Vimeo offers a secure video hosting solution designed for HIPAA-regulated customers. We enter into Business Associate Agreements (BAA) with covered entities and business associates on eligible Vimeo Enterprise plans. For more details, see HIPAA Compliance for Vimeo Enterprise.

Vimeo Enterprise is hosted on Google Cloud Platform with servers primarily located in the United States. Our infrastructure operates across multiple global regions to ensure optimal performance and compliance options.

For European customers, Vimeo Enterprise offers EU data residency solutions to meet GDPR compliance requirements, ensuring your data remains within European data centers when needed.

Vimeo’s Privacy Policy and Enterprise Data Processing Addendum explain the information that Vimeo collects when you use our products and services, how that information is used, with whom it may be shared, and your privacy choices.

Please see this list of our current sub-processors below.

Vimeo enforces machine-based authentication to ensure consistent security access controls.

All Vimeo users, both within and outside Vimeo’s network, must be authenticated, authorized, and validated for security configuration and posture before gaining or maintaining access to applications and customer data.

Vimeo enforces single sign-on with multi-factor authentication (MFA) for access to internal systems that store customer data.

Vimeo implements role-based access controls when provisioning access to internal systems.

Employees and contractors are only permitted to access data to fulfill their job roles and responsibilities.

Access reviews for critical systems are conducted on a quarterly basis.

Vimeo has established controls to respond quickly and efficiently in the event of an incident that results in a compromise of Vimeo services.

Vimeo maintains a status page to update customers on any outages.

Vimeo uses cloud infrastructure, which in turn uses distributed physical data centers that can be leveraged in the event of a natural disaster or other significant event to mitigate against loss of service. Distributed locations allow for server failover in the event of location specific disasters.