The overall trust score of 54 reflects a mixed profile for enterprise procurement. Security scored 35/35 due to verified SOC 2 Type II, ISO 27001, and GDPR DPA availability, indicating a robust compliance posture. Legal risk, re-evaluated to 65, benefits from an explicit policy against using customer content for AI model training, but is tempered by undisclosed indemnification and liability terms. Financial health is strong at 78, reflecting Zoom's public company status. Community trust, at 60, is impacted by recent user complaints regarding UI usability, audio issues, and billing transparency. A key action to improve the score would be to publicly disclose comprehensive data export and deletion policies, and to offer clearer SLA terms.
Enterprise Verdict: CONDITIONAL
- Verified strength: SOC 2 Type II, ISO 27001, and GDPR DPA certifications.
- Priority review: opaque data export and deletion policies, increasing vendor lock-in risk.
- Recommended inquiry: request a comprehensive DPA and MSA detailing data export, retention, and SLA terms.
Risk Assessment
Seven-category enterprise risk analysis derived from community and vendor signals. Each card shows the evidence tier and the underlying finding.
- Reliability: public documentation is limited; buyers may want to verify the availability of specific uptime commitments or reliability history.
- Pricing: enterprises should negotiate fixed-rate contracts and monitor pricing changes for overage risks.
- Lock-in: data export status unclear. Integration score: 0/100. Webhooks available, reducing lock-in risk.
- Community: average community support/satisfaction rating of 3.5/5.0 based on 159 user reviews.
- Compliance: compliance score 100/100. GDPR status: dpa_available. Encryption at rest: yes.
- Certifications: SOC 2: type_ii. ISO 27001: certified. Overall compliance score: 100/100.
- Legal/ToS: no training on user data detected. Code ownership terms unclear. Legal/ToS risk score: 65/100.
Due Diligence Alerts
Priority reviews, recommended inquiries, and verified strengths — based on 86+ community data points
ToS Red Flags
- Limits legal recourse for customers in disputes with Zoom, preventing class-action lawsuits.
- Zoom can make modifications, deletions, and additions to the agreement at any time, potentially altering critical terms without explicit consent.
- Customers are liable for acts and omissions of any third party granted access to services, increasing compliance and security burden.
- Zoom retains full ownership of all telemetry, product usage data, diagnostic data, and any feedback provided, limiting customer IP.
- All payments are non-cancelable and non-refundable for the subscription term, limiting flexibility and increasing financial commitment risk.
Data & Migration Lock-in Risk
- Deep integration with Zoom Workplace ecosystem (Meetings, Chat, Phone, Docs).
- Proprietary formats for certain content (e.g., Whiteboard, Clips) may complicate export.
- Reliance on Zoom's AI Companion for workflow automation.
Enterprise Contract Intelligence
DPA availability, data residency, and contract risk signals for procurement teams
A GDPR Data Processing Addendum (DPA) is publicly available and includes Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) for data transfers. A public list of sub-processors is published separately from the DPA.
Zoom offers data residency options for primary regions, with customer control available on the Enterprise tier. However, the platform has a known risk of data routing through China for non-Enterprise tiers, which is a critical concern for EU/regulated buyers. SCCs and BCRs are in place for cross-border transfers.
5 contract risk flags identified.
The contract risk is medium-high due to auto-renewal clauses, Zoom's unilateral right to modify terms, and non-refundable charges. The lack of explicit data portability guarantees and undisclosed indemnification terms further increase lock-in and legal exposure. A 30-day termination notice period is standard.
Security Certifications
| Certification | Status | Auditor | Valid Until | Source |
|---|---|---|---|---|
| ⏳ Scanning in progress — check back after next weekly audit. | ||||
Data Privacy Documents
| Document | Status | URL | AI Assessment |
|---|---|---|---|
| Sub-processors | ✅ Active | Link | ✅ Publicly documented |
| AI/Model Training Policy | ❌ Not Found | — | ✅ No training by default |
| Data Retention Policy | ❌ Not Found | — | 🟡 Described, no formal doc |
| Data Flow Diagram | ❌ Not Found | — | — |
| GDPR Compliance Statement | ✅ Active | Link | ✅ Publicly documented |
| KVKK Compliance Statement | ❌ Not Found | — | ⚪ Not disclosed |
| CCPA Compliance Statement | ❌ Not Found | — | ✅ Publicly documented |
Legal Contracts
See Legal & IP Assessment section above for full analysis of ToS, DPA, MSA, SLA, EULA, and AUP.
