# Technical Design

## Technology Stack

Describe in detail the technology stack used by your application. This should include:

- Programming languages and frameworks
- Third-party libraries, SDKs, and dependencies (with versions, if possible)
- External and internal APIs the app uses or exposes
- Any infrastructure or platforms the app relies on (e.g., cloud services, databases, hosting providers)

We require this information to accurately assess the security posture of your app during the review process.

## Architecture Diagram

Provide an architectural diagram of your application, along with additional flow diagrams where applicable. This should illustrate:

- All services and components that interact with Zoom
- Databases, servers, and third-party applications essential for your app's functionality

This information is required to help us understand your app's design and assess its security posture during the review process.

## Application Development

To obtain approval for a publishable or beta URL, the following documents are mandatory: SSDLC documentation, SAST/DAST reports, and a penetration test report. If you are publishing your application on the Marketplace, additional evidence documents are not required, but they may be included as supplemental evidence to support your submission.

## Security

The security team evaluates the attestations developers make on the following security questions.

Question 1 - **Ensuring Secure Transmission of Zoom User Data**

To protect Zoom user data, your app must ensure all network traffic is encrypted using TLS 1.2 or higher.

Question 2 - **Verifying Event Notification Integrity with Secret Tokens**

Zoom employs secret tokens as a mechanism to authenticate event notifications, ensuring they originate from Zoom's servers. We strongly recommend implementing these tokens to verify message integrity and prevent spoofing in your integration.

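
One way to perform the verification Question 2 describes, as an added example that is not part of the original page and is not Zoom's own code. It assumes an HMAC-SHA256 signature over `v0:<timestamp>:<raw body>`, keyed with the secret token and delivered in `x-zm-signature` and `x-zm-request-timestamp` headers; those names, the five-minute freshness window, and the sample values are assumptions not stated on this page.

```python
import hashlib
import hmac
import time

# Assumed layout (not stated on this page):
#   x-zm-request-timestamp: <unix seconds>
#   x-zm-signature: v0=<hex HMAC-SHA256 of "v0:<timestamp>:<raw body>">
MAX_SKEW_SECONDS = 300  # assumption: reject notifications outside a 5-minute window


def sign(secret_token: str, timestamp: str, raw_body: bytes) -> str:
    """Compute the signature a genuine sender would attach to this body."""
    message = b"v0:" + timestamp.encode() + b":" + raw_body
    digest = hmac.new(secret_token.encode(), message, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_notification(secret_token, headers, raw_body, now=None):
    """Return True only if the signature matches and the timestamp is fresh.

    `headers` is a dict with lower-cased names; `raw_body` must be the exact
    bytes received, before any JSON parsing or re-serialisation.
    """
    timestamp = headers.get("x-zm-request-timestamp", "")
    received = headers.get("x-zm-signature", "")
    if not received:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False  # stale or replayed notification
    expected = sign(secret_token, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample data, not captured from a real integration.
SECRET = "example-secret-token"
BODY = b'{"event":"meeting.started","payload":{"object":{"id":"123"}}}'
TS = "1700000000"
HEADERS = {"x-zm-request-timestamp": TS, "x-zm-signature": sign(SECRET, TS, BODY)}
```

Verify against the raw request bytes: many web frameworks hand the handler a parsed body, and re-serialising it can change whitespace or key order and break the comparison.
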
Question 3 - **Encryption of Collected and Retained Zoom Information**

If your application collects, stores, logs, or retains Zoom user data, including Zoom OAuth tokens, you must ensure that all of this information is encrypted.