechanisms applied to each non-EEA subprocessor, and confirm whether Standard Contractual Clauses or other safeguards are incorporated by reference in the Data Processing Agreement. 5. COMPLIANCE CONSIDERATIONS: Data mapping and Article 30 records should be updated to reflect subprocessor processing locations. Transfer impact assessments may be required for high-risk processing activities involving US-based subprocessors. Organizations should monitor for changes in adequacy decisions or transfer mechanism validity that may affect the lawfulness of ongoing transfers.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over representations regarding international data transfer practices and cross-border data sharing by US-based companies
    File a complaint →

Provision details

Document information
Document
Zoom Sub-Processors
Entity
Zoom
Document last updated
July 6, 2026
Tracking information
First tracked
July 6, 2026
Last verified
July 6, 2026
Record ID
CA-P-013432
Document ID
CA-D-00930
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
8fd5028a6a70d970b01aff7e574b1ac598f580f953416e9617e7464c57820321
Analysis generated
July 6, 2026 23:07 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Zoom
Document: Zoom Sub-Processors
Record ID: CA-P-013432
Captured: 2026-07-06 23:07:54 UTC
SHA-256: 8fd5028a6a70d970…
URL: https://conductatlas.com/platform/zoom/zoom-sub-processors/multi-region-data-processing-location-disclosure/
Accessed: July 7, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Zoom's Multi-Region Data Processing Location Disclosure clause do?

This provision is operationally significant for GDPR Chapter V compliance, as personal data transfers to third countries without an adequacy decision require a valid transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules. The disclosure of US-based subprocessors is particularly relevant given ongoing regulatory scrutiny of EU-to-US data transfers following the Schrems II decision, though the document does …

How does this clause affect you?

Under this disclosure, customer data may be processed by subprocessors located in the United States and other non-EEA countries, which under GDPR requires that appropriate transfer safeguards are in place. Business customers are responsible for assessing whether Zoom's transfer mechanisms satisfy their own GDPR or UK GDPR obligations for international data transfers.

Is ConductAtlas affiliated with Zoom?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zoom.