Zoom Video Communications Inc Global Data Processing

Zoom Video Communications, Inc

Global Data Processing Addendum
This Data Processing Agreement, including its Exhibits, (“Addendum”) forms part of the Master Subscription
Agreement, Terms of Service, Terms of Use or any other agreement about the delivery of the contracted services
(the “Agreement”) between Zoom Video Communications, Inc. (“Zoom”) and the Customer named in such
Agreement or identified below to reflect the parties' agreement about the Processing of Customer Personal Data (as
those terms are defined below)

In the event of a conflict between the terms and conditions of this Addendum, or the Agreement, an Order Form, or
any other documentation, the terms and conditions of this Addendum shall prevail with respect to the subject matter
of Processing of Customer Personal Data

All capitalized terms not defined herein shall have the meaning set forth in the Agreement

1 Definitions
1.1 “Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is
under common control with that party. For purposes of this Addendum, “control” means an economic or
voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power
to direct or cause the direction of the management and set the policies of such entity

1.2 “Anonymised Data” means, having regard to the guidance published by the European Data Protection Board,
Personal Data which does not relate to an identified or identifiable natural person or rendered anonymous in
such a manner that the data subject is not or no longer identifiable

1.3 “Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a
recognized government, or governmental or administrative entity with the purpose of protecting the privacy
rights of natural persons or households consisting of natural persons, in particular the General Data Protection
Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member
States, the United Kingdom's Data Protection Act 2018 and the GDPR as saved into United Kingdom law by
virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss
Federal Data Protection Act (“Swiss DPA”), Canada’s Personal Information Protection and Electronic
Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to
PIPEDA under the procedures set forth therein, and the California Consumer Privacy Act (“CCPA”) of 2018, the
Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law (“LGPD”), the ePrivacy Directive
2002/58/EC (the “Directive”), together with any European Union Member national implementing the
Directive

1.4 “Authorized Subprocessor” means a subprocessor engaged by Zoom to Process Customer Personal Data on
behalf of the Customer per the Customer’s Instructions under the terms of the Agreement and this
Addendum. Authorized Subprocessors may include Zoom Affiliates but shall exclude Zoom employees,
contractors and consultants
1.5 “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and
means of the Processing of Personal Data

1.6 “Customer Personal Data” means the Personal Data, including but not limited to:
(a) Content Data: All text, sound, video, or image files that are part of profile and End User information
and/or exchanged between End Users (including guest users participating in Customer-hosted
meetings and webinars) and with Zoom via the Services;
Zoom Global Data Processing Addendum (February 2022) Page 1 of 34
(b) Account Data (name, screen name and email address);
(c) Support Data (as defined in Annex I to the Standard Contractual Clauses);
(d) Website access Data (including cookies); and
(e) Diagnostic Data including but not limited to: Data from applications (including browsers) installed
on End User devices (“Telemetry Data”), Service generated server logs (with for example meeting
metadata and End User settings) and Zoom internal security logs,
that are generated by, or provided to, Zoom by, or on behalf of, Customer through use of the Services as
further defined in Annex I of the Standard Contractual Clauses

1.7 “Data Subject” means the identified or identifiable person to whom Personal Data relates

1.8 “Legitimate Business Purposes” means the exhaustive list of specific purposes for which Zoom is allowed to
process some personal data as Controller as specified in Section 2.4

1.9 “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who
can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes any
special categories of Personal Data defined in Art. 9 of the GDPR, data relating to criminal convictions and
offences or related security measures defined in Art. 10 of the GDPR and national security numbers defined
in Art. 87 of the GDPR and national supplementing law

1.10 “Processor” means the entity that processes personal data on behalf of the Controller

1.11 “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction,
loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Zoom or
Zoom’s Authorized Subprocessor

1.12 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data
or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization,
storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance
of doubt: this includes processing of personal data to disclose, aggregate, pseudonymise, de-identify or
anonymize Personal Data, and to combine personal data with other personal data, or to derive any data or
information from such Personal Data

1.13 “Services” means the Zoom Services as set forth in the Agreement or associated Zoom order form

