Zapier Security and Data Privacy Guide for Businesses

Learn key facts about Zapier's security and data privacy to protect your business information effectively.

By Jesus Vargas

Updated on Jun 12, 2026

Zapier security and data privacy requirements are a business responsibility, not an IT afterthought. Zapier sits between your CRM, payment systems, HR platforms, and accounting software -- and every Zap that runs carries customer information, financial records, or employee data across Zapier's infrastructure before it reaches its destination.

Before automating business data with Zapier, every business needs a clear understanding of what data flows through the platform and what regulatory obligations that creates. This is particularly important for EU businesses operating under GDPR, US businesses subject to CCPA or HIPAA, and any organization processing sensitive personal or financial data at scale.

Key Takeaways

  • Zapier is SOC 2 Type II certified: Zapier's security and data privacy practices are audited annually against SOC 2 Type II standards -- covering security, availability, and confidentiality controls.
  • Data passes through Zapier's infrastructure: When a Zap runs, trigger data passes through Zapier's servers before reaching the action app -- it is not a direct peer-to-peer connection between your tools.
  • Task history stores trigger data: Zapier's task history retains the data from each Zap run for 90 days -- this includes customer names, email addresses, order amounts, and any other fields in the trigger payload.
  • AI steps send data to OpenAI: When you use AI by Zapier steps, the prompt content (including dynamic data from your trigger) is sent to OpenAI's API -- this has GDPR and data processing implications for EU businesses.
  • GDPR compliance requires a Data Processing Agreement: EU businesses using Zapier for personal data processing must execute a Data Processing Agreement with Zapier -- required under GDPR Article 28.

Why Does Security Matter When Automating Business Data?

Every Zap is a data pipeline. Automation that routes customer, financial, or employee data between tools must meet the same data protection standards as the tools themselves -- and in many cases it is more complex than a direct tool-to-tool connection, because the data passes through a third-party service in transit.

The risk of uninspected data flows is real. Teams that build Zaps quickly without reviewing what data passes through them may inadvertently route PII, financial data, or sensitive business information through channels that do not meet their compliance requirements. Zapier's task history feature stores trigger payloads for 90 days -- every field in the trigger data is retained, including any personal data present in the payload. This is the most important and least understood aspect of Zapier's data handling.

  • Third-party processor obligations: Under GDPR, CCPA, and similar regulations, every service that processes personal data on your behalf must be evaluated and, where required, covered by a formal agreement.
  • Task history retains personal data: Customer names, email addresses, payment amounts, and any other fields in a trigger payload are retained in Zapier's task history for 90 days -- a fact most businesses do not realize until it becomes a compliance concern.
  • Data flows must meet the same standards as the tools: A CRM that is GDPR-compliant does not make the Zapier integration connecting it GDPR-compliant -- the integration must be evaluated separately.
  • Uninspected data flows create regulatory exposure: A data breach involving customer data routed through an unreviewed automation tool creates the same regulatory liability as a breach in your primary system.

What Security Certifications and Controls Does Zapier Have?

Zapier's security posture is robust for most standard business use cases. Its primary certification and controls as of 2026:

SOC 2 Type II: Zapier is annually audited against SOC 2 Type II standards -- the most widely recognized security certification for SaaS platforms. This covers security, availability, processing integrity, confidentiality, and privacy trust service criteria. An annual audit confirms these controls are operating effectively, not just designed correctly.

  • Encryption at rest and in transit: Zapier encrypts data at rest using AES-256 and in transit using TLS 1.2 or higher -- industry-standard encryption for both states.
  • Two-factor authentication: Zapier supports 2FA for user accounts; SSO via SAML 2.0 is available on the Company plan for enterprises requiring single sign-on integration.
  • Connected app credential security: OAuth tokens and API keys used to connect Zapier to other apps are encrypted and stored separately from task data -- reducing risk if one data category is compromised.
  • Annual penetration testing: Zapier conducts annual third-party penetration tests covering both external and internal testing scenarios.
  • AWS infrastructure: Zapier uses AWS infrastructure in the US and EU -- data residency options are more limited than enterprise-focused platforms with more granular regional controls.

Verify Zapier's current certification status directly on its security page -- ISO 27001 status in particular may have changed since this article was written.

Which Data Types Flow Through Zapier and What Are the Risks?

Understanding what data your Zaps carry is the first step in assessing compliance obligations. Different data types carry different regulatory sensitivity.

A Shopify-to-Zapier integration routes customer names, email addresses, order details, and shipping addresses through Zapier's infrastructure -- all of which constitutes personal data under GDPR and potentially CCPA. This is a common integration and a common compliance gap.

  • CRM data: Customer names, email addresses, phone numbers, and company details are PII subject to GDPR and CCPA -- every Zap touching CRM data requires a Data Processing Agreement.
  • Payment data: Order amounts, payment status, and billing details from Stripe or Shopify carry financial data sensitivity -- confirm Zapier's handling meets PCI-DSS requirements if applicable.
  • HR and employee data: New hire details, salary information, and employment records are highly sensitive under data protection law and employment regulations -- treat these Zaps with the same caution as your HR system itself.
  • Health data: Any Zap routing data from healthcare tools or forms that includes health information is subject to HIPAA in the US -- Zapier does not sign Business Associate Agreements, which has significant implications (covered in the compliance section below).
  • The task history risk: Every data field in a Zap's trigger payload is stored in Zapier's task history for 90 days -- audit your active Zaps to understand what personal data is being retained and whether task history should be disabled for sensitive workflows.

How Do AI Steps in Zapier Affect Data Privacy?

AI by Zapier steps introduce a data privacy layer that many businesses overlook. When you use AI steps in Zapier workflows, any dynamic data from your trigger that is included in the prompt is sent to OpenAI's API -- adding OpenAI as a sub-processor in your data flow.

Every AI step in a Zap creates a data flow to OpenAI that must be documented in your data processing records. This adds a layer of sub-processor complexity to data governance that is easy to miss when building AI-enhanced automation workflows.

  • Data sent to OpenAI on every AI step execution: The prompt content -- including any customer names, email content, or form responses mapped into the prompt -- is sent to OpenAI's API each time the step runs.
  • OpenAI API data usage policy: OpenAI does not use API data to train its models by default (as of 2024) -- verify the current policy directly with OpenAI before including sensitive data in AI step prompts.
  • GDPR sub-processor obligations: If you are an EU business and your AI step prompts include personal data, OpenAI is a sub-processor under your DPA with Zapier -- your DPA must cover this sub-processor chain.
  • Data minimization principle: Only include the minimum data necessary in AI step prompts -- if classification requires only an email subject line, do not include the full email body or customer name in the prompt.
  • Prohibited data in AI steps: Health data (HIPAA), financial account data, passwords, government ID numbers, and special category personal data under GDPR should never be included in AI step prompts under any circumstances.
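The data-type audit in the previous section and the data minimization bullets above both come down to the same two operations: knowing which categories of data each Zap's trigger fields carry, and controlling which of those fields reach an AI-step prompt. The script below is an added example written for this guide; it is not Zapier's code or LowCode Agency's. It classifies the trigger fields of a constructed Zap inventory into data categories, derives the DPA, task-history, BAA and sub-processor findings described in the article for each Zap, and builds an AI-step input from a trigger payload using a field allowlist plus value redaction. The inventory structure, the field-name keyword lists and the redaction patterns are assumptions for the example (Zapier's real export format is not used), so extend them with the field names your own trigger apps emit.

```python
import re

# Field-name keywords mapped to a data category. Constructed heuristic for
# this example; extend it with the field names your own trigger apps emit.
CATEGORIES = {
    "pii": ("name", "email", "phone", "address", "customer"),
    "financial": ("amount", "card", "iban", "payment", "billing", "total"),
    "health": ("diagnosis", "medical", "health", "patient", "prescription"),
    "credential": ("password", "token", "api_key", "secret"),
    "government_id": ("ssn", "passport", "national_id", "tax_id"),
}

# Categories the article says must never be mapped into an AI-step prompt.
PROHIBITED_IN_AI = {"health", "financial", "credential", "government_id"}

# Value-level patterns scrubbed from text that does reach the prompt
# (constructed, illustrative: emails, 13-16 digit card-like numbers, SSN-like tokens).
VALUE_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]


def classify_field(field_name):
    """Return the data category a trigger field name suggests, or None."""
    lowered = field_name.lower()
    for category, keywords in CATEGORIES.items():
        if any(keyword in lowered for keyword in keywords):
            return category
    return None


def audit_zap(zap):
    """Produce a RoPA-style record and a list of findings for one Zap.

    `zap` is a constructed dict with name, trigger_app, action_apps,
    trigger_fields, task_history (bool) and ai_step_fields (fields mapped
    into an AI by Zapier prompt). This is not Zapier's export format.
    """
    categories = {}
    for field in zap["trigger_fields"]:
        category = classify_field(field)
        if category:
            categories.setdefault(category, []).append(field)

    findings = []
    if categories:
        findings.append("personal or sensitive data flows through Zapier: DPA required")
        if zap.get("task_history", True):
            findings.append("task history retains these fields for 90 days: review retention")
    if "health" in categories:
        findings.append("health data present: Zapier signs no BAA, do not route PHI")

    sub_processors = ["Zapier"]
    if zap.get("ai_step_fields"):
        sub_processors.append("OpenAI")  # every AI step adds OpenAI to the chain
        for field in zap["ai_step_fields"]:
            category = classify_field(field)
            if category in PROHIBITED_IN_AI:
                findings.append(f"prohibited category '{category}' mapped into AI prompt via '{field}'")
            elif category:
                findings.append(f"personal data field '{field}' sent to OpenAI: document the sub-processor")

    return {
        "zap": zap["name"],
        "apps": [zap["trigger_app"], *zap["action_apps"]],
        "data_categories": categories,
        "sub_processors": sub_processors,
        "findings": findings,
    }


def minimize_for_ai(payload, allowlist):
    """Build the AI-step input from a trigger payload.

    Only allowlisted fields pass, allowlisted fields in a prohibited category
    are dropped anyway, and surviving values are scrubbed of email addresses,
    card-like numbers and SSN-like tokens.
    """
    minimized = {}
    for field in allowlist:
        if field not in payload or classify_field(field) in PROHIBITED_IN_AI:
            continue
        value = str(payload[field])
        for label, pattern in VALUE_PATTERNS:
            value = pattern.sub(f"[{label} redacted]", value)
        minimized[field] = value
    return minimized


# Constructed sample inventory and payload of the kind the article describes.
SAMPLE_ZAPS = [
    {"name": "Shopify order -> HubSpot contact", "trigger_app": "Shopify",
     "action_apps": ["HubSpot"], "task_history": True, "ai_step_fields": [],
     "trigger_fields": ["order_id", "customer_name", "customer_email",
                        "shipping_address", "order_total"]},
    {"name": "Intake form -> AI triage -> Slack", "trigger_app": "Typeform",
     "action_apps": ["AI by Zapier", "Slack"], "task_history": True,
     "trigger_fields": ["submission_id", "subject", "message_body",
                        "patient_notes", "contact_email"],
     "ai_step_fields": ["subject", "message_body", "patient_notes"]},
]
SAMPLE_PAYLOAD = {
    "submission_id": "f-1042",
    "subject": "Refund request for order 8811",
    "message_body": "Hi, please contact me at jane.doe@example.com, "
                    "card 4111 1111 1111 1111 was charged twice.",
    "patient_notes": "constructed health text that must never reach the prompt",
    "contact_email": "jane.doe@example.com",
}

if __name__ == "__main__":
    for sample in SAMPLE_ZAPS:
        record = audit_zap(sample)
        print(record["zap"], "->", record["sub_processors"])
        for finding in record["findings"]:
            print("  -", finding)
    print(minimize_for_ai(SAMPLE_PAYLOAD, ["subject", "message_body", "patient_notes"]))
```

Run it as-is to see the two sample audits and the minimized prompt input; in practice you would feed it a list built from your own Zap inventory. The per-Zap record (apps, data categories, sub-processors) maps directly onto a RoPA entry, and a Zap whose findings are empty is one that carries no personal data by this heuristic and therefore does not need the DPA and task-history review the article calls for.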

What GDPR and Compliance Requirements Apply to Zapier?

EU businesses using Zapier for any Zap that processes personal data must address several specific compliance requirements:

GDPR Article 28 requires that data processors -- including Zapier, when it processes personal data on behalf of an EU business -- be covered by a Data Processing Agreement. Zapier's DPA is available in their legal documentation. EU businesses should execute the DPA and retain a signed copy as part of their GDPR compliance records before using Zapier for any personal data processing.

  • Records of Processing Activities: Every Zapier data flow involving personal data should be documented in your GDPR RoPA -- including which data categories flow, which apps are connected, and the legal basis for processing.
  • Data subject rights and task history: If a customer requests deletion of their data, personal data stored in Zapier's task history must be addressed as part of the response -- coordinate with your Zapier admin.
  • CCPA applicability: US businesses subject to CCPA should evaluate whether Zapier's data handling meets CCPA service provider requirements -- Zapier's privacy policy and DPA cover CCPA obligations.
  • HIPAA critical note: Zapier does not sign Business Associate Agreements as a standard product offering. Businesses with HIPAA-covered data should not route protected health information through Zapier without specific legal evaluation and advice -- this is a hard compliance line, not a gray area.

When Does Your Business Need More Than Zapier's Built-in Security?

For most standard business automation -- CRM connections, marketing tools, productivity apps -- Zapier's SOC 2 Type II certification and GDPR-compliant DPA provide adequate security coverage. Several specific scenarios require more.

Businesses with HIPAA-covered data, financial services regulatory requirements, or data residency obligations need to assess carefully whether their situation is one where Zapier needs custom development -- a purpose-built integration layer can provide the compliance controls Zapier's standard offering cannot.

  • HIPAA-covered healthcare data: Zapier's absence of BAA support means PHI routing through Zapier creates HIPAA compliance risk -- a custom integration with BAA coverage may be required.
  • Financial services regulation: Businesses subject to FCA, SEC, or similar financial regulation may face data handling requirements that exceed Zapier's standard offering for specific data categories.
  • Data residency requirements: Businesses required to keep data within specific geographic regions face constraints with Zapier's US-primary infrastructure and limited EU data residency options.
  • Immutable audit trail requirements: Compliance frameworks requiring detailed, immutable logs of every data access and transformation may need custom integration providing more granular logging than Zapier's task history offers.
  • Enterprise security beyond SOC 2: Organizations with requirements for ISO 27001, FedRAMP, or PCI-DSS Level 1 certification need to verify whether Zapier meets those standards for each specific data type before routing it through the platform.

Conclusion

Zapier's security and data privacy controls are robust for most business use cases. SOC 2 Type II certification, AES-256 encryption, and a GDPR-compliant DPA cover the majority of standard business data flows adequately. The specific areas requiring careful attention are task history data retention (90 days of personal data stored by default), AI step data flows to OpenAI, and HIPAA-covered health data (where Zapier's standard offering is insufficient without a BAA).

Audit your current Zaps to identify which ones process personal data, execute Zapier's DPA if you are an EU business, review your task history retention settings for sensitive workflows, and establish an internal policy for which data types can be included in AI step prompts.

Need Help Designing a Compliant Zapier Automation Stack for Your Business?

Compliance gaps in automation are often invisible until they become incidents. Building compliance into the architecture from the start is significantly less expensive than retrofitting it after a breach or regulatory review.

At LowCode Agency, we are a strategic product team, not a dev shop. We design Zapier automation stacks for compliance-conscious businesses, with GDPR-compliant data flow architecture, DPA review support, and custom integration development for requirements that exceed Zapier's standard security posture.

  • GDPR-compliant data flow design: We review which personal data flows through each Zap and design architectures that minimize unnecessary data exposure and meet GDPR data minimization requirements.
  • Task history audit: We audit existing automation stacks to identify which Zaps are retaining personal data in task history and advise on appropriate configuration changes.
  • AI step data governance: We review AI step prompts to identify personal data inclusion risks and establish data governance policies for AI-enhanced workflows.
  • DPA review support: We advise on Zapier's DPA requirements and help ensure the correct agreements are in place before personal data processing begins.
  • Security-appropriate Zap architecture: We design automation architectures that keep sensitive data minimized in transit and avoid unnecessary personal data exposure at each step.
  • Custom integration for compliance requirements: When Zapier's standard offering is insufficient for your compliance requirements, we build purpose-built integration layers with the controls your regulatory environment requires.
  • Compliance documentation: We document data flows, processing records, and technical measures for inclusion in your GDPR RoPA and compliance records.

We have built 350+ products for clients including Coca-Cola, American Express, and Zapier.

Speak to the team about compliant Zapier automation design at https://www.lowcode.agency/contact.