Operational Readiness
| Document | Status | URL | AI Assessment |
|---|---|---|---|
| Business Continuity Plan (BCP) | ❌ Not Found | — | ⚪ Not disclosed |
| Disaster Recovery Plan (DRP) | ❌ Not Found | — | ⚪ Not disclosed |
| Incident Response Plan | ❌ Not Found | — | ⚪ Not disclosed |
| 3rd Party Penetration Test | ❌ Not Found | — | 🟡 Described, no formal doc |
Technical Transparency
| Document | Status | URL | AI Assessment |
|---|---|---|---|
| SBOM | ❌ Not Found | — | ⚪ Not disclosed |
| OSS License Inventory | ❌ Not Found | — | ⚪ Not disclosed |
| Vulnerability Management Policy | ✅ Active | Link | ✅ Publicly documented |
| Patch Management Policy | ❌ Not Found | — | ⚪ Not disclosed |
| Offboarding / Data Export Guide | ❌ Not Found | — | ⚪ Not disclosed |
| SIG Questionnaire | ❌ Not Found | — | — |
| CAIQ | ❌ Not Found | — | — |
Financial Resilience
| Item | Status | Details |
|---|---|---|
| Cyber Liability Insurance | ❌ Not Found | ⚪ Not disclosed |
| TCO Disclosed | ✅ Available | Annual: $21,996/year for 100 users (Business tier) |
Community Intelligence
Recurring issues and curated signals from GitHub, Hacker News, Reddit, Stack Overflow, web sources, and enterprise review platforms.
Intelligence Synthesis
Community discussion this week highlights a mixed user experience with Zoom, focusing on persistent audio and microphone issues, alongside frustrations with the mobile application's user interface and disappearing controls. While many users praise Zoom's ease of use and collaborative capabilities, concerns about unexpected overage fees on Zoom Phone and inconsistent browser microphone permissions have also surfaced. The vendor continues to announce new AI-powered features and maintain a strong market position, but these operational and transparency issues remain points of friction for users.
Recurring Issues
- Audio and microphone issues. Enterprise impact: persistent audio issues can severely disrupt critical business meetings and negatively impact productivity and external communication. Recommendation: Zoom should investigate and provide clearer troubleshooting for microphone and audio connectivity, potentially with in-app diagnostics or improved support resources.
- Mobile UI/UX. Enterprise impact: poor UI/UX can lead to user frustration, reduced adoption, and increased support requests within an enterprise, especially for less tech-savvy employees. Recommendation: Zoom should conduct user experience research, particularly for mobile interfaces, to simplify controls and improve the intuitiveness of core features.
- Zoom Phone overage fees. Enterprise impact: unforeseen billing charges can lead to budget overruns and administrative burden for enterprise procurement and finance teams. Recommendation: Zoom should provide clearer documentation on what constitutes 'metered calling' and offer more transparent real-time usage tracking and alerts for Zoom Phone services.
- Browser microphone permissions. Enterprise impact: inconsistent permission handling can create security and privacy concerns, as well as lead to user confusion and potential bypasses of IT-mandated browser settings. Recommendation: Zoom should clarify its approach to browser permissions and ensure consistent, transparent behavior that aligns with standard web API practices, or document any special browser integrations.
Financial Impact Panel
Cost intelligence and pricing signals for enterprise procurement decisions
Base price sourced from: official pricing page
Pricing data from public sources — enterprise rates differ. Verify with vendor.
Estimated Annual TCO — 100 Users ±20% confidence band
Assumptions
- Free tier used as SMB baseline.
- If free tier insufficient: Pro at $13/seat/mo → $15,996/yr base for 100 users.
Assumptions
- Based on 'Pro' tier at $13.33/seat/month.
- Base (license): $15,996/yr for 100 users.
- +32% overhead (impl+training+support) → $21,114/yr.
Assumptions
- Pricing not publicly disclosed — contact vendor for quote.
Estimates from publicly scraped pricing data.
Synthesized from 20+ independent public sources: developer forums & repositories, security databases, vendor disclosures, regulatory filings, and community review platforms. Not affiliated with any vendor.