Zoom EU Alternative 2026: Why EU Data Residency Doesn't Solve the CLOUD Act Problem
Post #918 in the sota.io EU Cyber Compliance Series
Zoom is the default video conferencing tool for most EU businesses and development teams. It is easy to deploy, requires no procurement process for small teams, and works reliably across platforms. Its market penetration in European enterprises is substantial — and it is precisely that penetration that makes its legal architecture worth examining carefully.
Zoom Video Communications, Inc. is a Delaware corporation headquartered in San Jose, California. It is publicly listed on Nasdaq. Under the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Zoom is subject to compelled data production orders from US federal law enforcement regardless of where it stores data. Zoom's much-marketed EU Data Residency option — which routes certain data to AWS Frankfurt — does not change Zoom's legal status as a US company. It does not eliminate Zoom's CLOUD Act exposure. It changes the physical location of some data; it does not change the jurisdiction under which that data can be compelled.
For EU organisations operating under GDPR — particularly those in financial services, healthcare, legal, or the public sector — this distinction matters enormously. This guide explains what Zoom's EU Data Residency option does and does not cover, what GDPR obligations arise from using Zoom, and which EU-native video conferencing alternatives close the compliance gaps that Zoom cannot close.
Zoom's Legal Structure: Delaware Incorporation and CLOUD Act Exposure
Zoom Video Communications, Inc. was incorporated in Delaware in 2011 and went public on Nasdaq in April 2019. Its principal executive offices are in San Jose, California. It is not a European company, does not have European legal entities that act as data controllers for its main platform, and is not incorporated in any EU jurisdiction.
The CLOUD Act (18 U.S.C. § 2713) requires electronic communication service providers and remote computing service providers that are incorporated or headquartered in the United States to produce data in their possession, custody, or control in response to valid US legal process — regardless of where the data is physically stored. Zoom, as a US-headquartered electronic communications service provider, falls squarely within this definition.
The CLOUD Act's extraterritorial reach is the core legal issue. A Zoom recording stored on AWS infrastructure in Frankfurt, Germany, remains within reach of a US federal grand jury subpoena or National Security Letter directed at Zoom as a US corporate entity. Zoom cannot lawfully refuse to comply with valid US legal process by arguing that the data is stored in Europe. European data protection law — including GDPR Article 48, which prohibits international transfers based on foreign court judgments unless specifically covered by EU legal instruments — creates a conflict. Zoom is simultaneously subject to a US obligation to produce data and a European prohibition on transferring data based on foreign court orders not covered by Chapter V safeguards.
This is not a theoretical conflict. In Schrems II, the Court of Justice of the European Union held that US surveillance law obligations create a structural conflict for companies transferring EU personal data to the United States, one that Standard Contractual Clauses alone cannot resolve for content-accessible cloud services. Zoom, as a US cloud communications provider, sits directly in this conflict.
What Zoom Processes: The Full Scope of Personal Data
Understanding the GDPR implications of Zoom begins with understanding what Zoom actually processes about your users, participants, and meeting content. The scope is broader than most compliance teams account for.
Meeting metadata. For every Zoom meeting, Zoom retains metadata: host email address, participant email addresses, meeting title, start and end times, duration, participant device types, IP addresses of participants at connection time, and the Zoom user account identifiers of authenticated participants. Participant IP addresses are personal data under GDPR — they can identify a natural person at the network level. Meeting metadata constitutes a record of organisational communication patterns.
Recording content. Zoom cloud recordings — the default for accounts with recording enabled — store video, audio, and transcription data on Zoom's infrastructure. When EU Data Residency is enabled, these recordings are stored in AWS Frankfurt. When it is not enabled, they may be stored on US-based infrastructure. In both cases, Zoom holds the encryption keys and can access recording content. The recordings themselves contain highly sensitive personal data: names, faces, voices, and the substance of communications.
Transcription and AI Companion data. Zoom's AI Companion features — meeting transcription, meeting summary, chat composition suggestions, and whiteboard AI — process the content of your meetings in real time or post-meeting to generate text representations of spoken content. Zoom's AI Companion processes audio data through Zoom's AI infrastructure. As of the current terms, Zoom has committed not to train its AI models on customer content without consent, but the processing itself routes audio through Zoom's AI systems. The lawful basis for this processing under GDPR, and whether the AI processing constitutes automated decision-making subject to Article 22 protections, depend on the specific features enabled and how meeting participants are informed.
