Common use of Zoom’s Storage and Use of Protected Information Clause in Contracts

Zoom’s Storage and Use of Protected Information. a. Covered Entity may not transmit or store Protected Information in Zoom’s systems except as described in this paragraph. b. When Zoom provides services subject to a Business Associate Agreement, its services are limited to transmission of communications between persons using those services, and the provision of end-to-end encrypted storage of chat communications on Zoom servers. Covered Entity may elect to store encrypted chat communications sent over Zoom’s servers. In such cases, the encryption keys to such communications are retained only by the persons using Zoom’s services and Zoom does not have encryption keys for any such end-to-end encrypted communications. For clarity, with respect to accounts provisioned subject to a Business Associate Agreement, Zoom’s storage is limited to end-to-end encrypted chat communications. c. Consistent with the foregoing, Zoom’s rights and obligations with respect to Protected Information under this Agreement are limited to those rights and obligations applicable solely to Zoom’s transmission of Protected Information, as described in this paragraph. d. For the avoidance of doubt, Zoom is not responsible for the use, disclosure, or storage of any Protected Information stored locally on Covered Entity’s systems; any use, storage, or disclosure of any Protected Information after the Protected Information has been transmitted using Zoom services, except as described in this paragraph 2; or Protected Information that Covered Entity discloses to Zoom in a manner not covered by paragraph 2(b). e. All Protected Information subject to this Agreement is, shall be, and shall remain the sole property of Covered Entity. f. Business Associate shall act as a Qualified Service Organization within the meaning of 42 C.F.R. Part 2 only to the extent Business Associate receives, stores, processes, or otherwise deals with any records containing Part 2 Patient Identifying Information. Business Associate shall not act as a Qualified Service Organization or be subject to liabilities imposed on any Qualified Service Organization with respect to Business Associate’s treatment of other forms of data, including PHI that does not qualify as Part 2 Patient Identifying Information.