Security and Compliance

COMPLIANCE AT ZAPIER

Zapier takes compliance seriously and understands its significance to both customers and partners. For this reason, Zapier has obtained independent third-party auditor certifications with the AICPA’s SOC for Service Organizations, SOC 2 Type II, and SOC 3. Zapier’s SOC 3 report can be downloaded here.

SOC

If you're a Zapier for Teams or Enterprise customer, are on a Teams/Enterprise trial, or have access to Premier Support, reach out to Support to request a copy of our SOC 2 report.

SECURITY BEST PRACTICES AT ZAPIER

Zapier takes pride in its information security program and is dedicated to its continual improvement.

User Account Security

Product Access Control

A subset of Zapier's personnel has access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security.

Authentication Resources

Encryption

Zapier encrypts data at rest with 256-bit AES and secures network communication with TLS 1.2 to protect data in transit.

Change Management

  • Peer code reviews: every pull request is reviewed by peers, whether it’s a new feature or bug fix. Security reviews are performed as appropriate for the work.
  • Regular code audits for security.
  • Continuous integration and delivery: we use GitLab for our CI tooling. Every PR that is merged is automatically subjected to a pipeline of rigorous tests and analysis as appropriate for the code that is being merged.
  • Robust unit testing.
  • Regular penetration testing.

Cloud Security

Zapier utilizes Amazon Web Services (AWS) as its cloud service provider and leverages AWS' security and compliance controls for data center physical security and cloud infrastructure. Further resources for this service provider can be found on the AWS Security Cloud website.

Monitoring & Logging

Availability

Zapier has globally distributed SRE and Security teams that are on-call 24/7. To ensure users have real-time service availability updates, Zapier maintains a Status page.

Logging

Zapier maintains a comprehensive log of all user and Zap activities. Zap activities are extensively logged internally for troubleshooting and support, and presented in summary in Zap History to inform users directly.

Vulnerability Management

Threat Detection

Zapier has enabled threat detection software and conducts ongoing threat modelling exercises to identify and plan for any vulnerabilities in our environment.

External Penetration Testing

Zapier undergoes an external penetration test by an independent third party on an annual cadence, at minimum.

Security Bug Bounty Program

Zapier’s Security Exploit Bug Bounty Program acknowledges the work independent security researchers do by flagging vulnerabilities Zapier might not be aware of, with a discretionary reward system. There’s no maximum amount: Zapier looks at each vulnerability on a case-by-case basis.

Three key points to keep in mind if you find something to report:

  1. Please let Zapier know as soon as possible.
  2. Don’t test against Zapier users’ private data.
  3. Zapier welcomes the opportunity to work together with you and close the vulnerability prior to revealing the vulnerability to others.