1.14 “Standard Contractual Clauses” means: (i) where the GDPR applies the contractual clauses annexed to the
European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for
the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European
Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data
protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where
the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise
recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”)

1.15 “Supervisory Authority” means an independent public authority responsible for monitoring the application
of Applicable Data Protection Law, including the Processing of Personal Data covered by this Addendum

2 Processing of Personal Data: Roles, Scope and Responsibility
2.1 The Parties acknowledge and agree to the following: Customer is the Controller of Customer Personal Data

Zoom is the Processor of Customer Personal Data, except where Zoom or a Zoom affiliate acts as a Controller
processing Customer Personal Data in accordance with the exhaustive list of Legitimate Business Purposes in
Section 2.4

2.2 Only to the extent necessary and proportionate, Customer as Controller instructs Zoom to perform the
following activities as Processor on behalf of Customer:
(a) Provide and update the Services as licensed, configured, and used by Customer and its users,
including through Customer's use of Zoom settings, administrator controls or other Service
functionality;
(b) Secure and real-time monitor the Services;
(c) Resolve issues, bugs, and errors;
(d) Provide Customer requested support, including applying knowledge gained from individual customer
support requests to benefit all Zoom customers but only to the extent such knowledge is anonymized;
and
(e) Process Customer Personal Data as set out in the Agreement and Annex I to the Standard Contractual
Clauses (subject matter, nature, purpose, and duration of Personal Data Processing in the controller
to processor capacity and any other documented instruction provided by Customer and
acknowledged by Zoom as constituting instructions for purposes of this Addendum

(collectively, the “Instructions”)

2.3 Zoom shall immediately notify the Customer, if, in Zoom’s opinion, an Instruction of the Customer infringes
Applicable Data Protection Law and request that Customer withdraw, amend, or confirm the relevant
Instruction. Pending the decision on the withdrawal, amendment, or confirmation of the relevant Instruction,
Zoom shall be entitled to suspend the implementation of the relevant Instruction

2.4 Zoom may Process some Customer Personal Data for its own Legitimate Business Purposes, as an independent
Controller, solely when the Processing is strictly necessary and proportionate, and if the Processing is for one
of the following exhaustive list of purposes:
(a) Directly identifiable data (name, screen name, profile picture and email address and all Customer
Content Data directly connected to such directly identifiable data) may be Processed for:
(i) billing, account, and Customer relationship management (marketing communication with
procurement/sales officials), and related Customer correspondence (mailings about for
example necessary updates);
(ii) complying with and resolving legal obligations, including responding to Data Subject
Requests for Personal Data processed by Zoom as data Controller (for example website
data), tax requirements, agreements and disputes;
(iii) abuse detection, prevention and protection (such as automatic scanning for matches with
identifiers of known Child Sexual Abuse Material (“CSAM”), virus scanning and scanning
to detect violations of terms of service (such as copyright infringement, SPAM, and actions
not permitted under Zoom’s Community Standards (also known as an acceptable use
policy);
(b) Pseudonymized and/or aggregated data (Zoom will pseudonymise and/or aggregate as much as
possible and pseudonymized and/or aggregated data will not be processed on a per-Customer level);
for:
(i) improving and optimizing the performance and core functionalities of accessibility,
privacy, security, and the IT infrastructure efficiency of the Services, including zoom.us,
explore.zoom.us, and support.zoom.us;
(ii) internal reporting, financial reporting, revenue planning, capacity planning, and
forecast modeling (including product strategy);
(iii) receiving and using Feedback for Zoom’s overall service improvement; and
When acting as an independent Controller, Zoom will not process Customer Personal Data for any purposes
other than the above list of Legitimate Business Purposes

2.5 Except for Zoom’s free Service, Zoom will not Process Customer Personal Data for advertising purposes or
serve advertising in the Services and Zoom will not process Customer Personal Data for direct marketing,
profiling, research or analytics purposes except where such processing is necessary (i) to comply with
Customer’s instructions as set out in Section 2.2 of this DPA or (ii), only for the purposes of reporting, planning,
modeling and analytics, in accordance with the Legitimate Business Purposes described in Section 2.4

