Security and Compliance

Compliance at Zapier

We take compliance seriously and understand its significance to both our customers and partners. For this reason, Zapier has obtained independent third-party auditor certifications with the AICPA's SOC for Service Organizations, SOC 2 Type II and SOC 3.

You can request our SOC 2 Type II report through our Help & Support page and download our SOC 3 report here.

Security best practices at Zapier

We take pride in our information security program and are dedicated to its continual improvement.

User account security

Product access control

Only a subset of Zapier's personnel has access to Zapier's products and customer data through controlled interfaces. This limited access allows us to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security.

Authentication resources

We offer two-factor authentication (2FA) and SAML integration with external identity providers.

Encryption

Zapier uses 256-bit AES encryption at rest in addition to securing network communication with TLS 1.2 for encrypting data in transit.

Change management

Every pull request goes through a peer code review, whether it's a new feature or bug fix. Security reviews are performed as appropriate for the work.

We run regular code audits for security.

We use GitLab for our CI tooling for continuous integration and delivery. Every merged PR is automatically subjected to a pipeline of rigorous tests and analysis as appropriate for the code being merged.

We perform robust unit testing and regular penetration testing.

Cloud security

Zapier utilizes Amazon Web Services (AWS) as its cloud service provider. We also leverage AWS's security and compliance controls for data center physical security and cloud infrastructure. More information about this service provider can be found on the AWS Security Cloud website.

Monitoring & logging

Availability: We have globally-distributed SRE and Security teams on-call 24/7. To ensure users have real-time service availability updates, Zapier also maintains a Status page.

Logging: We keep a comprehensive log of all user and Zap activities. Zap activities are logged internally for troubleshooting and support only. Zapier users can also see a summary of their Zap activities in their Zap History.

Vulnerability management

Threat detection

We have enabled threat detection software and enforce continual threat modeling exercises to identify and plan for any vulnerabilities in our environment.

External penetration testing

Zapier undergoes an external penetration test by an independent third party on an annual cadence, at minimum.

Security bug bounty program

Zapier's security exploit bug bounty program acknowledges and rewards the work independent security researchers do by flagging vulnerabilities Zapier might not be aware of. We look at each vulnerability on a case-by-case basis.

If you find something to report, please keep these three key points in mind:

  1. Please let us know about any vulnerabilities as soon as possible.
  2. Don't test against Zapier users' private data.
  3. We welcome the opportunity to work together and close the vulnerability before it's revealed to others.
