Data privacy at Zapier

• Zapier login credentials are one-way PBKDF2 hashes with a workload of about 100000 iterations and HMAC-SHA256 as the underlying pseudorandom function.
• Account access credentials (like API keys for MailChimp, tokens for Salesforce, and passwords for developer apps like SAManage) held by Zapier are encrypted with AES-256 and stored in a database. Of course, Zapier has the decryption keys on hand so we can use the credentials but they are stored and maintained separately.
• All Zapier employees have access to raw HTTP logs as a part of daily support - we censor access tokens/secrets to the best of our ability. All debug logs censor account credentials (API keys, tokens, etc.) so they are not viewable in raw request logs.
• Raw low-level request logs are stored for 7 days, Task History is stored rolling for the previous three months, and is stored for approximately 90 days in S3 as backups.
• We use TLS 1.2 wherever possible (both via https://zapier.com and external API services). You can find more details here.

If you have any questions on how Zapier stores or handles your information, or if you would like a copy of Zapier Security Practices, please contact us.

Zapier has been fully GDPR compliant since May 25th, 2018. Learn how Zapier complies with GDPR.

Zapier has been fully CCPA compliant since January 1st, 2020. Learn how Zapier complies with CCPA.

Zapier does not claim HIPAA compliance, and cannot advise on how Zapier usage may or may not comply with your unique requirements.