2026 Independent Security Review
Zoom offers HIPAA BAA availability, end-to-end encryption as an option, and a solid set of compliance certifications. Its history includes the 2020 Zoombombing incidents that led to an $85 million settlement and a steady stream of vulnerability disclosures, including a critical Windows privilege escalation flaw (CVSS 9.6) patched in 2025. For telehealth and regulated meetings, Zoom works if you configure it deliberately. Out of the box, the default settings leave gaps that a determined attacker or an accidental participant can exploit.
Overall score: 73 out of 100

- Encryption: AES-256-GCM for meetings; E2EE available but disables some features; recordings not E2EE by default
- Access Controls: MFA available; waiting rooms and passcodes available but not always enforced by default
- Compliance Certifications: SOC 2 Type II, ISO 27001, HIPAA (with BAA on Business+), HITRUST CSF, FedRAMP Moderate (Gov only)
- Transparency: Trust Center with security advisories; 30 CVEs published in 2025 alone
- Breach History: No major data breach of user data; 2020 Zoombombing incidents and $85M class action; critical CVE-2025-49457 (CVSS 9.6) patched in 2025
- SMB Fit: Easy to deploy; default settings are not secure enough for regulated use without configuration
| Category | Max Points |
|---|---|
| Encryption | 20 |
| Access Controls | 20 |
| Compliance Certifications | 20 |
| Transparency | 15 |
| Breach History | 15 |
| SMB Fit | 10 |
Zoom's default meeting settings are not secure enough for regulated use. When you create a new meeting, waiting rooms and passcodes may or may not be enabled, depending on your account configuration and plan tier. Cloud recording, if enabled, is not end-to-end encrypted by default. E2EE is available but disables breakout rooms, polling, and cloud recording while active. For medical practices conducting telehealth or law firms holding privileged discussions, every meeting involving sensitive information should have waiting rooms enabled, passcodes required, E2EE turned on where feasible, and cloud recording disabled unless the storage location is independently secured.
Zoom has matured significantly since the 2020 incidents, and its current compliance posture with SOC 2, HITRUST, and HIPAA BAA availability is credible. But 30 CVEs in a single year (2025) means the platform requires active patch management. If your organization uses Zoom for sensitive meetings, keep the client updated, configure security settings proactively, and treat the default configuration as a starting point, not a finished product.
Law firms use Zoom for client meetings, depositions, and internal discussions that may involve privileged information. The risk is not Zoom's encryption (which is strong) but meeting configuration. An improperly secured meeting can allow unauthorized participants to join, potentially waiving privilege. Enable waiting rooms, require passcodes, lock meetings once all expected participants have joined, and disable cloud recording unless you control where recordings are stored. For depositions, consider using Zoom for Government (FedRAMP Moderate) or enabling E2EE if breakout rooms are not needed.
Zoom for Healthcare signs a BAA on Business tier and above. When the BAA is executed, Zoom automatically disables cloud recording, enables encrypted chat, and enforces encryption for third-party endpoints. However, the free and Pro tiers do not qualify for a BAA, and using them for telehealth sessions involving PHI creates HIPAA exposure. If your practice uses Zoom for patient consultations, confirm you are on a BAA-eligible plan and that the BAA has been signed. Disable any third-party Zoom Marketplace apps unless they carry their own BAA.
Zoom for Government holds FedRAMP Moderate authorization and operates in a separate cloud environment from the commercial product. Standard commercial Zoom does not meet FedRAMP requirements and should not be used for meetings involving CUI. For contractors who need a video conferencing solution for non-CUI internal meetings, the commercial Business plan with configured security settings is adequate. For any meeting involving controlled information, use Zoom for Government or an alternative platform with FedRAMP authorization.
- Require meeting passcodes for all scheduled meetings. Configure this as an account-wide default in Settings > Security.
- Enable waiting rooms so the host controls who enters. This is the single most effective control against unauthorized meeting access.
- Keep the Zoom client updated on all devices. With 30 CVEs published in 2025, including a CVSS 9.6 Windows privilege escalation, patching is not optional.
- Disable cloud recording by default. If recordings are necessary, configure storage to a location you control with appropriate access restrictions.
- If your organization uses Zoom for telehealth, confirm that your BAA has been signed and that you are on a Business tier or above. Free and Pro plans are not BAA-eligible.
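As an added example (not part of this review and not Zoom's own tooling), the following Python audit checks an exported Zoom settings document against the configuration baseline described above (passcodes required, waiting room on, cloud recording off, E2EE on). The dotted setting keys follow the nested layout of Zoom's user/account settings API but are an assumption here, and the sample document is constructed; verify the field names against Zoom's current API reference before relying on it.

```python
import json

# Hardened baseline drawn from the recommendations above. Key paths are
# assumed to mirror Zoom's settings API layout; confirm them before use.
BASELINE = {
    "schedule_meeting.require_password_for_scheduling_new_meetings": True,
    "in_meeting.waiting_room": True,
    "recording.cloud_recording": False,
    # E2EE disables breakout rooms, polling and cloud recording when active
    "in_meeting.e2e_encryption": True,
}


def lookup(settings, dotted):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    node = settings
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit(settings, baseline=BASELINE):
    """Return (key, expected, actual) for every setting that is missing or
    deviates from the baseline. A missing key counts as a finding, since an
    unset control cannot be assumed to be enforced. Empty list == compliant."""
    findings = []
    for key, expected in baseline.items():
        actual = lookup(settings, key)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


# Constructed sample response (not real account data): passcodes required,
# waiting room off, cloud recording still on, E2EE setting absent entirely.
SAMPLE = json.loads("""{
  "schedule_meeting": {"require_password_for_scheduling_new_meetings": true},
  "in_meeting": {"waiting_room": false},
  "recording": {"cloud_recording": true}
}""")

if __name__ == "__main__":
    for key, want, got in audit(SAMPLE):
        print(f"FAIL {key}: expected {want}, got {got}")
```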
Zoom can be HIPAA compliant on Business tier and above with a signed BAA. When the BAA is executed, Zoom automatically applies certain security settings including disabling cloud recording and enabling encrypted chat. Free and Pro plans do not qualify for a BAA.
Yes, E2EE is available as an option for Zoom meetings. However, enabling E2EE disables certain features including cloud recording, breakout rooms, and polling. E2EE is not the default setting and must be enabled by the host for each meeting or configured as an account-wide default.
Zoom has not experienced a large-scale data breach of user account information. The 2020 Zoombombing incidents involved unauthorized meeting access due to weak default settings, resulting in an $85 million class action settlement. Zoom regularly discloses and patches vulnerabilities, with 30 CVEs published in 2025 including one critical flaw rated CVSS 9.6.