// Trust & Security Report
Zapier Inc.
Workflow automation and AI orchestration platform (Zaps/workflows, Tables, Interfaces, Canvas, AI Agents, Chatbots, Zapier MCP, Zapier SDK, Zapier Enterprise governance layer)
Certifications held
4
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.zapier.com“SOC 2 (TYPE II) ... Zapier is pleased to announce that we have successfully completed our 2024 SOC2 Type II audit, which covers the period from May 1, 2023, to May 31, 2024.”
Verify on trust.zapier.com“The SOC3 report is now available for download on the trust center ... Zapier SOC 3 Report (PDF)”
Verify on trust.zapier.com“GDPR + CCPA COMPLIANT ... GDPR: Data privacy compliance ... comply with GDPR, CCPA, and other privacy regulations. Zapier will enter into a DPA (Data Processing Addendum available at zapier.com/legal/data-processing-addendum).”
> Show 6 unconfirmed / not-held certifications
source: trust.zapier.comNo public evidence Zapier itself holds ISO/IEC 27001. Search results indicate the SOC 2/ISO 27001 references found relate to Zapier's underlying infrastructure providers' own certifications, not a Zapier-held ISO 27001 certificate; Zapier's trust center and security-compliance page list only SOC 2 Type II, SOC 3, GDPR, and CCPA.
source: zapier.comNo, Zapier isn't HIPAA compliant. ... That includes not signing a Business Associate Agreement (BAA), which is a must-have if you're dealing with PHI. ... you can't use it to automate anything involving protected health information (PHI).
source: trust.zapier.comNo public evidence of a Zapier-held PCI DSS attestation. Not listed on the Trust Center badges (SOC 2 Type II, SOC 3, GDPR, CCPA) or the security-compliance marketing page.
source: trust.zapier.comNo public evidence. Not listed among Trust Center badges or the security-compliance page's certification claims.
source: trust.zapier.comNo public evidence of CSA STAR registration or self-assessment for Zapier. Not listed on the Trust Center or security-compliance page.
source: trust.zapier.comNo public evidence of FedRAMP authorization. Not listed on the Trust Center or security-compliance page.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Not stated
Trains on customer content by default for non-Enterprise plans; opt-out is available and Enterprise is auto-opted-out. Per Zapier's own security-compliance messaging: 'Enterprise customers are automatically opted out of data training. Customers on other plans can opt out by filling out the opt-out form.' Additional detail found: 'For customers who've opted out using a simple form and all Enterprise customers (who are opted out automatically), none of your content will ever be used by Zapier or our partners to train AI models or to improve our services.' This implies non-Enterprise, non-opted-out customer content CAN be used for training/service improvement by default, which is a materially different posture than 'never trains' and should be surfaced to buyers on Free/Starter/Professional/Team/Company plans.
// Security controls
Third-party audits
One or more annual third-party audit(s); annual third-party penetration testing (2025 HackerOne penetration test report listed as a Trust Center document).
trust.zapier.comBug bounty / vulnerability disclosure
Has a bug bounty or vulnerability disclosure program; 'Report a Vulnerability' quick link on the Trust Center.
trust.zapier.comSubprocessors transparency
Public, actively maintained subprocessors list with dated change-log announcements (e.g. Grafana Labs added, Bright Data removed, June 2026; Fireworks AI added as an AI subprocessor, May 2026).
trust.zapier.comCyber insurance
Has cyber insurance; Certificate of Insurance listed as a Trust Center document.
trust.zapier.comDisaster recovery
Annual Disaster Recovery (DR) test documented and made available on the Trust Center.
trust.zapier.comAI governance / access controls (Enterprise)
Action Restrictions, Managed Connections (company-owned, IT-managed app connections), Domain Restrictions, App Access Controls, Bring Your Own Model (BYOM, e.g. run through customer's own Amazon Bedrock), AI Guardrails (blocks sensitive data / risky inputs), Log Streaming to Datadog/Splunk, centralized audit trail for every AI action.
zapier.com// Products & data scope
data: Connects 9,000+ third-party apps; processes whatever workflow data the customer routes through it. Customer content may be used to train AI models / improve services unless the customer submits the opt-out form.
