In addition to third-party vendors, the document discloses Zoom-affiliated entities that act as processors of customer data, identifying the corporate group members through which Zoom delivers its services and within which customer data may flow.
This analysis describes what Zoom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The inclusion of Zoom affiliates alongside third-party subprocessors is relevant for GDPR intra-group data transfer analysis, as transfers between Zoom's corporate group entities located in different jurisdictions require the same transfer safeguards as transfers to independent third parties unless a specific intra-group arrangement such as Binding Corporate Rules is in place. Customers should assess whether their Data Processing Agreement covers intra-group transfers as well as third-party subprocessing.
Interpretive note: The document identifies Zoom affiliates as processors but does not specify which affiliates are located in which jurisdictions, making it difficult to fully assess intra-group transfer requirements without additional information.
Customer data may be processed by Zoom-affiliated entities in addition to third-party subprocessors, as disclosed in this document. Intra-group transfers between Zoom entities in different jurisdictions are subject to the same GDPR Chapter V transfer restrictions as transfers to independent third-party subprocessors.
Cross-platform context
See how other platforms handle Zoom Affiliates as Data Processors and similar clauses.
Compare across platforms →Monitoring
Zoom has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"A subprocessor is a vendor Zoom uses to process data on behalf of our customers.— Excerpt from Zoom's Zoom Sub-Processors
1. REGULATORY LANDSCAPE: Intra-group data transfers between entities in different jurisdictions engage GDPR Chapter V and may require Standard Contractual Clauses or other approved mechanisms even where both entities are part of the same corporate group, unless Binding Corporate Rules are in place. The UK GDPR imposes analogous requirements. Enforcement authorities include EU supervisory authorities and the UK ICO. 2. GOVERNANCE EXPOSURE: Medium. Organizations relying on Zoom for processing of EU or UK personal data should confirm that intra-group transfers between Zoom affiliates are covered by appropriate transfer mechanisms documented in the Data Processing Agreement or in supplementary transfer documentation. 3. JURISDICTION FLAGS: EU and EEA customers face direct exposure under GDPR Chapter V for intra-group transfers to Zoom entities outside the EEA, particularly to Zoom's US parent. UK customers face equivalent obligations. Swiss customers should assess compliance with the revised Swiss Federal Act on Data Protection. 4. CONTRACT AND VENDOR IMPLICATIONS: Data Processing Agreement review should confirm whether Zoom's affiliates are specifically listed as authorized subprocessors and whether the agreement addresses intra-group transfer mechanisms. Procurement teams should request confirmation of whether Standard Contractual Clauses or Binding Corporate Rules cover intra-group processing. 5. COMPLIANCE CONSIDERATIONS: Article 30 records and transfer impact assessments should reflect intra-group processing by Zoom affiliates. Organizations should assess whether their privacy notices accurately disclose international transfers to Zoom's corporate group entities.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The inclusion of Zoom affiliates alongside third-party subprocessors is relevant for GDPR intra-group data transfer analysis, as transfers between Zoom's corporate group entities located in different jurisdictions require the same transfer safeguards as transfers to independent third parties unless a specific intra-group arrangement such as Binding Corporate Rules is in place. Customers should assess whether their Data Processing Agreement covers …
Customer data may be processed by Zoom-affiliated entities in addition to third-party subprocessors, as disclosed in this document. Intra-group transfers between Zoom entities in different jurisdictions are subject to the same GDPR Chapter V transfer restrictions as transfers to independent third-party subprocessors.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zoom.