The short answer is no they are not GDPR compliant in any shape or form.
The actual answer is a lot more complicated because the apps are delivered by third party
and thus there is no way of telling in advance, but rather you'd have to test each individual
app and keep testing them while they're being used. At this point I don't think NORDUnet will
have the resources to do this and thus it will be up to the individual users (organisations) to
judge/test the ones they wish to use.
The examples brought forward by Zoom reps. are typically that you use the services you want to
integrate anyway and thus there won't be a problem. "Let's say you use Kahoot for in class tests,
use the integration and have them inside the client, the GDPR impact is the same".
I disagree up front, but have not looked into the actual traffic of the Kahoot integrated app, nor
Kahoot in a browser.
The in client view is basically a browser (to my understanding) with the possibility for deep
integration permissions vetted by Zoom, they can potentially have access to meeting data
and furthermore one client in a meeting can use an app that has this access. Thus the new
App shield notification mentioned on the Zoom website and release notes.
Some time late Q4 2021 or maybe early 2022 we should have/get access to custom "private" apps
(pr account instead of global). At that point we should take a look at creating apps and what is
actually going on in the background both in program and on the network.
So in short no, but there is no difference from Zooms perspective if you run On-Premise or
Public Cloud. I have no idea if Zoom actually transports internal data to and from US in the
context of Zoom Apps, but for a start that isn't really important. Looking (quickly) through the
current selection of Zoom apps I cannot find one that isn't hosted in the US anyway.