Videoconferencing Security

Remote Connection Security

Our remote connection cloud is a proprietary global network that has been built from the ground up to provide quality communication experiences.  We have partnered with Zoom for our operations and cloud platform.  Zoom operates in a scalable hybrid mode: web services providing such functions as meeting setup, user management, conference recordings, chat transcripts, and voice mail recordings are hosted in the cloud, while real-time conference media is processed in globally distributed tier-1 colocation data centers with SSAE 16 SOC 2 Type 2 certifications.

Real-time Media Processing

A distributed network of low-latency multimedia software routers connects the communications infrastructure. With these multimedia routers, all session data originating from instaScript’s device and arriving at the participants’ devices is dynamically routed between endpoints.  Real-time sessions operate analogously to the popular mobile conversation over the public mobile network.

Firewall Compatibility

During session setup, the Zoom client connects via HTTPS (port 443/TLS) to Zoom servers to obtain information required for connecting to the applicable meeting or webinar, and to assess the current network environment such as the appropriate multimedia router to use, which ports are open and whether an SSL proxy is used. With this metadata, the Zoom client will determine the best method for real time communication, attempting to connect automatically using preferred udp and tcp ports 8801, 8802, and 8804. For increased compatibility and support of enterprise SSL proxies, connection can also be made via HTTPS (port 443/TLS). An HTTPS connection is also established for users connecting to a meeting via the Zoom web browser client.

Client Application

Role-based user security

The following pre-meeting security capabilities are available to instaScript:

• Enable an end-to-end (E2E) encrypted meeting
• Secure log-in using standard username and password or SAML single sign-on
• Start a secured meeting with password
• Schedule a secured meeting with password.

Selective meeting invitation

instaScript can selectively invite participants via email, IM, or SMS. This provides greater control over the distribution of the meeting access information. InstaScript can also create the meeting to only allow members from a certain domain email to join.

Meeting Details Security

Zoom retains event details pertaining to a session for billing and reporting purposes. The event details are stored at the Zoom secured database and are available to the instaScript account administrator for review on the instaScript portal page once they have securely logged-on.

Application security

Zoom can encrypt all presentation content at the application layer using the Advanced Encryption Standard (AES) 256-bit algorithm.

Zoom client group policy controls

Specifically applicable to the Zoom Meetings client for Windows and Zoom Rooms for Windows, administrators can define a broad set of client configuration settings that are enforced through Active Directory group policy controls.

E2E Chat Encryption

Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message. Zoom uses public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices. This ensures that the session cannot be eavesdropped on or tampered with.

Meeting Security

Role-based user security

The following in-meeting security capabilities are available to instaScript:

• Secure a meeting with E2E encryption
• Waiting Room
• Enable wait for host to join
• Expel a participant or all participants
• End a meeting
• Lock a meeting
• Chat with a participant or all participants
• Mute/unmute a participant or all participants
• Screen share watermarks
• Audio signatures
• Enable/disable a participant or all participants to record
• Temporary pause screen-sharing when a new window is opened

The following in-meeting security capabilities are available to the meeting participants:

• Mute/unmute audio
• Turn on/off video
• Blur snapshot on iOS task switcher

instaScript and Client authenticated meeting

instaScript is required to authenticate (via https) to the Zoom site with their user credentials (ID and password) to start a meeting. The client authentication process uses a unique per-client, per-session token to confirm the identity of each participant attempting to join a meeting. Each session has a unique set of session parameters that are generated by Zoom. Each authenticated participant must have access to these session parameters in conjunction with the unique session token in order to successfully join the meeting.

Open or password-protected meeting

instaScript can require the participants to enter a password before joining the meeting. This provides greater access control and prevents uninvited guests from joining a meeting.

Edit or delete meeting

instaScript can edit or delete an upcoming or previous meeting. This provides greater control over the availability of meetings.

instaScript controlled joining meeting

For greater control of meeting, instaScript can require participants to only join the meeting after instaScript has started it. For greater flexibility, instaScript can allow participants to join before instaScript. When joining before instaScript, participants are restricted to a 30-minute meeting.

In-meeting security

During the meeting, Zoom delivers real-time, rich-media content securely to each participant within a Zoom meeting. All content shared with the participants in a meeting is only a representation of the original data. This content is encoded and optimized for sharing using a secured implementation as follows:

• Is the only means possible to join a Zoom meeting
• Is entirely dependent upon connections established on a session-by-session basis
• Performs a proprietary process that encodes all shared data
• Can encrypt all screen sharing content using the AES 256 encryption standard
• Can encrypt the network connection to Zoom using 256-bit TLS encryption standard
• Provides a visual identification of every participant in the meeting

Host controlled joining meeting

Authentication methods include single sign-on (SSO) with SAML or OAuth.

With SSO, a user logs-in once and gains access to multiple applications without being prompted to log-in again at each of them. Zoom supports SAML 2.0 which enables web-based authentication and authorization including SSO. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a user between a SAML authority (an identity provider) and a web service (such as Zoom). Zoom works with Exchange ADFS 2.0 as well as enterprise identity management such as Centrify, Fugen, Gluu, Okta, OneLogin, PingOne, Shibboleth, Symplified, and many others. Zoom can map attributes to provision a user to different group with feature controls.

