European Union Public Sector Sovereignty Controls Explainer

Learn about Zoom's approach to sovereignty controls, security, and compliance requirements for EU public sector organizations.

Introduction

This document explains how Zoom helps public sector institutions in the European Union (EU) address their strict data privacy and security needs.

Zoom supports the unique requirements for EU public sector compliance and sovereignty controls

The Zoom platform supports the growing importance of sovereignty control needs across the European Union. EU public sector organizations require secure, compliant, and reliable communication systems capable of helping them meet industry and regional regulations. Zoom understands public sector organizations require solutions that help them manage increasing obligations for responsible data handling practices while enabling dependable and easy-to-manage communication systems.

Zoom is committed to helping public sector customers meet their needs through a variety of services, solutions, and tools including infrastructure hosted in the EU, flexible hybrid deployment frameworks, customer-managed encryption options, and transparent data handling policies. Through the use of these offerings, public sector IT teams can enhance their oversight and control of the storage, processing, and access of their data on the Zoom platform.

For information on Zoom and the European Union’s General Data Protection Regulation (GDPR) law, see our Trust Center documentation.

A three-layer framework enables organizations to manage their data via infrastructure, encryption, and hybrid hosting according to their policies

Zoom's three-layer framework is designed to give public sector organizations enhanced control over their data and communications:

  • Platform layer: Zoom offers a dedicated EU infrastructure to host its services in EU data centers.

  • Encryption layer: Organizations can manage their own encryption keys using Customer Managed Key (CMK) or Hold-Your-Own-Key (HYOK) setups.

  • Content layer: Organizations can install Zoom Node to host meetings, chat, and recordings in their own IT environment.

The three-layer framework delivers four key public sector benefits

Public sector organizations, including schools, hospitals, and government agencies, may handle regulated data every day during their daily communications and collaboration workflows. These institutions must follow local and EU-wide rules to keep the data secure, private, and accessible only to authorized personnel.

Zoom’s approach for public sector organizations provides the following benefits:

  • Data residency: Keeping certain data physically and logically inside the EU.

  • Cryptographic control: Allowing the organization to manage access and own its encryption keys.

  • Resiliency: Helping to ensure communications can continue even during outages or network problems.

  • Transparency: Providing insight into data flows, including how and when data is accessed, who accessed what, and why.

Zoom helps public institutions meet these goals with configurable infrastructure, detailed policies, and strong privacy protections.

Support for GDPR compliance without custom development

Zoom provides support for GDPR compliance by incorporating its requirements into its core services, offering contractual commitments through its Data Processing Addendum and implementing technical safeguards. For all customers seeking GDPR alignment, Zoom maintains appropriate security measures, provides a self-service Data Subject Access Request (DSAR) tool, and provides transparency around data processing practices while offering options for international data transfers through mechanisms like the EU-US Data Privacy Framework and Standard Contractual Clauses.

For EU public sector organizations in healthcare, education, government, and regulated industries looking for a more managed approach to GDPR compliance, Zoom's available three-layer framework at the platform, encryption, and content levels can further enhance GDPR-aligned operations across the European Union without requiring custom code or complicated development.

Infrastructure

Zoom provides the infrastructure and controls that help public sector organizations manage strict EU requirements for data privacy, security, and service resilience.

EU-based infrastructure keeps certain data within European borders

For European Union (EU) customers who prefer not to transfer personal data—including Content, Account, Diagnostic, Support, and restricted access Website Data—to the U.S., Zoom provides dedicated infrastructure, known as the Zoom EU Infrastructure. This infrastructure hosts accounts for EU Education and Enterprise customers and currently supports a wide selection of Zoom products including Meetings, Webinar, Team Chat, Zoom Phone, Zoom Contact Center, and more.

Zoom provides customers hosted in the regional Zoom EU Infrastructure with the ability to store and process data within the region. Zoom does not transfer data outside of this infrastructure, or access it from outside this infrastructure, unless a prior agreement with a customer is in place or specific exceptions apply, including as required by applicable law, for trust and safety purposes, and to provide service notifications and enable the services. For more detailed information, please see our Zoom EU Infrastructure Fact Sheet.

Identity, Access, and Privacy features

Zoom includes standard identity and access management capabilities that integrate with existing organizational systems.

Standard Authentication and Authorization

Zoom provides typical enterprise identity integration through Single Sign-On (SSO) with SAML 2.0-compliant providers, SCIM 2.0 provisioning for automated user management, and Role-Based Access Control (RBAC) with customizable roles and permissions. These features integrate with customer-provided regional Identity Providers (IdPs), which are managed and hosted by the customer or their chosen IdP vendor, and connect to Zoom’s EU infrastructure via SAML 2.0.

Built-in Privacy and Data Controls

The platform includes standard privacy-by-design features aligned with GDPR requirements:

  • Data minimization through pseudonymized identifiers in system logs

  • Administrative data controls for setting retention periods and processing deletion requests

  • Access logging for security monitoring and audit trails

  • Least-privilege and role-based access controls for Zoom’s access to customer data and content

Organizational Data Ownership

As with other enterprise platforms, organizations maintain control over user and content lifecycles, with Zoom providing the technical infrastructure to support internal policies and regulatory requirements like GDPR Article 17 compliance.

Zoom Node

For increased control over your data, consider Zoom Node. This hybrid platform enables you to run Zoom Workplace workloads, including media routing, chat storage, recording, and web access, directly within your own environment. Zoom Node is perfect for customers who need media localization, improved content data management, or uninterrupted operations, all while maintaining the familiar Zoom experience. For more information on Zoom Node concepts, see the Zoom Node Explainer.

At its core, Zoom Node operates as a virtual machine (VM) running the Zoom Node OS. Zoom Node enables local hosting of select Zoom services through modular service components and contains:

  • Zoom Node OS: The core operating layer that governs containerized modules. It handles communication, lifecycle orchestration, and resource management.

  • Service Modules: Independent functional components (e.g., Meeting, Recording, Chat) deployed in isolated containers within the VM.

This modular structure allows customers to run only the services they require, simplifying management and optimizing resource use.

Zoom Node offers control and flexibility while maintaining a smooth Zoom user experience. The benefits of Zoom Node include:

  • Modularity: Deploy only the services you need.

  • Localization: Local media processing and retention for meetings and webinars.

  • Future-proofing: Compatible with future hybrid services (Zoom Chat, Zoom Phone).

Zoom Node supports modular deployment of core services like meetings, recordings, chat, browser access, and room connectivity

These are the currently available modules for Zoom Node:

  • Meetings Hybrid Module: Runs Zoom meeting servers locally to keep control of audio, video, and content streams.

    • Web Access Gateway: A web gateway that lets Zoom users who join via browser join a private meeting hosted on Meetings Hybrid, without the need to access the Zoom Cloud.

  • Recording Hybrid Module: Store meeting recordings on-premises instead of within Zoom’s cloud.

    • Content Streaming Service: A video streaming broker service for Zoom Meeting and webinar recordings, stored at rest on the customer's Network File Storage. This service will provide the host of the meeting access to the playback, download, and redistribution of the recording via the Zoom web portal, which mirrors the workflow for recordings stored within the Zoom cloud.

  • Team Chat Hybrid Module: Stores and manages internal chat content inside your own environment.

  • Meeting Survivability: On-premises failover in case of cloud disruption.

  • Hybrid Room Interoperability: Connect standards-based room systems to Zoom meetings with the Hybrid Room Interoperability solution.

Hybrid configurations support customer organizational policies related to data control and disaster recovery while maintaining the core functionality of the Zoom Workplace app. See our dedicated Zoom Node overview page for the latest on the various modules.

For deployment information, see the Zoom Node Deployment Field Guide.

Zoom Node is managed through a cloud interface that supports module activation, performance monitoring, software updates, and logging

Administrators can manage Zoom Node through a centralized console. This console allows them to:

  • Enable or disable specific modules

  • Monitor service health and network performance

  • Apply updates on a controlled schedule

  • Review security settings and access logs

Encryption

Zoom supports advanced encryption tools, including Customer Managed Key (CMK), that give organizations enhanced control over how their data is protected. Zoom provides multiple options for protecting sensitive communications, including full ownership of encryption keys.

Customer Managed Key (CMK) lets institutions manage and audit their own encryption keys with trusted services or in-house systems

Zoom CMK integrates with popular Key Management Service (KMS) providers, such as:

  • Amazon Web Services (AWS) KMS

  • Microsoft Azure Key Vault

  • Oracle OCI Vault

  • Thales CipherTrust (via AWS External Key Store)

You can also host your own Hardware Security Module (HSM), such as Thales Luna HSM, to keep control of encryption keys and avoid reliance on external U.S.-based systems, which gives you a full HYOK (Hold-Your-Own-Key) solution.

CMK can encrypt many types of sensitive Zoom content

CMK can encrypt many types of sensitive Zoom content, including:

  • Meeting and webinar recordings (audio, video, chat)

  • Transcripts (excluding indexed search)

  • Voicemails and call recordings

  • Calendar access tokens

  • Microsoft Teams integration tokens

  • Team Chat messages and files

  • Whiteboards

  • Content generated by AI Companion features

For organizations that require certain data, such as Team Chat messages, not to be decrypted by the Zoom Cloud, Zoom offers the Zoom CMK Hybrid module. Using Zoom CMK Hybrid allows organizations to generate and manage their own data keys for use with client-side encryption within their security boundary using a separate customer-managed key.

Please see the Zoom support article Content protected by Customer Managed Key for the current list.

End-to-End Encryption (E2EE) is designed so that only participants can access media during meetings or calls

Additional security controls exist for customers to secure their meetings. Zoom provides optional end-to-end encryption (E2EE) that can be enabled on the desktop or mobile Workplace apps for:

  • One-on-one intra-account Zoom Phone calls

  • Zoom Meetings with up to 1,000 participants

E2EE is not supported for calls made through the web client or PSTN, or for Zoom Contact Center and Zoom Virtual Agent services.

E2EE for Zoom Meetings uses the same 256-bit AES-GCM encryption method that supports standard, enhanced encryption. When enabled, Zoom’s system is designed so that the cryptographic keys are known only to the devices of the meeting participants. This makes it so that third parties, including Zoom, don't have access to the meeting's private keys.

Additionally, Zoom has introduced post-quantum E2EE (PQ E2EE) for Zoom Workplace, specifically for Zoom Meetings, Zoom Phone, and Zoom Rooms support. The launch of the new security enhancement makes Zoom the first Unified Communications as a Service (UCaaS) company to offer a post-quantum E2EE solution for video conferencing. Post-quantum end-to-end encryption (PQ E2EE) offers the same security property as end-to-end encryption (E2EE): only the meeting participants, and not even Zoom’s server, have access to the keys used to encrypt the meeting. Unlike end-to-end encryption, PQ E2EE is designed to withstand the threat of an adversary who can capture encrypted network traffic and who hopes to acquire a quantum computer in the future and use it to decrypt the captured data.

Customers interested in these additional encryption features can enable E2EE. However, there are prerequisites and limitations to be aware of.

Client Requirements: E2EE requires all meeting participants to join from the Zoom Workplace desktop app, mobile app, or a Zoom Room.

Feature Limitations: Enabling E2EE is incompatible with certain features, including:

  • Cloud recording for Zoom Meetings

  • Automatic call recording for Zoom Phone

  • AI Companion features

  • Continuous meeting chat

  • Additional features listed in our support documentation

Consult our support articles for Zoom Phone and Zoom Meetings for full details regarding limitations, dependencies, and implementation.

Client-level encryption options for enhanced Zoom Team Chat security

Zoom Team Chat offers multiple encryption options beyond standard encryption, each designed for different security requirements and organizational structures.

Standard Team Chat Encryption (Default)

By default, Zoom encrypts Team Chat messages in-transit using TLS and at-rest using AES-256 encryption with Zoom-managed keys. This provides baseline security for most organizational needs.

Advanced Chat Encryption (ACE)

ACE uses device-generated and stored keys to encrypt messages between chat participants, with additional TLS protection in-transit. Keys are generated and operated on chat participants' devices, providing enhanced privacy but limiting functionality when participants aren't simultaneously online.

Advanced CMK Chat Encryption (ACCE)

ACCE uses customer-managed keys through Zoom's CMK service, but keys are generated and secured in the Zoom cloud. This option provides customer key control while maintaining better cross-account compatibility than device-based solutions.

Client-side CMK Hybrid Chat Encryption (CSE)

CSE uses customer-managed keys generated and stored on-premises through CMK Hybrid infrastructure. This provides the highest level of customer control over encryption keys, as they never reside in Zoom's cloud environment.

Key Differences

  • ACE: Device-generated keys, intra-account messaging only

  • ACCE: Customer keys in Zoom cloud, works across accounts

  • CSE: Customer keys on-premises, intra-account messaging with ACCE fallback for external communications

Requirements

  • ACE: Paid accounts, admin enablement

  • ACCE: Zoom Enterprise Plus (or higher) or CMK Add-on license

  • CSE: Zoom Enterprise Plus or CMK Hybrid licenses (with a minimum of two CMK Hybrid licenses and two servers for fault tolerance)

Important Limitations

All advanced encryption options restrict Team Chat functionality, including:

  • AI Companion features

  • Message editing and translation

  • Animated GIFs and link previews

  • Message archiving with third-party providers

  • Continuous meeting chat integration

Availability Notes

  • CSE is only available for CMK Hybrid customers with on-premises key management infrastructure

  • ACCE serves as the fallback protocol for CSE-enabled accounts when communicating with external contacts

  • Organizations should evaluate whether enhanced security justifies the feature limitations, as standard encryption may sufficiently support regulatory compliance frameworks

A secure connection process supports regional server assignment and data compliance

Whether you use the Zoom Workplace app, join meetings, or access the Zoom web portal via your browser, Zoom Meetings are designed to encrypt customer data in transit using trusted methods when communicating with the Zoom web portal or services in the Zoom Cloud Platform. This covers both the connection process and real-time media in transit (video, audio, and in-meeting shared content).

When a user starts a Zoom Meeting or Zoom Phone call:

  1. The Zoom Workplace app first contacts Zoom's global Lookup Service using TLS 1.2 or TLS 1.3 encryption.

  2. Lookup metadata, including IP geolocation and device information, is sent over HTTPS (port 443) with TLS 1.2 or higher encryption.

  3. Based on location and availability, the app is directed to the optimal Zoom Zone Controller and regional media node.

  4. The Zoom Workplace app tests connectivity to each node and establishes encrypted media sessions (video, audio, content) via:

    1. UDP (preferred, port 8801) with AES-256-GCM encryption

    2. TCP (fallback, port 8801) with AES-256-GCM encryption

    3. TCP (secondary fallback, port 443) with TLS 1.2 or TLS 1.3 encryption
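
The fallback order in the list above can be checked against firewall or flow logs to find clients that are being pushed off the preferred UDP path. The following is an added example, not Zoom's code; the log format, sample records, and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Transport ladder from the list above: (protocol, port) -> (rank, label).
LADDER = {
    ("udp", 8801): (0, "UDP 8801 (preferred)"),
    ("tcp", 8801): (1, "TCP 8801 (fallback)"),
    ("tcp", 443): (2, "TCP 443 (secondary fallback)"),
}

# Constructed sample records in a hypothetical "client proto dst_port action"
# format, assumed to be pre-filtered to traffic towards media nodes.
SAMPLE_FLOWS = """\
10.0.0.11 udp 8801 allow
10.0.0.12 udp 8801 deny
10.0.0.12 tcp 8801 allow
10.0.0.13 udp 8801 deny
10.0.0.13 tcp 8801 deny
10.0.0.13 tcp 443 allow
10.0.0.14 udp 8801 deny
10.0.0.14 tcp 8801 deny
10.0.0.14 tcp 443 deny
"""


def parse_flows(text):
    """Yield (client, proto, port, allowed), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        client, proto, port, action = parts
        yield client, proto.lower(), int(port), action.lower() == "allow"


def best_transport(text):
    """Map each client to the most preferred transport that was allowed."""
    allowed = defaultdict(set)
    for client, proto, port, ok in parse_flows(text):
        if (proto, port) in LADDER:
            tiers = allowed[client]  # registers clients whose attempts all failed
            if ok:
                tiers.add(LADDER[(proto, port)])
    return {c: min(t)[1] if t else "blocked" for c, t in sorted(allowed.items())}


def degraded_clients(text):
    """Clients that never reached the preferred UDP path, for firewall review."""
    preferred = LADDER[("udp", 8801)][1]
    return {c: t for c, t in best_transport(text).items() if t != preferred}


if __name__ == "__main__":
    for client, transport in best_transport(SAMPLE_FLOWS).items():
        print(f"{client}: {transport}")
```

Port 443 also carries the Lookup Service and web portal traffic, so records need to be limited to media-node destinations before a TCP 443 result is read as a media fallback.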

More details about Zoom’s encryption design using industry-standard encryption methods for data in transit and at rest can be found within our Zoom Encryption Whitepaper. For validation of Zoom security practices, please see our attestations and certifications available by visiting our Zoom Trust Center.
