GDPR#

Obligatory disclaimer: The content below is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.

On May 25th, 2018, the EU General Data Protection Regulation (GDPR) will go into effect, bringing new global data protection rights for individuals in the European Union.

You can read about your and our role in GDPR, as well as a little background on our journey on our updates blog!

We at Zapier wholeheartedly support the privacy rights of our customers and our users and are proactively working toward GDPR compliance by May 25th, 2018.

Read along for some of the changes we're making, as well as what you'll need to do as a customer or partner of Zapier.

Update for May 2nd, 2018: We are making progress on all product changes and compliance efforts and expect to be fully compliant by the 25th of May. Our vendor and internal data audit is complete. Our advanced export and deletion work is coming along quickly, and you can already export your task history and delete your account today. We've received updated drafts of the new Terms of Service as well as new DPAs from our attorneys and expect these to be finalized and shared shortly.

Update for May 21st, 2018: We have final copies of the new Terms of Service and Privacy Policy from our attorneys, and they should go live mid-week. We also have a final copy of our DPA with Zapier as a Processor (which should cover both customers and partners as sub-processors), which should be available mid-week as well. Check this page for any more updates this week!

Update for May 24th, 2018: New terms of service are now available; you can find both our user terms of service and our developer terms of service. In short order we'll put out a comprehensive post about Zapier's and our customers' roles in GDPR.

Update for May 25th, 2018: We've completed the bulk of our compliance work, though we'll continue to make improvements. You can read about your and our role in compliance, as well as a little background on our GDPR journey here!

Changes Completed At Zapier#

To prepare for GDPR, we have undertaken many phases of research and implemented many changes -- some small, some larger. You can read about those changes here and in our updates blog on the same topic.

Research#

As with any new regulation, we worked closely with legal and other professional counsel to understand our role under GDPR.

Policy, TOS Updates and New DPAs#

Our privacy policy and our TOS have been updated to reflect our compliance with GDPR. The new Data Processing Addendum is also available for signature by partners and customers (though you likely do not need to sign it).

Internal Data Audit#

We've reviewed all the data we collect, the reasons we collect it, and which Zapier employees have access to it. We've documented and shared as much of this publicly as possible. For example, in our Data Processing Addendum you will see our enumeration of collected data.

Vendor Audit#

We've worked through our list of vendors to ensure they are adhering to GDPR and have signed all relevant Data Processing Addenda with them.

Improved Data Tooling#

We've launched tooling to extend your ability to download your data from Zapier, as well as to delete it from Zapier. Much of this tooling exists today (for example, you can export your Task History), but we'll be adding more upgrades here, as we've found it to be a great product feature even beyond compliance.

You can export and delete your data in Zapier; read more about your options here.

Communication#

We've documented and shared all pertinent changes with customers and partners. This includes emails as well as notices on the site itself, here and in the updates blog.

Ongoing Process Changes#

These include revamping the processes for how we do customer support, build product, report on data, and work with applicants as we grow our team. Much of this will take the form of internal documentation, training and processes as required by GDPR.

Zapier's Role in GDPR Compliance#

It is important to note that Zapier is acting both as a Data Controller and as a Data Processor within the realm of GDPR compliance:

As a Data Controller, you are responsible for safeguarding the data of your customers as they interact directly with services integrated with Zapier.

As a Data Processor, Zapier is responsible for safeguarding the data of our partners' and customers' users as it flows through our system.

Customer's and Partner's Role in GDPR Compliance#

As a Zapier customer or partner, you are a Data Controller and Zapier is acting as your Data Processor for your users. In this respect, you’ll want to take the following steps leading up to May 25th, 2018:

  • Ensure your Terms of Service and/or Privacy Policy are up to date.
  • If you have customers in the EU or need to be GDPR compliant, your agreement to our terms of service will be sufficient, as it contains the relevant addendum.
  • If you have customers in the EU or need to be GDPR compliant, you may additionally request to sign our Data Processing Addendum. This is valid for both customers and partners. Here is a sample of what our DPA looks like.
  • Perform your own research, modeling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
  • Be thinking about how you’ll handle consent. You should configure your Zaps and integrations to not trigger or work with users' data without proper consent.
  • Watch for updates from Zapier related to product functionality or privacy and TOS changes.

Our Vendors / Sub-Processors#

Each of our Vendors / Sub-Processors will have an executed DPA to ensure compliance under the EU GDPR requirements. An audited minimum relevant set of data is shared with each vendor (for example, we do not send server logs to Workable):

  • AWS -- the bulk of user data is hosted in AWS.
  • Stripe -- payment data is maintained in Stripe.
  • Iterable -- user data for email marketing is maintained in Iterable.
  • FullStory -- user data for user research is maintained in FullStory.
  • HelpScout -- user data for support purposes is maintained in HelpScout.
  • Slack -- user and applicant data is discussed in chat in Slack.
  • Google -- user, employee and applicant data is maintained in Google through products like Gmail or Drive.
  • Looker -- user data for analytics purposes is maintained in Looker.
  • ClientSuccess -- user data for analytics purposes is maintained in ClientSuccess.
  • BambooHR -- employee data is maintained in BambooHR.
  • Small Improvements -- employee data is maintained in Small Improvements.
  • Workable -- applicant data is maintained in Workable.
  • Typeform -- user data for surveys and forms is maintained in Typeform.
  • HelloSign -- user data for legal documents is maintained in HelloSign.

If you'd like immediate notifications and updates for any changes in sub-processors, you can sign up for an additional email list here.