Chat data. In-meeting and persistent Zoom Chat messages are processed and stored by Zoom. Chat messages may include links, attachments, and business communications that constitute personal data. Zoom Chat's retention and access controls are configurable by account administrators, but the data remains on Zoom's infrastructure under Zoom's custody.
Webinar data. Zoom Webinar registrant data — names, email addresses, custom registration questions, attendance logs — is processed by Zoom as a data processor for the webinar host. Registration data often includes personal data about clients, prospects, and employees. The GDPR obligation to include Zoom in Article 30 Records of Processing Activities as a processor applies to webinar hosts operating under GDPR.
Diagnostics and telemetry. Zoom collects diagnostic data from Zoom clients: version information, device performance metrics, connection quality data, and usage telemetry. Some of this data is tied to authenticated user accounts and constitutes personal data. Zoom's privacy notice details the telemetry scope, but it is not a minimal collection model.
Zoom's EU Data Residency Option: What It Covers and What It Does Not
Zoom offers an EU Data Residency option on paid Enterprise accounts. It is marketed as a solution for GDPR compliance. Understanding exactly what it covers — and what it explicitly does not cover — is essential for any GDPR assessment.
What EU Data Residency covers (when correctly configured):
- Meeting, webinar, and phone recordings stored at rest in an AWS EU-region facility (Frankfurt)
- Cloud recording transcripts stored at rest in AWS Frankfurt
- Certain chat data stored at rest in AWS Frankfurt
- Meeting metadata processed and stored in the EU region
What EU Data Residency does NOT cover:
Zoom's corporate legal obligations. Zoom Video Communications, Inc. remains a US company. EU Data Residency cannot remove Zoom's obligations under the CLOUD Act or FISA Section 702. If US law enforcement serves valid legal process on Zoom, Zoom remains obligated to comply — and CLOUD Act compliance can compel production of data from AWS Frankfurt through Zoom as the controlling entity.
Real-time meeting processing. When a Zoom meeting is in progress, Zoom's media processing infrastructure routes audio and video for transcoding, relay, and delivery. Even with EU Data Residency enabled, Zoom cannot guarantee that all in-transit audio and video packets are processed exclusively on EU infrastructure. Media relay decisions depend on network conditions and available server capacity. Some in-transit processing may occur on non-EU Zoom servers during live meetings.
AI features. Zoom's AI Companion and transcription features process content through Zoom's AI infrastructure. Zoom's documentation on EU Data Residency does not provide comprehensive coverage of where AI feature processing occurs. If AI features are enabled, the processing of meeting content for AI purposes may occur on infrastructure outside the EU even when EU Data Residency is active.
Account management and configuration data. User account data, authentication data, and Zoom account configuration are processed in Zoom's main data centres, which are US-based for the core account management systems.
Zoom's subprocessors. Zoom relies on third-party subprocessors for various functions including cloud infrastructure (AWS), customer support tools, analytics, and communications. Not all subprocessors are EU-based, and Zoom's subprocessor list includes US-incorporated technology companies. Zoom's DPA covers these subprocessor relationships through SCCs, but each SCC relationship requires a Transfer Impact Assessment by the data exporter — EU organisations using Zoom — not just by Zoom itself.
The compliance conclusion. EU Data Residency reduces the footprint of data stored in the US at rest. It does not resolve the CLOUD Act conflict for content-accessible data. It does not cover all data categories. For EU organisations requiring a full GDPR compliance solution — particularly those subject to sector-specific requirements under DORA, NIS2, or German BDSG — EU Data Residency is a partial measure, not a complete compliance solution.
GDPR Article 28 Data Processing Agreement Analysis
EU organisations using Zoom with a paid account can execute Zoom's Data Processing Addendum (DPA). The Zoom DPA covers Zoom's role as a data processor for certain categories of customer data. Assessing the DPA against GDPR Article 28 requirements reveals several areas to verify.
Subprocessor transparency. GDPR Article 28(2) requires that data processors obtain prior specific or general authorisation from the data controller before engaging sub-processors. Zoom's DPA provides for general authorisation of subprocessors, which is GDPR-compliant if the DPA provides an appropriate notification mechanism and objection right for new subprocessors. Verify that Zoom's notification mechanism for subprocessor changes is active and that your organisation has a process for receiving and evaluating those notifications.
