HIPAA compliance requires a shared responsibility model. While ZenVideo helps enforce HIPAA requirements for covered customers, our customers are required to use our services and configure them in compliance with HIPAA requirements. See HIPAA configuration requirements for ZenVideo Enterprise.
ZenVideo Enterprise provides multiple capabilities that our customers should take advantage of when using our service under HIPAA:
Authentication: ZenVideo supports single sign-on (SSO) and two-factor authentication (2FA) to manage access and authorization for ZenVideo users. Please see ZenVideo’s guides to configure access and security, such as ZenVideo’s SSO guide and Two Factor Authentication.
Authorization
- In-depth User Management: ZenVideo allows you to set default libraries for a new user to automatically join. For more information, please see our articles on Folder Role Permissions, Enterprise Team Library, and SSO Group permissions for Enterprise teams.
- Video Privacy Settings: ZenVideo offers various privacy settings that you can configure based on the content of each video. For an in-depth understanding of ZenVideo’s video privacy settings, please see the Overview of video privacy settings and the article for step-by-step instructions on how to change the settings.
Data Protections
- Data Encryption: All ZenVideo application endpoints are encrypted and authenticated prior to the exchange or derivation of session keys. Public keys must be authenticated prior to use. All externally facing servers and applications must use a minimum of TLS 1.2 where possible.
- Data in Transit: All video and other data transmitted to ZenVideo from users is encrypted in transit using strong encryption protocols. ZenVideo supports secure channels to encrypt all traffic in transit equivalent to TLS 1.2 protocols and/or AES 256 encryption.
- Data at Rest: All data except video data within ZenVideo’s production database is encrypted at rest. Video data is encrypted where technologically feasible. All encryption keys are stored in a secure server with very limited access. ZenVideo has implemented safeguards to protect all ZenVideo user data from creation to deletion.
- Data Retention: ZenVideo’s Enterprise Data Retention Tool allows customers to customize video retention policies according to their needs and HIPAA obligations. Unless deleted earlier by a member of your account, ZenVideo will maintain your video data for ninety (90) days after your ZenVideo account is deleted. You are responsible for downloading a copy of any data you wish to retain prior to expiration or termination of your Enterprise agreement. For help obtaining copies, please contact support. If you downgrade your Enterprise account to a free or self-serve account, you must immediately remove all content that could subject ZenVideo to compliance with HIPAA.
- Data Availability: ZenVideo has established controls to respond quickly and efficiently in the event of an incident that results in a compromise of ZenVideo services. These controls have been codified through ZenVideo Security policies and procedures. They provide system-specific response teams and procedures for each type of incident. They include protocols for assessing incident severity, remediating incidents, and where necessary, notifying affected customers. ZenVideo uses cloud infrastructure, which in turn uses distributed physical data centers that can be leveraged in the event of a natural disaster or other significant event to mitigate against loss of service. Distributed locations allow for server failover in the event of location-specific disasters. Tests of failover procedures and walkthroughs of ZenVideo’s established system-specific disaster recovery plans take place annually.