Zoom

Video conferencing with optional E2E encryption. Free tier: 40-minute group meetings.

Adequate

https://zoom.us · Reviewed 2026-04-02 · Editorial assessment by Mike Schneider — not an independent security audit

What should journalists know about Zoom?

Zoom is the default video tool for most newsrooms, and that ubiquity is both its strength and its liability. AES-256 GCM encryption by default, with optional end-to-end encryption on all plans including free. In May 2024, Zoom became the first UCaaS provider to ship post-quantum E2EE using Kyber-768 (NIST FIPS 203), protecting against harvest-now-decrypt-later attacks. The catch: enabling E2EE disables cloud recording, live transcription, AI Companion, breakout rooms, polling, Zoom Apps, Zoom Notes, and Zoom Whiteboard. That is a brutal tradeoff for journalists who need both security and a transcript. Trust history is mixed. The 2021 FTC settlement confirmed Zoom had falsely claimed E2E encryption for years and secretly installed a ZoomOpener web server on Macs that bypassed Safari security. In August 2023, Zoom added ToS language granting itself rights to train AI on customer content with no opt-out — CEO Eric Yuan called it a 'process failure' and reversed it within days. The current policy (updated October 2025) explicitly prohibits training on customer content. But the AI Companion data flow is complex: the ZMO option keeps processing on Zoom infrastructure, while the default routes through third-party model providers. France banned Zoom (and Teams, Meet, Webex) from all government use in January 2026, switching to the sovereign tool Visio. Zoom Workplace 7.0 (March 2026) rebrands the platform as an AI-first collaboration suite with AI Companion 3.0 agentic workflows, custom agents, voice translation, and realistic avatars. For routine newsroom meetings, Zoom is fine. For sensitive source interviews, enable E2EE and accept the feature loss — or use Signal voice calls or self-hosted Jitsi Meet instead. Jitsi Meet offers E2EE by default, no account required, no tracking, and self-hosting for full data control.

Best for

Newsroom meetings, routine interviews, webinars, large-group calls, remote collaboration. Ubiquitous client means sources already have it installed.

Not for

Sensitive source interviews without E2EE enabled. If you need transcription or cloud recording for a confidential conversation, E2EE kills both — use Signal voice calls or Jitsi Meet instead. Not suitable for journalists in OFAC-sanctioned regions (Cuba, Iran, North Korea, Syria, Crimea, Donetsk, Luhansk) where Zoom blocks access entirely.

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Yes

Data is scrambled when stored on their servers

Data jurisdiction United States. Zoom Communications, Inc. (NASDAQ: ZM), headquartered in San Jose, CA. Data centers globally. AI Companion offers three data processing modes: ZMO (Zoom infrastructure only), ZM+ (Zoom plus third-party providers), and Federated (customer-controlled). OFAC restrictions block service from Cuba, North Korea, Iran, Sudan, Syria, and Russian-occupied Ukraine regions. France banned Zoom from all public sector use in January 2026, joining earlier government restrictions from Taiwan (2020), India (advisory), and Germany.

Where servers are located — affects which governments can request your data

Security rating Adequate

Privacy statement updated February 2, 2026. Zoom states it does not sell personal data and does not use meeting audio, video, or chat to train AI models (policy reversed from August 2023 when Zoom initially claimed that right). AI Companion features require admin approval; the ZMO option keeps data on Zoom infrastructure, but default processing routes through third-party model providers. E2EE is available on all plans but off by default. Without E2EE, Zoom can access meeting content and will provide it to law enforcement via valid legal process. International requests require MLATs or CLOUD Act authorization. Zoom publishes semi-annual transparency reports. E2EE meetings cap at 1,000 participants and disable cloud recording, live transcription, AI Companion, breakout rooms, join before host, live streaming, polling, Zoom Apps, Notes, and Whiteboard.

