Security at Zapier

We take the security of your data seriously. Learn more about how Zapier protects your data.

Privacy at Zapier

For specific details on privacy at Zapier, refer to Zapier's Privacy Policy.

GDPR

Zapier has been fully GDPR compliant since May 25th, 2018. Learn how Zapier complies with GDPR.

CCPA

Zapier has been fully CCPA compliant since January 1st, 2020. Learn how Zapier complies with CCPA.

HIPAA

Zapier does not claim HIPAA compliance, and cannot advise on how Zapier usage may or may not comply with your unique requirements.

Reliability at Zapier

• Hosting infrastructure: Hosted within the AWS Cloud, Zapier benefits from the comprehensive security controls in - place to secure our servers physically and virtually.
• Status page: Zapier has processes in place to ensure you can always get a real-time update on the Status page.

We're committed to handling our user and partner data securely, so we're actively pursuing SOC 2 Type II certification in 2020. The SOC 2 (System and Organization Controls) Type II report is a globally-recognized security measure that rates a service provider's compliance with security, availability, and confidentiality best practices.

Product and Data Safeguards

• Accounts and Access Controls
• Two factor authentication (2FA)
• SAML integration with external identity providers

Customer Data

• 256-bit AES Encryption
• Strict access controls
• All network communication secured with TLS 1.2
• Shared Zaps are sanitized of all identifying or proprietary information before others are given access

Hosting

Hosted within the Amazon cloud, Zapier benefits from the comprehensive security controls in place to secure our servers physically and virtually (https://aws.amazon.com/security/)

Threat Detection and Management

• Integration with AWS GuardDuty threat detection and monitoring service
• Fleetwide audit logging

Audit & Logging

Zapier maintains a comprehensive log of all user and Zap activities. Zap activities are extensively logged internally for troubleshooting and support, and presented in summary in the Task History to inform users directly.

Quality Controls

• Peer code reviews: every pull request is reviewed by peers, whether it’s a new feature or bug fix. Security reviews are performed as appropriate for the work.
• Regular code audits for security.
• Continuous Integration and Delivery: we use GitLab for our CI tooling. Every PR that is merged is automatically subjected to a pipeline of rigorous tests and analysis as appropriate for the code that is being merged.
• Robust unit testing
• Regular penetration testing

Zapier Bug Bounty

Zapier’s Security Exploit Bug Bounty Program acknowledges the work independent security researchers do by flagging vulnerabilities we might not be aware of with a discretionary reward system: there’s no maximum amount; Zapier looks at each vulnerability on a case by case basis.

Three key points to keep in mind as and when you find something to report:
- Let us know as soon as you can.
- Don’t test against our users’ private data.
- Give us the opportunity to work together and close the vulnerability prior to revealing the vulnerability to others.