Data deletion obligations. GDPR Article 28(3)(g) requires that processors delete or return personal data at the end of services. Zoom's DPA covers the return or deletion of Customer Content after contract termination. The specific retention periods and deletion confirmation mechanisms should be assessed against your organisation's data retention requirements.
Transfer mechanism for US subprocessors. For Zoom's US-incorporated subprocessors that process EU personal data, Zoom relies on Standard Contractual Clauses as the transfer mechanism under GDPR Article 46. Zoom should be able to provide TIA documentation for its principal US subprocessor relationships. As the data exporter, EU organisations relying on Zoom's SCCs for US subprocessor data transfers bear a responsibility to assess whether the SCCs are effective — a responsibility that post-Schrems II EDPB Recommendations 01/2020 make clear cannot be discharged by simply signing the SCCs.
Security certifications. Zoom holds ISO 27001, SOC 2 Type II, and other security certifications. These certifications cover Zoom's security management practices but do not address the legal jurisdiction issue. Security certification and legal jurisdiction compliance are separate dimensions of a GDPR assessment.
AI Companion and GDPR: The New Privacy Risk Layer
Zoom AI Companion — including meeting transcription, meeting summary, smart recordings, and Chat AI responses — represents a significant and relatively recent expansion of what Zoom processes about your meetings. The GDPR implications require specific assessment.
Lawful basis for AI processing. AI Companion processing of meeting audio to generate transcripts and summaries is not necessary for the performance of the video conferencing service itself — it is an additional feature layer. The lawful basis for this processing is typically legitimate interests (Article 6(1)(f)) or contract performance for users who explicitly enable these features. Under EDPB guidance, legitimate interests must be assessed against data subject interests, and processing of sensitive business communications may not survive that assessment for all use cases.
Data subject awareness. GDPR requires that data subjects be informed about the processing of their personal data (Article 13/14). Meeting participants — particularly external participants, clients, or third parties who are not employees of the Zoom account holder — may not be aware that AI features are generating transcriptions and summaries of their spoken communications. The obligation to inform participants rests on the Zoom account holder acting as data controller. Enabling Zoom AI Companion without a clear participant disclosure mechanism creates a GDPR Article 13/14 compliance gap.
Automated decision-making. If AI Companion outputs — transcriptions, summaries, action item extraction — are used to inform decisions about individuals (performance assessments, client relationship management, regulatory compliance documentation), GDPR Article 22 on automated individual decision-making may apply. Article 22 requires that profiling that has significant effects on individuals be disclosed, assessable, and challengeable.
AI training commitments. Zoom has committed in its terms not to use Customer Content to train AI models without consent. This commitment is in the contractual terms and is auditable against Zoom's privacy practices. EU organisations with high-sensitivity meeting content — M&A discussions, legal advice, patient consultations, HR disciplinary proceedings — should assess whether Zoom's AI training commitments are sufficient for their use cases or whether AI features should be disabled entirely.
NIS2, DORA, and Sector-Specific Implications
Beyond baseline GDPR obligations, EU organisations in sectors covered by the EU's NIS2 Directive (Network and Information Security) or the Digital Operational Resilience Act (DORA) face additional obligations related to third-party technology providers.
NIS2 (Directive 2022/2555). NIS2 requires "essential" and "important" entities — including healthcare, energy, transport, financial infrastructure, public administration, and digital infrastructure operators — to implement supply chain security measures and assess the cybersecurity practices of their ICT suppliers. Video conferencing tools used for operational communications (including crisis management, incident response, and sensitive internal communications) are ICT service components subject to NIS2 supply chain assessment. Using a US-incorporated video conferencing provider for sensitive operational communications requires an ICT supplier risk assessment under NIS2 Article 21(2)(d).
DORA (Regulation 2022/2554). Financial entities under DORA must manage ICT third-party risk through a comprehensive ICT third-party risk management framework. Video conferencing tools used for internal communications — board meetings, trading discussions, risk management calls, regulatory communications — are ICT services within DORA's scope if the financial entity depends on them for regulated activities. Under DORA Article 28, financial entities must include critical or important ICT third-party providers in their written contractual arrangements, including provisions for data access, portability, and regulatory audit rights. Zoom's standard DPA may not satisfy DORA's specific contractual requirements for critical ICT providers.