OAuth-based provisioning works with Google or Facebook OAuth for instant provisioning. Zoom also offers an API call to pre-provision users from any database backend. Additionally, your organization can add users to your account automatically with managed domains. Once your managed domain application is approved, all existing and new users with your email address domain will be added to your account.

Administrative Controls

The following security capabilities are available to the account administrator:

• Secure login options using standard username and password or SAML SSO
• Add user and admin to account
• Upgrade or downgrade user subscription level
• Delete user from account
• Review billing and reports
• Manage account dashboard and cloud recordings

Special Security Features/Options API

APIs are available for integrating Zoom with custom customer applications and third-party applications. Each customer account may include API integration key credentials managed by the customer account admin. API calls are transmitted securely over secure web services and API authentication is required.

Zoom Rooms

Zoom Rooms is Zoom’s software-based conference room system. It features video and audio conferencing, wireless content sharing, and integrated calendaring running on off-the-shelf hardware. Communications are established using 256-bit TLS encryption and all shared content is encrypted using AES-256 encryption. The Zoom Rooms app is secured with App Lock Code. The App Lock Code for Zoom Rooms is a required 1-16 digit numeric lock code that is use to secure your Zoom Rooms application. This prevents unauthorized changes to your Zoom Rooms application and settings on your accompanying hardware.

Zoom Chat

Persistent, cross-platform chat is a feature of Zoom Meetings that enables users to chat and share files 1-1 or in groups. Users can click “Meet” from any chat to start an instant Zoom video meeting with the group participants. Chat can be encrypted for HIPAA-compliant settings.

Zoom Phone

Zoom Phone is a cloud phone system available as an add-on to Zoom’s platform. Support for inbound and outbound calling through the public switched telephone network (PSTN) and seamlessly integrated telephony features enable customers to replace their existing PBX solution and consolidate all of their business communication and collaboration requirements into their favorite video platform.  Utilizing standards-based Voice-over-Internet-Protocol (VoIP) to deliver best in class voice services, Zoom Phone delivers a secure and reliable alternative to traditional on-premise PBX solutions. Call setup and in-call features are delivered via Session Initiation Protocol (SIP). While leveraging OPUS as the preferred codec to ensure the highest quality possible, Zoom Phone also supports additional industry-standard codecs G.722, G.711, and G.729 for media transcoding.

Authentication

Zoom Phone SIP registration authenticates using AES-128 bit TLS 1.2 encryption

Media Encryption

VoIP media is transported and protected by Secure Real-time Transport Protocol (SRTP) with AES-128 encryption

Private Network Peering

Zoom has established direct private network peering links between Zoom Phone data centers and Zoom Phone PSTN service provider networks to ensure maximum protection.

Emergency Calling

• Zoom Phone supports E911 (USA/CAN) enhanced emergency services to provide caller location to the local Public Safety Answering Point (PSAP) as required by law. Originating call location addresses can be defined and assigned at the account and individual user level.
• Emergency calls made from the Zoom mobile app on iOS and Android smartphones will automatically default to the mobile device’s native outbound cellular calling feature and bypass the Zoom Phone service to directly route the emergency call to the mobile network operator’s PSAP.
• Zoom Phone administrators may optionally choose to automatically intercept and reroute emergency calls to internal response teams.

Toll Fraud

Zoom Phone prevents toll fraud through access control and automated detection capabilities. Our security department actively monitors customers’ accounts to detect irregular calling patterns and will notify customers of potential fraudulent activities.

Calling Black Lists

Customizable global and personal black lists allow users and administrators to easily add and manage blocked phone numbers

Invoking Elevate-to-Meeting feature

When elevating a Zoom Phone call to a Zoom Meeting, all available Zoom Meeting security features will then apply to the interaction.

Privacy Zoom only stores basic information under user account profile information:

• Email address
• User password – salted, hashed
• First name
• Last name
• Company name (optional to provide)
• Company phone number (optional to provide)
• Profile picture (optional to provide)

For more information about our privacy policy, visit https://zoom.us/privacy.

Security and Privacy Certifications

SOC2

The SOC 2 report provides third-party assurance that the design of Zoom, and our internal processes and controls, meet the strict audit requirements set forth by the American Institute of Certified Public Accountants (AICPA) standards for security, availability, confidentiality, and privacy. The SOC 2 report is the de facto assurance standard for cloud service providers.

TRUSTe

TRUSTe has certified the privacy practices and statement for Zoom and also will act as dispute resolution provider for privacy complaints. Zoom is committed to respecting your privacy. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

EU-US Privacy Shield

Zoom participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Zoom has committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List https://www.privacyshield.gov/list.

FedRAMP

Zoom is authorized to operate under The Federal Risk and Authorization Management Program (FedRAMP), a governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.