Last updated: February, 2023
Reason for update: News section on changes to Zoom.
Changes to in-meeting chat data processing location, and updates to the data overview drawing.
As of the end of 2022, the following applies to Zoom:
- Most gateway functions available in EU.
- Zoom native integrations available in EU.
- Third-party Marketplace app providers will not necessarily be in the EU; this depends on the provider.
(Any customer that chooses to activate a Marketplace app will need to do their own due diligence regarding GDPR, and should also be mindful that not all apps will work with on-prem.)
- EU regional customer support is established.
- Engineering is still outside Europe, and procedures for releasing information, if and when needed, are in place.
NORDUnet Zoom: GDPR and Privacy Facts
Many people are concerned about GDPR and privacy issues when using the video service, and NORDUnet and the Nordic NRENs receive inquiries on this subject. To address this, we have listed privacy-related facts pertaining to the Zoom service, including an outline of what NORDUnet has done to comply with GDPR and European privacy directives.
The following facts apply to Zoom provided by NORDUnet:
• Service Delivery: Colleges and universities in the Nordic countries that use Zoom have this service operated by NORDUnet. The service is provided by the national NREN in each country.
• GDPR compliance: Zoom operated by NORDUnet is GDPR compliant and in accordance with other European privacy directives. This is secured through the individual contracts entered into and the chain of data processing and sub-processing agreements: University -> NREN -> NORDUnet -> Zoom -> sub-providers.
However, each organization will formally need to do its own risk assessment.
• User account data: Data from users of NORDUnet's Zoom service is not stored with Zoom in the United States. The account data is stored in Zoom datacentres in Europe.
We use dedicated servers installed in Copenhagen, Denmark; Stockholm, Sweden; Helsinki, Finland; and Oslo, Norway, for all meetings and meeting data.
• Logging in: All organizations that use Zoom provided by NORDUnet decide for themselves which login solution their users should use. Most use the national identity federation login (SWAMID, FEIDE, HAKA and WAYF), or the local institution's Single Sign-On (SSO) solution directly.
• Personal information: Personal information about users of NORDUnet's Zoom service is processed within the EU in accordance with the applicable data processing agreement. This applies to personal information necessary for using the service, such as first name, last name, email address, role, etc. This information is typically released by the home institution through SAML attributes, using the national identity federation. No credit card details, telephone numbers or other similar information are stored in the Zoom instance provided by NORDUnet. (See the section above for storing of personal data.)
• Zoom public service: Zoom provides a so-called "public" service. Zoom from NORDUnet is not part of this public service. NORDUnet provides a private Zoom service, regulated by a separate agreement.
• Zoom local administrators: All organizations that use Zoom provided by NORDUnet have one or more local institution administrators. As with other ICT services, local Zoom administrators have a higher degree of access and use of control tools than ordinary users. Such access is necessary to maintain good quality of service and to support users if they need assistance.
• Local recording: NORDUnet's Zoom service allows for local recording. If a meeting is recorded, participants in the meeting are automatically notified with a symbol in the video window and in the attendee list. The local institution administrator can set up Zoom so that all attendees must approve any recordings. The local administrator can also control whether other participants can record the meeting.
• On-prem Cloud recording:
Zoom operated by NORDUnet has support for so-called Cloud Recording.
The Cloud Recordings are processed and stored temporarily on local servers placed with the Zoom zones in the Nordic region.
After the meeting has ended, the recording is transferred to one of the NORDUnet on-prem media management services (Kaltura MediaSite and Panopto), or directly to the NORDUnet central storage platform, and a download link to retrieve the recording is provided.
The recordings are stored in video/audio format.
- The on-prem Cloud Recording feature must be activated by the local Zoom administrator.
- For integration with the on-prem media management services, the user name/email must be the same in both Zoom and Kaltura/Panopto.
• Public Cloud recording: Zoom operated by NORDUnet does not contractually provide for the option to have meetings recorded with Zoom (the so-called cloud recording). Local Zoom administrators have been instructed to disable this option for all of their users.
If your license type is set to "Licensed" and you start a cloud recording, this is covered neither by a contract nor by the mentioned GDPR regime for the NORDUnet service.
• Safe meetings: Zoom offers a number of mechanisms for creating safe meetings. Examples include waiting rooms and the possibility for meeting hosts to password-protect the meeting. Meeting hosts can also “lock” meetings, so that no one but the invited participants can participate; this also applies to administrators. No one can use meeting rooms created by other users without permission.
You can find more information here: https://explore.zoom.us/en/trust/security/
Or read this guide on how to secure your meetings: https://nordunet.zendesk.com/hc/article_attachments/4407216402706/Securing_Your_Zoom_Meetings.pdf
• Encryption: All video and audio traffic and data are encrypted by default, to and from the meeting servers. Real end-to-end encryption (E2EE) is achievable between a limited number of meeting participants (200); functional limitations apply with E2EE enabled.
• Data overview