EU-Native Video Conferencing Alternatives
The following alternatives provide video conferencing without Zoom's CLOUD Act exposure and with EU-law-governed data controllers.
Whereby (Norway)
Whereby AS is a Norwegian company headquartered in Oslo. Norway is not an EU member state but is part of the European Economic Area (EEA), and the EEA Agreement extends the EU's legal framework — including GDPR — to Norway. The European Commission has not issued a formal adequacy decision for Norway because such decisions are not needed: Norway, as an EEA member, is treated as equivalent to an EU member state for GDPR data transfer purposes. Transfers from EU organisations to Whereby AS do not require SCCs.
Whereby offers browser-based video meetings that require no client download for guests. Meeting rooms can be persistent (always-on URLs) or scheduled. Whereby's infrastructure is hosted on EU cloud providers. For teams seeking a no-install, simple video conferencing solution with EU legal governance, Whereby is the closest functional match to the Zoom use case.
Whereby's compliance documentation includes a GDPR DPA. It does not have the CLOUD Act exposure of US-incorporated video conferencing providers. For EU organisations requiring a documented EU-law data processor relationship, Whereby provides a cleaner GDPR baseline than Zoom.
OpenTalk (Germany)
OpenTalk GmbH is a German company that develops and operates open-source, GDPR-focused video conferencing software. OpenTalk is specifically designed for the German and broader EU public sector, with features oriented toward public administration compliance requirements (German DSGVO, BayDSG, public sector procurement standards).
OpenTalk is available as a hosted service on German infrastructure (Telekom, Hetzner) or self-hosted. It provides meeting recordings, whiteboard collaboration, hand-raise and polling features, and calendar integration comparable to Zoom's core feature set. As a German GmbH, OpenTalk GmbH is subject to EU law and German BDSG. No SCCs are required for the data controller relationship.
For German public sector organisations, healthcare institutions, and financial entities under German regulatory oversight, OpenTalk provides the strongest available compliance documentation for video conferencing infrastructure.
Infomaniak kMeet (Switzerland)
Infomaniak Network AG is a Swiss company headquartered in Geneva that operates kMeet, a privacy-focused video conferencing platform based on open-source Jitsi Meet infrastructure. Switzerland has an adequacy decision from the European Commission, making transfers to Infomaniak possible without SCCs.
Infomaniak is a certified B-Corp and markets explicitly on European data sovereignty and renewable energy hosting. kMeet supports up to 16 participants on the free plan, with larger conference sizes on paid plans. No account is required for participants — hosts share a meeting link and guests join via browser. Infomaniak's infrastructure is hosted entirely in Switzerland.
For teams that use Zoom primarily for external client meetings or guest-accessible calls, kMeet provides a structurally comparable experience with a fully EU-framework data controller relationship.
Nextcloud Talk (Germany)
Nextcloud Talk is the integrated video conferencing and messaging component of the Nextcloud platform, developed by Nextcloud GmbH (Stuttgart, Germany). Nextcloud Talk supports one-on-one and group video calls, screen sharing, and integrated chat within the Nextcloud platform.
The GDPR advantage of Nextcloud Talk is the same as Nextcloud broadly: as a self-hosted or EU-hosted Nextcloud deployment, all video call data stays within infrastructure controlled by the organisation or a specifically contracted EU host. Nextcloud GmbH is a German company. For organisations already using Nextcloud for file storage and collaboration, Nextcloud Talk adds video conferencing without adding a new third-party data processor relationship.
Nextcloud Talk on a self-hosted instance requires a TURN/STUN server for reliable peer-to-peer video connections in enterprise environments. EU-based TURN providers or self-hosted coturn deployments on Hetzner or OVHcloud infrastructure keep signalling and any relayed media within EU-controlled infrastructure.
Jitsi Meet (Self-Hosted on EU Infrastructure)
Jitsi Meet is an open-source video conferencing solution originally developed by Atlassian (acquired from Jitsi.org) and now maintained by 8x8, Inc. — a US company. The hosted meet.jit.si service is operated by 8x8 and inherits 8x8's CLOUD Act exposure. However, the open-source Jitsi Meet software can be self-hosted on any infrastructure.
For EU organisations with infrastructure capability, deploying Jitsi Meet on Hetzner, OVHcloud, or Scaleway infrastructure within the EU creates a video conferencing stack with no US-incorporated data processor in the chain. The data controller is the organisation itself; no DPA is needed for the self-hosted stack. All meeting data stays on EU-controlled servers.