2.6 Zoom shall not ask for consent from End Users for new types of data processing, nor shall Zoom process
Customer Personal Data for any “further” or “compatible” purposes (within the meaning of Articles 5(1)(b)
and 6(4) GDPR) other than those specified in this Addendum or enabled by the Zoom account administrator

2.7 With regard to content scanning for Child Sexual Abuse Material (“CSAM”) and reporting ‘hits’ to The National
Center for Missing & Exploited Children (“NCMEC”), Zoom shall comply with applicable regulatory guidance
from the European Data Protection Board (“EDPB”). Zoom will conduct human review of matched content
before it is reported. Except as otherwise provided in the Master Subscription Agreement, Zoom will
immediately suspend the account of the End User and will notify the End User thereafter of the suspension
and the possibility to appeal this decision

2.8 Zoom will publish centrally accessible, exhaustive, and comprehensible documentation about the types of
Customer Personal Data it collects, in particular about the Diagnostic Data. For dynamic types of data
processing, Zoom will regularly update the list

2.9 Regardless of its role as Processor or Controller, Zoom shall process all Customer Personal Data in compliance
with Applicable Data Protection Laws, the “Security Measures” referenced in Section 6 of this Addendum and
Annex I to the Standard Contractual Clauses. Zoom will follow European Data Protection Board guidance on
completing a data transfer impact assessment (“DTIA”) and maintain an up-to-date DTIA applicable to the
Services

2.10 Customer shall ensure that its Instructions to Zoom comply with all laws, rules, and regulations applicable to
the Customer Personal Data, and that the Processing of Customer Personal Data per Customer's Instructions
will not cause Zoom to be in breach of Applicable Data Protection Law. Customer is solely responsible for the
accuracy, quality, and legality of (i) the Customer Personal Data provided to Zoom by or on behalf of Customer;
(ii) how Customer acquired any such Customer Personal Data; and (iii) the Instructions it provides to Zoom
regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to
Zoom any Customer Personal Data in violation of the Agreement, this Addendum, or otherwise in violation of
Zoom’s Community Standards (currently published at https://explore.zoom.us/en/community-standards/, as
updated from time to time) and shall indemnify Zoom from all claims and losses in connection therewith

2.11 Following the completion of the Services, at Customer's choice, to the extent that Zoom is a Processor, Zoom
shall either enable Customer to delete some of Customer’s Personal Data (for example an End User’s personal
data) or all of Customer’s Personal Data, shall return to Customer the specified Customer Personal Data, or
shall delete the specified Customer Personal Data, and delete any existing copies in compliance with its data
retention and deletion policy. If return or destruction is impracticable or incidentally prohibited by a valid legal
order law, Zoom shall take measures to inform the Customer and block such Customer Personal Data from
any further Processing (except to the extent necessary for its continued hosting or Processing required by
applicable law) and shall continue to appropriately protect the Customer Personal Data remaining in its
possession, custody, or control and, where any Authorized Subprocessor continues to possess Customer
Personal Data, require the Authorized Subprocessor to take the same measures that would be required of
Zoom

3 Privacy by design and by default
3.1 Zoom will comply with the privacy by design and data minimisation principles from the GDPR

3.2 Zoom agrees to minimize Processing to the extent strictly necessary to provide the Services. This includes
minimization of Telemetry Data, Support Data and feedback functionality, minimization of data retention
periods, collection of pseudonymised identifiers when necessary, but immediate effective (irreversible)
anonymization when the Service can be performed without Personal Data, offer end to end encryption when
technically feasible, and the implementation and control of strict access controls to the Customer Personal
Data

3.3 Zoom shall implement policies whereby when Zoom collects new types of Diagnostic Data, such new collection
shall be supervised by a privacy officer. Zoom will perform regular checks on the contents of collected
Telemetry Data to verify that neither directly identifying data are collected nor Customer Content Data

3.4 With regard to Zoom’s use of cookies or similar tracking technology, Zoom shall ensure that only those cookies
which are strictly necessary shall be set by default for European Enterprise and Education Customers on
zoom.us, support.zoom.us and explore.zoom.us, including visits to these pages when the End User or system
administrator has signed into the Zoom account

