Zoom Video Communications is a US company headquartered in San Jose, California. Under the CLOUD Act (18 U.S.C. § 2713), every meeting recording, AI Companion transcript, and message handled through Zoom infrastructure is subject to US government compelled disclosure — regardless of where your data centre is located. Sweden's government has formally advised against Zoom. The EU Commission is now preparing legislation to restrict US cloud providers from processing sensitive public sector data.
The same meetings, recordings, and AI capabilities — with one critical difference: who has legal access to the data.
| Feature | Zoom Basic $0 | Zoom Pro $13.32/user/mo | Zoom Business $18.32/user/mo | Zoom Enterprise Custom | AMVLET · Matrix Sovereign |
|---|---|---|---|---|---|
| Meetings & Video | |||||
| Video conferencing | ✓ | ✓ | ✓ | ✓ | ✓ |
| Meeting duration limit | 40 min | 30 hours | 30 hours | 30 hours | No limit |
| Max attendees | 100 | 100 | 300 | 500+ | Unlimited |
| Screen sharing | ✓ | ✓ | ✓ | ✓ | ✓ |
| Breakout rooms | ✗ | ✓ | ✓ | ✓ | ✓ |
| Webinars | ✗ | Add-on | Add-on | ✓ | ✓ |
| Recording & Storage | |||||
| Local recording | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud recording | ✗ | Zoom cloud — 5 GB | Zoom cloud — unlimited | Zoom cloud — unlimited | Your sovereign storage |
| Recording jurisdiction | — | Zoom / US | Zoom / US | Zoom / US | Your jurisdiction |
| AI & Transcription | |||||
| AI meeting summaries | ✗ | Zoom AI Companion | Zoom AI Companion | Zoom AI Companion | Optional — on-prem |
| AI transcription | ✗ | Zoom processes content | Zoom processes content | Zoom processes content | Optional — sovereign |
| AI smart chapters & next steps | ✗ | Zoom AI — US jurisdiction | Zoom AI — US jurisdiction | Zoom AI — US jurisdiction | Optional — sovereign |
| AI data jurisdiction | — | Zoom / US | Zoom / US | Zoom / US | Your jurisdiction |
| Messaging & Calling | |||||
| Persistent messaging (Zoom Chat) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Voice & video calling | ✓ | ✓ | ✓ | ✓ | ✓ |
| Phone (PSTN calling) | ✗ | Add-on | Add-on | ✓ | ✓ |
| End-to-end encryption | Optional — limited | Optional — limited | Optional — limited | Optional — limited | E2EE by default |
| Sovereignty & Security | |||||
| Data jurisdiction | Zoom / USA | Zoom / USA | Zoom / USA | Zoom / USA | Your jurisdiction |
| CLOUD Act exposure | YES — Zoom | YES — Zoom | YES — Zoom | YES — Zoom | NO |
| GDPR Art. 48 conflict | YES | YES | YES | YES | None |
| PDPL (Saudi Arabia) conflict | YES | YES | YES | YES | None |
| Gag order risk (§ 2705(b)) | YES | YES | YES | YES | Not applicable |
| Government data request system | LERS — built-in | LERS — built-in | LERS — built-in | LERS — built-in | Not applicable |
| Self-hostable | ✗ | ✗ | ✗ | ✗ | ✓ |
| Air-gapped deployment | ✗ | ✗ | ✗ | ✗ | ✓ |
| Cryptographic key ownership | Zoom | Zoom | Zoom | Zoom (partial BYOK) | You |
| Open Standard & Federation | |||||
| Open standard protocol | Proprietary | Proprietary | Proprietary | Proprietary | Matrix (open) |
| Interoperable federation | ✗ | ✗ | ✗ | ✗ | ✓ Cross-org |
| Vendor lock-in | Zoom | Zoom | Zoom | Zoom | None |
| Interchangeable clients | ✗ | ✗ | ✗ | ✗ | ✓ |
| NIS2 supply-chain compliance | Cannot satisfy | Cannot satisfy | Cannot satisfy | Cannot satisfy | Full documentation |
| EU Tech Sovereignty Package ready | No | No | No | No | Yes |
Zoom Video Communications Inc. is headquartered in San Jose, California. Every service it provides — regardless of data centre location — falls under US jurisdiction. Zoom even operates a dedicated government compliance system: its Law Enforcement Response System (LERS).