Self-hosting Jitsi requires operational investment: server provisioning, TLS certificate management, TURN server configuration, and ongoing maintenance. It is not appropriate for organisations without technical infrastructure capability, but for development teams, MSPs, and organisations with existing EU cloud infrastructure, it provides maximum control over meeting data.
Wire (Switzerland)
Wire Swiss GmbH (Zug, Switzerland) provides end-to-end encrypted messaging, voice calls, and video conferencing under Swiss data protection law. Wire is designed for business and enterprise use, with a focus on security-sensitive communications. End-to-end encryption in Wire means that Wire Swiss GmbH cannot access call content — content is encrypted before leaving the device and decryptable only by the intended recipients.
Wire Enterprise provides team video conferencing with E2E encryption, persistent messaging, file sharing, and administrative controls. For EU organisations where the privacy of meeting content is the primary concern — legal, healthcare, financial — Wire's E2E encryption model provides a stronger content protection guarantee than Zoom's server-side encryption (where Zoom holds the keys).
Switzerland's adequacy decision under the EU-CH adequacy arrangement means transfers to Wire Swiss GmbH do not require SCCs. Wire's E2E model means even a valid Swiss court order cannot compel Wire to produce plaintext meeting content that Wire does not hold.
Practical Migration Guide: From Zoom to EU Alternatives
Step 1: Audit your Zoom use cases. Zoom is used differently across an organisation — all-hands calls, client demonstrations, external partner meetings, team standups, one-on-ones, webinars, support calls. Each use case has different participant types (internal only, mixed, external only), different data sensitivity levels, and different feature requirements (recording, transcription, large group, webinar, polling). Audit each use case before selecting a single alternative.
Step 2: Match use cases to alternatives. Guest-accessible client calls with no client install: Whereby or kMeet. Internal-only team communication with maximum security: Wire. Large EU public sector or regulated industry deployment: OpenTalk. Teams already on Nextcloud: Nextcloud Talk. Organisations with EU server infrastructure and technical capability: Jitsi self-hosted.
Step 3: Pilot with a specific team. Roll out one alternative to one team for 30 days before organisation-wide migration. Identify friction points, feature gaps, and integration requirements (calendar invites, Slack notifications, CRM logging). Address these before expanding the rollout.
Step 4: Update data processing records. Remove Zoom from Article 30 Records of Processing Activities as a data processor for the migrated use cases. Add the replacement provider under the appropriate legal basis (adequacy decision for Switzerland/Norway, no transfer mechanism required for EU-incorporated providers).
Step 5: Handle existing Zoom recordings. Cloud recordings stored in Zoom constitute personal data that cannot simply be abandoned. Before closing a Zoom account, download all relevant recordings, review them against data retention policies, and delete recordings that have exceeded their retention period. Update your data retention schedule to reflect the new video conferencing stack.
Conclusion
Zoom's EU Data Residency option is a genuine feature that reduces some categories of GDPR exposure. It is not a complete GDPR compliance solution. The fundamental issue — Zoom's status as a US company subject to the CLOUD Act — persists regardless of where Zoom stores specific data categories at rest. US law enforcement can compel Zoom to produce data in Zoom's possession, custody, or control under valid US legal process, and EU data protection law does not currently provide effective counterweights to that obligation.
For EU organisations in regulated sectors — financial services under DORA, healthcare under NIS2, public sector under sector-specific national data protection requirements — Zoom's legal architecture creates compliance risks that EU Data Residency cannot close. The alternatives reviewed here — Whereby (Norway), OpenTalk (Germany), Infomaniak kMeet (Switzerland), Nextcloud Talk (Germany), Wire (Switzerland), and self-hosted Jitsi — each provide a cleaner GDPR baseline because they are governed by EU or EU-equivalent law, operate on EU or EU-adjacent infrastructure, and do not carry CLOUD Act obligations.
The migration from Zoom to an EU-native alternative requires planning and testing but is operationally feasible for most organisations. The compliance benefit — a video conferencing stack where the data controller and processor relationship is fully within EU legal jurisdiction — is worth the migration cost for organisations whose primary GDPR exposure lies in their communication infrastructure.
Start of the sota.io EU Video Conferencing Series. Coming next: Microsoft Teams EU Alternative.