All apps submitted for publication on the Zoom App Marketplace undergo a dedicated review process before they can be made available for public installation. Once an app has been submitted, the Zoom Marketplace team will conduct the review independently and work with the developer on any additional requirements.
Review time varies by app based on app quality, usability, quantity and function of features, and metadata quality (descriptive content). Testing time is typically the shortest for apps with properly defined scopes and quality metadata. Conversely, apps with heavy feature requirements, poor usability, or sub-standard metadata content can require a lengthy review process.
During Submission Review, the Publishable URL can be used to directly distribute the app to users on the developer’s account; however, the app will not be discoverable in the Marketplace until it has been approved.
When an app has been approved, the Zoom Marketplace team will notify the developer of successful approval and public availability of the app.
Fill out this form prior to submitting your app so that you can assess your app in its current state. Once you complete the assessment, you will receive an email with a link to an auto-generated App Review Report highlighting existing issues and recommendations on how to resolve those issues.
Note: Submission Reviews are only required for Public apps available for any Zoom user to install. Private apps do not require Submission Review.
Functional and usability testing
After submission, all apps undergo functional and usability testing to check for user experience issues and technical errors as well as for functional or business logic issues. During functional and usability testing, apps are reviewed for the following criteria:
- Installation / Uninstallation process
- User sign-up process
- Configuration settings
- User Experience; ease of use
- Available Support, Documentation, Feedback options
- App Deauthorization is clear and adheres to Data Compliance requirements.
Security and compliance review
All Zoom Marketplace apps are subject to a security and compliance audit encompassing a multi-part review intended to maintain customer security, integrity and resilience of the ecosystem as a whole.
Once you have submitted your app for review, after a successful functional review and prior to the publication of your app on the Zoom App Marketplace, the App Security team at Zoom will conduct a security and compliance review of your app.
The App Security team may, in its discretion, communicate with you regarding changes that you might have to make in order for your app to pass the security review; provided, however, that the results of the security review are confidential and may not be shared with third parties without Zoom’s prior written consent. Your app will not be approved on the Zoom App Marketplace unless it passes the security and compliance review. Learn more about our security best practices here.
This security and compliance review program is divided into two parts.
Part 1: Vendor attestation via technical design document
Part 2: Focused security testing of the application to ensure Zoom data security
Program overview: Review methodology
All Zoom Marketplace apps are subject to this two-part review and must receive a PASS result in order to be considered for publishing on the Zoom App Marketplace.
a. Part 1 - Vendor attestation
Part 1 is based upon the concept of “self-attestation,” where vendors (app submitters) answer a series of security and privacy-related questions pertaining to their application.
In order to submit vendor attestation, you must complete the full Technical Design Document: Security and Privacy Compliance Review and attest to its accuracy. Please download this document, fill it out, and send the completed document to firstname.lastname@example.org.
Submission of an application for acceptance into the Zoom Marketplace must be accompanied by a complete Technical Design Document (TDD).
b. Part 2 - Focused security testing
The App Security Team will conduct focused security testing of the application to ensure Zoom data security. The team will verify that the application complies with acceptable use criteria for handling Zoom user data.
The testing is focused on Zoom Data handling, including but not limited to:
- Zoom OAuth implementation
- Sensitive data exposure
- Broken access control
We will not engage in any load testing, intrusive penetration testing, or DoS/DDoS testing.
c. Reporting and analysis of review results
Each review results in an overall decision, either PASS or FAIL.
A FAIL result means that the developer is violating the acceptable use criteria, as will be clear from the report, and that the reviewer recommends the subject application be rejected in its current state.
WARNINGS are reported to the vendor for analysis and consideration. An application with zero FAILs but one or more WARNINGS receives a PASS.
For Part 1 of the review, an overall PASS result means that the attested TDD meets acceptable use criteria. Additionally, a PASS result for Part 2 assessment means that the application passes the minimum requirement for securely handling Zoom data.
Applications must receive a PASS result to be considered for publishing on the Zoom App Marketplace.
Zoom may PASS, FAIL, and/or approve an app for publication on the Zoom App Marketplace in its sole discretion.
The App Security team will continue reviewing any previously submitted Security Assessment Questionnaires for Zoom Marketplace Apps that are currently under review (or may be reviewed) until December 31, 2020. Beginning January 01, 2021, the App Security team will discontinue support for the Security Assessment Questionnaires and all vendors will be required to attest to the Technical Design Document: Security and Privacy Audit.
Disclaimer: Security and Compliance Reviews are not meant to be exhaustive security/penetration testing of an application. A security review by Zoom shall not be deemed a warranty or certification of your application. This report is not to be used (in any direct or indirect form) to market this app as security tested or certified by Zoom. While the results of this test will provide a reasonably accurate view of the current security level of the tested app, Zoom is not liable or responsible if the security review fails to discover security or configuration issues of the application.
If an app does not meet the standards required for Marketplace publication, the Marketplace team will deny the request for publication. Even though a submission may be denied, the Zoom Marketplace team may, in its discretion, work directly with developers to assist in re-submitting the application and address requirements to pass submission.