No admin console-grade governance (SSO/SCIM, action restrictions, BYOM) at these tiers; those are Enterprise-only. Not eligible for BAAs/PHI use at any tier.
data: Adds SAML SSO, SCIM provisioning, workspaces, action/domain/app access restrictions, managed connections, BYOM (route AI through customer's own infrastructure e.g. Bedrock), AI Guardrails, log streaming, full audit trail via Asset History API. Automatically opted out of AI training on customer content.
Target tier for regulated/large-org buyers; this is the tier where the trust-center certifications (SOC 2 Type II, SOC 3) and the automatic AI-training opt-out actually apply operationally alongside governance controls.
data: Lets external AI assistants (e.g. Claude, ChatGPT) call Zapier-governed actions across 9,000+ apps through one authenticated, audited connection.
Same underlying auth, policy, and audit-trail layer as Zapier SDK; IT sees and controls both surfaces identically per Zapier's own product messaging.
data: Used by developers/coding agents (e.g. Claude Code, Cursor) to build custom integrations against the same governed connection layer as MCP.
Shares Zapier's runtime, credential handling, and audit logging with the rest of the platform.
data: Operates on its own domain (zapierdesk.com) with its own head office and contact (contact@zapierdesk.com); discloses no ownership, parent, or legal-entity relationship to Zapier Inc. (zapier.com). Claims its own ISO 9001:2015 and ISO 27001:2022.
Included only to disambiguate: this is where the stray 'Zapier ISO 27001' search hits originate. It is a different company, so its ISO 27001:2022 must NEVER be credited to Zapier Inc.'s automation platform. Zapier Inc.'s own product family (per zapier.com and its Trust Center) does not include a 'Zapier Desk' product.
// What to watch
- AI-training default: non-Enterprise customer content is used to train AI models / improve services by default unless the customer submits an opt-out form; only Enterprise is auto-opted-out. This is a meaningful caveat for buyers on lower tiers and should be surfaced explicitly, not folded into a blanket 'does not train on data' claim.
- HIPAA: Zapier explicitly states on its own blog it is NOT HIPAA compliant and will not sign a BAA on any plan. Any third-party integration/consultant claiming 'HIPAA-compliant Zapier workflows' (e.g. HIPAAtizer) is a wrapper product, not Zapier itself; do not credit HIPAA to Zapier.
- ISO 27001: the stray ISO 27001 references surface from (a) Zapier's underlying infrastructure providers' own certifications (host, not vendor) and (b) 'Zapier Desk' at zapierdesk.com, which is a SEPARATE, UNAFFILIATED same-name company (its own domain, head office, and contact; no disclosed ownership link to Zapier Inc.), not a Zapier product. Neither can be credited to Zapier Inc. Zapier's own Trust Center and security-compliance page list only SOC 2 Type II, SOC 3, GDPR, and CCPA. Graded held=false with no public vendor-domain evidence; the identity question is resolved, not merely pending.
- Could not fully load the full text of zapier.com/privacy and zapier.com/legal/data-privacy in this pass (fetch returned only headers/titles); DPA availability and legal-entity naming were confirmed via secondary vendor-domain search snippets rather than a direct full-page read. Recommend a follow-up direct fetch before treating privacy_policy_url details as fully verified.
- Zapier's marketing surface (homepage, security-compliance page) emphasizes broad 'AI governance and security' language that could be read as implying deeper compliance coverage (e.g. HIPAA-adjacent 'AI Guardrails' for 'sensitive data') than the trust center actually documents; only SOC 2 Type II, SOC 3, GDPR, and CCPA are backed by trust-center badges/documents.
// At a glance
Pricing model
Freemium SaaS subscription, per-task/per-user tiers (Free, Starter, Professional, Team, Company) plus custom-priced Enterprise; no self-host option.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Zapier Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.zapier.com