3.5 When Zoom plans to introduce new features, or related software and services (“New Service”) which will
result in new types of data processing (i.e. new personal data and/or new purposes), Zoom will:
(a) Perform a data protection impact assessment

(b) Determine if the new types of data processing following a New Service are allowed within the scope of
this Addendum

(c) Ensure that the new data processing only occurs with the necessary Customer permissions

4 Authorized Persons
4.1 Zoom shall ensure that all persons authorized to Process Customer Personal Data and Customer Content are
made aware of the confidential nature of Customer Personal Data and Customer Content and have committed
themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory
obligation of confidentiality

5 Authorized Subprocessors
To the extent that Zoom is a Processor:
5.1 The Customer hereby generally authorizes Zoom to engage subprocessors in accordance with this Section 5

5.2 Customer approves the Authorized Subprocessors listed at https://explore.zoom.us/docs/en-us/subprocessors.html;
5.3 Zoom may remove, replace, or appoint suitable and reliable further subprocessors in accordance with this
Section 5.3:
(a) Zoom shall at least thirty (30) business days before the new subprocessor starts processing any Customer
Personal Data notify Customer of the intended engagement (including the name and location of the
relevant subprocessor, and the activities it will perform and a description of the Personal Data it will
process). To enable such notifications, Customer shall visit https://explore.zoom.us/docs/en-us/subprocessors.html
and enter the email address to which Zoom shall send such notifications into the
submission field at the bottom of the page

(b) In an emergency concerning Service availability or security, Zoom is not required to provide prior
notification to Customer but shall provide notification within seven (7) business days following the change
in subprocessor

In either case, the Customer may object to such an engagement in writing within fifteen (15) business days of
receipt of the aforementioned notice by Zoom

5.4 If the Customer objects to the engagement of a new subprocessor, Zoom shall have the right to cure the
objection through one of the following options (to be selected at Zoom's sole discretion):
(a) Zoom cancels its plans to use the subprocessor with regard to Customer Personal Data

(b) Zoom will take the corrective steps requested by Customer in its objection (which remove Customer's
objection) and proceed to use the subprocessor with regard to Customer Personal Data

(c) Zoom may cease to provide or Customer may agree not to use (temporarily or permanently) the
particular aspect of the Service that would involve the use of such subprocessor with regard to
Customer Personal Data. Zoom provides Customer with a written description of commercially
reasonable alternative(s), if any, to such engagement, including without limitation modification to
the Services. If Zoom, in its sole discretion, cannot provide any such alternative(s), or if Customer
does not agree to any such alternative(s) if provided, Zoom and Customer may terminate the
Agreement including the Addendum with prior written notice. Termination shall not relieve Customer
of any fees or charges owed to Zoom for Services provided up to the effective date of the termination
under the Agreement

If Customer does not object to a new subprocessor's engagement within 15 business days of notice issuance
from Zoom, that new subprocessor shall be deemed accepted

5.5 Zoom shall ensure that Authorized Subprocessors have executed confidentiality agreements that prevent
them from unauthorized Processing of Customer Personal Data and Customer Content both during and after
their engagement by Zoom

5.6 Zoom shall, by way of contract or other legal act, impose on the Authorized Subprocessor the equivalent data
protection obligations as set out in this Addendum and detailed in the GDPR. The Parties acknowledge and
agree that notice periods shall be deemed equivalent regardless of disparate notification periods. If personal
data are transferred to an Authorized Subprocessor in a third country, Zoom will ensure the transferred data
are processed with the same GDPR transfer guarantees as agreed with Customer (such as Standard
Contractual Clauses and BCRs). Zoom will also perform a case by case assessment if supplementary measures
are required in cases of onward transfers to third countries in order to bring the level of protection of the
transferred data up to the EU standard of essential equivalence

5.7 Zoom shall be fully liable to Customer where that Authorized Subprocessor fails to fulfil its data protection
obligations for the performance of that Authorized Subprocessor’s obligations to the same extent that Zoom
would itself be liable under this Addendum had it conducted such acts or omissions

