Help

GDPR compliance at Zapier

Last updated:
Note

The content below is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you. Read more about your role and Zapier's role in GDPR.

On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect, bringing new global data protection rights for individuals in the European Union.

Zapier fully supports the privacy rights of our customers and our users and is fully GDPR-compliant. This article covers the changes that were made to comply with GDPR, as well as what you'll need to do as a user or partner of Zapier.


Changes completed at Zapier

To prepare for GDPR, Zapier has undertaken many phases of research and implemented a number of changes.

Research
As with any new regulation, Zapier has worked closely with legal and other professional counsel to understand our role under GDPR.

Policy, TOS updates and new DPAs
Zapier's privacy policy and terms of services have been updated to reflect our new compliance with GDPR. The new Data Processing Addendum is available for signatures with partners and customers as well (though you likely do not need to sign this).

Internal data audit
Zapier has reviewed all the data we collect, as well as the reasons for why we collect it, as well as which Zapier employees have access to it. We've documented and shared as much of this data publicly as possible. For example, you will see enumeration of collected data in Zapier's Data Processing Addendum.

Vendor audit
Zapier has worked through our list of vendors to ensure they are adhering to GDPR and have signed all relevant Data Processing Addendums with regards to that.

Improved data tooling
Zapier has launched some tooling extend your ability to download your data from Zapier, as well as delete it from Zapier. Much of this tooling exists today (for example, you can export your Task History) but we'll be adding even more upgrades here as we've found it to be a great product feature even beyond compliance.

You can export and delete your data in Zapier in your data management settings.

Communication
Zapier has documented and shared any pertinent changes with customers and partners. This includes emails and on the site itself, here and in the updates blog.

Ongoing process changes
This includes revamping processes for how Zapier does customer support, builds product, reports on data, and works with applicants as we grow our team. Much of this will be in the form of internal documentation, training and processes as required by GDPR.


Zapier's role in GDPR compliance

It's important to note that Zapier is acting both as a Data Controller and as a Data Processor within the realm of GDPR compliance:

As a Data Controller, you're responsible for safeguarding the data of your customers as they interact directly with services integrated with Zapier.

As a Data Processor, Zapier is responsible for safeguarding the data of our partners' and customers' users as it flows through our system.


Customers' and partners' roles in GDPR compliance

As a Zapier customer or partner, you are a Data Controller and Zapier is acting as your Data Processor for your users. In this respect, you must take the following steps leading up to May 25, 2018:

  • Ensure your Terms of Service and/or Privacy Policy are up to date.
  • If you have customers in the EU or need to be GDPR compliant, your agreement to our terms of service will be sufficient as it contains relevant addendum.
  • If you have customers in the EU or need to be GDPR compliant, you may additionally request to sign Zapier's Data Processing Addendum. This is valid for both customers and partners. Here is a sample of what Zapier's Data Processing Addendum looks like.
  • Perform your own research, modeling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
  • Be thinking about how you’ll handle consent. You should configure your Zaps and integrations to not trigger or work with users' data without proper consent.
  • Watch for updates from Zapier related to product functionality or privacy and TOS changes.

Zapier's vendors and sub-processors

Each of Zapier's vendors and sub-processors will have an executed Data Processing Addendum to ensure compliance under the EU GDPR requirements. An audited minimum relevant set of data is shared with each vendor (for example, Zapier does not send server logs to Workable):

  • AWS: the bulk of user data is hosted in AWS.
  • Stripe: payment data is maintained in Stripe.
  • Iterable: user data for email marketing is maintained in Iterable.
  • FullStory: user data for user research is maintained in FullStory.
  • HelpScout: user data for support purposes is maintained in HelpScout.
  • Slack: user and applicant data is discussed in chat in Slack.
  • Google: user, employee and applicant data is maintained in Google through products like Gmail or Drive.
  • Looker: user data for analytics purposes is maintained in Looker.
  • ClientSuccess: user data for analytics purposes is maintained in ClientSuccess.
  • BambooHR: employee data is maintained in BambooHR.
  • Small Improvements: employee data is maintained in Small Improvements.
  • Workable: applicant data is maintained in Workable.
  • Typeform: user data for surveys and forms are maintained in Typeform.
  • HelloSign: user data for legal documents are maintained in HelloSign.

To receive immediate notifications and updates for any changes in vendors or sub-processers, sign up for this email list.


Need More Help?

Contact Support

Tell us about your problem, and we’ll find you a solution or you can email support.
Get Help

Hire an Expert

We have a directory of professionals across the globe who are ready to help.
Find a Zapier Expert

Zapier Community

Connect with other Zapier users and industry professionals to get help crafting the perfect workflow.
Check out the community