Every cloud recording stored on Zoom, and every AI Companion-generated transcript, meeting summary, smart chapter, and action item, is held on Zoom-controlled US infrastructure. A single CLOUD Act order compels Zoom to produce complete recordings and AI-derived intelligence from your most sensitive meetings — board sessions, M&A discussions, legal strategy, personnel matters — without notifying you. Zoom's own Transparency Report documents thousands of such government data requests annually.
Zoom operates a dedicated Law Enforcement Response System (LERS) — a streamlined channel specifically designed to process government data requests efficiently. While Zoom presents this as a transparency measure, LERS means US law enforcement has a purpose-built, low-friction path to your meeting data. Zoom's "Node Survivability Modules" address connectivity resilience during network outages — they are not a CLOUD Act solution. They do not change jurisdiction and provide no legal protection against compelled disclosure.
Zoom Chat — the persistent messaging component of Zoom Workplace — stores all message history, file attachments, and shared content on Zoom's US-controlled servers. Enterprise messaging contains highly sensitive operational intelligence: decision trails, document drafts, confidential attachments, and strategic discussions. Sweden's eSam, representing 34 central government agencies, concluded that this data exposure to US jurisdiction made Zoom incompatible with government use. GDPR Article 48 provides no lawful basis to resist a CLOUD Act compelled disclosure.
Saudi Arabia's Personal Data Protection Law (PDPL, Royal Decree M/19) restricts cross-border transfer of personal data outside the Kingdom without NDMO authorisation. When a US CLOUD Act order compels Zoom to produce data of Saudi users or Saudi organisations, Zoom must comply — regardless of PDPL. There is no US–Saudi bilateral executive agreement, no PDPL-compliant transfer mechanism, and no notification right. The conflict is structurally identical to GDPR Article 48: following US law means violating Saudi law, and vice versa. No Zoom contractual assurance resolves this.
Under 18 U.S.C. § 2705(b), US authorities can attach a non-disclosure order to a CLOUD Act demand, legally prohibiting Zoom from informing you that your data was requested or produced. This directly violates GDPR's transparency obligations (Articles 13–14) and eliminates any practical ability to challenge the disclosure. Your government ministry, legal team, or board may have had their most sensitive discussions reviewed by a foreign government — and the law ensures you never find out. Zoom's own Transparency Report confirms it regularly receives and complies with such requests.
In May 2026, the European Commission confirmed it is preparing its "Tech Sovereignty Package" — including the Cloud and AI Development Act (CADA) — which will propose restricting US cloud providers from processing sensitive public sector data, including financial, judicial, and health data. Under these proposals, EU government bodies may be required to use European sovereign cloud infrastructure for their most sensitive workloads. Zoom, as a US-headquartered provider, would fall directly within the scope of these restrictions. The direction of European regulation is unambiguous: US providers are being structurally excluded from sensitive public sector use.
The Matrix open standard (spec.matrix.org) delivers everything Zoom offers — meetings, messaging, voice, video, file sharing, AI, webinars — on an open, vendor-neutral protocol where your organisation controls its own server, its own data, and its own encryption keys. No Zoom, no US jurisdiction, no LERS, no CLOUD Act applicability at any layer.
Zoom was the world's meeting room during COVID. But convenience was never the same as sovereignty. Zoom's architecture requires your communications to flow through US-controlled infrastructure for every call, every recording, every AI summary — making CLOUD Act exposure a structural fact, not a manageable risk. Matrix eliminates that architecture entirely.
AMVLET is built on Element Server Suite (ESS Pro), the enterprise-grade implementation of the Matrix standard. For EU organisations subject to GDPR and the incoming CADA legislation, and for organisations in Saudi Arabia subject to PDPL, Matrix is the only architecturally sound path: a communications platform where CLOUD Act compelled disclosure is not a risk to manage — it is a structural impossibility.
Read the Matrix specification →Switch from Zoom to a sovereign communications platform that gives you every feature — without putting your most sensitive conversations under US jurisdiction or in scope for the EU's incoming Tech Sovereignty regulation.