6 Security of Personal Data
6.1 Zoom may not update the Services in a way that would remove Customer's choice to apply end to end
encryption to Meetings, introduce any functionality that would purposefully allow anyone not authorized by
the Customer to gain access to Customer encryption keys or Customer content, or remove the ability to store
recordings locally

6.2 Zoom certifies that it has not purposefully created any “back doors” or similar programming in the Services
that could be used by third parties to access the system and/or personal data. Zoom has not purposefully
created or changed its business processes in a manner that facilitates such third party access to personal data
or systems. Zoom certifies there is no applicable law or government policy that requires Zoom as importer to
create or maintain back doors or to facilitate access to personal data or systems or for the importer to be in
possession of or to hand over the encryption key

6.3 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and
purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of
natural persons, Zoom shall maintain appropriate technical and organizational measures with regard to
Customer Personal Data and to ensure a level of security appropriate to the risk, including, but not limited to,
the “Security Measures” set out in Annex II to the Standard Contractual Clauses (attached here as EXHIBIT B)

Customer acknowledges that the Security Measures are subject to technical progress and development and
that Zoom may update or modify the Security Measures from time to time, provided that such updates and
modifications do not degrade or diminish the overall security of the Services

7 International Transfers of Personal Data
7.1 Zoom may not update the Services in a way that would remove Customer's ability to choose to store certain
Personal Data at rest within the European Economic Area (“EEA”)

7.2 Customer acknowledges and agrees that Zoom may transfer and process Customer Personal Data to and in
the United States. Zoom may transfer Customer Personal Data to third countries (including those outside of
the EEA without an adequacy statement from the European Commission) to Affiliates, its professional advisors
or its Authorized Subprocessors when a Zoom End User knowingly connects to data processing operations
supporting the Services from such locations (such as when the End User travels outside of the territory of the
EU). Zoom shall ensure that such transfers are made in compliance with Applicable Data Protection Law and
this Addendum

7.3 Any transfer of Customer’s Personal Data made subject to this Addendum from member states of the
European Union, the European Economic Area (Iceland, Liechtenstein, Norway), Switzerland or the United
Kingdom to any countries where the European Commission, the FDPIC or the UK Information Commissioner's
Office has not decided that this third country or more specified sectors within that third country in question
ensures an adequate level of protection, shall be undertaken, in particular, through the Standard Contractual
Clauses, in connection with which the Parties agree the following:
(a) EU SCCs (Controller to Controller Transfers). In relation to Personal Data that is protected by the EU
GDPR and processed in accordance with Section 2.4 of this Addendum, the EU SCCs shall apply,
completed as follows:
(i) Module One will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply, and the New EU SCCs will be governed by Irish law;
(v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vi) Annex I of the New EU SCCs shall be deemed completed with the information set out in
EXHIBIT A to this Addendum; and
(vii) Subject to Section 6.3 of this Addendum, Annex II of the EU SCCs shall be deemed completed
with the information set out in EXHIBIT B to this Addendum

(b) EU SCCs (Controller to Processor/Processor to Processor Transfers). In relation to Personal Data that
is protected by the EU GDPR and processed in accordance with Section 2.2 of this Addendum, the
EU SCCs shall apply, completed as follows:
(i) Module Two or Module Three will apply (as applicable);
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes
shall be as set out in Section 5.3 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the New EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in EXHIBIT A
to this Addendum; and
(viii) Subject to Section 6.3 of this Addendum, Annex II of the EU SCCs shall be deemed completed
with the information set out in EXHIBIT B to this Addendum

(c) Transfers from the UK. In relation to Personal Data that is protected by the UK GDPR, the EU SCCs
will apply in accordance with Sections 7.3(a)-(b) above, with the following modifications:
(i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be
interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU)
2016/679” are replaced with the equivalent Article or Section of UK GDPR;
(ii) references to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a)
and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory
authority” and “competent courts” shall be interpreted as references to the Information
Commissioner and the courts of England and Wales;
(iii) Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of
England and Wales” and Clause 18 of the EU SCCs is replaced to state “Any dispute arising
from these Clauses shall be resolved by the courts of England and Wales. A data subject may
bring legal proceeding against the data exporter and/or data importer before the courts of any
country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”,
unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal
Data in compliance with the UK GDPR, in which event the UK SCCs shall instead be
incorporated by reference and form an integral part of this Addendum and shall apply to such
transfers. Where this is the case, the relevant Annexes of the UK SCCs shall be populated using
the information contained in EXHIBITS A and B

