Zapier makes it easy to connect your web apps together and automate your tedious work.

But does that convenience come at a cost? Does Zapier’s security live up to the standards that your company needs, and is it HIPAA compliant?

In this post, we’re going to explain why Zapier is safe to use, as long as you take the same reasonable precautions that you would with any other web app.

And at the end of this article, we’ll explore the most stringent of security standards – HIPAA – and see if Zapier can adhere to those regulations.
Why Zapier needs to access your apps
First, let’s take a look at how Zapier works, and why it needs permissions that might initially make some users uneasy.

As an automation provider, Zapier’s main purpose is to connect multiple apps – and their data – together. With Zapier, you can automate the software your team uses every day, like Google Drive, HubSpot, Airtable, Excel, or thousands of other apps that Zapier supports.

Quick tip: Check out XRay.Tools to quickly search a complete indexed list of every Zapier integration, along with 5 other automation providers.
In order to automate these third-party tools, you have to give Zapier access to your apps, and you have to give it permission to act on your behalf.

For example, if you want Zapier to perform a certain action whenever you get an email, then you’ll need to grant Zapier permission to view your email inbox in Outlook or Gmail.

Similarly, if you want Zapier to generate documents in Google Drive, you need to give Zapier permission to create data through your Google account.

When you’re connecting an app to Zapier for the first time, the request for permissions may seem a bit intrusive, but Zapier is really just asking for what’s necessary to automate your tools. Without these permissions, you’d be very limited in what you could automate.

Of course, there are some things you can build with Zapier tools and public data alone. You could potentially use Zapier Tables to store all of your data in the backend, build automations connected to public newsfeeds, and publish everything to a Zapier Interface.

However, this isn’t the way most people will use Zapier most of the time. In the vast majority of circumstances, you’ll need to connect your other software to Zapier in order to make the most of the platform.
How Zapier secures your data
To be clear, granting Zapier access to your apps doesn’t make Zapier a security risk in and of itself. You can confidently give Zapier the permissions it needs, because Zapier is designed to comply with modern security standards for web apps.

We won’t go into deep technical detail right now or cover every aspect of Zapier’s security, but we want to highlight some key things you should know about how they handle your data.
Certified security standards
First off, Zapier has received third-party certification from auditors, so you don’t just have to take their word for it that they’re being responsible with your apps and data.

They’ve received third-party auditor certification with the AICPA, and you can read the full report on Zapier’s security and compliance page.

Zapier is also compliant with the EU-US Data Privacy Framework Program. This ensures that data can be transferred from users in the EU to a US-based company like Zapier while still respecting all of the relevant EU data privacy laws.
Authentication and 2-factor login
Next, it’s important to remember that every app you connect to Zapier needs to be authenticated first.

The exact method for authorizing each app varies. It depends on the app in question, and on how its developers built their Zapier integration.

Zapier encourages OAuth 2.0 or API keys, and these are the most common authentication methods you’ll see. But regardless of the exact method used, you’ll always need legitimate credentials to automate an app with Zapier in the first place.

For an added layer of security, you can always enable 2-factor authentication on your Zapier account. You would then need a temporary code from an authenticator app (such as the one built into 1Password) in addition to your password whenever you want to log in.

Even if someone obtained your username and password, they still wouldn’t be able to sign in without the temporary code shown on your authenticated device.
Data encryption and privacy
Next, whether you’re using 2-factor authentication or not, your Zapier data is encrypted using 256-bit AES encryption, an international standard for data security. This is the same cipher that protects your connection at checkout whenever you buy something online with a credit card from any reputable retailer.

Additionally, any of your data that’s stored in Zapier will only be used for your Zaps. As Zapier notes on their data privacy page, your data is not sold or marketed to third parties.

And if you do ever run into any issues, Zapier has a security support team available 24/7.

In short, there’s really no need to worry when you connect your apps to Zapier. They’ve built a secure, reliable automation platform, and in our time building thousands of Zaps for our team and our clients, we have yet to encounter a serious security threat.
General best practices for using Zapier securely
Everything we’ve covered shows that Zapier lives up to modern security standards for web applications.

But Zapier, like any app, can be compromised through human error if you don’t take basic security measures. So here are some quick tips that you can follow to ensure that Zapier and your other software aren’t at risk.
Use unique passwords for your logins
First – and you’ve probably heard this one before, but it bears repeating – don’t reuse passwords.

This applies to any and all software. If any app you use suffers a data breach, then your password for that app could be exposed.

If you’ve reused that password in different apps, that makes it easy for malicious actors to access several of your accounts with one set of credentials.

That’s why you should always use unique passwords for every app, even if it gets difficult to remember them all. In that case, you can always use a password manager like 1Password to securely store your credentials, and even safely share logins as needed with your team.
Share your Zapier connections carefully
On the subject of collaborating with your team, our next tip is a little more specific to Zapier:

Always be intentional about sharing app connections with your team in Zapier.

On team accounts, any app connection can either be kept private to you only, or shared with your team.

Sharing a connection with your team can be very convenient, since it will allow them to build Zaps using your authenticated account, but it’s not always appropriate to share your connections.

For instance, you might want to set up a Zap that sends emails from your individual Gmail account in your company workspace.

Sharing your individual Gmail account would allow users to read all the messages in your inbox and even send emails on your behalf via Zapier. You probably don’t want to give your entire team the ability to do that.

But thankfully, Zapier makes it easy to avoid granting too much access. You have full control over every app you connect to Zapier, and you can choose who to share it with – if anyone.
Consider the permissions granted to each account
Along similar lines, remember that when you connect an app to Zapier, the connection will usually have all of the same permissions and abilities that the associated account has.

So for example, let’s say there’s a document in our Google Drive account called “Q4 2023 Financial Report”.

Tom’s account ([email protected]) has full access to view and edit the document, but Matt’s account ([email protected]) has view-only permissions.

If Tom connects his Google account to Zapier, any Zaps he builds with it will be able to edit the Financial Report doc.

But if Matt connects his Google account, any Zap he builds will only be able to view the doc, and won’t be able to edit it.

In the “Append Text” step pictured below, this Zap will try to use Matt’s Google account to add the words “Test Text” to the Q4 Financial Report.

In the “Append Text” test below, you can see that the test result just says “No data available”. The Zap was able to send a request to edit the doc, but the doc remains unchanged because Matt’s account doesn’t have edit access.

And if we check the document in Google Drive, we can see that its text hasn’t been changed. There’s no “Test Text” at the end of the doc.

As this example illustrates, the permissions each user has when they use an app directly will also carry over to using the app automatically via Zapier.

However, in some cases, you can scope the connection more narrowly than the account itself by authenticating the app with a Personal Access Token. Unfortunately, this option is only available in a few select apps, like Airtable.

In general, the best approach to using Zapier securely is to stick with the same precautions that you’d use with any web app. Keep your passwords complex and unique, and make sure you only grant necessary and appropriate permissions to your teams.
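The two points above (a shared connection lets teammates act with all of the connecting account’s rights, and a connection otherwise inherits exactly the permissions the account has in the app itself) can be made concrete with a small access-control model. This is an added Python example, not Zapier’s code or a reproduction of anything on the page: the accounts, e-mail addresses, document text and the narrowed-token behaviour are constructed assumptions for illustration, and the “Append Text” step is modelled as a plain function.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Perm(Enum):
    VIEW = "view"
    EDIT = "edit"


@dataclass
class Document:
    """A document as the app itself (Google Drive, in the page's example) would hold it."""
    title: str
    text: str
    acl: dict  # account -> set of Perm granted directly in the app


@dataclass
class Connection:
    """An app connection as an automation provider would hold it: authenticated as one account."""
    owner: str
    # None: the connection carries the owner's full rights (OAuth / API key, as on the page).
    # A set: rights narrowed by the token itself, e.g. a scoped Personal Access Token (assumed here).
    token_scopes: Optional[set] = None
    # Teammates allowed to build Zaps with this connection (empty = private to the owner).
    shared_with: set = field(default_factory=set)


def effective_perms(conn: Connection, doc: Document) -> set:
    """Rights a Zap using `conn` has on `doc`: the owner's ACL entry, narrowed by token scopes."""
    perms = set(doc.acl.get(conn.owner, set()))
    if conn.token_scopes is not None:
        perms &= conn.token_scopes
    return perms


def append_text(conn: Connection, acting_user: str, doc: Document, text: str) -> str:
    """Model of an 'Append Text' step that `acting_user` runs through `conn`."""
    if acting_user != conn.owner and acting_user not in conn.shared_with:
        return "connection-not-shared"      # the teammate cannot use a private connection at all
    if Perm.EDIT not in effective_perms(conn, doc):
        return "edit-denied"                # the request goes out, but the app rejects the edit
    doc.text += text                        # whoever acts through the connection edits as its owner
    return "appended"


def run_demo() -> dict:
    """Replays the page's Tom/Matt scenario plus a shared connection and a narrowed token (constructed)."""
    report = Document(
        "Q4 2023 Financial Report", "Revenue up 4%.",
        acl={"tom@example.com": {Perm.VIEW, Perm.EDIT}, "matt@example.com": {Perm.VIEW}},
    )
    tom = Connection("tom@example.com")                                         # private, full rights
    matt = Connection("matt@example.com")                                       # private, view-only account
    tom_shared = Connection("tom@example.com", shared_with={"matt@example.com"})  # Tom shared with Matt
    tom_view_token = Connection("tom@example.com", token_scopes={Perm.VIEW})    # narrowed token

    return {
        "tom_own_connection": append_text(tom, "tom@example.com", report, " Test Text"),
        "matt_own_connection": append_text(matt, "matt@example.com", report, " Test Text"),
        "matt_via_toms_shared_connection": append_text(tom_shared, "matt@example.com", report, " Test Text"),
        "jane_via_toms_private_connection": append_text(tom, "jane@example.com", report, " Test Text"),
        "tom_view_only_token": append_text(tom_view_token, "tom@example.com", report, " Test Text"),
        "final_text": report.text,
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The third case is the one the “share your connections carefully” tip is about: Matt’s own account cannot edit the report, but the moment Tom shares his connection, a Zap Matt builds with it edits the document as Tom. The last case shows the narrowing that a scoped token gives where an app supports it: the account still has edit rights, but the connection does not.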
‍
Zapier is not HIPAA compliant
Before we wrap up this post, we want to point out that in spite of its high security standards, Zapier is not HIPAA compliant.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a US law regulating the use of patients’ private medical information. Understandably, this law has some very strict requirements for how medical information can be stored and accessed.

On their data privacy page, Zapier plainly states that they don’t support the use of Protected Health Information (PHI) covered by HIPAA, and won’t sign a Business Associate Agreement (BAA) certifying that your Zaps comply with HIPAA if you ask.

We at XRay don’t represent Zapier, and this is just our opinion. But we believe the choice to not support HIPAA compliance mostly comes down to the extremely flexible and variable nature of Zapier and its integrations.

You may have noticed that in this post and in others on our blog, we don’t usually call Zapier an “app”, but rather a “provider”.

Of course, technically speaking, it is a software application. But Zapier’s purpose is to connect other apps together to build something new. It doesn’t just have a predefined set of functions that you can perform. It lets you build almost anything you can think of using other tools.

With so many possibilities for what their users can build, we think that Zapier can’t realistically guarantee that users won’t build something that exposes protected information.

Zapier can’t control how other apps handle and process your data, and they can’t feasibly track every update to every one of the thousands of apps they have integrations for.

As such, a lack of HIPAA compliance shouldn’t be seen as an indication of poor security. It’s just not a practical goal for an automation provider with open-ended functionality to ensure that all of their integrated apps meet the extremely specific standards set forth in HIPAA.

This is certainly frustrating if you’re hoping to automate work related to the healthcare industry, but for most Zapier users, it’s ultimately not a reason to worry. Zapier still uses industry-standard security to protect your data, as we’ve covered in this post.

If you do need to build an automation that’s HIPAA compliant, reach out to us. You can schedule a free consultation to discuss your plans and your options.
Securely automating your apps with Zapier
As you work online, it’s always important to strike a balance between privacy, security, and productivity. There are a lot of malicious actors out there who will try to steal or expose data online, but keeping all of your data offline just isn’t a practical option.
Business runs on the web, and automation providers like Zapier let you automate that business using industry-standard encryption, authentication, and data privacy policies to keep you safe. Just take sensible precautions, as you would with any software, and you can confidently use Zapier to automate your work.
If you’d like to learn more about building workflow automations, check out our blog or our YouTube channel. You can also follow XRay on Twitter, Facebook, or LinkedIn.