How to protect yourself:

Enable E2EE for sensitive interviews (Settings > Security > End-to-end encryption). Require version 6.0.10+ for post-quantum E2EE (Kyber-768). Disable AI Companion features for sensitive meetings — admin controls can block AI processing workspace-wide. Choose the ZMO data processing option to keep AI data on Zoom infrastructure only. Use waiting rooms and passcodes. Disable cloud recording before sensitive calls. For the most sensitive conversations, use Signal voice calls or self-hosted Jitsi Meet instead.

AES-256 GCM encryption by default, optional E2EE and post-quantum E2EE (Kyber-768) on all plans, SOC 2 Type II and ISO 27001 certified, under FTC consent order through ~2026 with mandatory third-party audits. E2EE is off by default and disables essential journalist features (recording, transcription) when enabled. High vulnerability volume (30+ CVEs in 2025, 36 in 2024) but responsive patching — critical CVE-2026-22844 (CVSS 9.9) was patched before exploitation. The 2023 AI training policy reversal and 2021 FTC settlement for false encryption claims are serious trust flags. France's 2026 government ban signals growing institutional skepticism. Adequate for routine use; enable E2EE for anything sensitive, or use Jitsi Meet/Signal.

Who Owns This

Owner Zoom Communications, Inc. (NASDAQ: ZM). Founded 2011 by Eric Yuan (CEO and Board Chair). Dual-class share structure gives Yuan outsized voting control despite reduced economic ownership — Yuan sold most direct Class A holdings through pre-arranged trading plans by March 2025. Top institutional shareholders: Vanguard (9.5%), BlackRock (7.5%), Morgan Stanley (~4.5%).

Funding Publicly traded since April 2019. FY2026 revenue: $4.87 billion (up 4.4% YoY). Enterprise revenue: $2.93B (up 6.5%). $7.8 billion cash and marketable securities. 4,468 customers contributing >$100K annually (up 9.3% YoY).

Business model Freemium SaaS. Revenue from Pro, Business, and Enterprise subscriptions plus add-ons (Phone, Webinars, Rooms, Contact Center, Custom AI Companion). Enterprise revenue growing faster than online. Repositioning as AI-first collaboration platform — AI Companion 3.0 (December 2025) adds agentic workflows, custom agents, and third-party integrations (Salesforce, Slack, ServiceNow).

Known issues

2021 FTC settlement: Zoom falsely claimed end-to-end encryption from at least 2016, secretly installed ZoomOpener web server on Macs bypassing Safari safeguards, stored some cloud recordings unencrypted for up to two months. No fine, but 5-year consent order with mandatory third-party security audits. | August 2023: ToS change granted Zoom rights to train AI on customer content with no opt-out. Reversed within days after global backlash. CEO Yuan called it a 'process failure.' Current policy (October 2025) explicitly prohibits using customer content for model training. | January 2026: Critical CVE-2026-22844 (CVSS 9.9) — command injection in Zoom Node Multimedia Routers (MMRs) allowed remote code execution by meeting participants. Patched in version 5.2.1716.0. No known exploitation in the wild. | 2025: 30 security vulnerabilities published, average CVSS 6.3. Notable: CVE-2025-49457 (malicious code via Zoom libraries), CVE-2025-49459 (missing authorization on Windows ARM), CVE-2025-64740 (privilege escalation on Windows). | 2024: 36 security vulnerabilities published. CVE-2024-24691 (critical privilege escalation on Windows), CVE-2024-45421 and CVE-2024-45419 (high-severity privilege escalation and info leak). | AI Companion data flow: enabling AI features routes meeting data through third-party model providers unless ZMO (Zoom Models Only) hosting option is selected. Many admins enable AI features without understanding this distinction. | France banned Zoom from all government use (January 2026), switching to sovereign French tool Visio — reflects EU digital sovereignty concerns. | OFAC restrictions: Zoom blocks access from Cuba, North Korea, Iran, Sudan, Syria, Crimea, Sevastopol, Donetsk, and Luhansk.

Pricing

Free: 40-minute group meetings, 100 participants. Pro: $13.33/user/month. Business: $18.33/user/month. Enterprise: custom. AI Companion included on all paid plans. Custom AI Companion add-on available for enterprise.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.