(d) Transfers from Switzerland. In relation to Personal Data that is protected by the Swiss DPA, the EU
SCCs will apply in accordance with Sections 7.3(a) -(b), with the following modifications:
(i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be
interpreted as references to the Swiss DPA;
(ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as
references to Switzerland and Swiss law, as the case may be; and
(iii) references to the “competent supervisory authority” and “competent courts” shall be
interpreted as references to the FDPIC and competent courts in Switzerland, unless the EU
SCCs as implemented above cannot be used to lawfully transfer such Personal Data in
compliance with the Swiss DPA, in which event the Swiss SCCs shall instead be incorporated by
reference and form an integral part of this Addendum and shall apply to such transfers. Where
this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the
information contained in EXHIBITS A and B

7.4 It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard
Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any
provision of the Agreement (including this Addendum) the Standard Contractual Clauses shall prevail to the
extent of such conflict

7.5 Zoom may adopt a replacement data export mechanism (including any new version of or successor to the
Standard Contractual Clauses or alternative mechanisms adopted pursuant to Applicable Data Protection Law)
(“Alternative Transfer Mechanism”). So long as the Alternative Transfer Mechanism complies with Applicable
Data Protection Law and extends to the territories to which Customer Personal Data is transferred on behalf
of the Customer, Customer agrees to execute documents and take other reasonably necessary actions to give
legal effect to such Alternative Transfer Mechanism

8 Rights of Data Subjects
To the extent that Zoom is a Processor:
8.1 Zoom shall promptly notify Customer upon receipt of a request by a Data Subject to exercise Data Subject
rights under Applicable Data Protection Law. Zoom will advise the Data Subject to submit his or her request
to Customer, and Customer will be responsible for responding to such request

8.2 Zoom shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and
organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond
to requests for exercising the Data Subject’s rights (regarding information, access, rectification and erasure,
restriction of Processing, notification, data portability, objection and automated decision-making) under
Applicable Data Protection Law

9 Disclosure of Personal Data
9.1 Zoom will not disclose or provide access to any Customer Personal Data except:
(a) as Customer directs;
(b) as described in this Addendum; or
(c) as required by law

9.2 If a court, law enforcement authority or intelligence agency contacts Zoom with a demand for Customer
Personal Data, Zoom will first assess if it is a legitimate order consistent with Zoom’s Government Requests
Guide. If so, Zoom will attempt to redirect this third party to request those data directly from Customer. If
compelled to disclose or provide access to any Customer Personal Data to law enforcement, Zoom will
promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so, for
example, through a so-called gagging order. If Zoom is prohibited by law from fulfilling its obligations under
Section 9.2, Zoom shall represent the reasonable interests of the Controller. This is in all cases understood to
mean:
(a) Zoom shall document a legal assessment of the extent to which: (i) Zoom is legally obliged to comply
with the request or order; and (ii) Zoom is effectively prohibited from complying with its obligations
in respect of the Controller under this Addendum

(b) Zoom shall only cooperate with the US issued request or order if legally obliged to do so and, where
possible, Zoom shall judicially object to the request or order or the prohibition to inform the
Controller about this or to follow the instructions of the Controller

(c) Zoom shall not provide more Customer Personal Data than is strictly necessary for complying with
the request or order

(d) If Zoom becomes aware of a situation where it has reason to believe that the laws and practices in
the third country of destination applicable to the processing of the personal data by Zoom, its
Affiliates and Authorized Subprocessors, including any requirements to disclose personal data or
measures authorizing access by public authorities, will prevent Zoom from fulfilling its obligations
under this Addendum, Zoom will inform Customer without undue delay after Zoom becomes aware
of such a situation

