AI Summaries are strictly opt-in and user-configurable. When summarization is enabled during a call, audio is transcribed, encrypted, and stored in Google Cloud Storage. Only users that participated in the call can access summaries, both during and after calls.
Transcriptions can't be accessed without a secure key, which has limited and audited access. Transcriptions are generated by Zoom Cloud Transcriptions, and are not saved in Zoom's servers. Raw transcription data is only sent to OpenAI APIs, and is never sent to analytics services or client devices.
Cloud Services and Storage
We use Google Cloud Platform, including Firebase, to manage user authentication, store user data, distribute our application, and run server-side functions for our applications. Google provides a highly secure network and computing environment. All data is encrypted in transit via HTTPS TLS 1.2 and stored on our servers under AES-256.
We aim to retain a minimum amount of customer data. For example, for each user we only retain data that is required to render that user to other users on the same team, such as name, availability, and profile picture.
Audio, Video, and Screen Share
We use Zoom as our sole vendor for audio, video, data transmission, and recording for call data streams including screen share and text chat. Zoom uses 256-bit AES-GCM encryption for streams in transit between Zoom applications, clients, and connectors. Streams flowing between users’ Multi apps are not decrypted until they reach the recipients’ devices. The encryption keys for each meeting are generated and managed by Zoom’s servers.
These call data streams are not recorded unless a user turns on call recording for a specific call. Call recordings utilize Zoom's cloud call recording, which are transferred to Google Cloud Storage on call completion. Zoom deletes all calls within 30 days.
Access to your call metadata is limited to a few Multi operations engineers, for whom access is essential. Access to this sensitive data is protected by two-factor authentication and is audited.
We use WebRTC for shared control: Data channels for data passing, and ICE for session creation. We use Twilio for STUN/TURN, and all streams are end-to-end encrypted and are not stored in Multi servers.
Shared control is only possible while in a call and actively screen sharing. Shared control is optional and requires two-way consent. The sharer always has the option to override shared control by clicking the mouse and selecting the "stop" button on the screen share controls.
We use the following analytics tools to better understand customer needs, troubleshoot, and inform our product roadmap:
None of these services receive access to the audio, video, transcriptions, recordings, or other streaming data.
Backup and Recovery
We maintain daily backups of server data and can recover in under an hour.