COMPLIANCE AT ZAPIER
Zapier takes compliance seriously and understands its significance to both customers and partners. For this reason, Zapier has obtained independent third-party auditor certifications under the AICPA’s SOC for Service Organizations framework: SOC 2 Type II and SOC 3. Zapier’s SOC 3 report can be downloaded here.
SECURITY BEST PRACTICES AT ZAPIER
Zapier takes pride in its information security program and is dedicated to its continual improvement.
User Account Security
Product Access Control
A subset of Zapier's personnel has access to the products and to customer data via controlled interfaces. Access is limited to this subset so that staff can provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security controls.
Zapier encrypts data at rest with 256-bit AES and secures network communication with TLS 1.2 to encrypt data in transit.
- Peer code reviews: every pull request is reviewed by peers, whether it’s a new feature or bug fix. Security reviews are performed as appropriate for the work.
- Regular code audits for security.
- Continuous integration and delivery: we use GitLab for our CI tooling. Every PR that is merged is automatically subjected to a pipeline of rigorous tests and analysis as appropriate for the code that is being merged.
- Robust unit testing.
- Regular penetration testing.
Zapier utilizes Amazon Web Services (AWS) as its cloud service provider and leverages AWS' security and compliance controls for data center physical security and cloud infrastructure. Further resources for this service provider can be found on the AWS Security Cloud website.
Monitoring & Logging
Zapier has globally distributed SRE and Security teams that are on-call 24/7. To ensure users have real-time service availability updates, Zapier maintains a Status page.
Zapier maintains a comprehensive log of all user and Zap activities. Zap activities are extensively logged internally for troubleshooting and support, and presented in summary in Zap History to inform users directly.
Zapier has enabled threat detection software and conducts continual threat modelling exercises to identify and plan for vulnerabilities in its environment.
External Penetration Testing
Zapier undergoes an external penetration test by an independent third party on an annual cadence, at minimum.
Security Bug Bounty Program
Zapier’s Security Exploit Bug Bounty Program acknowledges the work independent security researchers do in flagging vulnerabilities Zapier might not be aware of, with a discretionary reward system. There’s no maximum amount: Zapier evaluates each vulnerability on a case-by-case basis.
Three key points to keep in mind if you find something to report:
- Please let Zapier know as soon as possible.
- Don’t test against Zapier users’ private data.
- Zapier welcomes the opportunity to work together with you to close the vulnerability before it is disclosed to others.