(e) Zoom will publish a transparency report twice a year

10 Compliance Auditing
10.1 Zoom will conduct third-party audits to attest to the ISO 27001 and SOC 2 Type II frameworks as follows:
(a) Zoom will conduct at least one audit annually. Starting in 2022, Zoom will audit the Security,
Availability and Privacy Criteria in the SOC-2 audit

(b) Audits will be performed according to the standards and rules of the regulatory or accreditation body
for the applicable control standard or framework

(c) Audits will be performed by qualified, independent, third-party security auditors at Zoom’s selection
and expense

10.2 Each audit will result in the generation of an audit report (“Zoom Audit Report”), which Zoom will make
available to Customer upon request. The Zoom Audit Report will be Zoom’s Confidential Information. Zoom
will promptly remediate issues raised in any Zoom Audit Report to the satisfaction of the auditor

10.3 At its request and cost, the Controller is entitled to have an audit carried out by a mutually agreed upon
auditor to demonstrate that Zoom complies with the provisions of this Data Processing Agreement and Clause
8.9 “Documentation and compliance” (EU SCCs) for the processing of Personal Data. The Controller may
exercise the right no more than once a year, except in respect of an additional audit following (i) a Zoom data
breach or (ii) if specifically ordered by Customer’s national Supervisory Authority

10.4 The costs of the periodic audits are borne by the Processor. The costs of the audit at the request of the
Controller are borne by the Controller

10.5 Following receipt by Zoom of a request for an audit under Section 10.4, Zoom and Customer will discuss and
agree in advance on
(a) the identity of an independent and suitably qualified third-party auditor to conduct the audit;
(b) the reasonable start date and duration (not to exceed two weeks in respect of any on premise audits)
of any such audit;
(c) the scope, process and normative framework of the audit, including: (i) the data processing
outcomes, information, and control requirements to be in scope of the audit evidence requirements;
and (ii) the nature and process for satisfactory audit evidence; and
(d) the security and confidentiality controls applicable to any such audit. All audits must be conducted in
accordance with recognized international auditing standards

10.6 Nothing in this Addendum will require Zoom to provide Personal Data of other Zoom customers or access to
any Zoom systems or facilities that are not involved in the provision of the contracted Services

11 Cooperation
11.1 Zoom shall provide the Controller with all required assistance and cooperation in enforcing the obligations of
the Parties under Applicable Data Protection Law. To the extent that such assistance relates to the Processing
of Customer Personal Data for the purpose of the performance of the Agreement, the Processor shall in any
event provide the Controller with such assistance relating to:
(a) The security of Customer Personal Data;
(b) Performing checks and audits;
(c) Performing Data Protection Impact Assessments (“DPIA”);
(d) Prior consultation with the Supervisory Authority;
(e) Responding to requests from the Supervisory Authority or another government body;
(f) Responding to requests from Data Subjects;
(g) Reporting Customer Personal Data Breaches

12 Security incidents and data breaches
12.1 In the event of a confirmed Personal Data Breach (at Zoom or at a subprocessor of Zoom), Zoom shall, without
undue delay, inform Customer of the Personal Data Breach and take such steps as Zoom in its sole discretion
deems necessary and reasonable to remediate such violation. In the event of such a Personal Data Breach,
Zoom shall, taking into account the nature of the Processing and the information available to Zoom, provide
Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations
under Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority and/or
(ii) Data Subjects affected by such Personal Data Breach without undue delay

12.2 In the event of a large scale, as determined by Zoom, confirmed Personal Data Breach (with Zoom or an
Authorized Subprocessor of Zoom), Customer allows Zoom to independently alert and consult the relevant
Supervisory Authorities in order to better inform Customer what steps the Supervisory Authorities expect

12.3 The obligations described in Sections 13.1 and 13.2 shall not apply if a Personal Data Breach results from the
actions or omissions of Customer, except where required by Applicable Data Protection Law. Zoom’s
obligation to report or respond to a Personal Data Breach under Sections 13.1 and 13.2 will not be construed
as an acknowledgement by Zoom of any fault or liability with respect to the Personal Data Breach


