Zapier hosts data on AWS servers located in the United States, including customers’ personal data and the data that is processed on behalf of customers.
This is due to Zapier’s data retention policy for your Zapier account:
- On the first Monday of each month, Zapier deletes old Zap Content and Zap History from your Zapier account.
- At that time, Zapier only retains Zap Content and Zap History from the current and previous month.
Before Zapier deletes your data on the first Monday of the month, Zapier retains up to 69 days of Zap Content and Zap History in your Zapier account. This includes:
- Data from up to 7 days of the current month (depending on when Monday falls).
- Data from the last month (up to 31 days).
- Data from two months ago (up to 31 days).
After Zapier deletes your data on the first Monday of the month, Zapier retains at least 29 days of Zap Content and Zap History in your Zapier account. This includes:
- Data from at least 1 day of the current month (depending on when Monday falls).
- Data from the past month (at least 28 days).
Here is an example of how this process works:
- On Sunday, March 3, your Zapier account contains data from January (two months ago), February (last month), and March (current month).
- On Monday, March 4, Zapier deletes your old account data from January (two months ago) but continues storing data from February (last month) and March (current month).
Customers on Company plans can set a custom data retention period of between 7 and 30 days for data held in their Zapier account.
Zapier does not support this option.
The European Data Protection Board (EDPB) advises that you conduct an assessment of whether or not you can transfer EU personal data on the basis of the EU Standard Contractual Clauses (SCCs). In particular, Zapier recommends the following steps:
- Consider the technical and organizational security measures included in the updated DPA. Based on the type of data you process on Zapier, determine whether these are sufficient for your use.
- Review Zapier’s Data Processing Addendum (DPA), which includes the new supplemental clauses recommended by the EDPB and incorporates the new version of the SCCs approved by the European Commission.
- Conduct a risk assessment for the transfer of personal data to the US in your use of Zapier. Information on this page and the Security and Compliance at Zapier page may be helpful for your review.
Zapier has not received any data access request from the US government under Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333.
If such a request is received, Zapier will use reasonable efforts: (1) to have the governmental authority request such data directly from you; and (2) to notify you of the request promptly, unless prohibited under the applicable law of the requesting government authority or Zapier. If prohibited from notifying you, Zapier will use reasonable efforts to obtain the right to waive the prohibition to communicate as much information to you as possible.
Does Zapier sell or market the data to third parties in any way? Will you share my data without my consent?
No, Zapier does not sell or market your data to third parties.
Taylor Vinters is Zapier’s EU Representative. You may contact them as follows:
Taylor Vinters Europe Limited
Fitzwilliam Street Lower
Dublin, Dublin, D02 Xt91
Yes, all of Zapier’s subprocessors have undergone an internal legal and security review to assess how customer information is protected, from both privacy and security perspectives.
Zapier can’t sign DPAs from other companies. However, Zapier’s DPA should be sufficient in any customer relationship with Zapier. Zapier’s DPA contains Standard Contractual Clauses (SCCs) for EU data and includes terms specific to how Zapier’s platform works.
The use of regulated healthcare and medical data, such as data regulated under HIPAA, is not supported on Zapier. Zapier also can’t sign business associate agreements (BAAs) or equivalent agreements for handling protected health information (PHI) or other similar information.
What security certifications does Zapier have and/or where can I find more information about Zapier’s security practices?
Zapier has obtained independent third-party auditor certifications with the AICPA’s SOC for Service Organizations, SOC 2 Type II and SOC 3. Please review the Security and Compliance at Zapier page for more information about these certifications and Zapier’s security practices.