✔️ Security & Compliance

Implement security policies, enable encryption, manage call blocking, and ensure compliance with regulatory requirements for your Zoom Phone deployment.


⏱️ Estimated Time: 20-30 minutes to configure security settings


👤 Who's This For

Zoom Phone administrators responsible for security, compliance, and data protection policies.

💼 Use Case

Use this guide to harden your phone system security, protect sensitive communications, comply with industry regulations (HIPAA, SOC 2, etc.), and prevent unauthorized access or fraud.


✔️ Prerequisites

  • Admin access to Zoom web portal

  • Understanding of your organization's security and compliance requirements

  • Knowledge of applicable regulations (HIPAA, GDPR, etc.)

  • Emergency address information for all locations


Encryption & Call Security

Standard Encryption

All Zoom Phone calls use 128-bit AES encryption by default for:

  • Connections between Zoom Cloud and Zoom clients

  • Desktop app calls

  • Mobile app calls

  • Desk phone calls (supported SIP devices)

Note: Encryption is always enabled and cannot be disabled. This provides baseline security for all communications.

End-to-End Encryption (E2EE)

Enable E2EE for maximum call privacy. With E2EE, only call participants can decrypt audio—not even Zoom can access call content.

Enabling E2EE:

Account Level:

  1. Navigate to Account Management > Account Settings

  2. Click Zoom Phone tab

  3. Under General, toggle End-to-End Encryption to enable

  4. Click Enable to confirm

  5. (Optional) Click lock icon to prevent users from disabling

Site Level (if using multiple sites):

  1. Navigate to Phone System Management > Company Info

  2. Click site name > Policy tab

  3. Toggle End-to-End Encryption

Group Level:

  1. Navigate to User Management > Groups

  2. Click group name > Zoom Phone tab

  3. Toggle End-to-End Encryption

Individual User:

  1. Navigate to Phone System Management > Users & Rooms

  2. Click user name > Policy tab

  3. Toggle End-to-End Encryption

E2EE Limitations

When E2EE is enabled, these features are not available:

  • Call recording (automatic or ad-hoc)

  • Call flip between devices

  • Call monitoring (listen, whisper, barge)

  • In-call controls (merge, transfer)

  • DTMF codes

  • Hold music

  • Park/unpark

  • Shared line appearance

  • Switch to carrier

  • Elevating call to meeting

Use Case: Enable E2EE for executives, legal teams, or sensitive departments. Keep disabled for support teams needing call recording or monitoring.


Emergency Address Management

Setting Up Emergency Addresses

Emergency addresses are provided to first responders when users dial emergency numbers (911, 999, etc.).

Account/Site Level:

  1. Navigate to Phone System Management > Company Info

  2. Click Account Settings or site name

  3. Click Settings tab

  4. Under Emergency Address, click Edit

  5. Enter complete street address

  6. Verify address is validated by system

  7. Click Save

Individual User:

  1. Navigate to Phone System Management > Users & Rooms

  2. Click user name > Profile tab

  3. Under Emergency Address, click Edit

  4. Enter or update address

  5. Click Save

Emergency Address Best Practices

Remote Workers:

  • Set emergency address to their home office location

  • Update when they relocate

  • Train users on how to update their own address

Multi-Floor Buildings:

  • Include floor/suite number in address

  • Consider separate sites for each floor for accurate routing

Mobile Users:

  • Set default emergency address

  • Educate users that address doesn't update based on location

  • Encourage users to use their mobile carrier for 911 when traveling

Desk Phones:

  • Assign emergency address based on physical phone location

  • Update if phones are moved between offices

Critical: Emergency address accuracy can save lives. Audit addresses quarterly and after office moves.


Call Blocking & Spam Protection

Managing Blocked Numbers

Block unwanted callers at the account, site, group, or user level.

Account-Level Blocking:

  1. Navigate to Phone System Management > Settings

  2. Under Security, locate Block List

  3. Click Manage Block List

  4. Click Add to create blocking rule

Blocking Options:

Prefix Match: Block all numbers that begin with a specific country code and area code

  • Example: Enter 1905 to block all calls from +1 (905) area code

  • Useful for blocking entire regions or known spam sources

Phone Number Match: Block specific phone number

  • Example: Enter 19051231234 to block +1 (905) 123-1234

  • Include country code before the number

Type Selection:

  • Inbound: Prevent blocked number from calling/texting your users

  • Outbound: Prevent your users from calling blocked number

User-Level Blocking:

  1. Navigate to user's settings

  2. Under Others, locate Block List

  3. Click Manage Block List

  4. Add blocked prefixes, numbers, or SMS short codes

  5. Users can also manage their own block list from Zoom app
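As an added example (not code from the original guide or from Zoom), the following script mirrors how the prefix and number rules above are matched against a caller ID, and reports the two misconfigurations this guide warns about: a rule of the wrong type (inbound vs. outbound) and an entry missing its country code. The RULES list and the numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class BlockRule:
    match: str      # "prefix" (country code + area code) or "number" (one full number)
    digits: str     # entered as digits only, country code first, e.g. "1905" or "19051231234"
    direction: str  # "inbound" or "outbound"

def normalize(caller_id: str) -> str:
    """Reduce a caller ID such as '+1 (905) 123-1234' to its digits: '19051231234'."""
    return re.sub(r"\D", "", caller_id)

def rule_matches(rule: BlockRule, digits: str) -> bool:
    """Prefix rules match the start of the number; number rules must match it exactly."""
    if rule.match == "prefix":
        return digits.startswith(rule.digits)
    return digits == rule.digits

def is_blocked(rules: List[BlockRule], caller_id: str, direction: str) -> Optional[BlockRule]:
    """Return the first rule that blocks this call in this direction, or None."""
    digits = normalize(caller_id)
    for rule in rules:
        if rule.direction == direction and rule_matches(rule, digits):
            return rule
    return None

def diagnose(rules: List[BlockRule], caller_id: str, direction: str) -> List[str]:
    """Explain a call that got through: a rule of the other type, or an entry lacking its country code."""
    digits = normalize(caller_id)
    notes = []
    for rule in rules:
        if rule_matches(rule, digits) and rule.direction != direction:
            notes.append(f"{rule.digits} matches but is an {rule.direction} rule, not {direction}")
        elif (rule.direction == direction and not rule_matches(rule, digits)
              and digits.endswith(rule.digits) and len(rule.digits) < len(digits)):
            notes.append(f"{rule.digits} matches the national number only; add the country code")
    return notes

# Constructed rules: the third was entered without the leading country code (the mistake from the guide).
RULES = [
    BlockRule("prefix", "1905", "inbound"),
    BlockRule("number", "19051231234", "outbound"),
    BlockRule("number", "4155550100", "inbound"),
]

if __name__ == "__main__":
    for number, direction in [("+1 (905) 555-0100", "inbound"), ("+1 (415) 555-0100", "inbound")]:
        print(number, direction, is_blocked(RULES, number, direction), diagnose(RULES, number, direction))
```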

Spam Call Protection

Enable Spam Detection:

  • Zoom automatically identifies potential spam calls

  • Users see spam warning before answering

  • Caller checkmark icon identifies verified calls

Block Calls Without Caller ID:

  1. Navigate to user settings

  2. Toggle Block Calls without Caller ID to enable

  3. Blocks all anonymous/hidden caller ID calls

Handling Spam Tagged Calls:

  • Educate users to report spam calls

  • Monitor call logs for spam patterns

  • Add repeat spam numbers to block list


Access Control & Authentication

Managing User Permissions

Policy Settings:

  • Navigate to Account Management > Account Settings > Zoom Phone tab

  • Configure which features users can access

  • Lock settings to prevent users from changing them

Key Security Policies:

Prevent External Calls:

  • Block all inbound external calls for sensitive users

  • Limit to internal-only communication

  • Useful for reception, internal support lines

Restrict International Calling:

  • Navigate to Phone System Management > Settings

  • Under Calling, configure international calling restrictions

  • Prevent fraud and control costs

Require Feature Access Codes:

  • Force users to enter PIN for certain features

  • Adds authentication layer for sensitive operations

Role-Based Access Control

Admin Roles:

  • Assign minimum necessary privileges

  • Use role management for delegation

  • Create queue admins for call queue management only

  • Limit full admin access to IT leadership

User Groups:

  • Create groups by department or security level

  • Apply different security policies per group

  • Simplify policy management at scale


Recording & Data Retention

Call Recording Compliance

Recording Consent:

  • Enable recording prompts for legal compliance

  • Configure consent options (one-party vs. two-party)

  • See Call Recording Setup article for details

Data Retention:

  • Set retention policies for recordings

  • Configure automatic deletion after X days

  • Balance compliance requirements with storage costs

PII Redaction:

  • Enable automatic redaction of sensitive data

  • Protects credit cards, SSNs, etc. in transcripts

  • Configure PII groups for your industry

Recording Access:

  • Limit who can access recordings

  • Use role-based permissions

  • Audit recording access regularly

Voicemail Security

Voicemail PIN Codes:

  • Require PINs for voicemail access via phone

  • Set complexity requirements

  • Force periodic PIN changes

Voicemail Transcription:

  • Enable for searchability

  • Apply PII redaction to transcripts

  • Consider disabling for highly sensitive environments


Compliance Frameworks

HIPAA Compliance

For healthcare organizations handling protected health information (PHI):

Requirements:

  • Sign Business Associate Agreement (BAA) with Zoom

  • Enable E2EE for calls discussing PHI

  • Enable automatic call recording with consent prompts

  • Configure PII redaction for transcripts

  • Implement access controls and audit logs

  • Train staff on HIPAA-compliant usage

Zoom Trust Center:

  • Access compliance documentation at zoom.us/trust

  • Download SOC 2, HIPAA, ISO certifications

  • Review security whitepapers

GDPR Compliance

For organizations handling EU citizen data:

Data Subject Rights:

  • Ability to export user call logs

  • Process for data deletion requests

  • Document data processing activities

Data Residency:

  • Configure data storage location if required

  • Review Zoom's data center locations

  • Understand where call data is processed

Industry-Specific Compliance

Financial Services:

  • Enable call recording for regulated activities

  • Implement retention policies per regulations

  • Configure trade surveillance if required

Legal:

  • Use E2EE for attorney-client privilege

  • Enable recording for evidence preservation

  • Implement secure voicemail access

Education:

  • FERPA compliance for student data

  • COPPA compliance for calls involving minors

  • Configure age-appropriate security policies


Security Monitoring & Auditing

Call Logs for Security

Monitor for Anomalies:

  • Unusual call volumes

  • Calls to blocked countries

  • Repeated failed authentication attempts

  • Spam call patterns

Export Logs Regularly:

  • Monthly security audits

  • Compliance reporting

  • Incident investigation
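The anomaly checks listed above, as an added example that is not code from the original guide or from Zoom: it runs over a constructed call log export (the column names are an assumption, not Zoom's export schema) and flags users with unusual outbound volume, per-hour bursts, and calls that reached country codes the organization intended to block, which is how you confirm an international calling restriction is actually in effect.

```python
import csv
import io
from collections import Counter

# Constructed sample of a call log export. The column names are an assumption made
# for this example, not Zoom's actual export schema.
SAMPLE_LOG = """\
user,direction,number,start
alice@example.com,outbound,+14155550100,2024-05-01T09:10:00
alice@example.com,inbound,+14155550101,2024-05-01T09:40:00
bob@example.com,outbound,+14155550102,2024-05-01T10:05:00
bob@example.com,outbound,+14155550103,2024-05-01T10:06:00
bob@example.com,outbound,+882345000000,2024-05-01T10:07:00
bob@example.com,outbound,+882345000001,2024-05-01T10:08:00
carol@example.com,outbound,+14155550104,2024-05-01T11:00:00
"""

# Constructed policy: country codes this organization has chosen to block for outbound calls.
BLOCKED_COUNTRY_CODES = ("882", "883")

def find_anomalies(log_text: str, volume_threshold: int = 3, burst_threshold: int = 3) -> dict:
    """Flag high outbound volume per user, bursts within one hour, and calls to blocked country codes."""
    per_user = Counter()
    per_hour = Counter()
    blocked = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["direction"] != "outbound":
            continue  # inbound spam is handled by the block list; fraud risk is outbound
        per_user[row["user"]] += 1
        per_hour[(row["user"], row["start"][:13])] += 1  # bucket by YYYY-MM-DDTHH
        if row["number"].lstrip("+").startswith(BLOCKED_COUNTRY_CODES):
            blocked.append((row["user"], row["number"]))
    return {
        "high_volume": {u: n for u, n in per_user.items() if n > volume_threshold},
        "bursts": {k: n for k, n in per_hour.items() if n > burst_threshold},
        "blocked_country": blocked,
    }

if __name__ == "__main__":
    for kind, hits in find_anomalies(SAMPLE_LOG).items():
        print(kind, hits)
```

Any entry under blocked_country means the restriction described under Restrict International Calling is not being enforced for that user and should be investigated.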

Quality of Service Monitoring

Security Indicators:

  • Sudden quality drops may indicate network attacks

  • Monitor for unusual latency patterns

  • Track failed calls that could indicate system issues

User Activity Monitoring

Track Adoption:

  • Identify users not using Zoom Phone (security bypass risk)

  • Monitor for policy violations

  • Review recording access logs


💡 Security Best Practices


Implement Principle of Least Privilege: Only grant users and admins the minimum permissions needed. Regularly review and revoke unnecessary access.

Enable Multi-Factor Authentication (MFA): Require MFA for all admin accounts accessing Zoom web portal. This prevents unauthorized access even if passwords are compromised.

Conduct Regular Security Audits: Quarterly review of blocked numbers, emergency addresses, user permissions, and compliance settings. Document findings and remediation.

Train Users on Security: Educate users about spam calls, phishing attempts via phone, proper handling of sensitive calls, and when to use E2EE.

Document Security Policies: Create written policies for call recording, data retention, acceptable use, and incident response. Include in employee handbooks.


🚀 Quick Wins


Enable Spam Protection Immediately: Turn on spam detection and caller verification to reduce fraud calls from day one.

Audit Emergency Addresses: Run through all users and verify emergency addresses are current and accurate. Schedule quarterly reviews.

Block High-Risk Area Codes: If you don't do business in certain regions, proactively block area codes known for spam/fraud.

Set Up E2EE for Executives: Enable E2EE for C-suite and leadership to protect sensitive strategic conversations.

Configure Data Retention Early: Set recording retention policies before go-live to avoid scrambling later when storage fills up.


⚠️ Common Security Issues


Users can't make calls after enabling E2EE → Verify E2EE is properly enabled at all levels (account/site/group/user). Check that users are on compatible Zoom clients. Some features are incompatible with E2EE.

Emergency calls showing wrong location → Update emergency address and wait 15 minutes for propagation. Verify address was validated by system (validated addresses show checkmark).

Blocked numbers still getting through → Verify block rule type is "Inbound" not "Outbound." Check that prefix format includes country code. User-level blocks override account blocks.

Compliance audit findings → Review call recording settings, check consent prompts are enabled, verify PII redaction is working, export logs to demonstrate compliance.

Spam calls increasing → Enable "Block Calls without Caller ID," add repeat offenders to block list, and educate users not to engage with spam calls (engaging confirms the number is active).


🎯 Security Checklist

Essential security measures:

Immediate:

First Week:

First Month:

Ongoing:

