GDPR and Zapier: What You Need to Know
At Zapier, we treat users' data with utmost respect—as technologists, we support online privacy and movements like net neutrality—which is why we're wholeheartedly in support of GDPR. However, we won't lie: Getting ready for GDPR compliance wasn't a walk in the park. We'd like to share some of how we've approached compliance, and how we're helping you (our customers and partners) stay compliant with these privacy regulations.
Zapier isn't quite like other services. We don't generate revenue from selling ads (like many social networks) or from selling user data. Our service provides automations between your apps.
So the most complicated aspect for Zapier with respect to GDPR is that we touch a lot of data across thousands of APIs (of course, only as directed by the user) as a part of our automation offering. That means for this privacy audit we had to take into consideration the effect on users, partners, developers, vendors, and their interactions with Zapier. It got a little complex, but let's cover the basics!
Zapier as Processor, User as Controller
The biggest relationship we manage and the bulk of our activity is likely this: Users acting as Controllers and Zapier acting as a Processor.
For example, let's say a user creates a web form using a service like Typeform which has First Name, Last Name, and Email Address fields for collecting leads. They also have a CRM (customer relationship manager) service like Pipedrive set up for their sales team. They use Zapier to help automatically take form submissions and move them into their CRM. In this case Typeform, Pipedrive, and Zapier are all Processors under GDPR.
Zapier also uses a variety of Sub-Processors. The most relevant ones are well-known services like Amazon Web Services (our hosting provider) or Stripe (our payments provider). We strive to minimize the amount of data each Sub-Processor has access to (for example, due to the nature of our software product, AWS handles all user data but Stripe only handles a minimum set of billing data). We've executed all the necessary Data Processing Addendums and will work with Sub-Processors to maintain compliance.
How to Comply with GDPR as a Controller
As a Controller, you have a couple things you'll want to consider. Gentle reminder: This isn't legal advice, so talk to your attorney!
Agreements
Review our Terms of Service and optionally sign the additional Data Processing Addendum: In preparing for GDPR we updated our user terms of service and developer terms of service.
If you've accepted the agreements above, you do not need to sign the additional Data Processing Addendum. However, if you need an electronic copy for your records we do provide an automated mechanism to execute and e-sign the Data Processing Addendum.
Audit Your App Connections
Connect approved apps and configure Zaps mindfully. Since we only store and transfer data that you configure Zapier for, the first step is to only connect apps to Zapier that you have a compliant relationship with.
Audit Your Zaps
The next step is to minimize the data Zapier is configured to trigger on. In a practical sense, this means avoiding Zap triggers that pull in lots of data and/or filter the data you're pulling in a later step—minimize the data a Zap touches. That's just best practices for any service you use.
For example, in Gmail, use the "New Email Matching Search" trigger instead of the "New Email" trigger with a later Filter step to keep the data that's pulled in focused on just what you need (also, you'll save money this way!). Or, if you are going to send alerts into a service like Slack, think carefully about what data you want to include in that alert text.
Use Zapier's Tools
Finally, become familiar with our delete tools. While you can always delete your entire account (which means we will delete all of your data), if you visit your Task History, you'll have access to a delete tool that allows you to remove data records Zapier has handled on your behalf.
This allows you to select particular Tasks through the filters that include facets like Zap, date, and even free text.
We also ofter coarser but more complete options like deleting all data and exporting all data. Visit the Security page in Settings to manage your data.
You can learn about this feature in our documentation.
Zapier as a Controller
In addition to being a Processor, Zapier also acts as a Controller. That means we will manage your personal data—the details of which are available in our user terms of service.
Today, we allow anyone to delete their account as well as any Task in their Task History, which might contain personal information. Deleting your account also deletes or anonymizes all personal data we might have collected (except for things we must keep for other compliance, like billing records in order to pay taxes, etc.). We also plan to offer more powerful tooling next week around deleting specific data in your account.
We also support the exporting of your Task History (which we've opened up to all users, paid or not). And next week we will be shipping a more comprehensive export tool that will cover all data we track. In the meantime, you can contact us with any requests!
You can read more about our GDPR and Zapier at https://zapier.com/help/gdpr/, or shoot us an email at contact@zapier.com if you have other questions. We're happy to help!
About the Author
Bryan Helmig is a co-founder and CTO at Zapier, jazz/blues musician and fine beer and whiskey lover.